Windows
Analysis Report
cambridge.shareholdersuite.exe
Overview
General Information
Detection
Score: | 2 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64_ra
- cambridge.shareholdersuite.exe (PID: 6440 cmdline: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe MD5: 36A2A6C6F6BA38708F501ACCE1176F1C)
  - WerFault.exe (PID: 6592 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6440 -s 808 MD5: 28D356B668C66115EA55135D24EEFB2C)
- cleanup
There are no malicious signatures.
Signature hits by source (the per-signature text was not captured in this extract): Static PE information, Static file information, Process created, File read, File created, File opened, Key opened, Key value queried, Section loaded, Classification label, Mutant created, Process information set, Process queried, Memory allocated, Queries volume information.
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 11 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 0% | ReversingLabs | | |
 | 4% | Virustotal | | Browse |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
20.189.173.20 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 800790 |
Start date and time: | 2023-02-07 19:53:29 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip) |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Sample file name: | cambridge.shareholdersuite.exe |
Detection: | CLEAN |
Classification: | clean2.winEXE@2/6@0/10 |
Cookbook Comments: |
- Excluded processes from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 40.126.32.76, 40.126.32.140, 40.126.32.74, 40.126.32.68, 40.126.32.134, 20.190.160.20, 20.190.160.17, 40.126.32.72, 20.189.173.20
- Excluded domains from analysis (whitelisted): prda.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, watson.telemetry.microsoft.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
- Report size getting too big, too many NtSetInformationFile calls found.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cambridge.shareh_b0b1b6854f979e9e27d3f079aaadcb4db67090f2_dd0f84fe_82132d7a-9be1-4710-9e0b-377f233cb68f\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8917153966165613 |
Encrypted: | false |
SSDEEP: | |
MD5: | 3E2D5B3851F33FFF32AEA5C7B4FDEECF |
SHA1: | 6770424C9C5627FC61E0086EEAE01BE40029EF4B |
SHA-256: | 1CCB3014B0CA0A72A27BAEA4AD8126258261DDDF7534ECCBE9713463A31B857D |
SHA-512: | CCC84B359C56F135E86F77B01015BE3CA45B68433E51D06BCC3A1637F5156A5489BE3951B73697057F9CEEE4B4D7EF12EF33CE780DCF5B3C2EA7C2EA77C23667 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 129193 |
Entropy (8bit): | 3.531005970180092 |
Encrypted: | false |
SSDEEP: | |
MD5: | FF6F1E3F19AB71C225CB991B994C34FF |
SHA1: | CADB4FA29C4547F6445DD3D3698DC52932AEBADA |
SHA-256: | F458B18533869EEBE844961F764D7D82A35C659F7D62D42D91D1B035A58D1A86 |
SHA-512: | 88FF4BEB027FFC4D0F970A7A398D3F1238D72AFDFAA1FFC54CAFC971F54D9396B54066D3102C5A479E87A994306B5CD01B6F0D9719D59E2A5CAFCC77021740BC |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8402 |
Entropy (8bit): | 3.6990298569740547 |
Encrypted: | false |
SSDEEP: | |
MD5: | 686092FE4DB868C06EC2A0CF1D2AC552 |
SHA1: | D0433D72A2204683C7AFCB5FD7D97B240B5AA25D |
SHA-256: | A88AD7AAD3167A33C4601CD3DC7B8492554F6D86DB9DA6BA72CCDBE902B1E432 |
SHA-512: | 999088CC262345DFA71C25546972006FF5871EFF6D191AC40580C28A7D9F9EDBF2A120AFAA873F301D37EED14D0B4980CDB8BFE905B6B484994AF384866AADCD |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4767 |
Entropy (8bit): | 4.517850488965283 |
Encrypted: | false |
SSDEEP: | |
MD5: | A917353E79A3B717A88486AB951C8EAA |
SHA1: | CA16B3F8592E8AC1BAE88DD8DF42D7D4342F5D00 |
SHA-256: | B989E34C7966D2199B681E144F2190F6EF7A154178A9DFA4FA9E6533A9EDE3FD |
SHA-512: | D58A8A858E191A8A2DB6AB49157421360BA3F8B7FE166723E111EB8DB711A73A1FB8C6D3FDB9F7132CF62D30E8FEE16A0A843633CEAEC1A73CE47C4E9AF3D32E |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1048576 |
Entropy (8bit): | 4.264313122457509 |
Encrypted: | false |
SSDEEP: | |
MD5: | 73A7039D1DE2708FC35819C74B2DCA20 |
SHA1: | 77C00358A95635CDE1761C33C50A01BE65D516AE |
SHA-256: | 1A270B345777385671F6C5E3AD8EE8CA6D63BD153593DCAE22CC1B311F896FFD |
SHA-512: | 7FDE7D042FD5E3DEBB5C3B52489AEE727668FFFB33B1AEEC3762963A626A2B90E2230EF5B906FBDA4A5C242DFD6B19F44632867F71B9B958FAE57E2657A29759 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 28672 |
Entropy (8bit): | 3.513830756732477 |
Encrypted: | false |
SSDEEP: | |
MD5: | 8B30E7D9B14A6B1FE6EBED54579E7FEA |
SHA1: | 741FA3DFEA4095BB53B875252394DAE1896C8DEA |
SHA-256: | 9EE6F4B955826247F14429E7A165D8B15A2C4296FFD64246CD985D51632773AE |
SHA-512: | 2BFE0983F0FDA8EDAE0C37B898B59E6F15AE9D67808A4CBF1091250A1CD3EAE9751DC1A202492528C99C897DF72B0BDB4309A880155E35903F839BD52E5693F0 |
Malicious: | false |
Reputation: | low |
File type: | |
Entropy (8bit): | 4.064007115455676 |
TrID: | |
File name: | cambridge.shareholdersuite.exe |
File size: | 16980992 |
MD5: | 36a2a6c6f6ba38708f501acce1176f1c |
SHA1: | b5dbb9cef3950df5ad736367fc402f4a2cd8f741 |
SHA256: | d7e7a93d26422463c14fe026463ba369fd02e538df3fc379007135fe8a301b41 |
SHA512: | f2e5029d11e18eb748738feb87619b92063aaf01320eec0f895ebbeccb265b7bc4d63ad9c51b609a90e7a417c908ef8f7103800a06137ed0b8c1ee42f9cb70cc |
SSDEEP: | 98304:ceJ3hNLMJf65l50LD77w5Nv5rgvB2ANt01vMJqMJ:1xsLHM5NBrK2Bvr |
TLSH: | 9D072901A2A0CB29E57A5FF4E02400F543F5BD59F92AF21F9D817DE73D72B80981A627 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...wM.c..............0.................. ........@.. ....................................`................................ |
Icon Hash: | b2f1fbf3e7f397ce |
Entrypoint: | 0x141a58e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x63A34D77 [Wed Dec 21 18:16:23 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | v4.0.30319 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al | (repeated 97 times: the bytes after the jmp are zero padding; the jmp goes through the IAT at 0x402000, which resolves to mscoree.dll!_CorExeMain, the usual entry stub of a .NET executable)
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x101a53c | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x101c000 | 0x19188 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1036000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x101a404 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x1018594 | 0x1018600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x101c000 | 0x19188 | 0x19200 | False | 0.9572255907960199 | data | 7.866811806016482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x1036000 | 0xc | 0x200 | False | 0.044921875 | data | 0.11836963125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x101c148 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m | ||
RT_ICON | 0x101c5c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 11811 x 11811 px/m | ||
RT_ICON | 0x101cf58 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m | ||
RT_ICON | 0x101e010 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m | ||
RT_ICON | 0x10205c8 | 0x1475f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_GROUP_ICON | 0x1034d38 | 0x4c | data | ||
RT_VERSION | 0x1034d94 | 0x3f0 | SysEx File - OctavePlateau | | |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |