
Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 56303
Start time: 15:34:04
Joe Sandbox Product: Cloud
Start date: 03.07.2018
Overall analysis duration: 0h 6m 22s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: csshead (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: W10 Native physical Machine for testing VM-aware malware (Office 2010, Java 1.8.0_91, Flash 22.0.0.192, Acrobat Reader DC 15.016.20039, Internet Explorer 11, Chrome 55, Firefox 50)
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.evad.winEXE@3/0@0/0
HCA Information:
  • Successful, ratio: 74%
  • Number of executed functions: 106
  • Number of non-executed functions: 246
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 45.7% (good quality ratio 42.1%)
  • Quality average: 80.9%
  • Quality standard deviation: 30.5%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time

Detection

Strategy: Threshold
Score: 76
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample may offer command line options; run it again with the 'Execute binary with arguments' cookbook (the switches may require prefix characters such as "-", "/" or "--").
Sample reads its own file and then shows little behaviour; it likely performs host environment checks whose results are compared against an embedded key.
Sample tries to load a library (open.dll) that is not present or installed on the analysis machine; adding the library might reveal more behaviour.



Signature Overview



AV Detection:

Antivirus detection for unpacked file
Source: 0.2.csshead.exe.50000.0.unpack  Avira: Label: TR/Crypt.XPACK.Gen
Source: 0.2.csshead.exe.400000.1.unpack  Avira: Label: HEUR/AGEN.1023574
Source: 0.0.csshead.exe.400000.0.unpack  Avira: Label: TR/Patched.Gen
Source: 1.2.explorer.exe.790000.2.unpack  Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.explorer.exe.770000.1.unpack  Avira: Label: TR/Crypt.XPACK.Gen
Source: 0.1.csshead.exe.400000.0.unpack  Avira: Label: TR/Patched.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
The full CryptoAPI lifecycle is present (CryptAcquireContextA through CryptReleaseContext, with CryptGenRandom, CryptImportKey/CryptSetKeyParam and both CryptEncrypt and CryptDecrypt). The explorer.exe entries are the same routines at a 0x370000 offset; see the injection signatures under HIPS / PFW / Operating System Protection Evasion below.
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004017A2 CryptDecrypt,CryptDecrypt
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_0040153C CryptGenRandom,CryptGenRandom
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00401402 CryptHashData,CryptHashData
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004017A4 CryptDecrypt,CryptDecrypt
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00401AAE CryptEncrypt,CryptEncrypt
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004017E8 CryptAcquireContextA,CryptAcquireContextA
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00401574 CryptSetKeyParam,CryptSetKeyParam
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00401AB0 CryptEncrypt,CryptEncrypt
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00401374 CryptCreateHash,CryptCreateHash
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004018A0 CryptImportKey,CryptImportKey
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004014D0 CryptDestroyHash,CryptDestroyHash
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00401490 CryptGetHashParam,CryptGetHashParam
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00401404 CryptHashData,CryptHashData
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00401AF8 CryptDestroyKey,CryptDestroyKey
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00401B20 CryptReleaseContext,CryptReleaseContext
Source: C:\Windows\explorer.exe  Code function: 1_2_007714D0 CryptDestroyHash,CryptDestroyHash
Source: C:\Windows\explorer.exe  Code function: 1_2_00771404 CryptHashData,CryptHashData
Source: C:\Windows\explorer.exe  Code function: 1_2_00771AF8 CryptDestroyKey,CryptDestroyKey
Source: C:\Windows\explorer.exe  Code function: 1_2_00771402 CryptHashData,CryptHashData
Source: C:\Windows\explorer.exe  Code function: 1_2_00771574 CryptSetKeyParam,CryptSetKeyParam
Source: C:\Windows\explorer.exe  Code function: 1_2_00771AAE CryptEncrypt,CryptEncrypt
Source: C:\Windows\explorer.exe  Code function: 1_2_007717E8 CryptAcquireContextA,CryptAcquireContextA
Source: C:\Windows\explorer.exe  Code function: 1_2_00771B20 CryptReleaseContext,CryptReleaseContext
Source: C:\Windows\explorer.exe  Code function: 1_2_007717A2 CryptDecrypt,CryptDecrypt
Source: C:\Windows\explorer.exe  Code function: 1_2_00771AB0 CryptEncrypt,CryptEncrypt
Source: C:\Windows\explorer.exe  Code function: 1_2_007718A0 CryptImportKey,CryptImportKey
Source: C:\Windows\explorer.exe  Code function: 1_2_00771490 CryptGetHashParam,CryptGetHashParam
Source: C:\Windows\explorer.exe  Code function: 1_2_00771374 CryptCreateHash,CryptCreateHash
Source: C:\Windows\explorer.exe  Code function: 1_2_0077153C CryptGenRandom,CryptGenRandom
Source: C:\Windows\explorer.exe  Code function: 1_2_007717A4 CryptDecrypt,CryptDecrypt

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004018A0 CryptImportKey,CryptImportKey
Source: C:\Windows\explorer.exe  Code function: 1_2_007718A0 CryptImportKey,CryptImportKey

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\csshead.exe  Code function: 4x nop then pop ecx  0_2_00409178
Source: C:\Users\user\Desktop\csshead.exe  Code function: 4x nop then pop ecx  0_2_00409147
Source: C:\Windows\explorer.exe  Code function: 4x nop then pop ecx  1_2_00779147
Source: C:\Windows\explorer.exe  Code function: 4x nop then pop ecx  1_2_00779178

Networking:

Contains functionality to upload files via FTP
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadBitmapA,AppendMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,mmioSetInfo,mmioAscend,GetSystemInfo,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,Loa
This signature rests on a single FtpPutFileEx reference inside 0_2_00419D20, whose API list mixes menu, bitmap, multimedia, OLE and I/O-completion calls; the same routine is where the command-line-argument and embedded-resource signatures fire. Treat it as an import-resolution routine and weak evidence of FTP exfiltration until an FtpPutFileEx call is observed at runtime.
Contains functionality to download additional files from the internet
Source: C:\Windows\explorer.exe  Code function: 1_2_007715B0 InternetReadFile
Urls found in memory or binary data
Source: csshead.exe, explorer.exe  String found in binary or memory: https://

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00401928 LoadLibraryA,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_0040949C push 004094C8h; ret 0_2_004094C0
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004094E0 push 00409506h; ret 0_2_004094FE
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_0040103C push 00401068h; ret 0_2_00401060
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_0040107C push 004010A8h; ret 0_2_004010A0
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00429267 push ebx; ret 0_2_00429268
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00429F35 push ecx; ret 0_2_00429F48
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00432D21 pushfd ; retf 0043h  0_2_00432D22
Source: C:\Windows\explorer.exe  Code function: 1_2_0077949C push 007794C8h; ret 1_2_007794C0
Source: C:\Windows\explorer.exe  Code function: 1_2_007794E0 push 00779506h; ret 1_2_007794FE
Source: C:\Windows\explorer.exe  Code function: 1_2_0077103C push 00771068h; ret 1_2_00771060
Source: C:\Windows\explorer.exe  Code function: 1_2_0077107C push 007710A8h; ret 1_2_007710A0
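A "push imm32; ret" pair is a disguised direct jump: the pushed immediate becomes the return address, and whatever bytes sit between the ret and that address never execute, although a linear-sweep disassembler will happily decode them. The script below is an added example by the editor, not part of the Joe Sandbox report or of the sample: it takes the push/ret signature lines above (copied into a constructed excerpt), resolves each immediate push into its jump target, and measures the dead gap after the ret. Register pushes and the pushfd/retf case depend on runtime values, so they are listed as unresolved rather than guessed. Function and constant names are the editor's.

```python
import re

# push/ret signature lines copied from the report: function start, pushed
# operand, address of the ret. A constructed excerpt of the page's own data.
PUSH_RET_LINES = """
0_2_0040949C push 004094C8h; ret 0_2_004094C0
0_2_004094E0 push 00409506h; ret 0_2_004094FE
0_2_0040103C push 00401068h; ret 0_2_00401060
0_2_0040107C push 004010A8h; ret 0_2_004010A0
0_2_00429267 push ebx; ret 0_2_00429268
0_2_00429F35 push ecx; ret 0_2_00429F48
0_2_00432D21 pushfd ; retf 0043h 0_2_00432D22
"""

# Only an immediate 32-bit push followed by a near ret can be resolved statically.
PUSH_RET_RE = re.compile(
    r"^(\d+)_(\d+)_([0-9A-Fa-f]{8})\s+push\s+([0-9A-Fa-f]{8})h;\s*ret\s+"
    r"\1_\2_([0-9A-Fa-f]{8})$"
)

RET_LEN = 1  # a bare near 'ret' (opcode C3) is one byte long


def resolve_push_ret(text):
    """Turn each 'push imm32; ret' into the jmp it is equivalent to.

    Returns (resolved, unresolved): resolved entries carry the function start,
    the ret address, the effective jump target and the number of bytes between
    the ret and that target which never execute; unresolved entries are the
    raw lines whose target is only known at runtime (register push, retf).
    """
    resolved, unresolved = [], []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = PUSH_RET_RE.match(line)
        if not m:
            unresolved.append(line)
            continue
        func_start, target, ret_at = (int(m.group(i), 16) for i in (3, 4, 5))
        resolved.append({
            "function": func_start,
            "ret_at": ret_at,
            "jmp_target": target,
            "skipped_bytes": target - (ret_at + RET_LEN),
        })
    return resolved, unresolved


def uniform_stub_gap(resolved):
    """Return the dead-gap size if every stub uses the same one, else None.

    A constant gap means one obfuscator template was stamped out repeatedly,
    which is worth knowing before writing a disassembler fix-up for it.
    """
    gaps = {r["skipped_bytes"] for r in resolved}
    return gaps.pop() if len(gaps) == 1 else None


if __name__ == "__main__":
    resolved, unresolved = resolve_push_ret(PUSH_RET_LINES)
    for r in resolved:
        print(f"0x{r['ret_at']:08X}: ret  ->  jmp 0x{r['jmp_target']:08X}  "
              f"({r['skipped_bytes']} junk bytes skipped)")
    for line in unresolved:
        print("runtime-dependent, left alone:", line)
    print("uniform stub gap:", uniform_stub_gap(resolved))
```

Across the four resolvable stubs the gap is a constant 7 bytes, which points to one obfuscator template rather than four hand-written tricks. Feeding the resolved targets to a disassembler as explicit jumps lets it skip the junk bytes instead of decoding them as code; the "4x nop then pop ecx" sequences flagged elsewhere in this report are the kind of filler such gaps contain.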

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00403988 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00405640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\explorer.exe  Code function: 1_2_00775640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\explorer.exe  Code function: 1_2_00773988 FindFirstFileA,FindClose

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00404E94 NtQueryInformationProcess,ReadProcessMemory
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00408A48 PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00404DE0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00408A44 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadBitmapA,AppendMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,mmioSetInfo,mmioAscend,GetSystemInfo,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,Loa
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00417E60 SetWindowLongA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00417ED0 SetWindowLongA,GetWindowLongA,OleUninitialize,OleInitialize,GetWindowTextLengthA,GetWindowTextA,SetWindowTextA,GlobalAlloc,GlobalFix,GlobalUnWire,lstrlen,SetWindowLongA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00418190 SetWindowLongA,GetWindowLongA,OleUninitialize,OleInitialize,GetWindowTextLengthA,GetWindowTextA,SetWindowTextA,GlobalAlloc,GlobalFix,GlobalUnWire,SysFreeString,lstrlen,SysFreeString,SetWindowLongA,SysFreeString,NtdllDefWindowProc_A
Source: C:\Windows\explorer.exe  Code function: 1_2_00778A48 PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Windows\explorer.exe  Code function: 1_2_00774E94 NtQueryInformationProcess,ReadProcessMemory
Source: C:\Windows\explorer.exe  Code function: 1_2_00778A44 NtdllDefWindowProc_A
Source: C:\Windows\explorer.exe  Code function: 1_2_00774DE0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
Detected potential crypto function
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00405D20
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_0041C95B
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_0043256D
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00430D58
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00423AD0
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00430807
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004302B6
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_0042E76B
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_1_0041C95B
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_1_0043256D
Source: C:\Windows\explorer.exe  Code function: 1_2_00775D20
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\csshead.exe  Code function: String function: 00429EF0 appears 34 times
PE file contains strange resources
Source: csshead.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: csshead.exe  Binary or memory string: OriginalFilename: template.exeJ vs csshead.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\csshead.exe  File read: C:\Users\user\Desktop\csshead.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\csshead.exe  Section loaded: open.dll (20 load attempts logged)
Classification label
Source: classification engine  Classification label: mal76.evad.winEXE@3/0@0/0
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_1_0041C95B EnumPrintersA,EnumPrintersA,OpenColorProfileA,OpenColorProfileA,EnumPrintersA,EnumPrintersA,LoadLibraryA,LoadIconA,LoadIconA,800001A3,800001A3,GetHGlobalFromStream,LoadLibraryA,LoadIconA,800001A3,GetHGlobalFromStream,EnumPrintersA,EnumPrintersA,GetDC,CreateEventA,GetClassLongA,SetClassLongA,GetCursorPos,GetCursorPos,CreateStreamOnHGlobal,CommDlgExtendedError,WaitForSingleObject,WaitNamedPipeA,CreateFileA,WaitNamedPipeA,CreateFileA,SetNamedPipeHandleState,CloseHandle,CloseHandle,WriteFile,ReadFile,WriteFile,CloseHandle,ReadFile,CloseHandle,LookupAccountNameA,LookupAccountNameA,GetLastError,GetLastError,GetLastError,GetLastError,LocalAlloc,LocalAlloc,GetLastError,LocalAlloc,GetLastError,LookupAccountNameA,GetLastError,LocalFree,SetStretchBltMode,SetStretchBltMode,SetAbortProc,DrawFrameControl,LoadImageA,SetWindowLongA,SetWindowLongA,CreateEventA,GetCursorPos,GetCursorPos,DragQueryFileA,GetNumberOfPhysicalMonitorsFromHMONITOR,CreateRectRgnIndirect,WaitForSingleObject,EnableMenuItem,CoInitializeEx,CoC
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadBitmapA,AppendMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,mmioSetInfo,mmioAscend,GetSystemInfo,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,Loa
Launches a second explorer.exe instance
Source: unknown  Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\csshead.exe  Process created: C:\Windows\explorer.exe
Might use command line arguments
Source: C:\Users\user\Desktop\csshead.exe  Command line argument candidates in 0_2_00419D20 (the report prints the same 29 hits twice; distinct values with their count per listing): Profile (1), <XC (13), DXC (13), (XC (1), .icm (1)
"Profile" and ".icm" are consistent with the ICM colour-profile handling seen in 0_1_0041C95B (OpenColorProfileA); the "<XC", "DXC" and "(XC" hits look like non-text bytes matched by the string heuristic rather than real switches. If the sample is re-run with arguments, "Profile" is the only plausible candidate from this list.
PE file has an executable .text section and no other executable section
Source: csshead.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\csshead.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown  Process created: C:\Users\user\Desktop\csshead.exe 'C:\Users\user\Desktop\csshead.exe'
Source: unknown  Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\csshead.exe  Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Binary contains paths to debug symbols
Source: Binary string: C:\As\Release\2000s.pdb  source: csshead.exe

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\Desktop\csshead.exe  Memory written: PID: 972 base: B0000 value: 43
Source: C:\Users\user\Desktop\csshead.exe  Memory written: PID: 972 base: 2431E8 value: 00
Source: C:\Users\user\Desktop\csshead.exe  Memory written: PID: 972 base: 12D46B0 value: 55
Writes to foreign memory regions
Source: C:\Users\user\Desktop\csshead.exe  Memory written: C:\Windows\explorer.exe base: 12D46B0
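Every function this report lists for explorer.exe sits exactly 0x370000 above its csshead.exe twin (0_2_004017A2 against 1_2_007717A2, 0_2_00404E94 against 1_2_00774E94, and so on), and the unpacked region named 1.2.explorer.exe.770000.1.unpack is 0x400000 + 0x370000. That is the signature of the whole image being copied into the other process and relocated, not of a small shellcode stub. The script below is an editor-added example, not Joe Sandbox code: it parses a constructed excerpt of the report's "Code function" references (taken from the lines on this page, including the two routines for which the report lists no csshead.exe counterpart), derives the relocation delta, verifies that each explorer.exe function maps back to a csshead.exe function with the same API chain, and lists the ones that do not. Function names are the editor's.

```python
import re
from collections import Counter

# Function references copied from the report's "Code function" lines:
# <process index>_<state>_<address> followed by the API chain Joe Sandbox
# printed. A constructed excerpt, not the full report; the empty chains are
# the report's own (its CPUID-timing routines carry no API names).
REPORT_EXCERPT = """
0_2_004017A2 CryptDecrypt,CryptDecrypt
0_2_004017A4 CryptDecrypt,CryptDecrypt
0_2_0040153C CryptGenRandom,CryptGenRandom
0_2_00401374 CryptCreateHash,CryptCreateHash
0_2_004018A0 CryptImportKey,CryptImportKey
0_2_00401B20 CryptReleaseContext,CryptReleaseContext
0_2_00401928 LoadLibraryA,GetProcAddress
0_2_00404E94 NtQueryInformationProcess,ReadProcessMemory
0_2_00405640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose
0_2_004024F8 mov eax, dword ptr fs:[00000030h]
0_2_00406B18
1_2_007717A2 CryptDecrypt,CryptDecrypt
1_2_007717A4 CryptDecrypt,CryptDecrypt
1_2_0077153C CryptGenRandom,CryptGenRandom
1_2_00771374 CryptCreateHash,CryptCreateHash
1_2_007718A0 CryptImportKey,CryptImportKey
1_2_00771B20 CryptReleaseContext,CryptReleaseContext
1_2_00774E94 NtQueryInformationProcess,ReadProcessMemory
1_2_00775640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose
1_2_007724F8 mov eax, dword ptr fs:[00000030h]
1_2_00776B18
1_2_007715B0 InternetReadFile
1_2_00776DB0 GetTickCount,Sleep,GetTickCount
"""

LINE_RE = re.compile(r"^(\d+)_(\d+)_([0-9A-Fa-f]{8})\s*(.*)$")


def parse_excerpt(text):
    """Return {process_index: {address: api_chain}} from report-style lines."""
    funcs = {}
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        proc, _state, addr, apis = m.groups()
        funcs.setdefault(int(proc), {})[int(addr, 16)] = apis.strip()
    return funcs


def relocation_delta(src, dst):
    """Most common (dst - src) distance between functions with identical API chains.

    The same chain can occur at several addresses (two CryptDecrypt wrappers
    here), which yields a few stray candidates, so take the mode instead of
    demanding that every pair agree.
    """
    candidates = Counter()
    for daddr, dapis in dst.items():
        for saddr, sapis in src.items():
            if sapis == dapis:
                candidates[daddr - saddr] += 1
    if not candidates:
        raise ValueError("no function pairs with identical API chains")
    return candidates.most_common(1)[0][0]


def verify_relocation(src, dst, delta):
    """Map every dst function back by delta; return (matched, unmatched) addresses."""
    matched, unmatched = [], []
    for daddr, dapis in dst.items():
        (matched if src.get(daddr - delta) == dapis else unmatched).append(daddr)
    return sorted(matched), sorted(unmatched)


def analyse(text, original_base=0x400000):
    """Derive the delta and the injected image base for process 0 -> process 1."""
    funcs = parse_excerpt(text)
    src, dst = funcs[0], funcs[1]
    delta = relocation_delta(src, dst)
    matched, unmatched = verify_relocation(src, dst, delta)
    return {"delta": delta, "injected_base": original_base + delta,
            "matched": matched, "unmatched": unmatched}


if __name__ == "__main__":
    r = analyse(REPORT_EXCERPT)
    print(f"relocation delta 0x{r['delta']:X}; image base in explorer.exe "
          f"0x{r['injected_base']:X}; {len(r['matched'])} functions verified")
    print("explorer.exe functions with no counterpart in the excerpt:",
          ", ".join(f"0x{a:X}" for a in r["unmatched"]))
```

On this excerpt the delta is 0x370000 and the injected image base 0x770000, matching the unpack region the AV section labels. The two explorer.exe routines without a counterpart (InternetReadFile at 0x7715B0 and the GetTickCount/Sleep probe at 0x776DB0) are absent only from the report's csshead.exe listing, not necessarily from the binary: the signature engine reported them for the injected copy alone, so they are the first places to look when the csshead.exe copy is diffed against the dump at 0x770000.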
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00404406 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004041C8 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,AllocateAndInitializeSid,EqualSid,FreeSid

Anti Debugging:

Found API chain indicative of debugger detection
Source: C:\Windows\explorer.exe  Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep  graph_1-5244
Source: C:\Users\user\Desktop\csshead.exe  Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep  graph_0-20617
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004010B4 rdtsc
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00406D40 IsDebuggerPresent
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004239DD VirtualProtect ?,-00000001,00000104,?  (protection 0x104 = PAGE_GUARD | PAGE_READWRITE)
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00401928 LoadLibraryA,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004024F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_01961560 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_01963134 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\explorer.exe  Code function: 1_2_007724F8 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00401460 GetProcessHeap,RtlReAllocateHeap
Program does not show much activity (idle)
Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_0042CA48 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00424FEB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00429814 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_1_0042CA48 SetUnhandledExceptionFilter

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00406B18
Source: C:\Windows\explorer.exe  Code function: 1_2_00776B18
Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\explorer.exe  Code function: 1_2_00776DB0 GetTickCount,Sleep,GetTickCount
Source: C:\Windows\explorer.exe  Code function: 1_2_00776DC8 GetTickCount,Sleep,GetTickCount
Found evasive API chain (may execute only at specific dates)
Source: C:\Windows\explorer.exe  Evasive API call chain: GetSystemTime,DecisionNodes,Sleep  graph_1-4754
Found stalling execution ending in API Sleep call
Source: C:\Windows\explorer.exe  Stalling execution: Execution stalls by calling Sleep  graph_1-4543
Tries to detect sandboxes and other dynamic analysis tools (process name or module)
Source: csshead.exe, 00000000.00000002.16598505108.00594000.00000004.sdmp  Binary or memory string: SBIEDLL.DLL (the Sandboxie user-mode hook DLL)
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\csshead.exe  Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_004010B4 rdtsc
Found evasive API chain (date check)
Source: C:\Windows\explorer.exe  Evasive API call chain: GetSystemTime,DecisionNodes  graph_1-4754
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Windows\explorer.exe  Evasive API call chain: RegOpenKey,DecisionNodes,Sleep  graph_1-4677
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\csshead.exe  Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess  graph_0-18809
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\csshead.exe  Check user administrative privileges: GetTokenInformation,DecisionNodes  graph_0-19037
Source: C:\Windows\explorer.exe  Check user administrative privileges: GetTokenInformation,DecisionNodes  graph_1-4564
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3852  Thread sleep count: 75 > 30
Source: C:\Windows\explorer.exe TID: 3852  Thread sleep time: -75000s >= -60000s
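The GetTickCount/Sleep/GetTickCount routine at 1_2_00776DB0 compares how far the tick counter advanced with how long the thread asked to sleep; a sandbox that returns from Sleep early without moving the clock gives itself away, and a sample that passes the probe can stall until the analysis timeout (this run stopped on "Timeout"). The simulation below is an editor-added example, not code from the report or the sample: it models that probe and the stalling loop behind "Thread sleep count: 75 > 30" and "Thread sleep time: -75000s >= -60000s", runs it against three constructed hosts (honest, sleep-skipping with an untouched clock, sleep-skipping with a consistently advanced clock), and applies the report's own sandbox-side thresholds. The class and function names, the 1000 ms sleep size and the 75-iteration loop are the editor's assumptions chosen to reproduce the report's numbers.

```python
def sleep_was_shortened(requested_ms, sleep, tick_count, tolerance_ms=0):
    """Malware-side probe: did the clock advance less than the Sleep asked for?

    `sleep` and `tick_count` stand in for the Sleep and GetTickCount APIs the
    report names; the real routine does exactly this around one Sleep call.
    """
    before = tick_count()
    sleep(requested_ms)
    elapsed = tick_count() - before
    return elapsed + tolerance_ms < requested_ms


class Environment:
    """Simulated host: a millisecond tick counter and a Sleep we control.

    skip_sleep      - Sleep returns immediately (sandbox fast-forwarding).
    fix_tick_count  - when skipping, also advance the tick counter so every
                      clock the guest can read stays consistent.
    """

    def __init__(self, skip_sleep=False, fix_tick_count=False):
        self.ticks = 0
        self.skip_sleep = skip_sleep
        self.fix_tick_count = fix_tick_count
        self.sleep_calls = []  # what a sandbox hook would log per Sleep call

    def tick_count(self):
        return self.ticks

    def sleep(self, ms):
        self.sleep_calls.append(ms)
        if not self.skip_sleep or self.fix_tick_count:
            self.ticks += ms  # real host, or a sandbox that keeps clocks in step
        # naive sandbox: return at once and leave the tick counter untouched


def sandbox_flags_sleep_loop(sleep_calls, max_calls=30, max_total_ms=60000):
    """Sandbox-side heuristic using the two thresholds printed in this report."""
    return len(sleep_calls) > max_calls or sum(sleep_calls) >= max_total_ms


def simulate_sample(env, stall_iterations=75, sleep_ms=1000):
    """Probe once; bail out if caught, otherwise stall for the remaining iterations."""
    if sleep_was_shortened(sleep_ms, env.sleep, env.tick_count):
        return {"sandbox_detected": True, "stalled": False,
                "sandbox_flagged": sandbox_flags_sleep_loop(env.sleep_calls)}
    for _ in range(stall_iterations - 1):
        env.sleep(sleep_ms)
    return {"sandbox_detected": False, "stalled": True,
            "sandbox_flagged": sandbox_flags_sleep_loop(env.sleep_calls)}


if __name__ == "__main__":
    hosts = {
        "real host": Environment(),
        "naive sleep skip": Environment(skip_sleep=True),
        "sleep skip with consistent clock": Environment(skip_sleep=True, fix_tick_count=True),
    }
    for name, env in hosts.items():
        outcome = simulate_sample(env)
        print(f"{name:34s} {outcome}  sleeps={len(env.sleep_calls)} "
              f"total={sum(env.sleep_calls)} ms")
```

The naive skip is caught on the first probe, so the sample exits after a single Sleep and never trips the "> 30 calls" threshold; the clock-consistent skip passes the probe, the sample stalls for its 75 iterations, and the sandbox heuristic fires just as it did in this report. That asymmetry is why a sandbox that fast-forwards Sleep must also adjust every time source the guest can read; the rdtsc probe at 0_2_004010B4 is the same comparison against a clock the hypervisor cannot patch as cheaply, and the boot-time and counter corrections in the Cookbook Comments are the analysis side of the same concern.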
Program does not show much activity (idle)
Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe  Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00403988 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00405640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\explorer.exe  Code function: 1_2_00775640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\explorer.exe  Code function: 1_2_00773988 FindFirstFileA,FindClose
Contains functionality to query system information
Source: C:\Users\user\Desktop\csshead.exe  Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadBitmapA,AppendMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,mmioSetInfo,mmioAscend,GetSystemInfo,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,Loa
Program exit points
Source: C:\Users\user\Desktop\csshead.exe  API call chain: ExitProcess graph end node  graph_0-18811
Source: C:\Users\user\Desktop\csshead.exe  API call chain: ExitProcess graph end node  graph_0-20649
Source: C:\Windows\explorer.exe  API call chain: ExitProcess graph end node  graph_1-5197
Source: C:\Windows\explorer.exe  API call chain: ExitProcess graph end node  graph_1-5140
Source: C:\Windows\explorer.exe  API call chain: ExitProcess graph end node  graph_1-5566

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00420B80 GetWindowLongA,GetWindowLongA,IsWindowVisible,IsIconic,ShowWindow,GetWindowLongA,GetParent | 0_2_00420B80

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: csshead.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406C6C cpuid | 0_2_00406C6C
Queries device information via Setup API
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406EEC LoadLibraryA,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CharLowerBuffA,SetupDiDestroyDeviceInfoList,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CharLowerBuffA,SetupDiDestroyDeviceInfoList | 0_2_00406EEC
Queries the installation date of Windows
Source: C:\Users\user\Desktop\csshead.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the product ID of Windows
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405468 GetSystemTime | 0_2_00405468
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0041C95B LoadLibraryA,LoadLibraryA,CreateEventA,GetClassLongA,SetClassLongA,GetCursorPos,GetCursorPos,WaitForSingleObject,WaitNamedPipeA,CreateFileA,SetNamedPipeHandleState,WriteFile,ReadFile,LookupAccountNameA,LocalFree,SetAbortProc,DrawFrameControl,LoadImageA,CreateEventA,GetCursorPos,GetCursorPos,DragQueryFile,CreateRectRgnIndirect,WaitForSingleObject,EnableMenuItem,GetDlgItem,OleInitialize,RegisterDragDrop,GetTopWindow,RevokeDragDrop,OleUninitialize,SetMenuItemInfoA,GetLastError,DrawMenuBar,GetMenuItemInfoA,BeginPaint,EndPaint,GetClientRect,EnumDateFormatsA,Sleep | 0_2_0041C95B
Contains functionality to query windows version
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004064BC GetVersionExA | 0_2_004064BC

Behavior Graph

Simulations

Behavior and APIs

Time | Type | Description
15:35:03 | API Interceptor | 3x Sleep call for process: csshead.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.csshead.exe.50000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.csshead.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1023574
0.0.csshead.exe.400000.0.unpack | 100% | Avira | TR/Patched.Gen
1.2.explorer.exe.790000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.explorer.exe.770000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.1.csshead.exe.400000.0.unpack | 100% | Avira | TR/Patched.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots