Similarity Report

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:71214
Start date:06.08.2018
Start time:20:44:02
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 13s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:LyTaZHwHpG (renamed file extension from none to rtf)
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal80.expl.winRTF@4/9@3/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 2
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Simulate clicks
  • Found warning dialog
  • Click Ok
  • Number of clicks 1
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE

Static File Info

File type:Rich Text Format data, unknown version
Entropy (8bit):3.2192086982578436
TrID:
  • Rich Text Format (5005/1) 55.56%
  • Rich Text Format (4004/1) 44.44%
File name:LyTaZHwHpG.rtf
File size:9388
MD5:15a43d4c8ae9592ee06a410c58311e35
SHA1:8e1ab5ddc917da3689818af3ae61d646f6a6bcab
SHA256:da29f37ec139b87d9dcee92156af4882a1c7312e8ad54ca0912c360d4ea2f362
SHA512:a8d73d5ea36a3269e1428a6b9ce26855fd8e2fc1fbfb4048499bcdd33ccde0818ccbcffedd82eba8a39585263f775ef8cca08b03dbbd3ca0eecffc4199277895
File Content Preview:{\rtf{\object\objhtml\objupdate\objw3118\objh1589{\*\objdata 359c4439020000001600000049666c6359686b4375743948465639587a7a31457600000000000000000000120000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001000000010000

Similarity Information

Algorithm:APISTRING
Total Signature IDs in Database:4105427
Total Processes Database:48828
Total similar Processes:5
Total similar Functions:8

Similar Processes

  • EQNEDT32.EXE (MD5: A87236E214F6D42A65F5DEDAC816AEC8, PID: 3500)
    • EQNEDT32.EXE (PID: 3484, MD5: A87236E214F6D42A65F5DEDAC816AEC8 AnalysisID: 57956 Similar Functions: 3)
    • EQNEDT32.EXE (PID: 3792, MD5: A87236E214F6D42A65F5DEDAC816AEC8 AnalysisID: 57481 Similar Functions: 2)
    • EQNEDT32.EXE (PID: 3496, MD5: A87236E214F6D42A65F5DEDAC816AEC8 AnalysisID: 57528 Similar Functions: 1)
    • EQNEDT32.EXE (PID: 3488, MD5: A87236E214F6D42A65F5DEDAC816AEC8 AnalysisID: 54758 Similar Functions: 1)
    • EQNEDT32.EXE (PID: 3540, MD5: A87236E214F6D42A65F5DEDAC816AEC8 AnalysisID: 68513 Similar Functions: 1)

Similar Functions

  • Function_000243E6 API ID: CreateProcessExitProcessLoadLibraryURLDownloadToFile, String ID: , Total Matches: 8

General

Root Process Name:EQNEDT32.EXE
Process MD5:A87236E214F6D42A65F5DEDAC816AEC8
Total matches:3
Initial sample Analysis ID:57956
Initial sample SHA 256:0CD0C4ECB2FFEA63BA0406CF0DB74512246C25FF2986245A672C03C77E00E526
Initial sample name:Conti5390.doc

Similar Executed Functions

Similarity
  • Total matches: 8
  • API ID: CreateProcessExitProcessLoadLibraryURLDownloadToFile
  • String ID:
  • API String ID: 56192602-0
  • Opcode ID: 83d6e6d825590b82a6a1e997d8ad5ec4107100683c0a1bbb37378612a1abd3c1
  • Instruction ID: bceced8a00630c12e91db78dff18ae479874e901a960f271a264118b8b7ec908
  • Opcode Fuzzy Hash: 4FF0C90FD010C5A8C31221022885221D675AF46776D8CE7BBFDB19A3CCCC91753C9B9C
  • Instruction Fuzzy Hash: bceced8a00630c12e91db78dff18ae479874e901a960f271a264118b8b7ec908
APIs
  • LoadLibraryA.KERNEL32(?), ref: 0069146C
  • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0069148D
  • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006914CA
  • ExitProcess.KERNEL32(00000000), ref: 006914DA
Memory Dump Source
  • Source File: 00000002.00000002.21013342670.0066D000.00000004.sdmp, Offset: 0066D000, based on PE: false

Similar Non-Executed Functions

General

Root Process Name:EQNEDT32.EXE
Process MD5:A87236E214F6D42A65F5DEDAC816AEC8
Total matches:2
Initial sample Analysis ID:57481
Initial sample SHA 256:1307B363E3669183A6EA5C1F83A4E227DD5182524C91F67B3B010DEFB7F03CB2
Initial sample name:Quotation Request RFQ#9087454.doc

Similar Executed Functions

Similarity
  • Total matches: 8
  • API ID: CreateProcessExitProcessLoadLibraryURLDownloadToFile
  • String ID:
  • API String ID: 56192602-0
  • Opcode ID: 83d6e6d825590b82a6a1e997d8ad5ec4107100683c0a1bbb37378612a1abd3c1
  • Instruction ID: bceced8a00630c12e91db78dff18ae479874e901a960f271a264118b8b7ec908
  • Opcode Fuzzy Hash: 4FF0C90FD010C5A8C31221022885221D675AF46776D8CE7BBFDB19A3CCCC91753C9B9C
  • Instruction Fuzzy Hash: bceced8a00630c12e91db78dff18ae479874e901a960f271a264118b8b7ec908
APIs
  • LoadLibraryA.KERNEL32(?), ref: 0069146C
  • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0069148D
  • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006914CA
  • ExitProcess.KERNEL32(00000000), ref: 006914DA
Memory Dump Source
  • Source File: 00000002.00000002.21013342670.0066D000.00000004.sdmp, Offset: 0066D000, based on PE: false

Similar Non-Executed Functions

General

Root Process Name:EQNEDT32.EXE
Process MD5:A87236E214F6D42A65F5DEDAC816AEC8
Total matches:1
Initial sample Analysis ID:57528
Initial sample SHA 256:70738E454CAC5C0F4E16842DBB4B18B7E7ADF744CC33BCAAAABADC40CBA92BEF
Initial sample name:05012018video review agreement.rtf

Similar Executed Functions

Similarity
  • Total matches: 8
  • API ID: CreateProcessExitProcessLoadLibraryURLDownloadToFile
  • String ID:
  • API String ID: 56192602-0
  • Opcode ID: 83d6e6d825590b82a6a1e997d8ad5ec4107100683c0a1bbb37378612a1abd3c1
  • Instruction ID: bceced8a00630c12e91db78dff18ae479874e901a960f271a264118b8b7ec908
  • Opcode Fuzzy Hash: 4FF0C90FD010C5A8C31221022885221D675AF46776D8CE7BBFDB19A3CCCC91753C9B9C
  • Instruction Fuzzy Hash: bceced8a00630c12e91db78dff18ae479874e901a960f271a264118b8b7ec908
APIs
  • LoadLibraryA.KERNEL32(?), ref: 0069146C
  • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0069148D
  • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006914CA
  • ExitProcess.KERNEL32(00000000), ref: 006914DA
Memory Dump Source
  • Source File: 00000002.00000002.21013342670.0066D000.00000004.sdmp, Offset: 0066D000, based on PE: false

Similar Non-Executed Functions

General

Root Process Name:EQNEDT32.EXE
Process MD5:A87236E214F6D42A65F5DEDAC816AEC8
Total matches:1
Initial sample Analysis ID:54758
Initial sample SHA 256:BBBA2E5239FC9C8A23E6B90C01CCF55E7198CF6576737DE50E98543FBAEAD3C5
Initial sample name:404611576.doc

Similar Executed Functions

Similarity
  • Total matches: 8
  • API ID: CreateProcessExitProcessLoadLibraryURLDownloadToFile
  • String ID:
  • API String ID: 56192602-0
  • Opcode ID: 83d6e6d825590b82a6a1e997d8ad5ec4107100683c0a1bbb37378612a1abd3c1
  • Instruction ID: bceced8a00630c12e91db78dff18ae479874e901a960f271a264118b8b7ec908
  • Opcode Fuzzy Hash: 4FF0C90FD010C5A8C31221022885221D675AF46776D8CE7BBFDB19A3CCCC91753C9B9C
  • Instruction Fuzzy Hash: bceced8a00630c12e91db78dff18ae479874e901a960f271a264118b8b7ec908
APIs
  • LoadLibraryA.KERNEL32(?), ref: 0069146C
  • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0069148D
  • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006914CA
  • ExitProcess.KERNEL32(00000000), ref: 006914DA
Memory Dump Source
  • Source File: 00000002.00000002.21013342670.0066D000.00000004.sdmp, Offset: 0066D000, based on PE: false

Similar Non-Executed Functions

General

Root Process Name:EQNEDT32.EXE
Process MD5:A87236E214F6D42A65F5DEDAC816AEC8
Total matches:1
Initial sample Analysis ID:68513
Initial sample SHA 256:A7994FA7DBFD7D402875015FBCE48BE7752787D18CF2F3CC49CE9CD0874CDF1B
Initial sample name:gzDmmZoDY.xlsx

Similar Executed Functions

Similarity
  • Total matches: 8
  • API ID: CreateProcessExitProcessLoadLibraryURLDownloadToFile
  • String ID:
  • API String ID: 56192602-0
  • Opcode ID: 83d6e6d825590b82a6a1e997d8ad5ec4107100683c0a1bbb37378612a1abd3c1
  • Instruction ID: bceced8a00630c12e91db78dff18ae479874e901a960f271a264118b8b7ec908
  • Opcode Fuzzy Hash: 4FF0C90FD010C5A8C31221022885221D675AF46776D8CE7BBFDB19A3CCCC91753C9B9C
  • Instruction Fuzzy Hash: bceced8a00630c12e91db78dff18ae479874e901a960f271a264118b8b7ec908
APIs
  • LoadLibraryA.KERNEL32(?), ref: 0069146C
  • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0069148D
  • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006914CA
  • ExitProcess.KERNEL32(00000000), ref: 006914DA
Memory Dump Source
  • Source File: 00000002.00000002.21013342670.0066D000.00000004.sdmp, Offset: 0066D000, based on PE: false

Similar Non-Executed Functions