
Windows Analysis Report
WCTBt2z7KE.exe

Overview

General Information

Sample Name: WCTBt2z7KE.exe
Analysis ID: 708235
MD5: 612955e16c4580bbc11798215426ff35
SHA1: 016c2f953e1c7a1ba88c1812d70751925ab9e3e0
SHA256: 2a39458d3161f7dae38dbad7e846ebecdbd802392f4cd0b845440914532a28d7
Tags: exemorpheus

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function

Classification

  • System is w10x64
  • WCTBt2z7KE.exe (PID: 1804 cmdline: "C:\Users\user\Desktop\WCTBt2z7KE.exe" MD5: 612955E16C4580BBC11798215426FF35)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: WCTBt2z7KE.exe | Avira: detected
Source: WCTBt2z7KE.exe | ReversingLabs: Detection: 22%
Source: WCTBt2z7KE.exe | Virustotal: Detection: 33%
Source: WCTBt2z7KE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_000000014000B64C NtdllDefWindowProc_W,GetWindowLongPtrW,GetWindowTextLengthW,RtlAllocateHeap,GetWindowTextW,EnableWindow,DestroyWindow,UnregisterClassW,
Source: WCTBt2z7KE.exe | Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_00000001400660A0
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_000000014000B758
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_00000001400138E5
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_00000001400154F0
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_0000000140015160
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_0000000140015170
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_0000000140013175
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_0000000140010210
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_0000000140016210
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_000000014000EA48
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_000000014001366E
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_0000000140012FDD
Source: WCTBt2z7KE.exe | ReversingLabs: Detection: 22%
Source: WCTBt2z7KE.exe | Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal60.winEXE@1/0@0/0
Source: WCTBt2z7KE.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_00000001400660A0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_3_004509C9 push ebx; retf
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_3_00451C49 push edi; retf
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_3_00450A0A push edi; iretd
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_3_00450A19 push edi; iretd
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_3_00451B19 push edx; retf
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_3_00451C79 push es; iretd
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_3_00451B38 push edi; iretd
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_3_0045093A push edi; iretd
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_000000014001BD3E push rbx; ret
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_00000001400660A0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_000000014000C4D0 RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler,RtlAddVectoredContinueHandler,
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe | Code function: 0_2_000000014001F888 RtlAddVectoredExceptionHandler,
MITRE ATT&CK Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Native API | Path Interception | Path Interception | 1 Software Packing | OS Credential Dumping | 1 System Information Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Obfuscated Files or Information | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
