Play interactive tour

Edit tour

Analysis Report evatest2.exe

Overview

General Information

Joe Sandbox Version:	26.0.0
Analysis ID:	881802
Start date:	11.06.2019
Start time:	14:48:08
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 6m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	evatest2.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java)
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus25.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	25	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Execution through API1	Winlogon Helper DLL	Port Monitors	Software Packing1	Credential Dumping	System Time Discovery1	Application Deployment Software	Data from Local System	Data Encrypted1	Standard Cryptographic Protocol1
Replication Through Removable Media	Service Execution	Port Monitors	Accessibility Features	Obfuscated Files or Information1	Network Sniffing	Security Software Discovery2	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Fallback Channels
Drive-by Compromise	Windows Management Instrumentation	Accessibility Features	Path Interception	Rootkit	Input Capture	System Information Discovery11	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 0.0.evatest2.exe.1090000.0.unpack	Joe Sandbox ML: detected
Source: 0.1.evatest2.exe.1090000.0.unpack	Joe Sandbox ML: detected
Source: 0.2.evatest2.exe.1090000.0.unpack	Joe Sandbox ML: detected

System Summary:

Detected potential crypto function

Show sources

Source: C:\Users\user\Desktop\evatest2.exe

Code function: 0_2_01091C99

0_2_01091C99

Yara signature match

Show sources

Source: evatest2.exe, type: SAMPLE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000001.1662073315.01090000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.1671247806.01090000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000000.1660532969.01090000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.evatest2.exe.1090000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.evatest2.exe.1090000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.evatest2.exe.1090000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.evatest2.exe.1090000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.evatest2.exe.1090000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.evatest2.exe.1090000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs

Classification label

Show sources

Source: classification engine

Classification label: sus25.winEXE@1/0@0/0

PE file has an executable .text section and no other executable section

Show sources

Source: evatest2.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Show sources

Source: C:\Users\user\Desktop\evatest2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Submission file is bigger than most known malware samples

Show sources

Source: evatest2.exe

Static file information: File size 6677504 > 1048576

PE file has a big raw section

Show sources

Source: evatest2.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x651200

PE file contains a mix of data directories often seen in goodware

Show sources

Source: evatest2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: evatest2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: evatest2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: evatest2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: evatest2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: evatest2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: evatest2.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Show sources

Source: evatest2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Show sources

Source:

Binary string: C:\UnTroueCunTroueKhouya\Release\UnTroueCunTroueKhouya.pdb source: evatest2.exe

PE file contains a valid data directory to section mapping

Show sources

Source: evatest2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: evatest2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: evatest2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: evatest2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: evatest2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\evatest2.exe

Code function: 0_2_01091000 OutputDebugStringW,GetKeyboardLayout,lstrlenA,lstrlenA,_malloc,GetModuleHandleA,GetProcAddress,_malloc,VirtualProtect,LoadLibraryA,GetProcAddress,

0_2_01091000

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\Desktop\evatest2.exe

Code function: 0_2_010922A5 push ecx; ret

0_2_010922B8

Malware Analysis System Evasion:

Country aware sample found (crashes after keyboard check)

Show sources

Source: c:\users\user\desktop\evatest2.exe

Event Logs and Signature results: Application crash and keyboard check

Found evasive API chain (may stop execution after checking a module file name)

Show sources

Source: C:\Users\user\Desktop\evatest2.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-3409

Program does not show much activity (idle)

Show sources

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Show sources

Source: C:\Users\user\Desktop\evatest2.exe	Code function: 0_2_01091000 GetKeyboardLayout followed by cmp: cmp al, 09h and CTI: je 01091023h country: English (en)		0_2_01091000
Source: C:\Users\user\Desktop\evatest2.exe	Code function: 0_2_01091000 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: jne 0109102Dh country: Russian (ru)		0_2_01091000

Anti Debugging:

Checks if the current process is being debugged

Show sources

Source: C:\Users\user\Desktop\evatest2.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\evatest2.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\evatest2.exe

Code function: 0_2_01093B64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_01093B64

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\evatest2.exe

Code function: 0_2_01091000 OutputDebugStringW,GetKeyboardLayout,lstrlenA,lstrlenA,_malloc,GetModuleHandleA,GetProcAddress,_malloc,VirtualProtect,LoadLibraryA,GetProcAddress,

0_2_01091000

Program does not show much activity (idle)

Show sources

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\Desktop\evatest2.exe	Code function: 0_2_01093B64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_01093B64
Source: C:\Users\user\Desktop\evatest2.exe	Code function: 0_2_0109120D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0109120D
Source: C:\Users\user\Desktop\evatest2.exe	Code function: 0_2_010960B7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_010960B7

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Users\user\Desktop\evatest2.exe

Code function: GetLocaleInfoA,

0_2_01096D2C

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\Desktop\evatest2.exe

Code function: 0_2_010938DB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_010938DB

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
14:50:07	API Interceptor	274x Sleep call for process: evatest2.exe modified

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Download
0.0.evatest2.exe.1090000.0.unpack	100%	Joe Sandbox ML	Download File
0.1.evatest2.exe.1090000.0.unpack	100%	Joe Sandbox ML	Download File
0.2.evatest2.exe.1090000.0.unpack	100%	Joe Sandbox ML	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

Source	Rule	Description	Author
evatest2.exe	Embedded_PE	unknown	unknown

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author
00000000.00000001.1662073315.01090000.00000002.sdmp	Embedded_PE	unknown	unknown
00000000.00000002.1671247806.01090000.00000002.sdmp	Embedded_PE	unknown	unknown
00000000.00000000.1660532969.01090000.00000002.sdmp	Embedded_PE	unknown	unknown

Unpacked PEs

Source	Rule	Description	Author
0.1.evatest2.exe.1090000.0.raw.unpack	Embedded_PE	unknown	unknown
0.2.evatest2.exe.1090000.0.raw.unpack	Embedded_PE	unknown	unknown
0.0.evatest2.exe.1090000.0.raw.unpack	Embedded_PE	unknown	unknown
0.0.evatest2.exe.1090000.0.unpack	Embedded_PE	unknown	unknown
0.1.evatest2.exe.1090000.0.unpack	Embedded_PE	unknown	unknown
0.2.evatest2.exe.1090000.0.unpack	Embedded_PE	unknown	unknown

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

evatest2.exe (PID: 2800 cmdline: 'C:\Users\user\Desktop\evatest2.exe' MD5: 4AE1716ABD362EA12F5E93C9D7010D68)

cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General
File type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):	7.848117084807777
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Java Script embedded in Visual Basic Script (1500/0) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	evatest2.exe
File size:	6677504
MD5:	4ae1716abd362ea12f5e93c9d7010d68
SHA1:	93d51ac86c5ed207dd6e77b2e767cdeb23106925
SHA256:	4f305bea98220120fb71e82f6adb7708e300c87a49eeaa05d729600db4e4e9df
SHA512:	8a31f0b7f00f7c9e3c4ea0ea30839cb6de32806bb02b64be7be012fc4adee8569860762012e4fd912ce9e522e92c638494f8050f3ab503374bbbe40cf02b9fb1
SSDEEP:	98304:bTRvmbxXIuaWLZPxMKtCM8IjaPbktQWX8AfHbhIWwPaOJn3N/BUKTKR:QGMJ8Ijary8Af7hIjJn1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W...W...W...I.G.M...I.V.G...I.@.....pI..R...W.......I.I.V...I.R.V...RichW...................PE..L...Qu.\.................f.

File Icon


Icon Hash:	aab2e3e39383aa00

Static PE Info

General
Entrypoint:	0x4014dc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5CFE7551 [Mon Jun 10 15:20:49 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	dadba842a33028572cf693651cd12efb

Entrypoint Preview

Instruction
call 1C59046Fh
jmp 1C58DEEDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00A5B198h], eax
mov dword ptr [00A5B194h], ecx
mov dword ptr [00A5B190h], edx
mov dword ptr [00A5B18Ch], ebx
mov dword ptr [00A5B188h], esi
mov dword ptr [00A5B184h], edi
mov word ptr [00A5B1B0h], ss
mov word ptr [00A5B1A4h], cs
mov word ptr [00A5B180h], ds
mov word ptr [00A5B17Ch], es
mov word ptr [00A5B178h], fs
mov word ptr [00A5B174h], gs
pushfd
pop dword ptr [00A5B1A8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00A5B19Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00A5B1A0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00A5B1ACh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00A5B0E8h], 00010001h
mov eax, dword ptr [00A5B1A0h]
mov dword ptr [00A5B09Ch], eax
mov dword ptr [00A5B090h], C0000409h
mov dword ptr [00A5B094h], 00000001h
mov eax, dword ptr [0040A004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0040A008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000034h]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[LNK] VS2008 build 21022
[C++] VS2008 build 21022
[ASM] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x96e4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x65c000	0x1b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x65d000	0x6d0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8130	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9390	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6434	0x6600	False	0.611481311275	ump; DBase 3 data file with memo(s) (1750554197 records)	6.57584458721	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1cb6	0x1e00	False	0.352864583333	ump; data	5.35731007345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x651c1c	0x651200	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x65c000	0x1b4	0x200	False	0.490234375	ump; data	5.0997477791	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x65d000	0x47c4	0x4800	False	0.0876736111111	ump; data	1.04076936106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x65c058	0x15a	ump; ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

lstrlenA, OutputDebugStringW, GetProcAddress, LoadLibraryA, GetModuleHandleA, VirtualProtect, HeapAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW

USER32.dll

GetKeyboardLayout

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: evatest2.exe PID: 2800 Parent PID: 2468

General

Start time:	14:50:07
Start date:	11/06/2019
Path:	C:\Users\user\Desktop\evatest2.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\evatest2.exe'
Imagebase:	0x1090000
File size:	6677504 bytes
MD5 hash:	4AE1716ABD362EA12F5E93C9D7010D68
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000000.00000001.1662073315.01090000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.1671247806.01090000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000000.1660532969.01090000.00000002.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: evatest2.exe PID: 2800 Parent PID: 2468 evatest2.exeCOMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	1102
Total number of Limit Nodes:	13

Executed Functions

Function 01091000, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 169
librarymemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNELBASE(Salut la scene de l'hexagone de la part de votre meilleur ami. Depuis Skopje, 06/06/2019), ref: 0109100C
GetKeyboardLayout.USER32(00000000), ref: 01091015
lstrlenA.KERNEL32(JhNL121jlUAVQBqa6T88S4BXvirw2PXL), ref: 0109103A
_malloc.LIBCMT ref: 0109105E
GetModuleHandleA.KERNEL32(ntdll,RtlDecompressBuffer), ref: 01091072
GetProcAddress.KERNEL32(00000000), ref: 01091079
_malloc.LIBCMT ref: 010910AA
VirtualProtect.KERNEL32(00000000,?,00000040,?), ref: 0109110D

Strings

RtlDecompressBuffer, xrefs: 01091066
JhNL121jlUAVQBqa6T88S4BXvirw2PXL, xrefs: 01091035, 01091045
Salut la scene de l'hexagone de la part de votre meilleur ami. Depuis Skopje, 06/06/2019, xrefs: 01091007
ntdll, xrefs: 0109106B

Memory Dump Source

Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp Download File
Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp Download File
Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp Download File
Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp Download File
Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp Download File
Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd

Yara matches

Similarity

API ID: _malloc$AddressDebugHandleKeyboardLayoutModuleOutputProcProtectStringVirtuallstrlen
String ID: JhNL121jlUAVQBqa6T88S4BXvirw2PXL$RtlDecompressBuffer$Salut la scene de l'hexagone de la part de votre meilleur ami. Depuis Skopje, 06/06/2019$ntdll
API String ID: 2917901339-765280124
Opcode ID: 517781e4a7ab18d2f4fae7ea1eb9369228bea58d0e20e8d82ac2ade4fa0fb288
Instruction ID: 6f99394cf70af3179dfc535c8d805af62ed21ebf4034de3e5ea86f7413f0f11e
Opcode Fuzzy Hash: 517781e4a7ab18d2f4fae7ea1eb9369228bea58d0e20e8d82ac2ade4fa0fb288
Instruction Fuzzy Hash: CF51FFB170030AAFDB20CF69CCA4BAAB7A5FF85324F048469F99987341D335E815DB90

Uniqueness

Uniqueness Score: -1,00%

Function 01094387, Relevance: 3.0, APIs: 2, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__calloc_crt.LIBCMT ref: 0109438E

Part of subcall function 01093ABB: __calloc_impl.LIBCMT ref: 01093ACC
Part of subcall function 01093ABB: Sleep.KERNEL32(00000000), ref: 01093AE3

__encode_pointer.LIBCMT ref: 01094396

Part of subcall function 0109333E: TlsGetValue.KERNEL32(00000000,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 01093350
Part of subcall function 0109333E: TlsGetValue.KERNEL32(00000003,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 01093367
Part of subcall function 0109333E: RtlEncodePointer.NTDLL(00000000,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 010933A5

Memory Dump Source

Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp Download File
Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp Download File
Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp Download File
Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp Download File
Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp Download File
Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd

Yara matches

Similarity

API ID: Value$EncodePointerSleep__calloc_crt__calloc_impl__encode_pointer
String ID:
API String ID: 2812158048-0
Opcode ID: 226acbb921075ca572401cc3be91de767efa0c3ee5bc0a07dc076e8757f62525
Instruction ID: 690b4f4d15878ef23a0e6b268c490db9a4dabff490f178e3c05331a655db4d1a
Opcode Fuzzy Hash: 226acbb921075ca572401cc3be91de767efa0c3ee5bc0a07dc076e8757f62525
Instruction Fuzzy Hash: 0DD05B73D456251AEFB196357C157D936D0D740770F11C166E544DE284EF60484257C0

Uniqueness

Uniqueness Score: -1,00%

Function 0109244C, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 01092461

Memory Dump Source

Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp Download File
Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp Download File
Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp Download File
Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp Download File
Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp Download File
Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 55b297b39118319f1b8980d8d675db49fe7a880871e4b6be3750bdc86a99c332
Instruction ID: 005c2c854da20e029e1987db6445d1c972bb01490cbbd63c57f779f88f09c402
Opcode Fuzzy Hash: 55b297b39118319f1b8980d8d675db49fe7a880871e4b6be3750bdc86a99c332
Instruction Fuzzy Hash: D9D05E76554309AADB619E766C08B623BDC9385395F10C436B95CCA144FA78C5509F00

Uniqueness

Uniqueness Score: -1,00%

Function 010943B8, Relevance: 1.5, APIs: 1, Instructions: 14
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01092518: __lock.LIBCMT ref: 0109251A

__onexit_nolock.LIBCMT ref: 010943D0

Part of subcall function 010942CD: __decode_pointer.LIBCMT ref: 010942DC
Part of subcall function 010942CD: __decode_pointer.LIBCMT ref: 010942EC
Part of subcall function 010942CD: __msize.LIBCMT ref: 0109430A
Part of subcall function 010942CD: __realloc_crt.LIBCMT ref: 0109432E
Part of subcall function 010942CD: __realloc_crt.LIBCMT ref: 01094344
Part of subcall function 010942CD: __encode_pointer.LIBCMT ref: 01094356
Part of subcall function 010942CD: __encode_pointer.LIBCMT ref: 01094364
Part of subcall function 010942CD: __encode_pointer.LIBCMT ref: 0109436F

Memory Dump Source

Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp Download File
Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp Download File
Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp Download File
Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp Download File
Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp Download File
Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd

Yara matches

Similarity

API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
String ID:
API String ID: 1316407801-0
Opcode ID: e079d7076ebf568266cbacfdf6e9732690663e7b3985c759d0bd2b54dcfd0ad5
Instruction ID: 1f949755b19a22eecf1036e8de071498472f4f8868bf6b429ffe43d545c1840c
Opcode Fuzzy Hash: e079d7076ebf568266cbacfdf6e9732690663e7b3985c759d0bd2b54dcfd0ad5
Instruction Fuzzy Hash: 4AD05E71C0230ABAEF10BBB4C960BCE76707F20321FA08288A0E0A60D0CA744602BB41

Uniqueness

Uniqueness Score: -1,00%

Function 01094465, Relevance: 1.5, APIs: 1, Instructions: 5
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__encode_pointer.LIBCMT ref: 0109446A

Part of subcall function 0109333E: TlsGetValue.KERNEL32(00000000,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 01093350
Part of subcall function 0109333E: TlsGetValue.KERNEL32(00000003,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 01093367
Part of subcall function 0109333E: RtlEncodePointer.NTDLL(00000000,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 010933A5

Memory Dump Source

Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp Download File
Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp Download File
Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp Download File
Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp Download File
Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp Download File
Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd

Yara matches

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: bd475dd3a91cf132121601a8e4f13c01cfdc920b7f9ed5e856f71acf36cbaaaf
Instruction ID: 02d088ff2abdf414b873dbd36b003354c8cc12b3d011a5ebaa3615f4e8312f8d
Opcode Fuzzy Hash: bd475dd3a91cf132121601a8e4f13c01cfdc920b7f9ed5e856f71acf36cbaaaf
Instruction Fuzzy Hash: 02A002A29C6246494F546BB6BE3258426D07595652750E25EF0A8CE248DFA000517A15

Uniqueness

Uniqueness Score: -1,00%

Function 010933B0, Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__encode_pointer.LIBCMT ref: 010933B2

Part of subcall function 0109333E: TlsGetValue.KERNEL32(00000000,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 01093350
Part of subcall function 0109333E: TlsGetValue.KERNEL32(00000003,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 01093367
Part of subcall function 0109333E: RtlEncodePointer.NTDLL(00000000,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 010933A5

Memory Dump Source

Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp Download File
Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp Download File
Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp Download File
Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp Download File
Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp Download File
Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd

Yara matches

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 47b9a5247b9d3b2232a05d43e38ee8037fc72fdec48eb7539effcff6c66b4fbc
Instruction ID: 037c1d300b38c76fdc58ad587e1d62720e1385852740713e3a02524a045eb3d5
Opcode Fuzzy Hash: 47b9a5247b9d3b2232a05d43e38ee8037fc72fdec48eb7539effcff6c66b4fbc
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1,00%

Non-executed Functions

Function 0109120D, Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 010915A1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 010915B6
UnhandledExceptionFilter.KERNEL32(0109814C), ref: 010915C1
GetCurrentProcess.KERNEL32(C0000409), ref: 010915DD
TerminateProcess.KERNEL32(00000000), ref: 010915E4

Memory Dump Source

Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp Download File
Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp Download File
Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp Download File
Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp Download File
Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp Download File
Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 47a8569a142b8be9175a7df26f41a24118ba4b45052d50173fbf3ae54428a015
Instruction ID: 158be9274d5d7e5af2fdf97ff41aaf896b92a7caaf246161019fd555998a998c
Opcode Fuzzy Hash: 47a8569a142b8be9175a7df26f41a24118ba4b45052d50173fbf3ae54428a015
Instruction Fuzzy Hash: 612123B4900209DFDB71DF24FD5A6883BF0BB49322F40621AE5498F358E7B5A9A4CF04

Uniqueness

Uniqueness Score: -1,00%

Function 01096D2C, Relevance: 1.5, APIs: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000006,?,?,?,?,?,?,00000000), ref: 01096D50

Memory Dump Source

Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp Download File
Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp Download File
Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp Download File
Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp Download File
Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp Download File
Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d542dcd3b4e06b9419035c1b7e16c3fc1328cfe56b8fc90685bf38ae765a955c
Instruction ID: 038029e93591d03c46b205434be772a3dfaa706c5ad60451dcdb916af5d1ee58
Opcode Fuzzy Hash: d542dcd3b4e06b9419035c1b7e16c3fc1328cfe56b8fc90685bf38ae765a955c
Instruction Fuzzy Hash: ADF0ED30A0420CAECF10EBB8C824BAE7BA8AB48324F4041A9F5A1DA2C0DA729604D710

Uniqueness

Uniqueness Score: -1,00%

Function 01094D96, Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 01094DA2

Part of subcall function 01093605: __getptd_noexit.LIBCMT ref: 01093608
Part of subcall function 01093605: __amsg_exit.LIBCMT ref: 01093615

__amsg_exit.LIBCMT ref: 01094DC2
__lock.LIBCMT ref: 01094DD2
InterlockedDecrement.KERNEL32(?), ref: 01094DEF
InterlockedIncrement.KERNEL32(00641690), ref: 01094E1A

Memory Dump Source

Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp Download File
Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp Download File
Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp Download File
Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp Download File
Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp Download File
Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 4a14a1dc4b897edc68df21453a04259b5bf87e41b597c172075473a8f662b7c7
Instruction ID: f6f148408252fc2b8723cb07679de74def5c8b4709b99c19183b5d92c4a85d93
Opcode Fuzzy Hash: 4a14a1dc4b897edc68df21453a04259b5bf87e41b597c172075473a8f662b7c7
Instruction Fuzzy Hash: 4A010432E4A716EBDF61AF28912578EB7E0BF04721F014049E4D0E7280C7786943EBD1

Uniqueness

Uniqueness Score: -1,00%

Function 010939E8, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 01093A06

Part of subcall function 01091768: __mtinitlocknum.LIBCMT ref: 0109177E
Part of subcall function 01091768: __amsg_exit.LIBCMT ref: 0109178A
Part of subcall function 01091768: EnterCriticalSection.KERNEL32(?,?,?,0109596B,00000004,01099668,0000000C,01093AD1,?,?,00000000,00000000,00000000,?,010935B7,00000001), ref: 01091792

___sbh_find_block.LIBCMT ref: 01093A11
___sbh_free_block.LIBCMT ref: 01093A20
HeapFree.KERNEL32(00000000,?,01099568), ref: 01093A50
GetLastError.KERNEL32(?,0109596B,00000004,01099668,0000000C,01093AD1,?,?,00000000,00000000,00000000,?,010935B7,00000001,00000214), ref: 01093A61

Memory Dump Source

Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp Download File
Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp Download File
Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp Download File
Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp Download File
Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp Download File
Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd

Yara matches

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 41c6cc0237cd49862e55be84a8a65958311b0005b07422c7a69581aed153eb5a
Instruction ID: bd7148797fb667f266170f264c0ec27ca972b173306cf87503220209571a2b40
Opcode Fuzzy Hash: 41c6cc0237cd49862e55be84a8a65958311b0005b07422c7a69581aed153eb5a
Instruction Fuzzy Hash: 59018F31D01207AAEF31ABB49C28B9E7AA4BF10B60F204149F1C1AA184CA398580AF55

Uniqueness

Uniqueness Score: -1,00%

Function 01095874, Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 01095880

Part of subcall function 01093605: __getptd_noexit.LIBCMT ref: 01093608
Part of subcall function 01093605: __amsg_exit.LIBCMT ref: 01093615

__getptd.LIBCMT ref: 01095897
__amsg_exit.LIBCMT ref: 010958A5
__lock.LIBCMT ref: 010958B5

Memory Dump Source

Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true

Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp Download File
Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp Download File
Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp Download File
Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp Download File
Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp Download File
Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 6795282b0b9725a4ce6dcbc82f3fa518d85de902d0cdee0ae786dafd6c425d78
Instruction ID: ddb5a4d9ee631932785ef154fc9c263fbc55af83f5395e40211ac69467d1396d
Opcode Fuzzy Hash: 6795282b0b9725a4ce6dcbc82f3fa518d85de902d0cdee0ae786dafd6c425d78
Instruction Fuzzy Hash: F1F06D32A417029BEF62BBAA892179E77E47B14720F01414AC5C0AF2D0CB349901EB92

Uniqueness

Uniqueness Score: -1,00%

Description:	Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.
Tactics:	Execution
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report evatest2.exe

Overview

General Information

Detection

Confidence

Classification

Mitre Att&ck Matrix

Signature Overview

AV Detection:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus and Machine Learning Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: evatest2.exe PID: 2800 Parent PID: 2468

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: evatest2.exe PID: 2800 Parent PID: 2468 evatest2.exeCOMMON

Execution Graph

Graph

Executed Functions

Function 01091000, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 169librarymemorystringCOMMON

Control-flow Graph

Function 01094387, Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Control-flow Graph

Function 0109244C, Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Control-flow Graph

Function 010943B8, Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Control-flow Graph

Function 01094465, Relevance: 1.5, APIs: 1, Instructions: 5COMMONLIBRARYCODE

Control-flow Graph

Function 01091000, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 169
librarymemorystringCOMMON

Function 01094387, Relevance: 3.0, APIs: 2, Instructions: 21
COMMON

Function 0109244C, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 010943B8, Relevance: 1.5, APIs: 1, Instructions: 14
COMMONLIBRARYCODE

Function 01094465, Relevance: 1.5, APIs: 1, Instructions: 5
COMMONLIBRARYCODE

Function 010933B0, Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE