
Analysis Report

Overview

General Information

Joe Sandbox Version:22.0.0
Analysis ID:50184
Start time:23:19:04
Joe Sandbox Product:CloudBasic
Start date:13.03.2018
Overall analysis duration:0h 3m 35s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:65doc776165262622 pdf.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.winEXE@3/2@0/1
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information:Failed
HDC Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe, WmiApSrv.exe, WerFault.exe, dllhost.exe
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: 65doc776165262622 pdf.exe


Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 48 | 0 - 100 | Report FP / FN | malicious


Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Signature Overview



Networking:

Urls found in memory or binary data
Source: WerFault.exe, 65doc776165262622 pdf.exe | String found in binary or memory: http://www.light-alloy.ru
Source: WerFault.exe | String found in binary or memory: http://www.light-alloy.ruC:

Persistence and Installation Behavior:

May use bcdedit to modify the Windows boot settings
Source: 65doc776165262622 pdf.exe | Binary or memory string: l-bcdedit.exe

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.01220015001
PE file contains an invalid checksum
Source: 65doc776165262622 pdf.exe | Static PE information: real checksum: 0x6e138 should be: 0x70cab

System Summary:

Binary contains paths to debug symbols
Source: Binary string: ntdll.pdb source: WerFault.exe
Source: Binary string: kernel32.pdb} source: WerFault.exe
Source: Binary string: kernel32C:\Windows\system32\kernel32.dllC:\Windows\system32\kernel32.dllRSDSkernel32.pdbX source: WerFault.exe
Source: Binary string: kernel32.pdb( source: WerFault.exe
Source: Binary string: ntdll.pdb( source: WerFault.exe
Source: Binary string: KiUserCallbackDispatcherRSDSntdll.pdb source: WerFault.exe
Source: Binary string: ntdll.pdb source: WerFault.exe
Source: Binary string: kernel32.pdb source: WerFault.exe
Classification label
Source: classification engine | Classification label: mal48.winEXE@3/2@0/1
Creates files inside the user directory
Source: C:\Windows\System32\WerFault.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_65doc77616526262_5ccd493d0c95560b313bb49f9ad3e9688fff6_0dacba67
Creates temporary files
Source: C:\Windows\System32\WerFault.exe | File created: C:\Users\user\AppData\Local\Temp\WERB71E.tmp
PE file has an executable .text section and no other executable section
Source: 65doc776165262622 pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\65doc776165262622 pdf.exe | Section loaded: C:\Windows\System32\msvbvm60.dll
Reads ini files
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\win.ini
Reads software policies
Source: C:\Users\user\Desktop\65doc776165262622 pdf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\65doc776165262622 pdf.exe 'C:\Users\user\Desktop\65doc776165262622 pdf.exe'
Source: unknown | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3472 -s 180
Source: C:\Users\user\Desktop\65doc776165262622 pdf.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3472 -s 180
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\WerFault.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{713aacc8-3b71-435c-a3a1-be4e53621ab1}\InProcServer32
Creates mutexes
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3472
One or more processes crash
Source: unknown | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3472 -s 180
PE file contains strange resources
Source: 65doc776165262622 pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported twice)
Sample file is different than original file name gathered from version info
Source: 65doc776165262622 pdf.exe | Binary or memory string: OriginalFilenameHomemakers6.exe vs 65doc776165262622 pdf.exe (reported twice)
Source: 65doc776165262622 pdf.exe | Binary or memory string: OriginalFilenameWerFault.exej% vs 65doc776165262622 pdf.exe
Source: 65doc776165262622 pdf.exe | Binary or memory string: OriginalFilenameuser32j% vs 65doc776165262622 pdf.exe
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WerFault.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\65doc776165262622 pdf.exe | Process queried: DebugPort (reported twice)
Enables debug privileges
Source: C:\Windows\System32\WerFault.exe | Process token adjusted: Debug

Malware Analysis System Evasion:

Queries a list of all running processes
Source: C:\Windows\System32\WerFault.exe | Process information queried: ProcessInformation
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WerFault.exe TID: 3680 | Thread sleep time: -60000s >= -60000s

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\65doc776165262622 pdf.exe | Process information set: NOOPENFILEERRORBOX (reported 7 times)
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS and NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (reported 13 times)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\System32\WerFault.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

[Behavior graph image not reproduced in text; data recoverable from the graph:]
Behavior Graph ID: 50184
Sample: 65doc776165262622 pdf.exe
Startdate: 13/03/2018
Architecture: WINDOWS
Score: 48
Signature: Potential malicious icon found
Process chain: 65doc776165262622 pdf.exe (started) -> WerFault.exe (started)
DNS/IP (from WerFault.exe): 8.8.8.8, ports 50900, 53, 53440, GOOGLE-GoogleIncUS, United States

Simulations

Behavior and APIs

Time | Type | Description
23:19:49 | API Interceptor | 1x Sleep call for process: 65doc776165262622 pdf.exe modified
23:19:50 | API Interceptor | 3x Sleep call for process: WerFault.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot