
Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 66900
Start time: 16:48:12
Joe Sandbox Product: CloudBasic
Start date: 05.07.2018
Overall analysis duration: 0h 2m 4s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: winmonitor (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus25.winEXE@1/0@0/0
HCA Information: Failed
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 95.7%)
  • Quality average: 81.3%
  • Quality standard deviation: 26.3%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe

Detection

Strategy  | Score | Range   | Reporting      | Detection
Threshold | 25    | 0 - 100 | Report FP / FN | suspicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Signature Overview



AV Detection:

Antivirus detection for unpacked file
Source: 1.2.winmonitor.exe.1e0000.0.unpack, Avira: Label: HEUR/AGEN.1004669
Source: 1.0.winmonitor.exe.1e0000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 1.1.winmonitor.exe.1e0000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen2

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001EADB5 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001E3E45 push ecx; ret 1_2_001E3E58
Sample is packed with UPX
Source: initial sample, Static PE information: section name: UPX0
Source: initial sample, Static PE information: section name: UPX1

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001E1AF0 GetDriveTypeA,lstrlen,lstrcat,FindFirstFileA,lstrcmp,lstrcmp,lstrcmp,lstrcat,CreateThread,Sleep,Sleep,Sleep,FindNextFileA,FindClose

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001E8763
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001E1000
Enables security privileges
Source: C:\Users\user\Desktop\winmonitor.exe, Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: String function: 001E3E00 appears 40 times
Classification label
Source: classification engine, Classification label: sus25.winEXE@1/0@0/0
Reads software policies
Source: C:\Users\user\Desktop\winmonitor.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: winmonitor.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: .pdbo source: winmonitor.exe
Source: Binary string: \2_CRF\4_MT_PART\flkr\Release\flkr.pdb source: winmonitor.exe

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001E48CA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001EADB5 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001EBF55 CreateFileA,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,SetEndOfFile,GetLastError
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001E6A17 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001EBE3E SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001E48CA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001E2320 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

Malware Analysis System Evasion:

Found evaded block containing many API calls
Source: C:\Users\user\Desktop\winmonitor.exe, Evaded block: after key decision, graph_1-6725
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\winmonitor.exe, Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep, graph_1-6152
Source: C:\Users\user\Desktop\winmonitor.exe, Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess, graph_1-6254
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001E1AF0 GetDriveTypeA,lstrlen,lstrcat,FindFirstFileA,lstrcmp,lstrcmp,lstrcmp,lstrcat,CreateThread,Sleep,Sleep,Sleep,FindNextFileA,FindClose
Program exit points
Source: C:\Users\user\Desktop\winmonitor.exe, API call chain: ExitProcess graph end node, graph_1-6255

Hooking and other Techniques for Hiding and Protection:

Contains functionality to clear windows event logs (to hide its activities)
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001E1EB0 OpenEventLogA,OpenEventLogA,ClearEventLogW,CloseEventLog,ClearEventLogW,CloseEventLog,OpenEventLogA,ClearEventLogW,CloseEventLog,OpenEventLogA,ClearEventLogW,CloseEventLog,OpenEventLogA,ClearEventLogW,CloseEventLog,OpenEventLogA,ClearEventLogW,CloseEventLog,OpenEventLogA,ClearEventLogW,CloseEventLog

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001EC3E2 GetLocaleInfoA
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\winmonitor.exe, Code function: 1_2_001E7250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,RtlQueryPerformanceCounter

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
[Behavior graph image] Behavior Graph ID: 66900, Sample: winmonitor, Start date: 05/07/2018, Architecture: WINDOWS, Score: 25. Nodes: process winmonitor.exe (started); signature "Antivirus detection for unpacked file".

Simulations

Behavior and APIs

Time     | Type            | Description
16:48:25 | API Interceptor | 2x Sleep call for process: winmonitor.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                             | Detection | Scanner | Label              | Link
1.2.winmonitor.exe.1e0000.0.unpack | 100%      | Avira   | HEUR/AGEN.1004669  |
1.0.winmonitor.exe.1e0000.0.unpack | 100%      | Avira   | TR/Crypt.ZPACK.Gen2 |
1.1.winmonitor.exe.1e0000.0.unpack | 100%      | Avira   | TR/Crypt.ZPACK.Gen2 |

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots