
Analysis Report XgkKQZc74T.exe

Overview

General Information

Joe Sandbox Version: 24.0.0
Analysis ID: 710217
Start date: 12.11.2018
Start time: 22:28:12
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 4m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: XgkKQZc74T.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 (Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.evad.winEXE@3/1@0/0 (Joe Sandbox label format: verdict and score 56, class tag "evad" for evasive behaviour, file type Windows EXE, 3 processes / 1 dropped file, 0 contacted domains / 0 contacted IPs)
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 93%
  • Number of executed functions: 5
  • Number of non-executed functions: 1
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, mscorsvw.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.

Detection

Strategy: Threshold
Score: 56
Range: 0 - 100
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Analysis Advice

Sample might require command line arguments, analyze it with the command line cookbook



Mitre Att&ck Matrix

One line per tactic column; the four techniques on each line are the matrix rows in order. A number in parentheses is the per-technique signature count as shown in the report; techniques without one had no matching signature.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection (11); Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Masquerading (1); Software Packing (1); Process Injection (11); Obfuscated Files or Information (1)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: System Service Discovery; Application Window Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol (1); Fallback Channels; Custom Cryptographic Protocol; Multiband Communication

Signature Overview



System Summary:

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Memory allocated: 76D80000 page execute and read and write
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Memory allocated: 76C80000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\szgfw.exe | Memory allocated: 76D80000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\szgfw.exe | Memory allocated: 76C80000 page execute and read and write
Detected potential crypto function
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Code function: 1_1_00401992 (the entrypoint)
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Code function: 1_1_00401496
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Code function: 1_1_0040199D
Sample file is different than original file name gathered from version info
Source: XgkKQZc74T.exe, 00000001.00000002.300612479.0000000000540000.00000002.sdmp | Binary or memory string: System.OriginalFileName vs XgkKQZc74T.exe
Source: XgkKQZc74T.exe, 00000001.00000002.300792911.0000000000580000.00000008.sdmp | Binary or memory string: originalfilename vs XgkKQZc74T.exe
Source: XgkKQZc74T.exe, 00000001.00000002.300792911.0000000000580000.00000008.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs XgkKQZc74T.exe
Source: XgkKQZc74T.exe, 00000001.00000002.300901341.00000000005B0000.00000008.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs XgkKQZc74T.exe
(These strings come from memory dumps and name system MUI resources, propsys.dll.mui and SETUPAPI.DLL.MUI, loaded into the process; the sample itself carries no RT_VERSION resource, see Resources below, so this hit is not evidence of a spoofed version block.)
Sample reads its own file content
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | File read: C:\Users\user\Desktop\XgkKQZc74T.exe
Classification label
Source: classification engine | Classification label: mal56.evad.winEXE@3/1@0/0
Creates temporary files
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | File created: C:\Users\user~1\AppData\Local\Temp\szgfw.exe
PE file has an executable .text section and no other executable section
Source: XgkKQZc74T.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies key; it is routinely consulted during process creation, so this read is weak evidence on its own)
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\XgkKQZc74T.exe 'C:\Users\user\Desktop\XgkKQZc74T.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\szgfw.exe 'C:\Users\user~1\AppData\Local\Temp\szgfw.exe'
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Process created: C:\Users\user\AppData\Local\Temp\szgfw.exe 'C:\Users\user~1\AppData\Local\Temp\szgfw.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
PE file contains a debug data directory
Source: XgkKQZc74T.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: uiopferta.pdb source: XgkKQZc74T.exe

Data Obfuscation:

Detected packer (overwrites its own PE header)
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Unpacked PE file: 1.2.XgkKQZc74T.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\szgfw.exe | Unpacked PE file: 2.2.szgfw.exe.400000.0.unpack
PE file contains an invalid checksum
Source: XgkKQZc74T.exe | Static PE information: real checksum: 0x14be4 should be: 0x16762 (value stored in the header vs. value recomputed over the file)
Source: szgfw.exe.1.dr | Static PE information: real checksum: 0x14be4 should be: 0x770c
(Both files carry the same stored CheckSum, 0x14be4, although they differ in size and hash; a stored value that matches neither file is consistent with a packer that rewrites the image and never refreshes the field.)
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 6.97667822547
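The two static checks above, a header CheckSum that does not match the file and a .text section near 7 bits/byte of entropy, are cheap to reproduce without the sandbox. The Python below is an added example, not part of the Joe Sandbox report: it recomputes the PE CheckSum the way imagehlp's CheckSumMappedFile does (32-bit word sum skipping the CheckSum field, folded to 16 bits, plus file length), measures per-section Shannon entropy from the section table, and returns a triage dictionary. It runs on a constructed minimal PE32 built inline (not the sample from this report); the 6.9 bits/byte cut-off is an assumption chosen so that the report's 6.98 would trip it. Pass a file path on the command line to run it against a real binary.

```python
"""Static PE triage (added example): recompute the header CheckSum and
per-section entropy, the two checks the report flags under Data Obfuscation."""
import math
import struct
import sys
from collections import Counter

# Heuristic cut-off (assumption): the report flagged .text at 6.98 bits/byte.
HIGH_ENTROPY = 6.9


def _checksum_field_offset(data: bytes) -> int:
    # IMAGE_NT_HEADERS = Signature(4) + IMAGE_FILE_HEADER(20); CheckSum sits
    # at +0x40 inside IMAGE_OPTIONAL_HEADER for both PE32 and PE32+.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 24 + 0x40


def pe_checksum(data: bytes) -> int:
    """CheckSum as imagehlp!CheckSumMappedFile computes it: ones'-complement
    style sum of the file as 32-bit words, skipping the CheckSum field,
    folded to 16 bits, plus the file length. Assumes e_lfanew is 4-byte
    aligned, which linkers guarantee."""
    skip = _checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def with_checksum(data: bytes, value: int) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_field_offset(data), value)
    return bytes(buf)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def section_entropies(data: bytes) -> dict:
    """Walk the section table and measure the raw bytes of every section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    result = {}
    for i in range(nsections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        result[name] = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
    return result


def triage(data: bytes) -> dict:
    stored, computed = stored_checksum(data), pe_checksum(data)
    ent = section_entropies(data)
    return {
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_ok": stored == computed,
        "sections": ent,
        "high_entropy": [name for name, e in ent.items() if e >= HIGH_ENTROPY],
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 for the demo (not the report's sample): a
    uniformly distributed .text, a near-constant .rsrc, CheckSum left at 0."""
    fa = 0x200                                                    # FileAlignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x530503FE, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I",
                      0x10B, 14, 0,                               # PE32, linker 14.0
                      fa, fa, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, fa,
                      4, 0, 0, 0, 4, 0,                           # OS/image/subsystem versions
                      0, 0x3000, fa, 0,                           # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                                       # GUI subsystem, empty DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    sect = struct.Struct("<8sIIIIIIHHI")
    text_hdr = sect.pack(b".text", fa, 0x1000, fa, fa, 0, 0, 0, 0, 0x60000020)
    rsrc_hdr = sect.pack(b".rsrc", fa, 0x2000, fa, 2 * fa, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + text_hdr + rsrc_hdr).ljust(fa, b"\0")
    text = bytes((i * 131 + 7) & 0xFF for i in range(fa))        # every byte value twice -> 8.0 bits
    rsrc = b"A" * 256 + b"\0" * 256                               # two symbols -> 1.0 bit
    return headers + text + rsrc


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

A stored CheckSum of 0 is tolerated by the loader for ordinary executables (only drivers and a few system images are verified), which is why packers rarely bother to fix it; the mismatch is therefore a useful static indicator but never a load-time failure.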

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | File created: C:\Users\user~1\AppData\Local\Temp\szgfw.exe

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, PE includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in PE file: icon matches a legit application icon: e8d8888888ac84b8 (reported 8 times)
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Process information set: NOOPENFILEERRORBOX (4 calls; SEM_NOOPENFILEERRORBOX suppresses the "file not found" message box, so failed file operations stay invisible to the user)

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\szgfw.exe TID: 256 | Thread sleep count: 109 > 30
Source: C:\Users\user\AppData\Local\Temp\szgfw.exe TID: 256 | Thread sleep time: -109000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\szgfw.exe | Last function: Thread delayed
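The sleep signature above is a per-thread aggregate: number of delay calls and cumulative delay, each compared with a threshold (30 calls, 30 s). The Python below is an added example, not sandbox output, of the same logic run over a constructed API trace; the line format and the process and thread names are made up for the example, and the thresholds mirror the signature. It normalises Sleep/SleepEx milliseconds and NtDelayExecution's 100-ns relative intervals (negative values) to seconds, which is the detail such counters most often get wrong, and ignores API lines it does not recognise.

```python
"""Detect evasive sleep loops in a per-thread API trace (added example)."""
import re
from collections import defaultdict

# Thresholds mirror the report's signature: more than 30 delay calls, or at
# least 30 s of cumulative delay, on a single thread.
MAX_CALLS = 30
MAX_SECONDS = 30.0

# Constructed trace format (assumption): "<process> tid=<n> <Api>(<args>)".
LINE_RE = re.compile(
    r"^(?P<proc>\S+) tid=(?P<tid>\d+) (?P<api>Sleep|SleepEx|NtDelayExecution)\((?P<args>[^)]*)\)$"
)


def delay_seconds(api: str, args: str) -> float:
    """Normalise the three common delay APIs to seconds.
    Sleep/SleepEx take milliseconds; NtDelayExecution takes a LARGE_INTEGER in
    100 ns units where a negative value means 'relative to now'. Absolute
    deadlines (positive values) are not a delay length and count as 0 s."""
    first = args.split(",")[0].strip()
    value = int(first, 0)
    if api == "NtDelayExecution":
        return -value / 1e7 if value < 0 else 0.0
    return value / 1000.0


def parse_trace(lines):
    """Yield (process, tid, seconds) for every recognised delay call."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield m["proc"], int(m["tid"]), delay_seconds(m["api"], m["args"])


def evasive_threads(lines):
    """Aggregate per (process, tid) and return the threads that trip a threshold."""
    stats = defaultdict(lambda: [0, 0.0])
    for proc, tid, secs in parse_trace(lines):
        entry = stats[(proc, tid)]
        entry[0] += 1
        entry[1] += secs
    findings = []
    for (proc, tid), (count, total) in sorted(stats.items()):
        reasons = []
        if count > MAX_CALLS:
            reasons.append(f"sleep count {count} > {MAX_CALLS}")
        if total >= MAX_SECONDS:
            reasons.append(f"sleep time {total:.0f}s >= {MAX_SECONDS:.0f}s")
        if reasons:
            findings.append({"process": proc, "tid": tid, "count": count,
                             "seconds": total, "reasons": reasons})
    return findings


def sample_trace():
    """Constructed trace, not sandbox output: one thread looping on Sleep(1000)
    plus a single NtDelayExecution, a thread with a few short waits, a thread
    with one long wait, and an unrelated call that must be ignored."""
    return (["szgfw.exe tid=256 Sleep(1000)"] * 109
            + ["szgfw.exe tid=256 NtDelayExecution(-10000000)"]
            + ["XgkKQZc74T.exe tid=300 SleepEx(500, 0)"] * 3
            + ["XgkKQZc74T.exe tid=301 Sleep(60000)"]
            + ["XgkKQZc74T.exe tid=300 GetTickCount()"])


if __name__ == "__main__":
    for hit in evasive_threads(sample_trace()):
        print(f'{hit["process"]} TID {hit["tid"]}: ' + "; ".join(hit["reasons"]))
```

The count threshold and the time threshold catch different loops: many short sleeps (the pattern in this report) trip the first, while a single long Sleep trips only the second. Sandboxes that shorten sleeps, as the "Sleep call ... modified" entry under Simulations records, should evaluate the requested delay rather than the delay actually slept, otherwise the time threshold never fires.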

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\XgkKQZc74T.exe | Process created: C:\Users\user\AppData\Local\Temp\szgfw.exe 'C:\Users\user~1\AppData\Local\Temp\szgfw.exe'
May try to detect the Windows Explorer process (often used for injection)
Source: szgfw.exe, 00000002.00000002.574332727.0000000000790000.00000002.sdmp | Binary or memory string: Program Manager
Source: szgfw.exe, 00000002.00000002.574332727.0000000000790000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: szgfw.exe, 00000002.00000002.574332727.0000000000790000.00000002.sdmp | Binary or memory string: !Progman
(Progman and Shell_TrayWnd are the Explorer shell's window class names and "Program Manager" its desktop window title; their presence in a memory dump shows the strings were in reach, not that FindWindow was called on them.)

Behavior Graph

Behavior Graph ID: 710217 | Sample: XgkKQZc74T.exe | Start date: 12/11/2018 | Architecture: WINDOWS | Score: 56

XgkKQZc74T.exe (started)
  signature on the sample: Icon mismatch, PE includes an icon from a different legit application in order to fool users
  dropped file: C:\Users\user~1\AppData\Local\...\szgfw.exe, PE32
  signature: Detected packer (overwrites its own PE header)
  szgfw.exe (started by XgkKQZc74T.exe)
    signature: Detected packer (overwrites its own PE header)

Simulations

Behavior and APIs

Time: 22:29:11 | Type: API Interceptor | Description: 1x Sleep call for process: XgkKQZc74T.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches


Startup

  • System is w7x64l
  • XgkKQZc74T.exe (PID: 316 cmdline: 'C:\Users\user\Desktop\XgkKQZc74T.exe' MD5: B113F9673926A4DA52A24BAB925A51CB)
    • szgfw.exe (PID: 268 cmdline: 'C:\Users\user~1\AppData\Local\Temp\szgfw.exe' MD5: FEC523CD6854792CCAB4E308B77F6D26)
  • cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\szgfw.exe
Process: C:\Users\user\Desktop\XgkKQZc74T.exe
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes): 29792
Entropy (8bit): 5.34156855306948
Encrypted: false
MD5: FEC523CD6854792CCAB4E308B77F6D26
SHA1: 7AACB730DADDC4A96F34B0E0BF8CED33DFF73208
SHA-256: B4143846A11B4498A57FAEA636DB394FFAFE5DE77ED7819DBB33DD854088BC0F
SHA-512: F4712E70C6F79AC4058C147108F46034AF59D7F3A68CFFF8F3C58513651C176FFD6C10514F67B723D77EF1BBF94FE97BCBC1B42CAB7A9F524AA02AD5F8466653
Malicious: false
Reputation: low

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit): 5.342677298449259
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
File name: XgkKQZc74T.exe
File size: 29708
MD5: b113f9673926a4da52a24bab925a51cb
SHA1: 93954a4504345d4a33ee6b1e000946ff8275e2fe
SHA256: 973c5ba01815e4f19749cae93c1a5bbcfca39382edd931b1639f0692d089b7bd
SHA512: 86b3bd8cf99f9ff285193f12de3a97b23739ffc103a2e786da57ebbf0526b974cf919bf72c4aae379605a3b41a2a94ed2d45d5f42e48bc08a4bea7c69c391275
SSDEEP: 768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rCBswh:GY9jw/dUT62rGdiUOWWrCqwh
File Content Preview:MZ......................@...............................................!..L.!That program cannot be run in DOS mode....$.......PE..L......S................."...D...............@....@..................................K.....................................

File Icon

Icon Hash: e8d8888888ac84b8

Static PE Info

General

Entrypoint: 0x401992
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: (none set; without DYNAMIC_BASE the image is not ASLR-enabled, without NX_COMPAT it does not opt in to DEP, and RELOCS_STRIPPED means it cannot be relocated at all, so it always maps at 0x400000)
Time Stamp: 0x530503FE [Wed Feb 19 19:20:30 2014 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 222e7b320f36011feb1642000d8fa826

Entrypoint Preview

Instruction (linear disassembly from the entrypoint at 0x401992; the arithmetic against .data addresses such as 004050B5h and 004051E0h is the decoder patching itself, call dword ptr [004041A8h] goes through the IAT at 0x4100-0x42e4, and the run of add byte ptr [eax], al, the decoding of 00 00 bytes, shows the sweep has left code and is decoding data, consistent with the self-overwriting packer flagged under Data Obfuscation)
push ebp
mov ebp, esp
add esp, FFFFFFB0h
mov esi, dword ptr [esp]
add esi, 55h
xor dword ptr [004050B5h], esi
mov edx, dword ptr [esp]
add edx, esi
mov ecx, dword ptr [esp]
adc ecx, dword ptr [00405074h]
mov eax, dword ptr [esp]
add eax, esi
mov edx, dword ptr [esp]
add edx, eax
sub dword ptr [004051E0h], esi
sub esi, esi
xor edx, FFFFFFD3h
or eax, dword ptr [004050A8h]
sub edx, 6Ch
lea ecx, dword ptr [00405CE0h]
push dword ptr [ecx]
call dword ptr [004041A8h]
mov ecx, dword ptr [esp]
add ecx, eax
or ah, byte ptr [00405168h]
mov ebx, dword ptr [esp]
adc ebx, dword ptr [0040510Dh]
mov edi, dword ptr [esp]
add edi, esi
mov edx, 00401600h
call edx
xor edi, ebx
and dword ptr [00405056h], 000000B1h
xor dword ptr [004050C0h], esi
adc eax, dword ptr [004050AAh]
or dword ptr [004050E3h], 000000CEh
adc cl, byte ptr [0040516Ch]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+4051F50Dh], al
add byte ptr [ebx], bh
mov dh, byte ptr [esp]
add dh, bh
mov ecx, dword ptr [esp]
adc ecx, dword ptr [004050D4h]
or eax, dword ptr [00405140h]
push 00405C3Dh
push 00405C32h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x41e4 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x2cae | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | - (no Authenticode signature, matching "Digitally signed: false")
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | - (no relocations, matching RELOCS_STRIPPED)
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5d01 | 0x1c | .data
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x4100 | 0x1e4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x210a | 0x2200 | False | 0.687614889706 | DBase 3 data file with memo(s) (1079070981 records) (a libmagic false match on opaque, high-entropy bytes) | 6.97667822547 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x4000 | 0x708 | 0x800 | False | 0.451171875 | data | 4.1084947915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5000 | 0xd43 | 0xe00 | False | 0.573102678571 | data | 5.17510483066 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x2cae | 0x2e00 | False | 0.11277173913 | data | 3.12356224824 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

.data (0x405000-0x405d43) is the only writable section, and it is the range the entrypoint code patches (004050B5h, 004051E0h and so on); .text itself is not writable on disk, so the self-overwriting noted under Data Obfuscation requires the stub to change page protections at run time.

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x6706 | 0x25a8 | data | - | -
RT_MENU | 0x60f0 | 0x600 | data | English | United States
RT_GROUP_ICON | 0x66f0 | 0x16 | MS Windows icon resource - 1 icon | - | -

Imports

DLL | Import
cryptdll.dll | CDBuildVect, MD5Update, CDLocateRng, MD5Init
shell32.dll | DragAcceptFiles, SHCreateShellItem, ShellAboutA, SHGetFileInfoA, StrChrA, SHFileOperationA, DragQueryFileA, FreeIconList, SHGetDataFromIDListA, SHGetDiskFreeSpaceA, FindExecutableA, SHGetDesktopFolder, ShellMessageBoxW, SHGetFolderPathA, SHGetMalloc, DragFinish
dbnmpntw.dll | ConnectionClose, ConnectionWrite, ConnectionError
kernel32.dll | FileTimeToSystemTime, SearchPathA, OpenMutexA, GetPrivateProfileIntW, GetModuleHandleW, GetLocalTime, ReadConsoleW, FindFirstFileA, GetEnvironmentVariableA, DeviceIoControl, SetEnvironmentVariableW, CompareStringW, GetStringTypeW, IsValidCodePage, lstrcmpiA, lstrcmpA, TlsGetValue, GetProcAddress, GetTickCount, WriteConsoleA, lstrcpynW, GetLastError, CreateDirectoryA, GetCurrentDirectoryW, SetErrorMode, SleepEx, InterlockedDecrement, GetFullPathNameW, GetPrivateProfileIntW, IsBadStringPtrA (GetPrivateProfileIntW is listed twice in the report)
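The Import Hash shown under Static PE Info (222e7b320f36011feb1642000d8fa826) is the MD5 of the normalised "dll.function" import list, which is why it is a useful pivot across repacked builds that keep the same import table. The Python below is an added example, not part of the report, that computes it from the DLL and function list above. Imphash is order-sensitive: the list is typed in the order the report prints it, and the page does not state whether that is the import directory order, so the value the block computes may or may not equal the reported one; it prints both for comparison. Ordinal-only imports (given as ints) are rendered as ordN; pefile additionally maps known ordinals of a few DLLs back to names, a table this simplification omits.

```python
"""Import hash (imphash) from a DLL/function list (added example)."""
import hashlib

# Import table as listed in the report, in the order printed there.
REPORT_IMPORTS = [
    ("cryptdll.dll", ["CDBuildVect", "MD5Update", "CDLocateRng", "MD5Init"]),
    ("shell32.dll", ["DragAcceptFiles", "SHCreateShellItem", "ShellAboutA", "SHGetFileInfoA",
                     "StrChrA", "SHFileOperationA", "DragQueryFileA", "FreeIconList",
                     "SHGetDataFromIDListA", "SHGetDiskFreeSpaceA", "FindExecutableA",
                     "SHGetDesktopFolder", "ShellMessageBoxW", "SHGetFolderPathA",
                     "SHGetMalloc", "DragFinish"]),
    ("dbnmpntw.dll", ["ConnectionClose", "ConnectionWrite", "ConnectionError"]),
    ("kernel32.dll", ["FileTimeToSystemTime", "SearchPathA", "OpenMutexA", "GetPrivateProfileIntW",
                      "GetModuleHandleW", "GetLocalTime", "ReadConsoleW", "FindFirstFileA",
                      "GetEnvironmentVariableA", "DeviceIoControl", "SetEnvironmentVariableW",
                      "CompareStringW", "GetStringTypeW", "IsValidCodePage", "lstrcmpiA",
                      "lstrcmpA", "TlsGetValue", "GetProcAddress", "GetTickCount", "WriteConsoleA",
                      "lstrcpynW", "GetLastError", "CreateDirectoryA", "GetCurrentDirectoryW",
                      "SetErrorMode", "SleepEx", "InterlockedDecrement", "GetFullPathNameW",
                      "GetPrivateProfileIntW", "IsBadStringPtrA"]),
]
REPORTED_IMPHASH = "222e7b320f36011feb1642000d8fa826"   # value shown under Static PE Info


def imphash_string(imports) -> str:
    """Build the string pefile hashes: lowercase 'lib.func' entries, comma-joined,
    in import-directory order, with a .dll/.ocx/.sys extension stripped from the
    library name. Ordinal-only imports (ints) become 'ordN'. Duplicate entries
    are kept as they appear, so a doubled import changes the hash."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    computed = imphash(REPORT_IMPORTS)
    print("computed:", computed)
    print("reported:", REPORTED_IMPHASH)
    print("match:   ", computed == REPORTED_IMPHASH)
```

Two binaries with the same functions imported in a different order hash differently, and casing or a ".DLL" suffix in the name table does not matter because both are normalised away; that is the behaviour to keep in mind when an imphash from one tool fails to match another tool's output for the same file.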

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found


System Behavior

General

Start time: 22:29:03
Start date: 12/11/2018
Path: C:\Users\user\Desktop\XgkKQZc74T.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\XgkKQZc74T.exe'
Imagebase: 0x400000
File size: 29708 bytes
MD5 hash: B113F9673926A4DA52A24BAB925A51CB
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 22:29:11
Start date: 12/11/2018
Path: C:\Users\user\AppData\Local\Temp\szgfw.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user~1\AppData\Local\Temp\szgfw.exe'
Imagebase: 0x400000
File size: 29792 bytes
MD5 hash: FEC523CD6854792CCAB4E308B77F6D26
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
