Joe Sandbox Cloud Basic Analysis Report

Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:22.0.0
Analysis ID:51088
Start time:23:17:16
Joe Sandbox Product:CloudBasic
Start date:20.03.2018
Overall analysis duration:0h 3m 50s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:ocsp_server.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:SUS
Classification:sus22.evad.winEXE@1/1@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information:Failed
HDC Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .exe
Warnings:
Show All
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe


Detection

StrategyScoreRangeReportingDetection
Threshold220 - 100Report FP / FNsuspicious


Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold20 - 5true
ConfidenceConfidence


Classification

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample launched by virtual dos engine, sample likely has a wrong file extension
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Signature Overview

Click to jump to signature section


Networking:

barindex
Urls found in memory or binary dataShow sources
Source: ntvdm.exeString found in binary or memory: http://ipxe.org
Source: ntvdm.exeString found in binary or memory: http://ipxe.org)
Source: ntvdm.exeString found in binary or memory: http://ipxe.orgiPXE

Spreading:

barindex
Checks for available system drives (often done to infect USB drives)Show sources
Source: C:\Windows\System32\ntvdm.exeFile opened: u:
Source: C:\Windows\System32\ntvdm.exeFile opened: m:
Source: C:\Windows\System32\ntvdm.exeFile opened: p:
Source: C:\Windows\System32\ntvdm.exeFile opened: v:
Source: C:\Windows\System32\ntvdm.exeFile opened: j:
Source: C:\Windows\System32\ntvdm.exeFile opened: f:
Source: C:\Windows\System32\ntvdm.exeFile opened: s:
Source: C:\Windows\System32\ntvdm.exeFile opened: e:
Source: C:\Windows\System32\ntvdm.exeFile opened: b:
Source: C:\Windows\System32\ntvdm.exeFile opened: w:
Source: C:\Windows\System32\ntvdm.exeFile opened: o:
Source: C:\Windows\System32\ntvdm.exeFile opened: y:
Source: C:\Windows\System32\ntvdm.exeFile opened: t:
Source: C:\Windows\System32\ntvdm.exeFile opened: n:
Source: C:\Windows\System32\ntvdm.exeFile opened: a:
Source: C:\Windows\System32\ntvdm.exeFile opened: r:
Source: C:\Windows\System32\ntvdm.exeFile opened: l:
Source: C:\Windows\System32\ntvdm.exeFile opened: z:
Source: C:\Windows\System32\ntvdm.exeFile opened: h:
Source: C:\Windows\System32\ntvdm.exeFile opened: x:
Source: C:\Windows\System32\ntvdm.exeFile opened: c:
Source: C:\Windows\System32\ntvdm.exeFile opened: i:
Source: C:\Windows\System32\ntvdm.exeFile opened: q:
Source: C:\Windows\System32\ntvdm.exeFile opened: k:
Source: C:\Windows\System32\ntvdm.exeFile opened: g:
Source: C:\Windows\System32\ntvdm.exeFile opened: d:

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: sus22.evad.winEXE@1/1@0/0
Creates temporary filesShow sources
Source: C:\Windows\System32\ntvdm.exeFile created: C:\Users\HERBBL~1\AppData\Local\Temp\scsD1F3.tmp
Reads software policiesShow sources
Source: C:\Windows\System32\ntvdm.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)Show sources
Source: ocsp_server.exeMetascan Online: hash found
Creates driver filesShow sources
Source: C:\Windows\System32\ntvdm.exeFile created: C:\MSDOS.SYS
Tries to load missing DLLsShow sources
Source: C:\Windows\System32\ntvdm.exeSection loaded: sfc.dll
Source: C:\Windows\System32\ntvdm.exeSection loaded: sfc_os.dll
Source: C:\Windows\System32\ntvdm.exeSection loaded: winmm.dll
Source: C:\Windows\System32\ntvdm.exeSection loaded: ntvdmd.dll
Source: C:\Windows\System32\ntvdm.exeSection loaded: vdmredir.dll
Source: C:\Windows\System32\ntvdm.exeSection loaded: netapi32.dll
Source: C:\Windows\System32\ntvdm.exeSection loaded: netutils.dll
Source: C:\Windows\System32\ntvdm.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\ntvdm.exeSection loaded: wkscli.dll

HIPS / PFW / Operating System Protection Evasion:

barindex
Modifies the context of a thread in another process (thread injection)Show sources
Source: C:\Windows\System32\ntvdm.exeThread register set: target process: unknown

Anti Debugging:

barindex
Checks if the current process is being debuggedShow sources
Source: C:\Windows\System32\ntvdm.exeProcess queried: DebugPort
Source: C:\Windows\System32\ntvdm.exeProcess queried: DebugPort

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\System32\ntvdm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ntvdm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ntvdm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ntvdm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ntvdm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ntvdm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ntvdm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ntvdm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ntvdm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ntvdm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ntvdm.exeProcess information set: NOOPENFILEERRORBOX

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 process2 2 Behavior Graph ID: 51088 Sample: ocsp_server.exe Startdate: 20/03/2018 Architecture: WINDOWS Score: 22 4 ntvdm.exe 4 2->4         started        file3 8 unknown, ASCII 4->8 dropped 10 Modifies the context of a thread in another process (thread injection) 4->10 signatures4

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
ocsp_server.exe0%virustotalBrowse
ocsp_server.exe0%metadefenderBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot