
Windows Analysis Report
40_115.exe

Overview

General Information

Sample Name: 40_115.exe
Analysis ID: 609861
MD5: 7c05da2e4612fca213430b6c93e76b06
SHA1: fdeb96bc3d4ab32ef826e7e53f4fe1c72e580379
SHA256: d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00
Tags: exe, relatedtoIndustroyer, relatedtoIndustroyer2, sandstorm

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)

Classification

  • System is w10x64
  • 40_115.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\40_115.exe" MD5: 7C05DA2E4612FCA213430B6C93E76B06)
    • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Source: 40_115.exe; Rule: dragos_crashoverride_moduleStrings; Description: IEC-104 Interaction Module Program Strings; Author: Dragos Inc; Strings:
  • 0x82f4:$s2: MSTR ->> SLV
  • 0x8340:$s2: MSTR ->> SLV
  • 0x8558:$s2: MSTR ->> SLV
  • 0x8364:$s3: MSTR <<- SLV
  • 0x8380:$s3: MSTR <<- SLV
  • 0x8390:$s3: MSTR <<- SLV
  • 0x83a0:$s3: MSTR <<- SLV
  • 0x83c4:$s3: MSTR <<- SLV
  • 0x83e8:$s3: MSTR <<- SLV
  • 0x840c:$s3: MSTR <<- SLV
  • 0x8568:$s3: MSTR <<- SLV
  • 0x85a8:$s4: Unknown APDU format !!!
Source: 00000000.00000000.234960631.0000000000A49000.00000002.00000001.01000000.00000003.sdmp; Rule: dragos_crashoverride_moduleStrings; Description: IEC-104 Interaction Module Program Strings; Author: Dragos Inc; Strings:
  • 0xcf4:$s2: MSTR ->> SLV
  • 0xd40:$s2: MSTR ->> SLV
  • 0xf58:$s2: MSTR ->> SLV
  • 0xd64:$s3: MSTR <<- SLV
  • 0xd80:$s3: MSTR <<- SLV
  • 0xd90:$s3: MSTR <<- SLV
  • 0xda0:$s3: MSTR <<- SLV
  • 0xdc4:$s3: MSTR <<- SLV
  • 0xde8:$s3: MSTR <<- SLV
  • 0xe0c:$s3: MSTR <<- SLV
  • 0xf68:$s3: MSTR <<- SLV
  • 0xfa8:$s4: Unknown APDU format !!!
Source: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmp; Rule: dragos_crashoverride_moduleStrings; Description: IEC-104 Interaction Module Program Strings; Author: Dragos Inc; Strings:
  • 0xcf4:$s2: MSTR ->> SLV
  • 0xd40:$s2: MSTR ->> SLV
  • 0xf58:$s2: MSTR ->> SLV
  • 0xd64:$s3: MSTR <<- SLV
  • 0xd80:$s3: MSTR <<- SLV
  • 0xd90:$s3: MSTR <<- SLV
  • 0xda0:$s3: MSTR <<- SLV
  • 0xdc4:$s3: MSTR <<- SLV
  • 0xde8:$s3: MSTR <<- SLV
  • 0xe0c:$s3: MSTR <<- SLV
  • 0xf68:$s3: MSTR <<- SLV
  • 0xfa8:$s4: Unknown APDU format !!!
Source: Process Memory Space: 40_115.exe PID: 7112; Rule: dragos_crashoverride_moduleStrings; Description: IEC-104 Interaction Module Program Strings; Author: Dragos Inc; Strings:
  • 0x39e0:$s2: MSTR ->> SLV
  • 0x3f71:$s2: MSTR ->> SLV
  • 0x41fc:$s2: MSTR ->> SLV
  • 0x6147:$s2: MSTR ->> SLV
  • 0x66d8:$s2: MSTR ->> SLV
  • 0x6963:$s2: MSTR ->> SLV
  • 0x39f0:$s3: MSTR <<- SLV
  • 0x3f90:$s3: MSTR <<- SLV
  • 0x3fa8:$s3: MSTR <<- SLV
  • 0x3fb7:$s3: MSTR <<- SLV
  • 0x3fc6:$s3: MSTR <<- SLV
  • 0x3fd7:$s3: MSTR <<- SLV
  • 0x420b:$s3: MSTR <<- SLV
  • 0x6157:$s3: MSTR <<- SLV
  • 0x66f7:$s3: MSTR <<- SLV
  • 0x670f:$s3: MSTR <<- SLV
  • 0x671e:$s3: MSTR <<- SLV
  • 0x672d:$s3: MSTR <<- SLV
  • 0x673e:$s3: MSTR <<- SLV
  • 0x6972:$s3: MSTR <<- SLV
  • 0x4093:$s4: Unknown APDU format !!!
Source: 0.2.40_115.exe.a40000.0.unpack; Rule: dragos_crashoverride_moduleStrings; Description: IEC-104 Interaction Module Program Strings; Author: Dragos Inc; Strings:
  • 0x82f4:$s2: MSTR ->> SLV
  • 0x8340:$s2: MSTR ->> SLV
  • 0x8558:$s2: MSTR ->> SLV
  • 0x8364:$s3: MSTR <<- SLV
  • 0x8380:$s3: MSTR <<- SLV
  • 0x8390:$s3: MSTR <<- SLV
  • 0x83a0:$s3: MSTR <<- SLV
  • 0x83c4:$s3: MSTR <<- SLV
  • 0x83e8:$s3: MSTR <<- SLV
  • 0x840c:$s3: MSTR <<- SLV
  • 0x8568:$s3: MSTR <<- SLV
  • 0x85a8:$s4: Unknown APDU format !!!
Source: 0.0.40_115.exe.a40000.0.unpack; Rule: dragos_crashoverride_moduleStrings; Description: IEC-104 Interaction Module Program Strings; Author: Dragos Inc; Strings:
  • 0x82f4:$s2: MSTR ->> SLV
  • 0x8340:$s2: MSTR ->> SLV
  • 0x8558:$s2: MSTR ->> SLV
  • 0x8364:$s3: MSTR <<- SLV
  • 0x8380:$s3: MSTR <<- SLV
  • 0x8390:$s3: MSTR <<- SLV
  • 0x83a0:$s3: MSTR <<- SLV
  • 0x83c4:$s3: MSTR <<- SLV
  • 0x83e8:$s3: MSTR <<- SLV
  • 0x840c:$s3: MSTR <<- SLV
  • 0x8568:$s3: MSTR <<- SLV
  • 0x85a8:$s4: Unknown APDU format !!!
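The match tables above list the same three rule strings ($s2, $s3, $s4) at file offsets, in two memory dumps and in the unpacked PE. The following is an added example, not part of the Joe Sandbox report and not the Dragos rule itself: it scans a buffer for exactly those three strings (the rule's remaining strings and its condition are not shown on this page, so a hit here approximates a YARA "any of ($s*)" over what is visible), reports offsets in the report's `0xOFFSET:$id: value` layout, and checks the buffer's SHA256 against the hash in the report header. The input buffer is constructed for the example; the real sample is not embedded.

```python
import hashlib
from typing import List, Tuple

# String identifiers and values exactly as listed in the report's YARA match
# tables (rule dragos_crashoverride_moduleStrings, author Dragos Inc). Only
# these three appear on the page; the full rule is not reproduced here.
RULE_STRINGS = {
    "$s2": b"MSTR ->> SLV",
    "$s3": b"MSTR <<- SLV",
    "$s4": b"Unknown APDU format !!!",
}

# SHA256 from the report header; lets a reader confirm they scanned that sample.
REPORT_SHA256 = "d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00"


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in haystack, overlapping matches included."""
    hits, start = [], 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def scan(data: bytes) -> List[Tuple[int, str, str]]:
    """(offset, identifier, encoding) for each rule string, looked up both as
    plain ASCII and as UTF-16LE ("wide"), sorted by offset like YARA output."""
    matches = []
    for ident, value in RULE_STRINGS.items():
        wide = value.decode("ascii").encode("utf-16-le")
        for enc, needle in (("ascii", value), ("wide", wide)):
            matches += [(off, ident, enc) for off in find_all(data, needle)]
    return sorted(matches)


def matches_rule(data: bytes) -> bool:
    """Approximates an 'any of ($s*)' condition over the three known strings."""
    return bool(scan(data))


def sha256_matches_report(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() == REPORT_SHA256


def format_matches(matches: List[Tuple[int, str, str]]) -> List[str]:
    """Render matches in the report's layout, e.g. '0x82f4:$s2: MSTR ->> SLV'."""
    lines = []
    for off, ident, enc in matches:
        text = RULE_STRINGS[ident].decode("ascii")
        suffix = " (wide)" if enc == "wide" else ""
        lines.append(f"0x{off:x}:{ident}: {text}{suffix}")
    return lines


# Constructed stand-in for a file: the log strings embedded once as ASCII and
# once as UTF-16LE between runs of padding. This is NOT the real sample.
SAMPLE = (
    b"\x00" * 0x20
    + b"MSTR ->> SLV\x00" + b"\x00" * 8
    + b"MSTR <<- SLV\x00" + b"\x00" * 4
    + "Unknown APDU format !!!".encode("utf-16-le") + b"\x00" * 8
    + b"PADDING"
)

if __name__ == "__main__":
    for line in format_matches(scan(SAMPLE)):
        print(line)
    print("rule strings present:", matches_rule(SAMPLE))
    print("buffer is the reported sample:", sha256_matches_report(SAMPLE))
```

To use it on a real file, replace `SAMPLE` with the file's bytes; `sha256_matches_report` should then return True for the sample this report describes, and the offsets from `scan` can be compared against the 0x82f4/0x8364/0x85a8 entries in the table. Scanning a process-memory dump instead of the file explains why the report's memory offsets differ from the file offsets: the same strings sit at different positions in the mapped image.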


Source: Process started; Author: frack113; Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Users\user\Desktop\40_115.exe" , ParentImage: C:\Users\user\Desktop\40_115.exe, ParentProcessId: 7112, ParentProcessName: 40_115.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 7120, ProcessName: conhost.exe
No Snort rule has matched


AV Detection

Source: 40_115.exe; Virustotal: Detection: 25%
Source: 40_115.exe; Metadefender: Detection: 14%
Source: 40_115.exe; ReversingLabs: Detection: 46%
Source: 40_115.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 40_115.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\40_115.exe; Code function: 0_2_00A45B30 recv,WSAGetLastError,WSAGetLastError,WSAGetLastError
Source: 40_115.exe, 00000000.00000002.273477826.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 40_115.exe, type: SAMPLE; Matched rule: IEC-104 Interaction Module Program Strings; Author: Dragos Inc
Source: 0.2.40_115.exe.a40000.0.unpack, type: UNPACKEDPE; Matched rule: IEC-104 Interaction Module Program Strings; Author: Dragos Inc
Source: 0.0.40_115.exe.a40000.0.unpack, type: UNPACKEDPE; Matched rule: IEC-104 Interaction Module Program Strings; Author: Dragos Inc
Source: 00000000.00000000.234960631.0000000000A49000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: IEC-104 Interaction Module Program Strings; Author: Dragos Inc
Source: 00000000.00000002.273265989.0000000000A49000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: IE