
Windows Analysis Report
WCTBt2z7KE.exe

Overview

General Information

Sample Name: WCTBt2z7KE.exe
Analysis ID: 708235
MD5: 612955e16c4580bbc11798215426ff35
SHA1: 016c2f953e1c7a1ba88c1812d70751925ab9e3e0
SHA256: 2a39458d3161f7dae38dbad7e846ebecdbd802392f4cd0b845440914532a28d7
Tags: exemorpheus

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function

Process Tree

  • System is w10x64
  • WCTBt2z7KE.exe (PID: 1804 cmdline: "C:\Users\user\Desktop\WCTBt2z7KE.exe" MD5: 612955E16C4580BBC11798215426FF35)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Signature Details

Antivirus / Scanner detection for submitted sample
Source: WCTBt2z7KE.exe  Avira: detected

Multi AV Scanner detection for submitted file
Source: WCTBt2z7KE.exe  ReversingLabs: Detection: 22%
Source: WCTBt2z7KE.exe  Virustotal: Detection: 33%

Machine Learning detection for sample
Source: WCTBt2z7KE.exe  Joe Sandbox ML: detected

Contains functionality to call native functions
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_000000014000B64C NtdllDefWindowProc_W, GetWindowLongPtrW, GetWindowTextLengthW, RtlAllocateHeap, GetWindowTextW, EnableWindow, DestroyWindow, UnregisterClassW
Note: NtdllDefWindowProc_W and RtlAllocateHeap are the ntdll exports behind DefWindowProcW and HeapAlloc; next to the other USER32 calls this is an ordinary window procedure, so the signature carries little weight on its own.

PE file contains executable resources (Code or Archives)
Source: WCTBt2z7KE.exe  Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Note: the resource in question is 0xd (13) bytes long (resource table further down), far too small to be a real COM program; the type is a libmagic guess from its first bytes, not evidence of an embedded executable.

Detected potential crypto function
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_00000001400660A0
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_000000014000B758
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_00000001400138E5
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_00000001400154F0
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_0000000140015160
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_0000000140015170
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_0000000140013175
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_0000000140010210
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_0000000140016210
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_000000014000EA48
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_000000014001366E
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_0000000140012FDD
Note: 0_2_00000001400660A0 is the entry point inside UPX1, i.e. the UPX decompression stub; decompression loops routinely trigger this heuristic, so none of these addresses should be read as a cipher before the unpacked code has been inspected.

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_00000001400660A0 EntryPoint, LoadLibraryA, GetProcAddress, ExitProcess, VirtualProtect, VirtualProtect, VirtualProtect
Note: LoadLibraryA/GetProcAddress followed by three VirtualProtect calls at the entry point is the UPX stub rebuilding the import table and restoring section protections after decompression. The static import table (further down) names only one function per DLL plus these four KERNEL32 APIs, which is exactly the shape UPX leaves behind.

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_3_004509C9 push ebx; retf
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_3_00451C49 push edi; retf
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_3_00450A0A push edi; iretd
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_3_00450A19 push edi; iretd
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_3_00451B19 push edx; retf
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_3_00451C79 push es; iretd
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_3_00451B38 push edi; iretd
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_3_0045093A push edi; iretd
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_000000014001BD3E push rbx; ret
Note: the 0_3_ addresses lie far below the 0x140000000 image base, and sequences such as "push es; iretd" or "push edi; retf" are what compressed or other non-code bytes look like when decoded as x86. Treat this as a weak indicator until the unpacked image has been disassembled.

Program does not show much activity (idle)
Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Other observations
Source: WCTBt2z7KE.exe  Static PE information: section names UPX0, UPX1
Source: WCTBt2z7KE.exe  Static PE information: Image base 0x140000000 > 0x60000000 (the linker default for x64 executables; with RELOCS_STRIPPED set and no DYNAMIC_BASE flag the image always maps at this address)
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: this is the Software Restriction Policies key; reads of it are routinely produced by Windows' own SRP checks on process creation and shell-execution paths (the sample imports ShellExecuteExW), so on its own it is not evidence that the sample deliberately probes policy.
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_000000014000C4D0 RtlRemoveVectoredExceptionHandler, RtlAddVectoredExceptionHandler, RtlAddVectoredContinueHandler
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe  Code function: 0_2_000000014001F888 RtlAddVectoredExceptionHandler
Source: classification engine  Classification label: mal60.winEXE@1/0@0/0
MITRE ATT&CK Matrix (techniques with at least one matching signature; the count is the number of signature hits)

Tactic               Technique                         Hits
Execution            Native API                         1
Defense Evasion      Software Packing                   1
Defense Evasion      Obfuscated Files or Information   11
Discovery            System Information Discovery       1
Collection           Archive Collected Data             1
Command and Control  Encrypted Channel                  1

No techniques matched for Initial Access, Persistence, Privilege Escalation, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact.
Antivirus scanner results for the submitted file

Source          Detection  Scanner         Label
WCTBt2z7KE.exe  22%        ReversingLabs
WCTBt2z7KE.exe  33%        Virustotal
WCTBt2z7KE.exe  17%        Metadefender
WCTBt2z7KE.exe  100%       Avira           HEUR/AGEN.1226841
WCTBt2z7KE.exe  100%       Joe Sandbox ML
No other Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 708235
Start date and time: 2022-09-23 07:54:01 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 50s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: WCTBt2z7KE.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 65% (good quality ratio 39.1%)
  • Quality average: 38%
  • Quality standard deviation: 36.6%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
No simulations
No context
No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 3.06384833991322 (whole-file value; it is pulled down by the large low-entropy .rsrc section and the empty UPX0 section, while UPX1 alone is at 7.97, see the section table)
TrID:
  • Win64 Executable GUI (202006/5) 81.25%
  • UPX compressed Win32 Executable (30571/9) 12.30%
  • Win64 Executable (generic) (12005/4) 4.83%
  • Generic Win/DOS Executable (2004/3) 0.81%
  • DOS Executable Generic (2002/1) 0.81%
File name: WCTBt2z7KE.exe
File size: 325632
MD5: 612955e16c4580bbc11798215426ff35
SHA1: 016c2f953e1c7a1ba88c1812d70751925ab9e3e0
SHA256: 2a39458d3161f7dae38dbad7e846ebecdbd802392f4cd0b845440914532a28d7
SHA512: 1e766f005a182e6d5c1f8d83fef6a216935246501a6b175face5ee780daa660d75e5c314346ee1788ff0a4bb7a4320c93b3f37a9af6c20f5f153b40577113916
SSDEEP: 1536:24dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTN7nCcfrHc:24dzVTaer344JzthRZijQ1JWcfr
TLSH: B964AF8EFD64BCE8C41ED3720692087C61399116DA1B670DD5BFD5B7DBA2A843F40683
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...E.@]........../....2.....0.......`.........@...........................................................................
Icon Hash: 008039c4c4384000
Entrypoint: 0x1400660a0
Entrypoint Section: UPX1 (the entry point sits in the compressed section, i.e. execution starts in the packer stub, not in the original program)
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics: (none set: no DYNAMIC_BASE, NX_COMPAT or HIGH_ENTROPY_VA; together with RELOCS_STRIPPED this means the image is never relocated and always maps at 0x140000000)
Time Stamp: 0x5D400545 [Tue Jul 30 08:52:21 2019 UTC]
TLS Callbacks: none
CLR (.Net) Version: none (native code)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: a50e815adb2cfe3e58d388c791946db8
Entrypoint instructions (start of the UPX1 stub at 0x1400660a0, as listed by the report). The listing is a 32-bit decoding of x86-64 code: the REX prefix bytes 0x48, 0x49, 0x4C, 0x44 and 0x45 appear as "dec eax", "dec ecx", "dec esp", "inc esp" and "inc ebp", so for example "dec eax / lea esi, dword ptr [FFFF3F7Ah]" is a single RIP-relative "lea rsi, [rip+disp32]", "dec eax / lea edi, dword ptr [esi-00059025h]" is "lea rdi, [rsi-0x59025]", and the four pushes at the top are 64-bit register pushes. Read it as the standard UPX x64 decompressor prologue rather than as 32-bit arithmetic.
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFFF3F7Ah]
dec eax
lea edi, dword ptr [esi-00059025h]
push edi
mov eax, 00064A7Fh
push eax
dec eax
mov ecx, esp
dec eax
mov edx, edi
dec eax
mov edi, esi
mov esi, 0000C075h
push ebp
dec eax
mov ebp, esp
inc esp
mov ecx, dword ptr [ecx]
dec ecx
mov eax, edx
dec eax
mov edx, esi
dec eax
lea esi, dword ptr [edi+02h]
push esi
mov al, byte ptr [edi]
dec edx
mov cl, al
and al, 07h
shr cl, 00000003h
dec eax
mov ebx, FFFFFD00h
dec eax
shl ebx, cl
mov cl, al
dec eax
lea ebx, dword ptr [esp+ebx*2-00000E78h]
dec eax
and ebx, FFFFFFC0h
push 00000000h
dec eax
cmp esp, ebx
jne 00007F759126C5BBh
push ebx
dec eax
lea edi, dword ptr [ebx+08h]
mov cl, byte ptr [esi-01h]
dec edx
mov byte ptr [edi+02h], al
mov al, cl
shr cl, 00000004h
mov byte ptr [edi+01h], cl
and al, 0Fh
mov byte ptr [edi], al
dec eax
lea ecx, dword ptr [edi-04h]
push eax
inc ecx
push edi
dec eax
lea eax, dword ptr [edi+04h]
inc ebp
xor edi, edi
inc ecx
push esi
inc ecx
mov esi, 00000001h
inc ecx
push ebp
inc ebp
xor ebp, ebp
inc ecx
push esp
push ebp
push ebx
dec eax
mov dword ptr [esp-10h], ecx
dec eax
mov dword ptr [esp-28h], eax
mov eax, 00000001h
dec eax
mov dword ptr [esp-08h], esi
dec esp
mov dword ptr [esp-18h], eax
mov ebx, eax
inc esp
mov dword ptr [esp-1Ch], ecx
movzx ecx, byte ptr [edi+02h]
shl ebx, cl
mov ecx, ebx
dec eax
mov ebx, dword ptr [esp+38h]
Data directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa955c          0x28c         .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x67000          0x4255c       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x1d000          0x10d4        UPX0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections

Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
UPX0   0x1000           0x59000       0x0       False     0                    empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1   0x5a000          0xd000        0xce00    False     0.9676501820388349   data       7.969338587590873   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  0x67000          0x43000       0x42800   False     0.03488457471804511  data       1.4954359032844007  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources

Name           RVA      Size     Type
RT_ICON        0x672b0  0x42028  data
RT_RCDATA      0x642d4  0x93     data
RT_RCDATA      0x64368  0xd      DOS executable (COM, 0x8C-variant) [13 bytes]
RT_RCDATA      0x64378  0xcf     data
RT_RCDATA      0x64448  0x1      very short file (no magic)
RT_GROUP_ICON  0xa92dc  0x14     data
RT_MANIFEST    0xa92f4  0x267    XML 1.0 document, ASCII text
Imports

DLL           Import
COMCTL32.DLL  InitCommonControlsEx
GDI32.DLL     GetStockObject
KERNEL32.DLL  LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
msvcrt.dll    free
OLE32.DLL     CoInitialize
SHELL32.DLL   ShellExecuteExW
SHLWAPI.DLL   PathRemoveArgsW
USER32.DLL    SetFocus
WINMM.DLL     timeBeginPeriod

This is the import table UPX leaves behind: one function per DLL, so that the loader maps each library, plus the four KERNEL32 functions the stub itself needs to resolve the real imports after decompression. The original program's actual API usage is only visible in the unpacked image.
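The static information above (UPX0/UPX1 section names, entry point inside a section at almost 8 bits per byte, an RWX section with zero raw bytes but 0x59000 virtual bytes, RELOCS_STRIPPED with an empty DllCharacteristics) is the classic UPX footprint. As an added example, not part of the Joe Sandbox report and not code from the sample, the following Python walks PE32+ headers with only the standard library and applies those heuristics. The input is a constructed PE32+ that mirrors the report's section layout (names, RVAs, sizes, entry point, image base); the random filler in UPX1 stands in for compressed bytes and is not the sample's data.

```python
import math
import struct
from collections import Counter

# Constants from the PE/COFF specification
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for compressed or encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Minimal PE32+ header walk: entry point, image base, flags and per-section entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x20B:
        raise ValueError("this example handles PE32+ only")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from("<8sIIIIIIHHI", blob, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "characteristics": sc,
                         "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
        off += 40
    entry_sec = next((s["name"] for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return {"entry_rva": entry_rva, "entry_section": entry_sec, "image_base": image_base,
            "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED),
            "dll_characteristics": dll_chars, "sections": sections}


def packing_indicators(pe: dict) -> list:
    """Packer heuristics; each hit is a reason string, an empty list means nothing packer-like was seen."""
    out = []
    if any(s["name"].startswith("UPX") for s in pe["sections"]):
        out.append("UPX section names")
    for s in pe["sections"]:
        rwx = s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE
        if s["name"] == pe["entry_section"] and s["entropy"] > 7.0:
            out.append(f"entry point in high-entropy executable section {s['name']} ({s['entropy']:.2f} bits/byte)")
        if rwx and s["rawsize"] == 0 and s["vsize"] > 0:
            out.append(f"section {s['name']} is RWX with 0 raw bytes and 0x{s['vsize']:x} virtual bytes: unpacking target")
    if pe["relocs_stripped"] and pe["dll_characteristics"] == 0:
        out.append("relocations stripped and DllCharacteristics == 0: fixed image base, no ASLR/DEP opt-in flags")
    return out


def build_sample_pe() -> bytes:
    """Constructed PE32+ (not the analysed file) that mirrors the report's section layout."""
    import random
    rng = random.Random(0)
    upx1_raw = bytes(rng.getrandbits(8) for _ in range(0x1000))  # stands in for compressed data
    rsrc_raw = b"\0" * 0x1000 + b"A" * 0x200                     # stands in for low-entropy resources
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    # Machine AMD64, 3 sections, the report's timestamp, 240-byte optional header, Characteristics 0x2F
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x5D400545, 0, 0, 240, 0x002F)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x660A0)                     # AddressOfEntryPoint, inside UPX1
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # ImageBase; DllCharacteristics stays 0
    layout = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b"UPX0", 0x59000, 0x1000, 0, 0x400, 0xE0000080),        # uninitialised RWX, nothing on disk
        (b"UPX1", 0xD000, 0x5A000, 0x1000, 0x400, 0xE0000040),   # initialised RWX, holds stub + data
        (b".rsrc", 0x43000, 0x67000, 0x1200, 0x1400, 0xC0000040),
    ]
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, sc) for n, vs, va, rs, rp, sc in layout)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x400, b"\0")
    return headers + upx1_raw + rsrc_raw


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:<6} va=0x{s['va']:x} raw=0x{s['rawsize']:x} entropy={s['entropy']:.2f}")
    print("entry point section:", pe["entry_section"])
    for reason in packing_indicators(pe):
        print("-", reason)
```

Run against a real file with parse_pe(open(path, "rb").read()); the per-section entropy is what separates a packer from a merely large binary, which is why the whole-file entropy of 3.06 reported above says so little on its own.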
No network behavior found
No statistics
Target ID: 0
Start time: 07:55:00
Start date: 23/09/2022
Path: C:\Users\user\Desktop\WCTBt2z7KE.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\WCTBt2z7KE.exe"
Imagebase: 0x140000000
File size: 325632 bytes
MD5 hash: 612955E16C4580BBC11798215426FF35
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

No disassembly