Play interactive tour

Edit tour

Analysis Report xuy1.bin

Overview

General Information

Joe Sandbox Version:	26.0.0
Analysis ID:	836034
Start date:	11.04.2019
Start time:	19:17:10
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	xuy1.bin (renamed file extension from bin to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.evad.winEXE@5/1@0/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtUserCreateWindowEx calls found. Report size getting too big, too many NtUserDestroyWindow calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: xuy1.exe, regsvr32.exe, rundll32.exe

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	68	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Graphical User Interface1	Winlogon Helper DLL	Process Injection111	Software Packing1	Credential Dumping	Process Discovery1	Application Deployment Software	Data from Local System	Data Encrypted1	Standard Non-Application Layer Protocol1
Replication Through Removable Media	Service Execution	Port Monitors	Accessibility Features	Process Injection111	Network Sniffing	Security Software Discovery1	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Application Layer Protocol1
Drive-by Compromise	Windows Management Instrumentation	Accessibility Features	Path Interception	Obfuscated Files or Information2	Input Capture	System Information Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus or Machine Learning detection for sample

Show sources

Source: xuy1.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 0.0.xuy1.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 0.1.xuy1.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 0.2.xuy1.exe.3ff0000.2.unpack	Joe Sandbox ML: detected

Networking:

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 215.56.245.0
Source: unknown	TCP traffic detected without corresponding DNS query: 215.56.245.0
Source: unknown	TCP traffic detected without corresponding DNS query: 215.56.245.0
Source: unknown	TCP traffic detected without corresponding DNS query: 174.60.72.9
Source: unknown	TCP traffic detected without corresponding DNS query: 174.60.72.9
Source: unknown	TCP traffic detected without corresponding DNS query: 174.60.72.9
Source: unknown	TCP traffic detected without corresponding DNS query: 87.18.28.52
Source: unknown	TCP traffic detected without corresponding DNS query: 87.18.28.52
Source: unknown	TCP traffic detected without corresponding DNS query: 87.18.28.52
Source: unknown	TCP traffic detected without corresponding DNS query: 150.132.134.24

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Show sources

Source: global traffic	TCP traffic: 192.168.1.81:49216 -> 215.56.245.0:443
Source: global traffic	TCP traffic: 192.168.1.81:49217 -> 174.60.72.9:443
Source: global traffic	TCP traffic: 192.168.1.81:49218 -> 87.18.28.52:443
Source: global traffic	TCP traffic: 192.168.1.81:49219 -> 150.132.134.24:443

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49216 -> 443

System Summary:

Blacklisted process start detected (Windows program)

Show sources

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0

PE file has nameless sections

Show sources

Source: xuy1.exe

Static PE information: section name:

PE file contains executable resources (Code or Archives)

Show sources

Source: xuy1.exe

Static PE information: Resource name: RT_STRING type: ump; DOS executable (COM)

Tries to load missing DLLs

Show sources

Source: C:\Windows\System32\regsvr32.exe

Section loaded: f1.dll

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Show sources

Source: xuy1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Show sources

Source: classification engine

Classification label: mal68.evad.winEXE@5/1@0/4

Creates files inside the user directory

Show sources

Source: C:\Users\user\Desktop\xuy1.exe

File created: C:\Users\user\Desktop\xuy1.dll

Jump to behavior

PE file has an executable .text section and no other executable section

Show sources

Source: xuy1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using Borland Delphi (Probably coded in Delphi)

Show sources

Source: C:\Users\user\Desktop\xuy1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\xuy1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\regsvr32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Reads software policies

Show sources

Source: C:\Users\user\Desktop\xuy1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Runs a DLL by calling functions

Show sources

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\xuy1.exe 'C:\Users\user\Desktop\xuy1.exe'
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user~1\Desktop\xuy1.dll f1 C:\Users\user~1\Desktop\xuy1.exe@224
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0
Source: C:\Users\user\Desktop\xuy1.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user~1\Desktop\xuy1.dll f1 C:\Users\user~1\Desktop\xuy1.exe@224	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0

Data Obfuscation:

PE file contains sections with non-standard names

Show sources

Source: xuy1.exe	Static PE information: section name: .newIT
Source: xuy1.exe	Static PE information: section name:
Source: xuy1.dll.0.dr	Static PE information: section name: .didata

Registers a DLL

Show sources

Source: unknown

Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user~1\Desktop\xuy1.dll f1 C:\Users\user~1\Desktop\xuy1.exe@224

Binary may include packed or encrypted code

Show sources

Source: initial sample

Static PE information: section name: .text entropy: 7.29911063566

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Users\user\Desktop\xuy1.exe

File created: C:\Users\user\Desktop\xuy1.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\xuy1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuy1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of harddrives

Show sources

Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe	File Volume queried: C:\ FullSizeInformation

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Users\user\Desktop\xuy1.exe	Window / User API: threadDelayed 420			Jump to behavior
Source: C:\Users\user\Desktop\xuy1.exe	Window / User API: threadDelayed 420			Jump to behavior

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Users\user\Desktop\xuy1.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\xuy1.dll

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Users\user\Desktop\xuy1.exe TID: 2712	Thread sleep count: 420 > 30			Jump to behavior
Source: C:\Users\user\Desktop\xuy1.exe TID: 2588	Thread sleep count: 420 > 30			Jump to behavior

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Users\user\Desktop\xuy1.exe

System information queried: KernelDebuggerInformation

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\rundll32.exe	Network Connect: 87.18.28.52 443
Source: C:\Windows\System32\rundll32.exe	Network Connect: 150.132.134.24 443
Source: C:\Windows\System32\rundll32.exe	Network Connect: 215.56.245.0 443
Source: C:\Windows\System32\rundll32.exe	Network Connect: 174.60.72.9 443

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Users\user\Desktop\xuy1.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user~1\Desktop\xuy1.dll f1 C:\Users\user~1\Desktop\xuy1.exe@224			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: rundll32.exe, 00000003.00000002.1645767935.00600000.00000002.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000003.00000002.1645767935.00600000.00000002.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000003.00000002.1645767935.00600000.00000002.sdmp	Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation

Queries the cryptographic machine GUID

Show sources

Source: C:\Users\user\Desktop\xuy1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
19:18:14	API Interceptor	498x Sleep call for process: xuy1.exe modified
19:18:14	API Interceptor	1x Sleep call for process: regsvr32.exe modified
19:18:15	API Interceptor	1x Sleep call for process: rundll32.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xuy1.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Download
0.0.xuy1.exe.400000.0.unpack	100%	Joe Sandbox ML	Download File
0.1.xuy1.exe.400000.0.unpack	100%	Joe Sandbox ML	Download File
0.2.xuy1.exe.3ff0000.2.unpack	100%	Joe Sandbox ML	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

xuy1.exe (PID: 224 cmdline: 'C:\Users\user\Desktop\xuy1.exe' MD5: 9977310186F3DF14EE1C3D60EDBB9821)

regsvr32.exe (PID: 5932 cmdline: C:\Windows\system32\regsvr32.exe -s C:\Users\user~1\Desktop\xuy1.dll f1 C:\Users\user~1\Desktop\xuy1.exe@224 MD5: 432BE6CF7311062633459EEF6B242FB5)

rundll32.exe (PID: 5960 cmdline: C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Created / dropped Files

C:\Users\user\Desktop\xuy1.dll Download File
Process:	C:\Users\user\Desktop\xuy1.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	453648
Entropy (8bit):	6.321533380248072
Encrypted:	false
MD5:	A2E35DF6B51831044519B392E3050B6F
SHA1:	6FA35EA0C642B0C7954B36B27948B29EE12C9BC9
SHA-256:	B7AB58BD4CB1E31C1ABA4BB5B14CCF669A9D9CD9A7D8B7217CDE84548FC78EDD
SHA-512:	990A4952E1A409FEBB799A07BB7050B79CAD18012EE017D38571379A7FC4BDDB539D57F912D65CC87DCC3A9D64A264F94F4B4DDB96651212C958044D3ECE69BF
Malicious:	false
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...R..\.................^..........(u............@..................................................................@..p.... ...............................`..d=...................................................".......0.......................text....T.......V.................. ..`.itext..H....p.......Z.............. ..`.data....%.......&...b..............@....bss.....b...............................idata....... ......................@....didata......0......................@....edata..p....@......................@..@.rdata..D....P......................@..@.reloc..d=...`...>..................@..B.rsrc...............................@..@....................................@..@........................................................

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
87.18.28.52	Italy	3269	ASN-IBSNAZIT	true
150.132.134.24	Sweden	158	ERI-AS-EricssonNetworkSystemsIncUS	true
215.56.245.0	United States	721	DNIC-ASBLK-00721-00726-DoDNetworkInformationCenterUS	true
174.60.72.9	United States	7922	unknown	true

Static File Info

General
File type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):	6.993291537469341
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xuy1.exe
File size:	952320
MD5:	9977310186f3df14ee1c3d60edbb9821
SHA1:	2be94450d8677cb819aa74684901bb52e1604674
SHA256:	67a77942a7aa208f2a7e178de2b75e5acab6c5fd89883f691255bb9457a0ca4c
SHA512:	b50125e0eea2e6e873a16354b30bdab8227ebfa6f25aefc3a5461bec3feb330b2b054878b70c68b31daebe47b7ae7bbc186d58e48086a502e4014a93e7c7f174
SSDEEP:	24576:MWn0sX1FqSgNfscXtaJPnzKeAnjTy+RzHZ:9qfawh
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..\............................h:............@.................................K............@.........................

File Icon


Icon Hash:	aab2e3e39383aa00

Static PE Info

General
Entrypoint:	0x403a68
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5CADA338 [Wed Apr 10 08:03:04 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f7bf957f6a3c581f66fe6f6bb8756c85

Entrypoint Preview

Instruction
pushad
xor ebx, ebx
push 00002111h
push 00008777h
call 5D1F994Bh
or eax, eax
jne 5D1F9FE2h
push 00000014h
call 5D1F9E43h
or eax, eax
jne 5D1F9FD7h
push 00000040h
push 00001000h
push dword ptr [ebx+004D000Ch]
push 00000000h
call dword ptr [ebx+004D0688h]
mov edi, eax
mov dword ptr [ebx+004D0024h], edi
cmp ebx, 00000000h
jbe 5D1F9FCEh
add dword ptr [ebx+004D0000h], ebx
add dword ptr [ebx+004D0030h], ebx
mov esi, dword ptr [ebx+004D0000h]
mov ecx, dword ptr [ebx+004D000Ch]
rep movsb
mov ecx, 000FFFFFh
mov eax, dword ptr [ebx+004D0024h]
push 00403AE9h
pop dword ptr [ebx+004D0034h]
and dword ptr [ebx+004D0034h], ecx
xor eax, dword ptr [ebx+004D0034h]
jmp eax
push FFFF0000h
call 5D1F9BEBh
or ebx, ebx
je 5D1F9FD7h
push 00000004h
push 00001000h
push dword ptr [ebx+004D001Ch]
push 00000000h
call dword ptr [ebx+004D0688h]
push eax
pop dword ptr [ebx+004D0028h]
mov dword ptr [ebx+004D0018h], 00000002h
mov dword ptr [ebx+004D0014h], eax
lea eax, dword ptr [ebx+004D0018h]
push eax
push 00000040h
push dword ptr [ebx+0000000Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15a000	0xf0	.newIT
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x151000	0x83f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xd0400	0x18	.data
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x240	0xf4
IMAGE_DIRECTORY_ENTRY_IAT	0xd0600	0x1c4	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xce8d8	0xcea00	False	0.808364526618	ump; data	7.29911063566	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xd0000	0x80d6e	0x1400	False	0.418359375	ump; data	4.23078910028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x151000	0x83f0	0x8400	False	0.5498046875	ump; data	6.48386562547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.newIT	0x15a000	0xf0	0x200	False	0.248046875	ump; data	2.09852780187	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x15b000	0x10000	0x10000	False	0.00128173828125	ump; data	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x151628	0x25a8	ump; data
RT_MENU	0x153bd0	0x3fc	ump; data
RT_MENU	0x153fcc	0x350	ump; data
RT_MENU	0x15431c	0x274	ump; data
RT_MENU	0x154590	0x3cc	ump; data
RT_MENU	0x15495c	0x4ca	ump; data
RT_MENU	0x154e28	0x312	ump; data
RT_DIALOG	0x15513c	0x224	ump; data
RT_DIALOG	0x155360	0x5ce	ump; data
RT_DIALOG	0x155930	0x100	ump; data
RT_DIALOG	0x155a30	0x294	ump; data
RT_DIALOG	0x155cc4	0x8c	ump; data
RT_DIALOG	0x155d50	0x1a6	ump; data
RT_DIALOG	0x155ef8	0x100	ump; data
RT_DIALOG	0x155ff8	0x298	ump; data
RT_STRING	0x156290	0x3ee	ump; data
RT_STRING	0x156680	0x37a	ump; DBase 3 data file
RT_STRING	0x1569fc	0x934	ump; data
RT_STRING	0x157330	0x940	ump; DOS executable (COM)
RT_STRING	0x157c70	0x5e2	ump; data
RT_STRING	0x158254	0x192	ump; data
RT_STRING	0x1583e8	0xb54	ump; data
RT_STRING	0x158f3c	0x208	ump; data
RT_RCDATA	0x159144	0x4f	ump; data
RT_RCDATA	0x159194	0x50	ump; data
RT_RCDATA	0x1591e4	0x3a	ump; data
RT_RCDATA	0x159220	0x5c	ump; data
RT_GROUP_ICON	0x15927c	0x16	ump; MS Windows icon resource
RT_MANIFEST	0x159294	0x15a	ump; ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	GetACP, GetModuleHandleA, GetProcAddress, GetVersion, ExitThread, Sleep, VirtualAlloc, VirtualProtect, LoadLibraryA, CreateThread, ExitProcess, SetLocalPrimaryComputerNameA, GetSystemTimeAdjustment, GetConsoleInputWaitHandle, GetProcessHandleCount, WritePrivateProfileStructW, SetThreadAffinityMask, FindActCtxSectionGuid, SetComputerNameExA, HeapDestroy
comctl32.dll	InitCommonControls, ImageList_GetFlags, DefSubclassProc, DPA_DeleteAllPtrs, FlatSB_GetScrollRange, SetWindowSubclass, ImageList_ReplaceIcon, ImageList_Replace
ole32.dll	OleUninitialize, OleInitialize, CoAllowSetForegroundWindow, CoPopServiceDomain, DllGetClassObject, CoGetClassVersion, CoGetSystemSecurityPermissions
gdi32.dll	GdiSetBatchLimit, ClearBitmapAttributes, GetWorldTransform, GetMetaRgn, GdiConvertDC, GdiGetBitmapBitsSize, GetPolyFillMode, CombineRgn, GetGlyphIndicesW, PaintRgn, DdEntry24
msimg32.dll	TransparentBlt, AlphaBlend, vSetDdrawflag
oledlg.dll	OleUIObjectPropertiesW, OleUIChangeSourceW, OleUIConvertA, OleUIUpdateLinksW, OleUIPromptUserW, OleUIEditLinksA, OleUIAddVerbMenuA, OleUICanConvertOrActivateAs, OleUIInsertObjectW, OleUIBusyA, OleUIChangeIconW, OleUIBusyW, OleUIUpdateLinksA
winspool.drv	PerfCollect, EnumPrinterDataExA, SetPrinterDataExA, EnumFormsA, DocumentPropertiesW, EnumPortsW, EndDocPrinter
imagehlp.dll	ImageEnumerateCertificates, SymGetSymFromName, MapDebugInformation, SymGetSymPrev, ImageGetDigestStream, SymGetLineNext
oleacc.dll	AccessibleObjectFromEvent, GetOleaccVersionInfo, GetStateTextW, AccessibleObjectFromWindow, AccessibleChildren, CreateStdAccessibleObject, CreateStdAccessibleProxyW, IID_IAccessible
shlwapi.dll	PathAppendA, SHOpenRegStream2W, SHRegGetPathW, PathRenameExtensionA, PathFindFileNameA, SHRegSetUSValueA, PathGetCharTypeA, PathFindNextComponentA, PathUnquoteSpacesA, AssocQueryStringA, PathIsUNCW
shell32.dll	SHStartNetConnectionDialogW, FindExecutableW, SHPathPrepareForWriteA, CommandLineToArgvW, ShellExecuteEx, SHCloneSpecialIDList, RealShellExecuteA, SHGetNewLinkInfoW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 11, 2019 19:19:05.048475981 MESZ	49216	443	192.168.1.81	215.56.245.0
Apr 11, 2019 19:19:08.048301935 MESZ	49216	443	192.168.1.81	215.56.245.0
Apr 11, 2019 19:19:14.047909975 MESZ	49216	443	192.168.1.81	215.56.245.0
Apr 11, 2019 19:19:26.075037003 MESZ	49217	443	192.168.1.81	174.60.72.9
Apr 11, 2019 19:19:29.063646078 MESZ	49217	443	192.168.1.81	174.60.72.9
Apr 11, 2019 19:19:35.064271927 MESZ	49217	443	192.168.1.81	174.60.72.9
Apr 11, 2019 19:19:47.072783947 MESZ	49218	443	192.168.1.81	87.18.28.52
Apr 11, 2019 19:19:50.079416990 MESZ	49218	443	192.168.1.81	87.18.28.52
Apr 11, 2019 19:19:56.079925060 MESZ	49218	443	192.168.1.81	87.18.28.52
Apr 11, 2019 19:20:08.082268953 MESZ	49219	443	192.168.1.81	150.132.134.24

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: xuy1.exe PID: 224 Parent PID: 3416

General

Start time:	19:17:15
Start date:	11/04/2019
Path:	C:\Users\user\Desktop\xuy1.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\xuy1.exe'
Imagebase:	0x400000
File size:	952320 bytes
MD5 hash:	9977310186F3DF14EE1C3D60EDBB9821
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: regsvr32.exe PID: 5932 Parent PID: 224

General

Start time:	19:18:13
Start date:	11/04/2019
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe -s C:\Users\user~1\Desktop\xuy1.dll f1 C:\Users\user~1\Desktop\xuy1.exe@224
Imagebase:	0xfd0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: rundll32.exe PID: 5960 Parent PID: 5932

General

Start time:	19:18:14
Start date:	11/04/2019
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0
Imagebase:	0x4e0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	The Graphical User Interfaces (GUI) is a common way to interact with an operating system. Adversaries may use a system's GUI during an operation, commonly through a remote interactive session such as Remote Desktop Protocol , instead of through a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), to search for information and execute files via mouse double-click events, the Windows Run command , or other potentially difficult to monitor interactions.
Tactics:	Execution
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report xuy1.bin

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus and Machine Learning Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted IPs

Public

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: xuy1.exe PID: 224 Parent PID: 3416

General

Chronological Activities

Analysis Process: regsvr32.exe PID: 5932 Parent PID: 224

General

Chronological Activities

Analysis Process: rundll32.exe PID: 5960 Parent PID: 5932

General

Chronological Activities