Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
67AzzNNioP.exe

Overview

General Information

Sample Name:67AzzNNioP.exe
Analysis ID:708239
MD5:f44d0bd72d14338b655a6d4457419493
SHA1:dbe1773340912698515f76885f07d6faacbce09c
SHA256:8f8cb5930100e80159502fd6d224909606f47ff17614f89b41b650afc3a91b6d
Tags:185-25-204-244ServereasySrlexemorpheus
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Installs a raw input device (often for capturing keystrokes)
Searches for the Microsoft Outlook file path
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
File is packed with WinRar
Detected TCP or UDP traffic on non-standard ports
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • 67AzzNNioP.exe (PID: 3932 cmdline: "C:\Users\user\Desktop\67AzzNNioP.exe" MD5: F44D0BD72D14338B655A6D4457419493)
    • AIO.exe (PID: 5576 cmdline: "C:\Users\user\Desktop\AIO.exe" MD5: 9C1181704C48D62DE14C5F682C4F5D5E)
      • conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: 67AzzNNioP.exeReversingLabs: Detection: 27%
Source: 67AzzNNioP.exeVirustotal: Detection: 22%Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Desktop\AIO.exeVirustotal: Detection: 7%Perma Link
Source: 67AzzNNioP.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 67AzzNNioP.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 67AzzNNioP.exe
Source: C:\Users\user\Desktop\67AzzNNioP.exeCode function: 0_2_001EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_001EA69B
Source: C:\Users\user\Desktop\67AzzNNioP.exeCode function: 0_2_001FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_001FC220
Source: C:\Users\user\Desktop\67AzzNNioP.exeCode function: 0_2_0020B348 FindFirstFileExA,0_2_0020B348
Source: global trafficTCP traffic: 192.168.2.3:49702 -> 185.25.204.244:9090
Source: unknownTCP traffic detected without corresponding DNS query: 185.25.204.244
Source: unknownTCP traffic detected without corresponding DNS query: 185.25.204.244
Source: unknownTCP traffic detected without corresponding DNS query: 185.25.204.244
Source: 67AzzNNioP.exe, 00000000.00000003.264138468.000000000C2CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ,M3.2.0,M11.1.0476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitCallWindowProcWCreateHardLinkWCreatePopupMenuCreateWindowExWDefSubclassProcDeviceIoControlDialogBoxParamWDragAcceptFilesDuplicateHandleFailed to find Failed to load FindNextStreamWFlushViewOfFileGdiplusShutdownGetActiveWindowGetAdaptersInfoGetClassInfoExWGetCommandLineWGetEnhMetaFileWGetMenuItemRectGetMonitorInfoWGetProcessTimesGetRawInputDataGetStartupInfoWGetTextMetricsWHanifi_RohingyaImpersonateSelfInsertMenuItemWIsWindowEnabledIsWindowVisibleMonitorFromRectOpenThreadTokenOther_LowercaseOther_UppercasePlayEnhMetaFilePostQuitMessageProcess32FirstWPsalter_PahlaviRegCreateKeyExWRegDeleteValueWSetDCBrushColorShowWindowAsyncSwapMouseButtonUnmapViewOfFile]
Source: 67AzzNNioP.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\67AzzNNioP.exeCode function: 0_2_001E848E0_2_001E848E
Source: C:\Users\user\Desktop\67AzzNNioP.exeCode function: 0_2_001F6CDC0_2_001F6CDC
Source: C:\Users\user\Desktop\67AzzNNioP.exeCode function: 0_2_001F40880_2_001F4088
Source: C:\Users\user\Desktop\67AzzNNioP.exeCode function: 0_2_001F00B70_2_001F00B7
Source: C:\Users\user\Desktop\67AzzNNioP.exeCode function: 0_2_001E40FE0_2_001E40FE
Source: C:\Users\user\Desktop\67AzzNNioP.exeCode function: 0_2_001F71530_2_001F7153
Source: C:\Users\user\Desktop\67AzzNNioP.exe<