Analysis Report Hearts_x86_en.exe

Overview

General Information

Joe Sandbox Version: 24.0.0 Fire Opal
Analysis ID: 96302
Start date: 07.12.2018
Start time: 00:33:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Hearts_x86_en.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean5.winEXE@4/2@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 57.1%)
  • Quality average: 33.4%
  • Quality standard deviation: 34%
HCA Information:
  • Successful, ratio: 87%
  • Number of executed functions: 4
  • Number of non-executed functions: 3
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: tmpEC55.exe

Detection

Strategy: Threshold
Score: 5
Range: 0 - 100
Reporting: Report FP / FN
Detection: clean

Confidence

Strategy: Threshold
Score: 4
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

The sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior.



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Remote Management | Winlogon Helper DLL | Process Injection 11 | Disabling Security Tools 1 | Credential Dumping | System Information Discovery 1 | Application Deployment Software | Data from Local System | Data Compressed | Data Obfuscation
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection 11 | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels

Signature Overview



Networking:

Found strings which match known social media URLs
Source: Hearts_x86_en.exe; String found in binary or memory: http://yahoo.com/ equals www.yahoo.com (Yahoo)
URLs found in memory or binary data
Source: Hearts_x86_en.exe; String found in binary or memory: http://www.toncha.org/
Source: Hearts_x86_en.exe; String found in binary or memory: http://www.toncha.org/catalog/ItemDetail.aspx?itemId=i12
Source: Hearts_x86_en.exe; String found in binary or memory: http://www.toncha.org/catalog/admin/SetupGame.ashx
Source: Hearts_x86_en.exe; String found in binary or memory: http://www.toncha.org/catalog/admin/SetupInstall.ashx
Source: Hearts_x86_en.exe; String found in binary or memory: http://www.toncha.org/catalog/admin/SetupToncha.ashx
Source: Hearts_x86_en.exe; String found in binary or memory: http://yahoo.com/

System Summary:

Abnormally high CPU usage
Source: C:\Users\user\AppData\Local\Temp\tmpEC55.exe; Process Stats: CPU usage > 98%
Creates mutexes
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1192:120:WilError_01
PE file contains executable resources (Code or Archives)
Source: Hearts_x86_en.exe; Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE file contains strange resources
Source: Hearts_x86_en.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Hearts_x86_en.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tmpEC55.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tmpEC55.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name gathered from version info
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilename vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenameInterop.IWshRuntimeLibrary.dll vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenametoncha.exe0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenamegambling-house.exe@ vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenamegame_7.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenamedata_2.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenametoncha1.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenametoncha2.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenametoncha3.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenametoncha4.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenametoncha5.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenametoncha6.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenametoncha.exeH vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe, 00000000.00000000.2561121693.0000000000422000.00000008.sdmp; Binary or memory string: OriginalFilenameUninstaller.exeH vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenameInterop.IWshRuntimeLibrary.dll vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenametoncha.exe0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenamegambling-house.exe@ vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenamegame_7.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenamedata_2.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenametoncha1.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenametoncha2.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenametoncha3.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenametoncha4.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenametoncha5.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenametoncha6.dll0 vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenametoncha.exeH vs Hearts_x86_en.exe
Source: Hearts_x86_en.exe; Binary or memory string: OriginalFilenameUninstaller.exeH vs Hearts_x86_en.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Hearts_x86_en.exe; Section loaded: wow64log.dll
Classification label
Source: classification engine; Classification label: clean5.winEXE@4/2@0/0
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\Hearts_x86_en.exe; Code function: 0_2_00401486 FindResourceA,LoadResource,CreateFileA,LockResource,SizeofResource,WriteFile,CloseHandle,lstrlenA,LocalAlloc,memset,memcpy,0_2_00401486
Creates temporary files
Source: C:\Users\user\Desktop\Hearts_x86_en.exe; File created: C:\Users\user\AppData\Local\Temp\tmpEC55.tmp
PE file has an executable .text section and no other executable section
Source: Hearts_x86_en.exe; Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\AppData\Local\Temp\tmpEC55.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\93d3642eb09dd0758766983414b96cbb\mscorlib.ni.dll
Reads software policies
Source: C:\Users\user\Desktop\Hearts_x86_en.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\Hearts_x86_en.exe 'C:\Users\user\Desktop\Hearts_x86_en.exe'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\tmpEC55.exe C:\Users\user\AppData\Local\Temp\tmpEC55.exe
Source: C:\Users\user\Desktop\Hearts_x86_en.exe; Process created: C:\Users\user\AppData\Local\Temp\tmpEC55.exe C:\Users\user\AppData\Local\Temp\tmpEC55.exe
Submission file is bigger than most known malware samples
Source: Hearts_x86_en.exe; Static file information: File size 6677276 > 1048576
Uses new MSVCR DLLs
Source: C:\Users\user\AppData\Local\Temp\tmpEC55.exe; File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
PE file has a big raw section
Source: Hearts_x86_en.exe; Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x633000
Binary contains paths to debug symbols
Source: Binary string: C:\en\gambling-house\game_7_\obj\Release\game_7.pdb0eNe @e_CorDllMainmscoree.dll source: Hearts_x86_en.exe
Source: Binary string: C:\en\gambling-house\toncha3\obj\Release\toncha3.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\en\gambling-house\toncha4\obj\Release\toncha4.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\ru\TonchaComm\TonchaComm\obj\Release\toncha.pdb( source: Hearts_x86_en.exe
Source: Binary string: C:\en\gambling-house\gambling-house\obj\Release\gambling-house.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\en\gambling-house\toncha4\obj\Release\toncha4.pdb` source: Hearts_x86_en.exe
Source: Binary string: C:\en\Setup\Hearts_x86_en\Confusion_x86_en\obj\Release\Hearts_x86_en.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\en\gambling-house\toncha1\obj\Release\toncha1.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\en\gambling-house\toncha2\obj\Release\toncha2.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\en\gambling-house\toncha5\obj\Release\toncha5.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\en\Test\Hearts_x86_en\Confusion_x86_en\obj\Release\Hearts_x86_en.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\en\gambling-house\toncha6\obj\Release\toncha6.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\en\uninstall\uninstall\obj\Release\toncha.pdb8MNM @M_CorExeMainmscoree.dll source: Hearts_x86_en.exe
Source: Binary string: C:\en\gambling-house\data_2_\obj\Release\data_2.pdb, source: Hearts_x86_en.exe
Source: Binary string: C:\ru\TonchaComm\TonchaComm\obj\Release\toncha.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\en\Uninstaller\Uninstaller\obj\Release\Uninstaller.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\en\gambling-house\game_7_\obj\Release\game_7.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\en\uninstall\uninstall\obj\Release\toncha.pdb source: Hearts_x86_en.exe
Source: Binary string: C:\en\gambling-house\data_2_\obj\Release\data_2.pdb source: Hearts_x86_en.exe

Data Obfuscation:

PE file contains sections with non-standard names
Source: Hearts_x86_en.exe; Static PE information: section name: .eh_fram

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Hearts_x86_en.exe; File created: C:\Users\user\AppData\Local\Temp\tmpEC55.exe

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\AppData\Local\Temp\tmpEC55.exe; Process information set: NOOPENFILEERRORBOX (the same event is reported 9 times in the original report)

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Program exit points
Source: C:\Users\user\Desktop\Hearts_x86_en.exe; API call chain: ExitProcess graph end node graph_0-396

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\Hearts_x86_en.exe; Code function: 0_2_00401000 SetUnhandledExceptionFilter,__getmainargs,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,signal,signal,signal,signal,signal,signal,0_2_00401000
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\tmpEC55.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Hearts_x86_en.exe; Process created: C:\Users\user\AppData\Local\Temp\tmpEC55.exe C:\Users\user\AppData\Local\Temp\tmpEC55.exe
May try to detect the Windows Explorer process (often used for injection)
Source: Hearts_x86_en.exe, 00000000.00000002.4012979469.0000000001620000.00000002.sdmp; Binary or memory string: Program Manager
Source: Hearts_x86_en.exe, 00000000.00000002.4012979469.0000000001620000.00000002.sdmp; Binary or memory string: Shell_TrayWnd
Source: Hearts_x86_en.exe, 00000000.00000002.4012979469.0000000001620000.00000002.sdmp; Binary or memory string: Progman
Source: Hearts_x86_en.exe, 00000000.00000002.4012979469.0000000001620000.00000002.sdmp; Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query the Windows version
Source: C:\Users\user\Desktop\Hearts_x86_en.exe; Code function: 0_2_004017AE FreeConsole,GetVersion,memset,LoadStringA,MessageBoxA,LoadLibraryA,ShellExecuteA,Sleep,memset,memset,CreateProcessA,SetLastError,memset,LoadStringA,MessageBoxA,WaitForSingleObject,CloseHandle,CloseHandle,0_2_004017AE

Behavior Graph

Behavior Graph (rendered as an image in the original report): ID 96302; Sample: Hearts_x86_en.exe; Startdate: 07/12/2018; Architecture: WINDOWS; Score: 5. Process nodes: Hearts_x86_en.exe (started) -> dropped file C:\Users\user\AppData\Local\...\tmpEC55.exe (PE32); Hearts_x86_en.exe -> started tmpEC55.exe; Hearts_x86_en.exe -> started conhost.exe.

Simulations

Behavior and APIs

Time: 00:34:14
Type: API Interceptor
Description: 6x Sleep call for process: Hearts_x86_en.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
Hearts_x86_en.exe | 3% | virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\tmpEC55.exe | 0% | virustotal |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.toncha.org/catalog/admin/SetupGame.ashx | 0% | virustotal |
http://www.toncha.org/catalog/admin/SetupGame.ashx | 0% | Avira URL Cloud | safe
http://www.toncha.org/ | 0% | virustotal |
http://www.toncha.org/ | 0% | Avira URL Cloud | safe
http://www.toncha.org/catalog/admin/SetupToncha.ashx | 0% | virustotal |
http://www.toncha.org/catalog/admin/SetupToncha.ashx | 0% | Avira URL Cloud | safe
http://www.toncha.org/catalog/ItemDetail.aspx?itemId=i12 | 0% | virustotal |
http://www.toncha.org/catalog/ItemDetail.aspx?itemId=i12 | 0% | Avira URL Cloud | safe
http://www.toncha.org/catalog/admin/SetupInstall.ashx | 0% | virustotal |
http://www.toncha.org/catalog/admin/SetupInstall.ashx | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.