Windows Analysis Report ZM80M76Nwv.exe
Overview
General Information
Detection
Score: 56 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Classification: mal56.winEXE@2/6@0/1
What the data in this report supports: ZM80M76Nwv.exe is an unsigned 32-bit Windows GUI executable of 236703 bytes (compile timestamp 20 Nov 2021) with an overall entropy of 7.997 bits per byte. Of its eight sections, five are nameless and all eight are marked readable, writable and executable; one nameless section has no raw data at all but a virtual size of 0x26966a, another declares 0x3dc000 bytes of raw data although the whole file is only 236703 (0x39c9f) bytes, and the import directory sits in a section with a random-looking name (.AqWcUFG) while the IAT directory entry is empty. This is the layout of a runtime-packed binary, which is what the Software Packing and Obfuscated Files or Information entries in the ATT&CK matrix below reflect. Dynamically the sandbox saw only one other process, WerFault.exe; the run ended by timeout, no network traffic occurred, no malware configuration was extracted, no YARA or Sigma rule matched, and all six dropped files were written by WerFault.exe. The verdict therefore rests on static indicators, the 36% VirusTotal detection rate and the Joe Sandbox ML score rather than on observed payload behaviour; the sample's capabilities should be established by re-running it (hypervisor-based inspection was disabled in this analysis) or by unpacking it manually before they are described.
Process Tree
Analysed processes (2): C:\Users\user\Desktop\ZM80M76Nwv.exe and C:\Windows\SysWOW64\WerFault.exe (details under System Behavior)
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
No Sigma rule has matched
Jbx Signature Overview
AV Detection:
Multi AV Scanner detection for submitted file
Source: Virustotal (perma link)
Machine Learning detection for sample
Source: Joe Sandbox ML
Evidence for the remaining signatures in this group (signature titles are missing from the page):
Source: Static PE information
Source: Binary string (5 entries)
Source: String found in binary or memory
Source: Binary or memory string
System Summary:
PE file has nameless sections
Source: Static PE information (8 entries)
Evidence for the remaining signatures in this group (signature titles are missing from the page):
Source: Process created
Source: Static PE information (4 entries)
Source: Virustotal
Source: Key opened
Source: Process created (2 entries)
Source: Mutant created
Source: File created
Source: Classification label
Source: File read (2 entries)
Source: Static PE information
Source: Binary string (5 entries)
Source: Static PE information
Source: Code function: 3_2_02DDEB70
Source: Code function: 3_2_02DD7E75
Source: Static PE information (10 entries)
Source: Registry key monitored for changes
Source: Process information set (20 entries)
Source: Binary or memory string (17 entries)
Source: Process queried
Source: Binary or memory string
Note on the two code-function addresses: 0x02DDEB70 and 0x02DD7E75 lie below the sample's image base of 0x400000 (which is fixed, since relocations are stripped) and below WerFault.exe's image base of 0xC40000, so the functions were found in memory that is not part of either process's main image. The most likely explanation is code executing from a runtime allocation after the packer stub has unpacked it, which is where a memory dump for further analysis should be taken.
Mitre Att&ck Matrix
Only the techniques marked with a signature count in the full matrix apply to this sample; the remaining cells of the original matrix are the unmatched technique list and are omitted here.
Tactic | Technique | Matching signatures
---|---|---
Privilege Escalation | Process Injection | 1
Defense Evasion | Process Injection | 1
Defense Evasion | Virtualization/Sandbox Evasion | 1
Defense Evasion | Software Packing | 2
Defense Evasion | Obfuscated Files or Information | 2
Credential Access | Input Capture | 1
Discovery | Query Registry | 1
Discovery | Security Software Discovery | 21
Discovery | Virtualization/Sandbox Evasion | 1
Discovery | System Information Discovery | 1
Discovery | Remote System Discovery | 1
Collection | Input Capture | 1
Behavior Graph
Screenshots
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label
---|---|---|---
ZM80M76Nwv.exe | 36% | Virustotal |
ZM80M76Nwv.exe | 100% | Joe Sandbox ML |
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
---|---|---|---|---
 | | false | | high
Contacted IPs
General Information
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528754
Start date: 25.11.2021
Start time: 18:35:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ZM80M76Nwv.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.winEXE@2/6@0/1
EGA Information: Failed
HDC Information:
HCA Information:
Cookbook Comments:
Warnings:
Simulations
Behavior and APIs
Time | Type | Description
---|---|---
18:36:48 | API Interceptor |
Joe Sandbox View / Context
Created / dropped Files
All six files were written by C:\Windows\SysWOW64\WerFault.exe, the Windows Error Reporting process, whose appearance normally means a process has crashed; none of them was written by ZM80M76Nwv.exe itself. File types were not recorded. The first file is flagged Malicious: true by the sandbox even though no antivirus engine matched any dropped file (see the Antivirus section above).

Process: C:\Windows\SysWOW64\WerFault.exe
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.6253742074260888
Encrypted: false
SSDEEP: 96:rKgFol6JhDsoL7DsNfBpXIQcQvc6QcEDMcw3DT+HbHg6ZAXGng5FMTPSkvPkpXmI:7Sl1/tHBUZMXQjE/u7siS274It0
MD5: 27A1475D9B2C2945E79FC17171E2E6F5
SHA1: 72C6910A056ACAADEEB5FE5982368CD10B2D67BD
SHA-256: C2EA9CC7654314A0681105C0E63AAD352E22477E6F42436721C4BDA8A0C9514A
SHA-512: 89CF4277BBCA265DE36C357F87F2DB0A832190961D113EF70040BE2EFD5F3252D2FD04E18D71E8121E633F5F5530175FB34E4491FFE0FF9F7484AD433BA07C01
Malicious: true
Reputation: low

Process: C:\Windows\SysWOW64\WerFault.exe
Category: dropped
Size (bytes): 4568
Entropy (8bit): 4.467661344802117
Encrypted: false
SSDEEP: 48:cvIwSD8zsBJgtWI9ptWSC8BC8fm8M4Js5TlFgFHo+q8RbmkWR5taKVd:uITfTOcSN1JVIGIaKVd
MD5: 6BCF8B5212194E159B189848E0762F6E
SHA1: DA66068E437C27294B6BA5B9797B499F86EEFCE3
SHA-256: D2C1A1702D0A447898BA068A547FBCAD0E108FA06AC16BD5618EDA5662CF88A0
SHA-512: 53376297F9C665E1A7B707749285148345E6A3B8EADE188159AE3FD979033B1F7C7E20926B711D12E7793288ECF4F1DD20A035B290C97B74DE883510CC467FF5
Malicious: false
Reputation: low

Process: C:\Windows\SysWOW64\WerFault.exe
Category: dropped
Size (bytes): 18276
Entropy (8bit): 2.1636177054427765
Encrypted: false
SSDEEP: 96:5V8il8+GYqP5vH40i7k2pSiqrRgAmfLSJAlzWInWIXoIxy2dmO+7:AiZqRvHdOjSzRgAtAlVykK7
MD5: 0C23D61DF57CC229A64119FC95ADC6F1
SHA1: 6DB8161A1D4BD01A86539A9E7B360A33CE48C306
SHA-256: 955C2780E0B8E701BCC68127E8F0F6E343246DC51E54CE49F772E8772074767C
SHA-512: A964ADC773A82DB3BFEA20A297BF8ED1E4228498BEF0F53CEEC7D2B6F5C82A73686C0BB8CC6345BD2A3F1A07A667D0D37A90A2FB296DF9C63CCC217FC5A91CE6
Malicious: false
Reputation: low

Process: C:\Windows\SysWOW64\WerFault.exe
Category: dropped
Size (bytes): 8290
Entropy (8bit): 3.7002049520527085
Encrypted: false
SSDEEP: 192:Rrl7r3GLNid06x116Yr+SUfMYZygmfQS5+pry89b59sfyzm:RrlsNiO6x116YCSUfMYZygmfQSm52ff
MD5: 1B9CC6D0D7B9F8DC25FC0419188D6C2C
SHA1: 3B8C123B795BB63EA3B1664D5E0FF153877BFB6F
SHA-256: 4A79EF51651C81AC04C4EDD812AF29ECBDC9EBE6311E24834BBDB4D7F3EF36BC
SHA-512: 1DE4B457905188EC8C9151DFFECBA27B8DB179503558B8F7F22F73611F42164853B218108265D4BC9750607F08A537B26776427FD153EA747CADAD414AC7AF51
Malicious: false
Reputation: low

Process: C:\Windows\SysWOW64\WerFault.exe
Category: dropped
Size (bytes): 1572864
Entropy (8bit): 4.241540396008965
Encrypted: false
SSDEEP: 12288:c9DyRrVStP4YsYxoQT9p1g5rJ/fDwf8t/KzLvHH/mqxVM085:yDyRrVStP4XYxoAIJ
MD5: E0EEA1D188D636649479AE4AE432E3A6
SHA1: 419529BF1A17DDAB5AA7E55505FAD428E476CEBF
SHA-256: 7457F1E84B2EB9821456BE108F03F137CD0A85A3FD15AC3F00630DF7FC5F3599
SHA-512: C80DC0BF5557C9DF774B9FCC26D007900828EB6CDF7D94B3F5AB3B8936FCADA8BFB496DEC4E9A7719A2D823AD20618C34B7FC42D36D9F5EE24D5AAA37B8E6616
Malicious: false
Reputation: low

Process: C:\Windows\SysWOW64\WerFault.exe
Category: dropped
Size (bytes): 20480
Entropy (8bit): 3.363092622106805
Encrypted: false
SSDEEP: 384:Ijp5K5SPv4KgnVVEeDzeF1NKZtj9T8G/w/1BMerP:Y3Kwg/EeDze/NYtjiG/w/Eer
MD5: A700267FB783D1695EEBF6DA65C08B14
SHA1: 77999B3F85D8118E6053CFA8D9F91380FF94F710
SHA-256: B3FD9DC64A3A88FF941CA2C11E109D8B9A3148E8A5B33EFB976FB69B2E987478
SHA-512: 87646DEF596EC87FEA39C6E6F9FC9487D2ED65A8BFACEF0EA1583355150C7B438657FAB803313FE9760EB6C2AA8DEB4E02C21EDD920C6C1D7584B7A7BAD80D5D
Malicious: false
Reputation: low
Static File Info
General
Entropy (8bit): 7.997292727076848 (the maximum is 8.0, so the file is almost entirely compressed or encrypted data)
File name: ZM80M76Nwv.exe
File size: 236703
MD5: 3c93f57536f15046b52f4340edba42da
SHA1: a7b4f2c0390ebc7c4b7aa5bbfbb60503aba08955
SHA256: 493ea8db7e8d8554d3f3c1dcbcf661dc5027892b02d262dfdcb58372e257191b
SHA512: ef0370f11683092dd06e96b387e031a2966a90d3aad94fd161442af23350b05244cf69798d3eda425b010ba66207675cf41726cd99a489c625da359dfaee7793
SSDEEP: 6144:SOIiujNUOuPzzt0z6IVI0mEoP/RYjwYbylp:S0uvGyuGmzPSjwYbylp
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.a.................4...........P.......P....@..........................po.....V.B....................................
File Icon
Icon Hash: 00828e8e8686b000
Static PE Info
General
Entrypoint: 0x425000
Entrypoint Section: the nameless section at VA 0x25000 (derived from the section table: 0x425000 - 0x400000 = 0x25000)
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x61993087 [Sat Nov 20 17:29:43 2021 UTC]
TLS Callbacks: none (the TLS data directory is empty)
CLR (.Net) Version: none (the COM descriptor data directory is empty)
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash:
Entrypoint Preview
Linear disassembly starting at 0x425000. Only the first three instructions (push 00AAB001h / call / ret) are plausible code: the pushed value is the image base plus 0x6AB001, an address inside the .AqWcUFG section that also holds the import directory. Everything after the ret is the disassembler reading the high-entropy data that fills the rest of this section (privileged and nonsensical instructions such as lds, in, out and int3 are typical of that), so the remainder of the listing should not be read as program logic.
Instruction
push 00AAB001h |
call 00007FB728E4A4F6h |
ret |
ret |
sub dword ptr [edi-5Ch], edx |
sub esp, 7Ah |
lds eax, fword ptr [eax] |
jnbe 00007FB728E4A49Eh |
and esi, dword ptr [edx+1F2EE19Ch] |
mov ch, BBh |
dec esi |
cmp edi, edi |
push ss |
pop eax |
jecxz 00007FB728E4A4F0h |
jnc 00007FB728E4A540h |
mov esp, D092331Ah |
in eax, dx |
pop ds |
int3 |
cmp byte ptr [ecx-5Eh], dh |
push ds |
shr byte ptr [ebx-6174F0A8h], FFFFFFA8h |
insb |
out 44h, eax |
mov al, 6Ah |
inc dh |
and eax, 7D091FFAh |
scasb |
jno 00007FB728E4A4D7h |
test eax, 6008DB81h |
popfd |
loop 00007FB728E4A529h |
or cl, FFFFFF88h |
cmpsb |
mov byte ptr [04D15535h], al |
sub eax, DFE4C75Ah |
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
---|---|---|---
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6abc7c | 0x194 | .AqWcUFG
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6aa000 | 0x5b9 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x100000 |
Two entries deserve a second look. The import directory is present (0x194 bytes inside .AqWcUFG) but IMAGE_DIRECTORY_ENTRY_IAT is 0x0/0x0; the loader still resolves imports from the import descriptors, but a normal linker always fills the IAT entry, so the header was written or rewritten by another tool. The reserved sixteenth entry carries a size of 0x100000 with no address, a field that should be zero and that the loader ignores, which points the same way. The absence of a base relocation table matches RELOCS_STRIPPED: the image can only be loaded at 0x400000.
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
---|---|---|---|---|---|---|---|---
(nameless) | 0x1000 | 0x21fc2 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless) | 0x23000 | 0x1306 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless) | 0x25000 | 0xf000 | 0x7a00 | False | 1.00051229508 | data | 7.99401104881 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless) | 0x34000 | 0x2000 | 0x400 | False | 1.0107421875 | data | 7.78065343968 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless) | 0x36000 | 0x26966a | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless) | 0x2a0000 | 0x40a000 | 0x3dc000 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x6aa000 | 0x1000 | 0x600 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.AqWcUFG | 0x6ab000 | 0x4b000 | 0x4aa00 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.adata | 0x6f6000 | 0x1000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Every section, resources included, is readable, writable and executable, and none carries IMAGE_SCN_CNT_CODE. The raw sizes declared for the section at 0x2a0000 (0x3dc000) and for .AqWcUFG (0x4aa00) both exceed the file size of 236703 (0x39c9f) bytes, which is why the former could not be measured at all and the latter shows as empty: the section table describes the memory layout the stub will build at runtime, not the bytes on disk. Only the two small nameless sections at 0x25000 and 0x34000 hold real file content, and both are at near-maximum entropy.
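The section table above carries the strongest static evidence in this report. The following script is an added example, not Joe Sandbox code and not code from the sample: using only the Python standard library it parses a PE32 header, computes per-section Shannon entropy, decodes the COFF timestamp, and flags the indicators seen here (nameless sections, RWX sections, sections with no raw data but a large virtual size, raw sizes that run past the end of the file, an entry point inside a nameless or high-entropy section, and an import directory with no IAT entry). Because the sample itself is not on this page, build_sample_pe() constructs a synthetic PE whose section table (a subset of the rows above; the 0x2a0000 and .adata rows are left out), data directories and timestamp copy the report's values, with seeded random bytes standing in for the packed data. The 7.5 bits/byte threshold, the finding texts and every function name are this example's own assumptions.

```python
"""Static packer triage for a PE32 file, standard library only (added example, not Joe Sandbox code).
build_sample_pe() is a constructed input copying the report's section table, data directories and
timestamp, with random bytes standing in for packed data; thresholds and names are this example's own."""
import datetime, math, random, struct

RWX = 0x20000000 | 0x40000000 | 0x80000000   # IMAGE_SCN_MEM_EXECUTE | _READ | _WRITE
HIGH_ENTROPY = 7.5                           # bits per byte; uniformly random data approaches 8.0
DIR_IMPORT, DIR_IAT = 1, 12                  # data directory indices


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def timestamp_utc(ts: int) -> str:
    """COFF TimeDateStamp as UTC text (0x61993087 -> 2021-11-20 17:29:43)."""
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_pe32(pe: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table of a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections, timestamp, _, _, size_opt = struct.unpack_from("<HIIIH", pe, e_lfanew + 6)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled")
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    ndirs = struct.unpack_from("<I", pe, opt + 92)[0]
    dirs = [struct.unpack_from("<II", pe, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):               # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + size_opt + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars, "entropy": shannon_entropy(raw),
                         "truncated": rawsize > 0 and rawptr + rawsize > len(pe)})
    return {"entry": entry, "timestamp": timestamp, "dirs": dirs, "sections": sections}


def packer_indicators(info: dict) -> list:
    """Human-readable findings; an empty list means nothing looked packed."""
    out = []
    for s in info["sections"]:
        label = s["name"] or f"nameless@{s['va']:#x}"
        if not s["name"]:
            out.append(f"{label}: nameless section")
        if s["chars"] & RWX == RWX:
            out.append(f"{label}: readable, writable and executable")
        if s["rawsize"] == 0 and s["vsize"]:
            out.append(f"{label}: no raw data but {s['vsize']:#x} bytes virtual (filled at runtime)")
        if s["truncated"]:
            out.append(f"{label}: declares {s['rawsize']:#x} raw bytes but the file ends first")
        if s["entropy"] > HIGH_ENTROPY:
            out.append(f"{label}: entropy {s['entropy']:.3f} (compressed or encrypted)")
    ep = info["entry"]
    home = next((s for s in info["sections"] if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if home is None:
        out.append(f"entry point {ep:#x} is outside every section")
    elif not home["name"] or home["entropy"] > HIGH_ENTROPY:
        out.append(f"entry point {ep:#x} is in a nameless or high-entropy section (unpacking stub)")
    if info["dirs"][DIR_IMPORT][1] and not info["dirs"][DIR_IAT][1]:
        out.append("import directory present but IAT directory empty (header not linker-generated)")
    return out


def build_sample_pe() -> bytes:
    """Constructed test input mirroring (a subset of) the report's section table."""
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(0x7A00))      # stands in for packed data
    spec = [  # (name, VirtualAddress, VirtualSize, bytes actually in the file, SizeOfRawData claimed)
        ("", 0x1000, 0x21FC2, b"", 0),
        ("", 0x23000, 0x1306, b"", 0),
        ("", 0x25000, 0xF000, noise, 0x7A00),                     # the entry point lives here
        ("", 0x36000, 0x26966A, b"", 0),
        (".rsrc", 0x6AA000, 0x1000, bytes(0x600), 0x600),
        (".AqWcUFG", 0x6AB000, 0x4B000, bytes(0x1000), 0x4AA00),  # claims more than the file holds
    ]
    raw_ptr = (0x40 + 4 + 20 + 224 + 40 * len(spec) + 0x1FF) & ~0x1FF   # first aligned offset after headers
    table, body = b"", b""
    for name, va, vsize, raw, claimed in spec:
        ptr = raw_ptr + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, claimed, ptr, 0, 0, 0, 0,
                             RWX | 0x40)      # RWX | IMAGE_SCN_CNT_INITIALIZED_DATA, as on every section in the report
        body += raw + bytes(-len(raw) % 0x200)
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT] = (0x6ABC7C, 0x194)     # as in the report; DIR_IAT deliberately stays (0, 0)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x25000, 0, 0, 0x400000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x6F7000, raw_ptr, 0, 2, 0x8100,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(spec), 0x61993087, 0, 0, len(opt), 0x0103)
    headers = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + table
    return headers + bytes(raw_ptr - len(headers)) + body


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe())     # for a real file: parse_pe32(open(path, "rb").read())
    print("compile timestamp:", timestamp_utc(info["timestamp"]))
    for finding in packer_indicators(info):
        print("-", finding)
```

Run against the synthetic input it reports the same picture as the tables above: four nameless sections, six RWX sections, three sections that exist only in memory, one section whose declared raw size runs past the end of the file, an entry point at RVA 0x25000 inside a nameless section of near-8.0 entropy, and an import directory without an IAT entry. The entropy check is deliberately per section rather than whole-file, because a packer that stores its stub in a low-entropy section would otherwise pull the file average down. Keep the threshold conservative: compressed resources and embedded certificates also score above 7.5, so these findings triage a file for unpacking rather than convict it.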
Network Behavior
No network behavior found
Code Manipulations
Statistics
CPU Usage
Memory Usage
High Level Behavior Distribution
Behavior
System Behavior
General
Start time: 18:36:38
Start date: 25/11/2021
Path: C:\Users\user\Desktop\ZM80M76Nwv.exe
Wow64 process (32bit): true
Commandline:
Imagebase: 0x400000
File size: 236703 bytes
MD5 hash: 3C93F57536F15046B52F4340EDBA42DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General
Start time: 18:36:40
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline:
Imagebase: 0xc40000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

WerFault.exe, the Windows Error Reporting handler, started two seconds after the sample, and its six dropped files are the only file-system output recorded for the run; the sample was executed with administrator privileges, so the absence of further behaviour is not explained by a lack of rights. A practitioner should treat this as a sample that crashed or bailed out early (the Virtualization/Sandbox Evasion signature is one candidate reason) rather than as one that has no capabilities.
Disassembly
Code Analysis