Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report


General Information

Sample Name:order_of_quotationpdf.exe
Analysis ID:840855


AveMaria, UACMe
Range:0 - 100


Snort IDS alert for network traffic
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Initial sample is a PE file and has a suspicious name
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to check if Internet connection is working
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Contains functionality to steal e-mail passwords
Found evasive API chain checking for user administrative privileges
Yara detected Generic Downloader
Contains functionality to steal Chrome passwords or cookies
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Found decision node followed by non-executed suspicious APIs
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores files to the Windows start menu directory
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality to download and execute PE files
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to shutdown / reboot the system
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses Microsoft's Enhanced Cryptographic Provider


  • System is w10x64
  • order_of_quotationpdf.exe (PID: 6752 cmdline: C:\Users\user\Desktop\order_of_quotationpdf.exe MD5: 3A222BA5C055F7E201AE3A121FE9DB9A)
    • powershell.exe (PID: 6804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • order_of_quotationpdf.exe (PID: 2956 cmdline: C:\Users\user\Desktop\order_of_quotationpdf.exe MD5: 3A222BA5C055F7E201AE3A121FE9DB9A)
  • cleanup