Analysis Report evatest2.exe
Overview
General Information |
---|
Joe Sandbox Version: | 26.0.0 |
Analysis ID: | 881802 |
Start date: | 11.06.2019 |
Start time: | 14:48:08 |
Joe Sandbox Product: | Cloud |
Overall analysis duration: | 0h 6m 35s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | evatest2.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43) |
Number of new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis stop reason: | Timeout |
Detection: | SUS |
Classification: | sus25.winEXE@1/0@0/0 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Detection |
---|
Strategy | Score | Range | Reporting | Whitelisted | Detection |
---|---|---|---|---|---|
Threshold | 25 | 0 - 100 | | false | |
Confidence |
---|
Strategy | Score | Range | Further Analysis Required? | Confidence |
---|---|---|---|---|
Threshold | 5 | 0 - 5 | false | |
Classification |
---|
MITRE ATT&CK Matrix (number in parentheses: matching signatures) |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control |
---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Execution through API (1) | Winlogon Helper DLL | Port Monitors | Software Packing (1) | Credential Dumping | System Time Discovery (1) | Application Deployment Software | Data from Local System | Data Encrypted (1) | Standard Cryptographic Protocol (1) |
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Obfuscated Files or Information (1) | Network Sniffing | Security Software Discovery (2) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels |
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | System Information Discovery (11) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol |
Signature Overview |
---|
AV Detection: |
---|
Signature | Source |
---|---|
Antivirus or Machine Learning detection for unpacked file | Joe Sandbox ML (3 sources listed) |
System Summary: |
---|
Signature | Source |
---|---|
Detected potential crypto function | Code function 0_2_01091C99 |
Yara signature match | Matched rule (10 sources listed) |
Classification label | Classification label |
PE file has an executable .text section and no other executable section | Static PE information |
Reads software policies | Key opened |
Submission file is bigger than most known malware samples | Static file information |
PE file has a big raw section | Static PE information |
PE file contains a mix of data directories often seen in goodware | Static PE information (6 sources listed) |
Contains modern PE file flags such as dynamic base (ASLR) or NX | Static PE information |
PE file contains a debug data directory | Static PE information |
Binary contains paths to debug symbols | Binary string |
PE file contains a valid data directory to section mapping | Static PE information (5 sources listed) |
Data Obfuscation: |
---|
Signature | Source |
---|---|
Contains functionality to dynamically determine API calls | Code function 0_2_01091000 |
Uses code obfuscation techniques (call, push, ret) | Code function 0_2_010922B8 |
Malware Analysis System Evasion: |
---|
Signature | Source |
---|---|
Country aware sample found (crashes after keyboard check) | Event Logs and Signature results |
Found evasive API chain (may stop execution after checking a module file name) | Evasive API call chain graph_0-3409 |
Program does not show much activity (idle) | Thread injection, dropped files, key value created, disk infection and DNS query |
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts) | Code function 0_2_01091000 (2 sources listed) |
Anti Debugging: |
---|
Signature | Source |
---|---|
Checks if the current process is being debugged | Process queried (2 sources listed) |
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Code function 0_2_01093B64 |
Contains functionality to dynamically determine API calls | Code function 0_2_01091000 |
Program does not show much activity (idle) | Thread injection, dropped files, key value created, disk infection and DNS query |
Contains functionality to register its own exception handler | Code functions 0_2_01093B64, 0_2_0109120D, 0_2_010960B7 |
Language, Device and Operating System Detection: |
---|
Signature | Source |
---|---|
Contains functionality to query locales information (e.g. system language) | Code function 0_2_01096D2C |
Contains functionality to query local / system time | Code function 0_2_010938DB |
Behavior Graph |
---|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
14:50:07 | API Interceptor |
Antivirus and Machine Learning Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Detection | Scanner |
---|---|
100% | Joe Sandbox ML |
100% | Joe Sandbox ML |
100% | Joe Sandbox ML |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author |
---|---|---|---|
evatest2.exe | Embedded_PE | unknown | unknown |
PCAP (Network Traffic) |
---|
No yara matches |
---|
Dropped Files |
---|
No yara matches |
---|
Memory Dumps |
---|
Source | Rule | Description | Author |
---|---|---|---|
00000000.00000001.1662073315.01090000.00000002.sdmp | Embedded_PE | unknown | unknown |
00000000.00000002.1671247806.01090000.00000002.sdmp | Embedded_PE | unknown | unknown |
00000000.00000000.1660532969.01090000.00000002.sdmp | Embedded_PE | unknown | unknown |
Unpacked PEs |
---|
Source | Rule | Description | Author |
---|---|---|---|
0.1.evatest2.exe.1090000.0.raw.unpack | Embedded_PE | unknown | unknown |
0.2.evatest2.exe.1090000.0.raw.unpack | Embedded_PE | unknown | unknown |
0.0.evatest2.exe.1090000.0.raw.unpack | Embedded_PE | unknown | unknown |
0.0.evatest2.exe.1090000.0.unpack | Embedded_PE | unknown | unknown |
0.1.evatest2.exe.1090000.0.unpack | Embedded_PE | unknown | unknown |
0.2.evatest2.exe.1090000.0.unpack | Embedded_PE | unknown | unknown |
Screenshots |
---|
Startup |
---|
|
Created / dropped Files |
---|
No created / dropped files found |
---|
Domains and IPs |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.848117084807777 |
TrID: | |
File name: | evatest2.exe |
File size: | 6677504 |
MD5: | 4ae1716abd362ea12f5e93c9d7010d68 |
SHA1: | 93d51ac86c5ed207dd6e77b2e767cdeb23106925 |
SHA256: | 4f305bea98220120fb71e82f6adb7708e300c87a49eeaa05d729600db4e4e9df |
SHA512: | 8a31f0b7f00f7c9e3c4ea0ea30839cb6de32806bb02b64be7be012fc4adee8569860762012e4fd912ce9e522e92c638494f8050f3ab503374bbbe40cf02b9fb1 |
SSDEEP: | 98304:bTRvmbxXIuaWLZPxMKtCM8IjaPbktQWX8AfHbhIWwPaOJn3N/BUKTKR:QGMJ8Ijary8Af7hIjJn1 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W...W...W...I.G.M...I.V.G...I.@.....pI..R...W.......I.I.V...I.R.V...RichW...................PE..L...Qu.\.................f. |
File Icon |
---|
Icon Hash: | aab2e3e39383aa00 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4014dc |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5CFE7551 [Mon Jun 10 15:20:49 2019 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | dadba842a33028572cf693651cd12efb |
Entrypoint Preview |
---|
Instruction |
---|
call 1C59046Fh |
jmp 1C58DEEDh |
mov edi, edi |
push ebp |
mov ebp, esp |
sub esp, 00000328h |
mov dword ptr [00A5B198h], eax |
mov dword ptr [00A5B194h], ecx |
mov dword ptr [00A5B190h], edx |
mov dword ptr [00A5B18Ch], ebx |
mov dword ptr [00A5B188h], esi |
mov dword ptr [00A5B184h], edi |
mov word ptr [00A5B1B0h], ss |
mov word ptr [00A5B1A4h], cs |
mov word ptr [00A5B180h], ds |
mov word ptr [00A5B17Ch], es |
mov word ptr [00A5B178h], fs |
mov word ptr [00A5B174h], gs |
pushfd |
pop dword ptr [00A5B1A8h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [00A5B19Ch], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [00A5B1A0h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [00A5B1ACh], eax |
mov eax, dword ptr [ebp-00000320h] |
mov dword ptr [00A5B0E8h], 00010001h |
mov eax, dword ptr [00A5B1A0h] |
mov dword ptr [00A5B09Ch], eax |
mov dword ptr [00A5B090h], C0000409h |
mov dword ptr [00A5B094h], 00000001h |
mov eax, dword ptr [0040A004h] |
mov dword ptr [ebp-00000328h], eax |
mov eax, dword ptr [0040A008h] |
mov dword ptr [ebp-00000324h], eax |
call dword ptr [00000034h] |
Rich Headers |
---|
Programming Language: | |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x96e4 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x65c000 | 0x1b4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x65d000 | 0x6d0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8130 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9390 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x100 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6434 | 0x6600 | False | 0.611481311275 | DBase 3 data file with memo(s) (1750554197 records) | 6.57584458721 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1cb6 | 0x1e00 | False | 0.352864583333 | data | 5.35731007345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x651c1c | 0x651200 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x65c000 | 0x1b4 | 0x200 | False | 0.490234375 | data | 5.0997477791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x65d000 | 0x47c4 | 0x4800 | False | 0.0876736111111 | data | 1.04076936106 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_MANIFEST | 0x65c058 | 0x15a | ASCII text, with CRLF line terminators | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | lstrlenA, OutputDebugStringW, GetProcAddress, LoadLibraryA, GetModuleHandleA, VirtualProtect, HeapAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW |
USER32.dll | GetKeyboardLayout |
Possible Origin |
---|
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
System Behavior |
---|
General |
---|
Start time: | 14:50:07 |
Start date: | 11/06/2019 |
Path: | C:\Users\user\Desktop\evatest2.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x1090000 |
File size: | 6677504 bytes |
MD5 hash: | 4AE1716ABD362EA12F5E93C9D7010D68 |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 7.6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 4% |
Total number of Nodes: | 1102 |
Total number of Limit Nodes: | 13 |
Executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | Uniqueness Score |
---|---|---|---|---|---|---|
01091000 | 24.7 | 10 | 4 | 169 | library, memory, string, COMMON | -1,00% |
01094387 | 3.0 | 2 | | 21 | COMMON | -1,00% |
0109244C | 1.5 | 1 | | 20 | memory, COMMON | -1,00% |
Non-executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | Uniqueness Score |
---|---|---|---|---|---|---|
010939E8 | 7.5 | 5 | | 44 | memory, COMMON, LIBRARYCODE | -1,00% |