Windows Analysis Report: UltraVNC_1_4_20_X64_Setup.exe
Overview
General Information
Detection
Metric | Value
---|---
Score | 10
Range | 0 - 100
Whitelisted | false
Confidence | 80%
Signatures
Classification
- System is w10x64_ra
- UltraVNC_1_4_20_X64_Setup.exe (PID: 7136, cmdline: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe, MD5: CB68CB54C38D053F83DA53E386E37113)
  - UltraVNC_1_4_20_X64_Setup.tmp (PID: 3624, cmdline: "C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp" /SL5="$3025A,4425789,1073152,C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe", MD5: 1E199F2650A289BF0503864D6AC0DE9E)
- cleanup
Signature sources (number of entries per source in parentheses):
- Static PE information (3)
- Network traffic detected (4)
- TCP traffic detected without corresponding DNS query (10)
- Static PE information (1)
- File read (1)
- File created (1)
- Key opened (5)
- Classification label (1)
- Process created (3)
- File created (1)
- Window found (1)
- Window detected (1)
- Static file information (1)
- Static PE information (2)

Data Obfuscation
- Process created (2)
- Static PE information (1)
- File created (1, dropped file)
- Process information set (7)
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Command and Scripting Interpreter | Path Interception | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Detection | Scanner
---|---
3% | ReversingLabs
5% | Virustotal

Detection | Scanner
---|---
0% | ReversingLabs
0% | Virustotal
IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
52.109.32.24 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.109.8.44 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
192.229.221.95 | unknown | United States | 15133 | EDGECASTUS | false
Field | Value
---|---
Joe Sandbox Version | 37.0.0 Beryl
Analysis ID | 849845
Start date and time | 2023-04-19 16:33:41 +02:00
Joe Sandbox Product | CloudBasic
Overall analysis duration |
Hypervisor based Inspection enabled | false
Report type | full
Cookbook file name | defaultwindowsinteractivecookbook.jbs
Analysis system description | Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of new started processes analysed | 5
Number of new started drivers analysed | 0
Number of existing processes analysed | 1
Number of existing drivers analysed | 0
Number of injected processes analysed | 0
Technologies |
Analysis Mode | stream
Analysis stop reason | Timeout
Sample file name | UltraVNC_1_4_20_X64_Setup.exe
Detection | CLEAN
Classification | clean10.winEXE@3/3@0/15

Cookbook Comments:
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): login.live.com
Dropped file (1)

Field | Value
---|---
Process | C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe
File Type |
Category | dropped
Size (bytes) | 3414984
Entropy (8bit) | 6.382783556411566
Encrypted | false
SSDEEP |
MD5 | 1E199F2650A289BF0503864D6AC0DE9E
SHA1 | 5E45ED8EE42402F017A4BD5571EC07753A51FB47
SHA-256 | A8C8B556B400249934DC958F0AC075B92A113783762801D26541BC40987662DE
SHA-512 | AA8BD2E983FC8B3C2272CE64FA9257636843448E39A3E01868EF4089F57EDA0B421EDB778E8913D406F5A3CABD93E92286029AEF14B7A218F1805C0CDF5F96AD
Malicious | true
Antivirus |
Reputation | low

Dropped file (2)

Field | Value
---|---
File Type |
Category | dropped
Size (bytes) | 576
Entropy (8bit) | 5.059635826240281
Encrypted | false
SSDEEP |
MD5 | 7EC2D1C016B14977DDF379F339D946A5
SHA1 | E26F146E618B64736E8FCA33A65C8D2C6EDC48E2
SHA-256 | 85788E6549A95B1C550A24A695E0DA22CE597936822A0218DFBDE3E509F47B70
SHA-512 | 2408F251C034630174A446B6E127058A0F49C25FA60CA469D472DCEEEA76D72257510FAE791003120B15ED566CD93F1AFFCDD618A93FA5FCAFCE163D898C9358
Malicious | false
Reputation | low
Field | Value
---|---
File type |
Entropy (8bit) | 7.853456231667099
TrID |
File name | UltraVNC_1_4_20_X64_Setup.exe
File size | 5358040
MD5 | cb68cb54c38d053f83da53e386e37113
SHA1 | 2d86c3b061090c52c9c9b12404643e90ef09378c
SHA256 | 73d3523558b9177185f782e690d1219d7c4ed12124ea962ca7bb37df46bd0741
SHA512 | 206bfc88bb1dd98dcf2f96a717373b27a4ca5bf584da5e386f6ee4fbcff7849a6b0cfc85cce4430b68bd5ea479f2a0c0f24fadd2570958279d28c559babc6c54
SSDEEP | 98304:BSi+Jol0atLxLZ63PwDH3CZYNavF51RQ16gxjdiTavfeta3wig:cJolLlQuXAsM5zgHga2agig
TLSH | 1346012BB734693ED45A06711072CBB0963BAE5225258D2A17F07C1FFF3A5E11E2B217
File Content Preview | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash | d0ce8ecccc8ef0c4
Entrypoint | 0x4b5eec
Entrypoint Section | .itext
Digitally signed | true
Imagebase | 0x400000
Subsystem | windows gui
Image File Characteristics | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp | 0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
TLS Callbacks |
CLR (.Net) Version |
OS Version Major | 6
OS Version Minor | 1
File Version Major | 6
File Version Minor | 1
Subsystem Version Major | 6
Subsystem Version Minor | 1
Import Hash | 5a594319a0d69dbc452e748bcf05892e
Signature Valid | true
Signature Issuer | CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error | The operation completed successfully
Error Number | 0
Version | 3
Thumbprint MD5 | 9DD4D820F2BD4C1E19D0B58E87D2E5E8
Thumbprint SHA-1 | ADC749D2F75F158C8218857FF187F81B97B3872A
Thumbprint SHA-256 | CAB069B8C7CB68F49FA0E8DCF3BECFDE320F4A241E571C2741B701EB0EC1B833
Serial | 4C03670A31E62B9FACB9D2D37039BD07
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFA4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-3Ch], eax |
mov dword ptr [ebp-40h], eax |
mov dword ptr [ebp-5Ch], eax |
mov dword ptr [ebp-30h], eax |
mov dword ptr [ebp-38h], eax |
mov dword ptr [ebp-34h], eax |
mov dword ptr [ebp-2Ch], eax |
mov dword ptr [ebp-28h], eax |
mov dword ptr [ebp-14h], eax |
mov eax, 004B10F0h |
call 00007F2154DA2715h |
xor eax, eax |
push ebp |
push 004B65E2h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 004B659Eh |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [004BE634h] |
call 00007F2154E44E3Fh |
call 00007F2154E44992h |
lea edx, dword ptr [ebp-14h] |
xor eax, eax |
call 00007F2154DB8188h |
mov edx, dword ptr [ebp-14h] |
mov eax, 004C1D84h |
call 00007F2154D9D307h |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [004C1D84h] |
mov dl, 01h |
mov eax, dword ptr [004237A4h] |
call 00007F2154DB91EFh |
mov dword ptr [004C1D88h], eax |
xor edx, edx |
push ebp |
push 004B654Ah |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
call 00007F2154E44EC7h |
mov dword ptr [004C1D90h], eax |
mov eax, dword ptr [004C1D90h] |
cmp dword ptr [eax+0Ch], 01h |
jne 00007F2154E4B4AAh |
mov eax, dword ptr [004C1D90h] |
mov edx, 00000028h |
call 00007F2154DB9AE4h |
mov edx, dword ptr [004C1D90h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xf36 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x4bd38 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x519a10 | 0x27c8 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22e4 | 0x244 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xb361c | 0xb3800 | False | 0.3448639341051532 | data | 6.356058204328091 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0xb5000 | 0x1688 | 0x1800 | False | 0.544921875 | data | 5.972750055221053 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0xb7000 | 0x37a4 | 0x3800 | False | 0.36097935267857145 | data | 5.044400562007734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0xbb000 | 0x6de8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc2000 | 0xf36 | 0x1000 | False | 0.3681640625 | data | 4.8987046479600425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0xc3000 | 0x1a4 | 0x200 | False | 0.345703125 | data | 2.7563628682496506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0xc4000 | 0x9a | 0x200 | False | 0.2578125 | data | 1.8722228665884297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0xc5000 | 0x18 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xc6000 | 0x5d | 0x200 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0xc7000 | 0x4bd38 | 0x4be00 | False | 0.17498970345963757 | data | 5.165168911096991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xc75b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States |
RT_ICON | 0xc8460 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States |
RT_ICON | 0xc8d08 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States |
RT_ICON | 0xc93d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States |
RT_ICON | 0xc9938 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States |
RT_ICON | 0x10b960 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States |
RT_ICON | 0x10df08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States |
RT_ICON | 0x10efb0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States |
RT_ICON | 0x10f938 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States |
RT_STRING | 0x10fda0 | 0x360 | data | ||
RT_STRING | 0x110100 | 0x260 | data | ||
RT_STRING | 0x110360 | 0x45c | data | ||
RT_STRING | 0x1107bc | 0x40c | data | ||
RT_STRING | 0x110bc8 | 0x2d4 | data | ||
RT_STRING | 0x110e9c | 0xb8 | data | ||
RT_STRING | 0x110f54 | 0x9c | data | ||
RT_STRING | 0x110ff0 | 0x374 | data | ||
RT_STRING | 0x111364 | 0x398 | data | ||
RT_STRING | 0x1116fc | 0x368 | data | ||
RT_STRING | 0x111a64 | 0x2a4 | data | ||
RT_RCDATA | 0x111d08 | 0x10 | data | ||
RT_RCDATA | 0x111d18 | 0x2c4 | data | ||
RT_RCDATA | 0x111fdc | 0x2c | data | ||
RT_GROUP_ICON | 0x112008 | 0x84 | data | English | United States |
RT_VERSION | 0x11208c | 0x584 | data | English | United States |
RT_MANIFEST | 0x112610 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale |
comctl32.dll | InitCommonControls |
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW |
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate |
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree |
advapi32.dll | RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW |
Name | Ordinal | Address |
---|---|---|
TMethodImplementationIntercept | 3 | 0x454060 |
__dbk_fcall_wrapper | 2 | 0x40d0a0 |
dbkFCallWrapperAddr | 1 | 0x4be63c |
Language of compilation system | Country where language is spoken
---|---
English | United States