
Windows Analysis Report
INV_0893.exe

Overview

General Information

Sample Name: INV_0893.exe
Analysis ID: 715068
MD5: d23e1e317d68720216699e1c9e524a78
SHA1: 76b58185f5aa824e5bafc589aaa6c228b341b239
SHA256: 8dda840eccb53427037b3a06dd5f886c78e6e55fe69d96b256b05176e85172db
Tags: exe JustClickAm-com

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected AntiVM autoit script
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Drops PE files with a suspicious file extension
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
OS version to string mapping found (often used in BOTs)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to read data from the clipboard

Classification

  • System is w10x64
  • INV_0893.exe (PID: 1348 cmdline: C:\Users\user\Desktop\INV_0893.exe MD5: D23E1E317D68720216699E1C9E524A78)
    • uvbdlqfvw.pif (PID: 2528 cmdline: "C:\Users\user\1_102\uvbdlqfvw.pif" faeupdrjbw.afr MD5: F28AA08788132E64DB4B8918EE2430B1)
      • wscript.exe (PID: 5360 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • uvbdlqfvw.pif (PID: 1244 cmdline: "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR MD5: F28AA08788132E64DB4B8918EE2430B1)
          • wscript.exe (PID: 1076 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
            • uvbdlqfvw.pif (PID: 4648 cmdline: "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR MD5: F28AA08788132E64DB4B8918EE2430B1)
              • wscript.exe (PID: 5848 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
                • uvbdlqfvw.pif (PID: 5884 cmdline: "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR MD5: F28AA08788132E64DB4B8918EE2430B1)
                  • wscript.exe (PID: 2472 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
                    • uvbdlqfvw.pif (PID: 5336 cmdline: "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR MD5: F28AA08788132E64DB4B8918EE2430B1)
  • uvbdlqfvw.pif (PID: 5268 cmdline: "C:\Users\user\1_102\UVBDLQ~1.PIF" C:\Users\user\1_102\FAEUPD~1.AFR MD5: F28AA08788132E64DB4B8918EE2430B1)
    • wscript.exe (PID: 4392 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • uvbdlqfvw.pif (PID: 5328 cmdline: "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR MD5: F28AA08788132E64DB4B8918EE2430B1)
        • wscript.exe (PID: 6060 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • uvbdlqfvw.pif (PID: 2148 cmdline: "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR MD5: F28AA08788132E64DB4B8918EE2430B1)
  • uvbdlqfvw.pif (PID: 2180 cmdline: "C:\Users\user\1_102\UVBDLQ~1.PIF" C:\Users\user\1_102\FAEUPD~1.AFR MD5: F28AA08788132E64DB4B8918EE2430B1)
    • wscript.exe (PID: 6072 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • uvbdlqfvw.pif (PID: 1332 cmdline: "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR MD5: F28AA08788132E64DB4B8918EE2430B1)
        • wscript.exe (PID: 4596 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • uvbdlqfvw.pif (PID: 5780 cmdline: "C:\Users\user\1_102\UVBDLQ~1.PIF" C:\Users\user\1_102\FAEUPD~1.AFR MD5: F28AA08788132E64DB4B8918EE2430B1)
    • wscript.exe (PID: 4324 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • uvbdlqfvw.pif (PID: 3648 cmdline: "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR MD5: F28AA08788132E64DB4B8918EE2430B1)
  • cleanup
No configs have been found
Yara matches (Source; Rule; Description; Author; Strings):
  • Process Memory Space: uvbdlqfvw.pif PID: 2528; JoeSecurity_AntiVM_1; Yara detected AntiVM autoit script; Joe Security
  • Process Memory Space: uvbdlqfvw.pif PID: 5336; JoeSecurity_AntiVM_1; Yara detected AntiVM autoit script; Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: INV_0893.exe; ReversingLabs: Detection: 68%
Source: INV_0893.exe; Virustotal: Detection: 65%
Source: INV_0893.exe; Avira: detected
Source: C:\Users\user\1_102\uvbdlqfvw.pif; Avira: detection malicious, Label: TR/Redcap.qnaqq
Source: C:\Users\user\1_102\uvbdlqfvw.pif; ReversingLabs: Detection: 84%
Source: C:\Users\user\1_102\uvbdlqfvw.pif; Metadefender: Detection: 38%