Analysis Report

Overview

General Information

Joe Sandbox Version:22.0.0
Analysis ID:50179
Start time:22:33:27
Joe Sandbox Product:CloudBasic
Start date:13.03.2018
Overall analysis duration:0h 3m 17s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:47proforma.scr (renamed file extension from scr to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.winEXE@1/0@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information:Failed
HDC Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
Warnings:
  • Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: 47proforma.exe


Detection

Strategy:Threshold
Score:4
Range:80 - 100
Reporting:Report FP / FN
Detection:malicious


Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification

Signature Overview


Networking:

Urls found in memory or binary data
  • Source: 47proforma.exe, 47proform.exe; String found in binary or memory: http://www.light-alloy.ru

Data Obfuscation:

Binary may include packed or encrypted code
  • Source: initial sample; Static PE information: section name: .text entropy: 7.23636245956
PE file contains an invalid checksum
  • Source: 47proform.exe; Static PE information: real checksum: 0x74798 should be: 0x6ed87

System Summary:

Classification label
  • Source: classification engine; Classification label: mal48.winEXE@1/0@0/0
PE file has an executable .text section and no other executable section
  • Source: 47proform.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using VB runtime library 6.0 (probably coded in Visual Basic)
  • Source: C:\Users\user\Desktop\47proforma.exe; Section loaded: C:\Windows\System32\msvbvm60.dll
Reads software policies
  • Source: C:\Users\user\Desktop\47proforma.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
PE file contains strange resources
  • Source: 47proform.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name is different from the original file name gathered from version info
  • Source: 47proform.exe; Binary or memory string: OriginalFilename Ragsorter5.exe vs 47proform.exe
Potential malicious icon found
  • Source: initial sample; Icon embedded in PE file: bad icon match: 20047c7c70f0e004

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  • Source: 47proforma.exe; Binary or memory string: Progman
  • Source: 47proforma.exe; Binary or memory string: Program Manager
  • Source: 47proforma.exe; Binary or memory string: Shell_TrayWnd

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Users\user\Desktop\47proforma.exe; Process information set: NOOPENFILEERRORBOX (reported 11 times)

Behavior Graph

[Behavior graph image not recoverable. Graph ID: 50179; Sample: 47proforma.scr; Start date: 13/03/2018; Architecture: WINDOWS; Score: 48. Nodes: process 47proforma.exe (started); signature "Potential malicious icon found".]

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot