Analysis Report xuy1.bin

Overview

General Information

Joe Sandbox Version: 26.0.0
Analysis ID: 836034
Start date: 11.04.2019
Start time: 19:17:10
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 7m 50s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: xuy1.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.evad.winEXE@5/1@0/4
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtUserCreateWindowEx calls found.
  • Report size getting too big, too many NtUserDestroyWindow calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: xuy1.exe, regsvr32.exe, rundll32.exe

Detection

Strategy   Score  Range    Reporting       Whitelisted  Detection
Threshold  68     0 - 100  Report FP / FN  false        malicious

Confidence

Strategy   Score  Range  Further Analysis Required?  Confidence
Threshold  5      0 - 5  false                       Confidence


Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer; the sample is likely an old dropper that no longer works.
Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox.
Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Bracketed numbers are the signature hit counts shown in the original matrix; entries without a count are unmatched placeholder cells.

Initial Access:        Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution:             Graphical User Interface [1]; Service Execution; Windows Management Instrumentation
Persistence:           Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation:  Process Injection [1][1][1]; Accessibility Features; Path Interception
Defense Evasion:       Software Packing [1]; Process Injection [1][1][1]; Obfuscated Files or Information [2]
Credential Access:     Credential Dumping; Network Sniffing; Input Capture
Discovery:             Process Discovery [1]; Security Software Discovery [1]; System Information Discovery [1]
Lateral Movement:      Application Deployment Software; Remote Services; Windows Remote Management
Collection:            Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration:          Data Encrypted [1]; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control:   Standard Non-Application Layer Protocol [1]; Standard Application Layer Protocol [1]; Custom Cryptographic Protocol

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for sample
  Source: xuy1.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  Source: 0.0.xuy1.exe.400000.0.unpack | Joe Sandbox ML: detected
  Source: 0.1.xuy1.exe.400000.0.unpack | Joe Sandbox ML: detected
  Source: 0.2.xuy1.exe.3ff0000.2.unpack | Joe Sandbox ML: detected

Networking:

Connects to IPs without corresponding DNS lookups
  Source: unknown | TCP traffic detected without corresponding DNS query: 215.56.245.0 (3 events)
  Source: unknown | TCP traffic detected without corresponding DNS query: 174.60.72.9 (3 events)
  Source: unknown | TCP traffic detected without corresponding DNS query: 87.18.28.52 (3 events)
  Source: unknown | TCP traffic detected without corresponding DNS query: 150.132.134.24
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
  Source: global traffic | TCP traffic: 192.168.1.81:49216 -> 215.56.245.0:443
  Source: global traffic | TCP traffic: 192.168.1.81:49217 -> 174.60.72.9:443
  Source: global traffic | TCP traffic: 192.168.1.81:49218 -> 87.18.28.52:443
  Source: global traffic | TCP traffic: 192.168.1.81:49219 -> 150.132.134.24:443
Uses HTTPS
  Source: unknown | Network traffic detected: HTTP traffic on port 49218 -> 443
  Source: unknown | Network traffic detected: HTTP traffic on port 49219 -> 443
  Source: unknown | Network traffic detected: HTTP traffic on port 49217 -> 443
  Source: unknown | Network traffic detected: HTTP traffic on port 49216 -> 443

System Summary:

Blacklisted process start detected (Windows program)
  Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0
PE file has nameless sections
  Source: xuy1.exe | Static PE information: section name: (empty)
PE file contains executable resources (Code or Archives)
  Source: xuy1.exe | Static PE information: Resource name: RT_STRING type: ump; DOS executable (COM)
Tries to load missing DLLs
  Source: C:\Windows\System32\regsvr32.exe | Section loaded: f1.dll
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
  Source: xuy1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
  Source: classification engine | Classification label: mal68.evad.winEXE@5/1@0/4
Creates files inside the user directory
  Source: C:\Users\user\Desktop\xuy1.exe | File created: C:\Users\user\Desktop\xuy1.dll
PE file has an executable .text section and no other executable section
  Source: xuy1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use Borland Delphi (probably coded in Delphi)
  Source: C:\Users\user\Desktop\xuy1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 events)
  Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 events)
  Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 events)
Reads software policies
  Source: C:\Users\user\Desktop\xuy1.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Runs a DLL by calling functions
  Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0
Spawns processes
  Source: unknown | Process created: C:\Users\user\Desktop\xuy1.exe 'C:\Users\user\Desktop\xuy1.exe'
  Source: unknown | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user~1\Desktop\xuy1.dll f1 C:\Users\user~1\Desktop\xuy1.exe@224
  Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0
  Source: C:\Users\user\Desktop\xuy1.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user~1\Desktop\xuy1.dll f1 C:\Users\user~1\Desktop\xuy1.exe@224
  Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0

Data Obfuscation:

PE file contains sections with non-standard names
  Source: xuy1.exe | Static PE information: section name: .newIT
  Source: xuy1.exe | Static PE information: section name: (empty)
  Source: xuy1.dll.0.dr | Static PE information: section name: .didata
Registers a DLL
  Source: unknown | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user~1\Desktop\xuy1.dll f1 C:\Users\user~1\Desktop\xuy1.exe@224
Binary may include packed or encrypted code
  Source: initial sample | Static PE information: section name: .text entropy: 7.29911063566
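The static PE findings in the System Summary and Data Obfuscation sections (a nameless section, the non-standard .newIT and .didata names, a single executable .text section with entropy 7.30 and a zlib compression ratio below 0.3) can be reproduced offline with a short triage script. The following is an added example and not Joe Sandbox code: it walks the COFF section table with the standard library, computes Shannon entropy and zlib savings per section, and applies the same thresholds. Its list of "standard" section names, its reading of "compression ratio" as the fraction of bytes zlib saves, and the two in-memory PE images it builds as input are assumptions made for the example; xuy1.exe itself is not reproduced.

```python
"""Static PE section triage for the 'nameless section', 'non-standard name',
'packed .text' and 'single executable section' heuristics.  Added example,
not Joe Sandbox code.  Assumed: STANDARD_SECTIONS, the 'zlib savings'
reading of compression ratio, and the constructed PE images below."""
import hashlib
import math
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

# Names a stock linker emits (assumed list); anything else is reported as non-standard.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc",
                     ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0..8.0); packed or encrypted bytes sit above ~7.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def zlib_savings(data: bytes) -> float:
    """Fraction of bytes zlib removes (1 - compressed/raw).  Plain x86 code saves far
    more than 30%; already-compressed or encrypted bytes save almost nothing."""
    if not data:
        return 0.0
    return 1.0 - len(zlib.compress(data, 9)) / len(data)

def parse_sections(pe: bytes):
    """Walk the COFF section table; yields (name, raw_bytes, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_opt                           # first IMAGE_SECTION_HEADER
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("latin-1"), pe[raw_ptr:raw_ptr + raw_size], flags

def triage(pe: bytes) -> dict:
    """Apply the report's static heuristics; returns per-section stats and findings."""
    sections, findings, executable = [], [], []
    for name, raw, flags in parse_sections(pe):
        is_exec = bool(flags & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
        ent, sav = shannon_entropy(raw), zlib_savings(raw)
        sections.append({"name": name, "executable": is_exec,
                         "entropy": round(ent, 3), "zlib_savings": round(sav, 3)})
        if name == "":
            findings.append("nameless section")
        elif name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name}")
        if is_exec:
            executable.append(name)
            if ent > 7.0:
                findings.append(f"{name}: entropy {ent:.2f} > 7.0, likely packed/encrypted")
            if sav < 0.3:
                findings.append(f"{name}: zlib saves only {sav:.0%}, likely packed code")
    if executable == [".text"]:
        findings.append("executable .text section and no other executable section")
    return {"sections": sections, "findings": findings}

def build_pe(sections) -> bytes:
    """Build a minimal PE (no optional header, so not loadable) from
    (name, raw_bytes, characteristics) tuples, purely to feed the parser."""
    n = len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)
    ptr, va, table, blobs = 64 + 4 + 20 + 40 * n, 0x1000, b"", b""
    for name, raw, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), va, len(raw), ptr, 0, 0, 0, 0, flags)
        blobs += raw
        ptr += len(raw)
        va += (len(raw) + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + coff + table + blobs

RX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ
R = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

def sample_packed_pe() -> bytes:
    """Constructed stand-in with the report's layout (.text, .newIT, nameless);
    .text is filled with SHA-256 digests so it looks encrypted.  Not the real sample."""
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    return build_pe([(".text", packed, RX), (".newIT", b"\0" * 256, R), ("", b"\0" * 64, R)])

def sample_plain_pe() -> bytes:
    """Control: repetitive, compressible x86-style bytes in .text and a normal .data."""
    code = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 200 + b"\0" * 48
    return build_pe([(".text", code, RX), (".data", b"\0" * 256, R)])
```

Running `triage(sample_packed_pe())` reports the packed .text, the .newIT name, the nameless section and the single-executable-section condition; the control image trips only the last of these. On a real file, replace the constructed image with `open(path, "rb").read()`; the parser deliberately ignores the optional header, so it also handles truncated or header-mangled samples that a full loader would reject.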

Persistence and Installation Behavior:

Drops PE files
  Source: C:\Users\user\Desktop\xuy1.exe | File created: C:\Users\user\Desktop\xuy1.dll

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  Source: C:\Users\user\Desktop\xuy1.exe | Process information set: NOOPENFILEERRORBOX (2 events)
  Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX (5 events)
  Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (7 events)

Malware Analysis System Evasion:

Checks the free space of harddrives
  Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
  Source: C:\Windows\System32\rundll32.exe | File Volume queried: C:\ FullSizeInformation
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
  Source: C:\Users\user\Desktop\xuy1.exe | Window / User API: threadDelayed 420 (2 events)
Found dropped PE file which has not been started or loaded
  Source: C:\Users\user\Desktop\xuy1.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\xuy1.dll
  (The same DLL is nevertheless loaded in-process by regsvr32.exe and rundll32.exe via the command lines listed under Spawns processes; this hit refers to the file not being launched as a process of its own.)
May sleep (evasive loops) to hinder dynamic analysis
  Source: C:\Users\user\Desktop\xuy1.exe TID: 2712 | Thread sleep count: 420 > 30
  Source: C:\Users\user\Desktop\xuy1.exe TID: 2588 | Thread sleep count: 420 > 30
Queries a list of all running processes
  Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  Source: C:\Users\user\Desktop\xuy1.exe | System information queried: KernelDebuggerInformation

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
  Source: C:\Windows\System32\rundll32.exe | Network Connect: 87.18.28.52 443
  Source: C:\Windows\System32\rundll32.exe | Network Connect: 150.132.134.24 443
  Source: C:\Windows\System32\rundll32.exe | Network Connect: 215.56.245.0 443
  Source: C:\Windows\System32\rundll32.exe | Network Connect: 174.60.72.9 443
Creates a process in suspended mode (likely to inject code)
  Source: C:\Users\user\Desktop\xuy1.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user~1\Desktop\xuy1.dll f1 C:\Users\user~1\Desktop\xuy1.exe@224
  Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0
May try to detect the Windows Explorer process (often used for injection)
  Source: rundll32.exe, 00000003.00000002.1645767935.00600000.00000002.sdmp | Binary or memory string: Program Manager
  Source: rundll32.exe, 00000003.00000002.1645767935.00600000.00000002.sdmp | Binary or memory string: Progman
  Source: rundll32.exe, 00000003.00000002.1645767935.00600000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
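The chain this report records is xuy1.exe -> regsvr32.exe -s xuy1.dll f1 xuy1.exe@224 -> rundll32.exe xuy1.dll,f0, after which rundll32.exe opens TCP/443 to four addresses that were never resolved through DNS. One point worth making explicit for a practitioner: regsvr32 treats every non-switch argument as a module to register, so the stray token f1 after the DLL path produces a load attempt for f1.dll, which is consistent with the "Tries to load missing DLLs" hit in the System Summary. The script below is an added example, not Joe Sandbox's signature code, that correlates process-creation, DNS and connection events to raise the Networking, "Blacklisted process start" and "System process connects to network" findings from host telemetry. The event records are constructed from the command lines and IPs in this report; the PIDs, the reading of "@224" as the dropper's PID, the control browser-style connection and the exclusion of private and loopback destinations are assumptions made for the example.

```python
"""Correlate process-creation, DNS and connection events into the report's
'Blacklisted process start', 'Tries to load missing DLLs', 'Connects to IPs
without corresponding DNS lookups' and 'System process connects to network'
findings.  Added example, not Joe Sandbox signature code.  EVENTS is
constructed from the report's command lines and IPs; PIDs are invented."""
import ipaddress

LOLBINS = {"regsvr32.exe", "rundll32.exe"}  # signed Windows binaries used here to run the dropped DLL

EVENTS = [
    {"t": 1, "type": "process", "pid": 224, "ppid": 1000, "image": r"C:\Users\user\Desktop\xuy1.exe",
     "cmdline": r"'C:\Users\user\Desktop\xuy1.exe'"},
    {"t": 2, "type": "process", "pid": 1540, "ppid": 224, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"C:\Windows\system32\regsvr32.exe -s C:\Users\user~1\Desktop\xuy1.dll f1 C:\Users\user~1\Desktop\xuy1.exe@224"},
    {"t": 3, "type": "process", "pid": 1612, "ppid": 1540, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\system32\\rundll32.exe C:\Users\user~1\Desktop\xuy1.dll,f0"},
    {"t": 4, "type": "dns", "pid": 900, "query": "www.example.com", "answers": ["93.184.216.34"]},  # control
    {"t": 5, "type": "net", "pid": 900, "dst": "93.184.216.34", "port": 443},                       # control
    {"t": 6, "type": "net", "pid": 1612, "dst": "215.56.245.0", "port": 443},
    {"t": 7, "type": "net", "pid": 1612, "dst": "174.60.72.9", "port": 443},
    {"t": 8, "type": "net", "pid": 1612, "dst": "192.168.1.1", "port": 445},  # local, ignored
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def regsvr32_extra_modules(cmdline: str) -> list:
    """regsvr32 registers every non-switch argument as a module, so stray tokens after
    the DLL path become library loads (hence 'Section loaded: f1.dll' in the report).
    The tokeniser is whitespace-based; quoted paths containing spaces are out of scope."""
    args = [t for t in cmdline.split()[1:] if not t.startswith(("/", "-"))]
    return args[1:]

def ancestors(pid: int, procs: dict) -> list:
    """Process events from pid up to the root (closest first), guarding against ppid cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain

def from_user_dir(image: str) -> bool:
    return "\\users\\" in image.lower()

def analyze(events: list) -> list:
    """Replay events in time order; returns findings as {'rule', 'pid', 'detail'} dicts."""
    procs, resolved, findings = {}, set(), []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            img, parent = basename(ev["image"]), procs.get(ev["ppid"])
            if img in LOLBINS and parent is not None:
                pimg = basename(parent["image"])
                if pimg in LOLBINS:
                    findings.append({"rule": "lolbin_chain", "pid": ev["pid"], "detail": f"{pimg} -> {img}"})
                elif from_user_dir(parent["image"]):
                    findings.append({"rule": "user_exe_spawns_lolbin", "pid": ev["pid"], "detail": f"{pimg} -> {img}"})
            if img == "regsvr32.exe" and regsvr32_extra_modules(ev["cmdline"]):
                findings.append({"rule": "regsvr32_extra_modules", "pid": ev["pid"],
                                 "detail": regsvr32_extra_modules(ev["cmdline"])})
        elif ev["type"] == "dns":
            resolved.update(ev["answers"])  # only answers seen before a connect count for it
        elif ev["type"] == "net":
            dst = ipaddress.ip_address(ev["dst"])
            if dst.is_private or dst.is_loopback:
                continue
            proc = procs.get(ev["pid"])
            img = basename(proc["image"]) if proc else "?"
            where = f"{img} -> {ev['dst']}:{ev['port']}"
            if ev["dst"] not in resolved:
                findings.append({"rule": "connect_without_dns", "pid": ev["pid"], "detail": where})
            if img in LOLBINS and any(from_user_dir(a["image"]) for a in ancestors(ev["pid"], procs)):
                findings.append({"rule": "system_process_network_from_dropper", "pid": ev["pid"], "detail": where})
    return findings

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['rule']:40} pid={f['pid']:<5} {f['detail']}")
```

On the constructed events `analyze` raises one `user_exe_spawns_lolbin` (xuy1.exe -> regsvr32.exe), one `lolbin_chain` (regsvr32.exe -> rundll32.exe), one `regsvr32_extra_modules` listing `f1` and the `xuy1.exe@224` token, and a `connect_without_dns` plus a `system_process_network_from_dropper` for each of the two unresolved 443 connections; the control connection, which was preceded by a DNS answer, and the private-address SMB connection produce nothing. The ancestry walk is what separates a LOLBin that genuinely talks to the network from one launched by a user-writable executable, which is the condition the report's "System process connects to network" signature is really after.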

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
  Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
  Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\ VolumeInformation
Queries the cryptographic machine GUID
  Source: C:\Users\user\Desktop\xuy1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 836034 | Sample: xuy1.bin | Start date: 11/04/2019 | Architecture: WINDOWS | Score: 68

Text rendering of the graph:
  xuy1.exe (started)
    signatures: Antivirus or Machine Learning detection for sample; PE file has nameless sections; Antivirus or Machine Learning detection for unpacked file
    dropped file: C:\Users\user\Desktop\xuy1.dll (PE32)
    -> regsvr32.exe (started, Windows process)
         signature: Blacklisted process start detected (Windows program)
         -> rundll32.exe (started, Windows process)
              network: 150.132.134.24:443 (ERI-AS-EricssonNetworkSystemsIncUS, Sweden)
              network: 215.56.245.0:443 (DNIC-ASBLK-00721-00726-DoDNetworkInformationCenterUS, United States)
              network: 2 other IPs or domains
              signature: System process connects to network (likely due to code injection or exploit)

Simulations

Behavior and APIs

Time      Type             Description
19:18:14  API Interceptor  498x Sleep call for process: xuy1.exe modified
19:18:14  API Interceptor  1x Sleep call for process: regsvr32.exe modified
19:18:15  API Interceptor  1x Sleep call for process: rundll32.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source    Detection  Scanner         Label  Link
xuy1.exe  100%       Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                        Detection  Scanner         Label  Link
0.0.xuy1.exe.400000.0.unpack  100%       Joe Sandbox ML
0.1.xuy1.exe.400000.0.unpack  100%       Joe Sandbox ML
0.2.xuy1.exe.3ff0000.2.unpack 100%       Joe Sandbox ML

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches
