Windows Analysis Report
CVE-2022-26809.exe

Overview

General Information

Sample Name: CVE-2022-26809.exe
Analysis ID: 629914
MD5: 7e0c8be0d03c75bbdc6fd286a796434a
SHA1: 0e2e0d26caa32840a720be7f67b49d45094861cb
SHA256: 6c676773700c1de750c3f8767dbce9106317396d66a004aabbdd29882435d5e0

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains long sleeps (>= 3 min)

Classification

  • System is w10x64
  • CVE-2022-26809.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\CVE-2022-26809.exe" MD5: 7E0C8BE0D03C75BBDC6FD286A796434A)
    • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):

Source: 00000000.00000002.414274842.0000000002867000.00000004.00000800.00020000.00000000.sdmp
Rule: WiltedTulip_WindowsTask
Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks
Author: Florian Roth
Strings:
  • 0x13fe:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
  • 0x2e2e:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA

Source: Process Memory Space: CVE-2022-26809.exe PID: 7056
Rule: WiltedTulip_WindowsTask
Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks
Author: Florian Roth
Strings:
  • 0x4be4:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
  • 0x660f:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: CVE-2022-26809.exe; Virustotal: Detection: 29%
Source: CVE-2022-26809.exe; Joe Sandbox ML: detected
Source: CVE-2022-26809.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: CVE-2022-26809.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

System Summary

Source: 00000000.00000002.414274842.0000000002867000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks; Author: Florian Roth
Source: Process Memory Space: CVE-2022-26809.exe PID: 7056, type: MEMORYSTR; Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks; Author: Florian Roth
Source: CVE-2022-26809.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.414274842.0000000002867000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: CVE-2022-26809.exe PID: 7056, type: MEMORYSTR; Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: CVE-2022-26809.exe; Binary or memory string: OriginalFilename vs CVE-2022-26809.exe
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Code function: 0_2_049B0098
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Code function: 0_2_049B5C81
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Code function: 0_2_049B42B9
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Code function: 0_2_049B0320
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Code function: 0_2_049B1668
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Code function: 0_2_049B3060
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Code function: 0_2_049B0088
Source: CVE-2022-26809.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CVE-2022-26809.exe; Virustotal: Detection: 29%
Source: CVE-2022-26809.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: unknown; Process created: C:\Users\user\Desktop\CVE-2022-26809.exe "C:\Users\user\Desktop\CVE-2022-26809.exe"
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_01
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CVE-2022-26809.exe.log
Source: classification engine; Classification label: mal60.winEXE@2/2@0/0
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: CVE-2022-26809.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: CVE-2022-26809.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Code function: 0_2_00B029B4 pushfd ; ret 0_2_00B029AE
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Code function: 0_2_00B02928 pushfd ; ret 0_2_00B029AE
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Code function: 0_2_00B0299D pushfd ; ret 0_2_00B029AE
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Code function: 0_2_00B0288C pushfd ; ret 0_2_00B02922
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Code function: 0_2_00B0254C pushfd ; ret 0_2_00B0255A
Source: initial sample; Static PE information: section name: .text entropy: 7.53756303635
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Process information set: NOOPENFILEERRORBOX (reported 13 times)
Source: C:\Users\user\Desktop\CVE-2022-26809.exe TID: 7124; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Thread delayed: delay time: 922337203685477 (reported 2 times)
Source: C:\Users\user\Desktop\CVE-2022-26809.exe; Memory allocated: page read and write | page guard
MITRE ATT&CK matrix, listed per tactic column; the number in parentheses is the count of matched signatures for that technique, techniques without a number had no match:

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (21), Software Packing (2), Process Injection (1), Obfuscated Files or Information (2)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Virtualization/Sandbox Evasion (21), System Information Discovery (1), Query Registry, System Network Configuration Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features