Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:67065
Start time:18:05:02
Joe Sandbox Product:CloudBasic
Start date:06.07.2018
Overall analysis duration:0h 3m 42s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Invoice_.xps
Cookbook file name:default.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean0.winXPS@1/10@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information:Failed
HDC Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .xps
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe

Detection

StrategyScoreRangeReportingDetection
Threshold00 - 100Report FP / FNclean

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold40 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior



Signature Overview

Click to jump to signature section


Networking:

barindex
Urls found in memory or binary dataShow sources
Source: xpsrchvw.exe, 00000001.00000002.21582361471.035B2000.00000004.sdmpString found in binary or memory: http://fontfabrik.comQ
Source: xpsrchvw.exe, 00000001.00000002.21574769845.00578000.00000004.sdmpString found in binary or memory: http://s
Source: xpsrchvw.exe, 00000001.00000002.21574769845.00578000.00000004.sdmpString found in binary or memory: http://sche
Source: xpsrchvw.exe, 00000001.00000002.21574769845.00578000.00000004.sdmpString found in binary or memory: http://schema
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/FixedDoc.fdoc
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/FixedDoc.fdoc.
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/Pages/../../../Resources/24DE1777-7646-60E0-8B61-50471F230D5B.odt
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/Pages/../../../Resources/745F30EE-6392-7712-3830-072548342D12.odt
Source: xpsrchvw.exe, 00000001.00000002.21574389541.002E3000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/Pages/../../../Resources/Images/image_0.png
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/Pages/../../../Resources/Images/image_1.png
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/Pages/../../../Resources/Images/image_2.png
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/Pages/../Structure/Fragments/1.frag
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/Pages/1.fpage
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/Pages/_rels/1.fpage.rels
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/Structure/DocStructure.struct
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/Structure/Fragments/1.frag
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/Documents/1/_rels/FixedDoc.fdoc.rels
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/FixedDocSeq.fdseq3
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/FixedDocSeq.fdseq?
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Resources/24DE1777-7646-60E0-8B61-50471F230D5B.odttf
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Resources/745F30EE-6392-7712-3830-072548342D12.odttf
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Resources/Images/image_0.png
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/Resources/Images/image_1.png
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Resources/Images/image_1.pngz
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Resources/Images/image_2.png
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/Resources/Images/image_2.pngd
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/_rels/.rels
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/_rels/FixedDocSeq.fdseq.rels
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/_rels/FixedDocSeq.fdseq.rels2
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/docProps/core.xml
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/docProps/thumbnail.jpeg
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.fdoc
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.fdseq
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.fpage
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.frag
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.jpeg
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.jpegO
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.odttf
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.png
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.rels
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.relsC
Source: xpsrchvw.exe, 00000001.00000002.21574024016.00223000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.struct
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.xml
Source: xpsrchvw.exe, 00000001.00000002.21574226699.00280000.00000004.sdmpString found in binary or memory: http://www.example.com/samplePartName.xmli~

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: clean0.winXPS@1/10@0/0
Creates temporary filesShow sources
Source: C:\Windows\System32\xpsrchvw.exeFile created: C:\Users\user\AppData\LocalLow\Temp\MicrosoftJump to behavior
Reads software policiesShow sources
Source: C:\Windows\System32\xpsrchvw.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\xpsrchvw.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32Jump to behavior
Executable creates window controls seldom found in malwareShow sources
Source: C:\Windows\System32\xpsrchvw.exeWindow found: window name: SysTabControl32Jump to behavior
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)Show sources
Source: C:\Windows\System32\xpsrchvw.exeWindow detected: Number of UI elements: 14
Source: C:\Windows\System32\xpsrchvw.exeWindow detected: Number of UI elements: 14

HIPS / PFW / Operating System Protection Evasion:

barindex
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: xpsrchvw.exe, 00000001.00000002.21575780471.00AE0000.00000002.sdmpBinary or memory string: Progman
Source: xpsrchvw.exe, 00000001.00000002.21575780471.00AE0000.00000002.sdmpBinary or memory string: Program Manager
Source: xpsrchvw.exe, 00000001.00000002.21575780471.00AE0000.00000002.sdmpBinary or memory string: Shell_TrayWnd

Anti Debugging:

barindex
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Windows\System32\xpsrchvw.exeMemory protected: page read and write | page guardJump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\System32\xpsrchvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\xpsrchvw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\System32\xpsrchvw.exeQueries volume information: C:\Users\user\AppData\LocalLow\Temp\Microsoft\OPC\DDT.g3s1a2iz06asrahit5ys80qhd.tmp VolumeInformationJump to behavior
Source: C:\Windows\System32\xpsrchvw.exeQueries volume information: C:\Users\user\AppData\LocalLow\Temp\Microsoft\OPC\DDT.r1q66iv0byiotad_83g6i24_e.tmp VolumeInformationJump to behavior
Source: C:\Windows\System32\xpsrchvw.exeQueries volume information: C:\Users\user\AppData\LocalLow\Temp\Microsoft\OPC\DDT.5kiwq4zy1xkb1kc1qbngmvheg.tmp VolumeInformationJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 process2 2 Behavior Graph ID: 67065 Sample: Invoice_.xps Startdate: 06/07/2018 Architecture: WINDOWS Score: 0 4 xpsrchvw.exe 4 24 2->4         started       

Simulations

Behavior and APIs

TimeTypeDescription
18:05:44API Interceptor1x Sleep call for process: xpsrchvw.exe modified

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
Invoice_.xps0%virustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots