Windows Analysis Report
AIO.exe

Overview

General Information

Sample Name: AIO.exe
Analysis ID: 708236
MD5: 9c1181704c48d62de14c5f682c4f5d5e
SHA1: ada9921624f3225054745643b0d4504939efd1aa
SHA256: 44ea8ae385d7d95d4f0b9c6969c0d0ca55acfd996e97236c0ae04eb2b4b2d623
Tags: droppedexemorpheus

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
PE file contains more sections than normal
Potential time zone aware malware
Installs a raw input device (often for capturing keystrokes)
Program does not show much activity (idle)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names

Classification

  • System is w10x64
  • AIO.exe (PID: 4572 cmdline: "C:\Users\user\Desktop\AIO.exe" MD5: 9C1181704C48D62DE14C5F682C4F5D5E)
    • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: AIO.exe | Virustotal: Detection: 7%
Source: AIO.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.5:49697 -> 185.25.204.244:9090
Source: unknown | TCP traffic detected without corresponding DNS query: 185.25.204.244
Source: AIO.exe | Binary or memory string: github.com/gonutz/w32/v2.getRawInputData
Source: AIO.exe | Static PE information: Number of sections : 14 > 10
Source: AIO.exe | Static PE information: Section: /19 ZLIB complexity 0.9970344753440367
Source: AIO.exe | Static PE information: Section: /32 ZLIB complexity 0.9973810369318182
Source: AIO.exe | Static PE information: Section: /65 ZLIB complexity 0.9984575565403423
Source: AIO.exe | Virustotal: Detection: 7%
Source: AIO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AIO.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AIO.exe | String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: classification engine | Classification label: mal48.winEXE@2/0@0/1
Source: unknown | Process created: C:\Users\user\Desktop\AIO.exe "C:\Users\user\Desktop\AIO.exe"
Source: C:\Users\user\Desktop\AIO.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_01
Source: AIO.exe | Static file information: File size 4077056 > 1048576
Source: AIO.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: AIO.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12ea00
Source: AIO.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x131a00
Source: AIO.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: AIO.exe | Static PE information: section name: /4
Source: AIO.exe | Static PE information: section name: /19
Source: AIO.exe | Static PE information: section name: /32
Source: AIO.exe | Static PE information: section name: /46
Source: AIO.exe | Static PE information: section name: /65
Source: AIO.exe | Static PE information: section name: /78
Source: AIO.exe | Static PE information: section name: /90
Source: AIO.exe | Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\AIO.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\AIO.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AIO.exe | System information queried: CurrentTimeZoneInformation
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: AIO.exe, 00000000.00000002.309927572.000002228A628000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllooJ
MITRE ATT&CK Matrix (techniques listed per tactic; the number shown in the report for a matched technique is given in parentheses)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Software Packing (1); Process Injection (1); Obfuscated Files or Information
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager
Discovery: System Time Discovery (1); Security Software Discovery (1); System Information Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Input Capture (11); Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Non-Standard Port (1); Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph (ID: 708236, Sample: AIO.exe, Start date: 23/09/2022, Architecture: WINDOWS, Score: 48)

  • Start -> signature: Multi AV Scanner detection for submitted file
  • Start -> AIO.exe (started)
  • AIO.exe -> 185.25.204.244, port 49697 -> 9090, ASSERVEREASYIT, Italy
  • AIO.exe -> conhost.exe (started)

Source | Detection | Scanner
AIO.exe | 0% | ReversingLabs
AIO.exe | 7% | Virustotal
No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
185.25.204.244 | unknown | Italy | 60798 | ASSERVEREASYIT | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 708236
Start date and time: 2022-09-23 07:54:04 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 5s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: AIO.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winEXE@2/0@0/1
EGA Information: Failed
HDC Information:
  • Successful, ratio: 100% (good quality ratio 100%)
  • Quality average: 75.8%
  • Quality standard deviation: 24.4%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Execution Graph export aborted for target AIO.exe, PID 4572 because there are no executed functions
  • Not all processes were analyzed; report is missing behavior information
No simulations
No context
No created / dropped files found
File type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.745466282178942
TrID:
  • Win64 Executable (generic) (12005/4) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: AIO.exe
File size: 4077056
MD5: 9c1181704c48d62de14c5f682c4f5d5e
SHA1: ada9921624f3225054745643b0d4504939efd1aa
SHA256: 44ea8ae385d7d95d4f0b9c6969c0d0ca55acfd996e97236c0ae04eb2b4b2d623
SHA512: 42756ad205c3e99b3a9c0eda1dbaa80923b714ab56e9ab987917e6a41b52571f6965254ee9dc486c2e444d080554956ad4059ca5695d36de53d92201583e4f05
SSDEEP: 49152:g8CBJF3V3kt1rb/TLvO90d7HjmAFd4A64nsfJr3J66/XUg/UljSVZgxxkq1QarAU:U3WeIAnba7tKtzQ
TLSH: 45164C03784758A4C4B993BD8565C2D576337B84EB3227D32A20A6799A72FC34E3E3D4
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........7......."..................Y........@...............................D...........`... ............................
Icon Hash: 20000a0021000480
Entrypoint: 0x465900
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 9cbefe68f395e67356e2a5d8d1b285c0
Instruction
jmp 00007F4E18D1BB00h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [00000028h]
dec eax
cmp edx, 00000000h
jne 00007F4E18D1F80Eh
dec eax
mov eax, 00000000h
jmp 00007F4E18D1F885h
dec eax
mov edx, dword ptr [edx+00000000h]
dec eax
cmp edx, 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3dc000 | 0x47c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x414000 | 0x33170 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3dd000 | 0x5580 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x262180 | 0x140 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x12e80d | 0x12ea00 | False | 0.44155953118546054 | data | 6.13492107696467 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x130000 | 0x131988 | 0x131a00 | False | 0.40479933537832313 | data | 5.362616895297891 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x262000 | 0x777c8 | 0x1ba00 | False | 0.37963093891402716 | data | 4.4437373554282775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4 | 0x2da000 | 0x127 | 0x200 | False | 0.6171875 | data | 5.097874074212899 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19 | 0x2db000 | 0x36747 | 0x36800 | False | 0.9970344753440367 | data | 7.994232193058085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32 | 0x312000 | 0xafd1 | 0xb000 | False | 0.9973810369318182 | data | 7.939671694657932 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46 | 0x31d000 | 0x30 | 0x200 | False | 0.103515625 | data | 0.8556848540171443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65 | 0x31e000 | 0x663f5 | 0x66400 | False | 0.9984575565403423 | data | 7.996921212792595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78 | 0x385000 | 0x43014 | 0x43200 | False | 0.9842695239757915 | data | 7.992613233207576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90 | 0x3c9000 | 0x122ad | 0x12400 | False | 0.9734321489726028 | data | 7.801216600325401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata | 0x3dc000 | 0x47c | 0x600 | False | 0.333984375 | data | 3.572216214307509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x3dd000 | 0x5580 | 0x5600 | False | 0.32562681686046513 | data | 5.4368326520791035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x3e3000 | 0x30c15 | 0x30e00 | False | 0.24586397058823528 | data | 5.2949299515861545 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x414000 | 0x33170 | 0x33200 | False | 0.029206143031784843 | data | 2.383138623744508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x4140e8 | 0x32c38 | data | |
RT_GROUP_ICON | 0x446d20 | 0x14 | data | |
RT_MANIFEST | 0x446d38 | 0x434 | XML 1.0 document, ASCII text | English | United States
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 23, 2022 07:55:03.822855949 CEST | 49697 | 9090 | 192.168.2.5 | 185.25.204.244
Sep 23, 2022 07:55:03.848623037 CEST | 9090 | 49697 | 185.25.204.244 | 192.168.2.5
Sep 23, 2022 07:55:04.354446888 CEST | 49697 | 9090 | 192.168.2.5 | 185.25.204.244
Sep 23, 2022 07:55:04.380914927 CEST | 9090 | 49697 | 185.25.204.244 | 192.168.2.5
Sep 23, 2022 07:55:04.885790110 CEST | 49697 | 9090 | 192.168.2.5 | 185.25.204.244
Sep 23, 2022 07:55:04.911514044 CEST | 9090 | 49697 | 185.25.204.244 | 192.168.2.5


Target ID: 0
Start time: 07:55:02
Start date: 23/09/2022
Path: C:\Users\user\Desktop\AIO.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\AIO.exe"
Imagebase: 0x1a0000
File size: 4077056 bytes
MD5 hash: 9C1181704C48D62DE14C5F682C4F5D5E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 1
Start time: 07:55:03
Start date: 23/09/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fcd70000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly