Automated Malware Analysis Report for s1.windows.exe ...
ID: 190087
Sample Name: s1.windows.exe
Cookbook: default.jbs
Time: 17:11:22
Date: 15/11/2019
Version: 28.0.0 Lapis Lazuli
Table of Contents
Analysis Report s1.windows.exe
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
    Mitre Att&ck Matrix
    Signature Overview
      AV Detection
      Cryptography
      Networking
      Key, Mouse, Clipboard, Microphone and Screen Capturing
      System Summary
      Data Obfuscation
      Persistence and Installation Behavior
      Malware Analysis System Evasion
      Anti Debugging
      HIPS / PFW / Operating System Protection Evasion
      Language, Device and Operating System Detection
      Stealing of Sensitive Information
    Behavior Graph
    Simulations
      Behavior and APIs
    Antivirus, Machine Learning and Genetic Malware Detection
      Initial Sample
      Dropped Files
      Unpacked PE Files
      Domains
      URLs
    Yara Overview
      Initial Sample
      PCAP (Network Traffic)
      Dropped Files
      Memory Dumps
      Unpacked PEs
    Sigma Overview
    Joe Sandbox View / Context
      IPs
      Domains
      ASN
      JA3 Fingerprints
      Dropped Files
    Screenshots
      Thumbnails
    Startup
    Created / dropped Files
    Domains and IPs
      Contacted Domains
      URLs from Memory and Binaries
      Contacted IPs
        Public
        Private
    Static File Info
      General
      File Icon
    Static PE Info
Copyright Joe Security LLC 2019 Page 2 of 29
      General
      Authenticode Signature
      Entrypoint Preview
      Data Directories
      Sections
      Resources
      Imports
      Version Infos
      Possible Origin
    Network Behavior
    Code Manipulations
    Statistics
      Behavior
    System Behavior
      Analysis Process: s1.windows.exe PID: 3944 Parent PID: 2476
        General
        File Activities
          File Created
          File Written
      Analysis Process: conhost.exe PID: 772 Parent PID: 3944
        General
      Analysis Process: s1.exe PID: 4524 Parent PID: 3944
        General
        File Activities
          File Created
          File Written
          File Read
      Analysis Process: cmd.exe PID: 5072 Parent PID: 3944
        General
        File Activities
          File Deleted
          File Written
      Analysis Process: PING.EXE PID: 4748 Parent PID: 5072
        General
        File Activities
    Disassembly
      Code Analysis
Analysis Report s1.windows.exe
Overview
General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 190087
Start date: 15.11.2019
Start time: 17:11:22
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: s1.windows.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal45.troj.spyw.evad.winEXE@8/5@0/1
EGA Information: Successful, ratio: 50%
HDC Information: Successful, ratio: 100% (good quality ratio 50%)
Quality average: 28%
Quality standard deviation: 28%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Detection
Strategy Score Range Reporting Whitelisted Detection
Threshold 45 0 - 100 false
Confidence
Strategy Score Range Further Analysis Required? Confidence
Threshold 5 0 - 5 false
Classification
Classification chart (figure): the sample is rated on a clean / suspicious / malicious scale for each of the categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader and Miner.
Analysis Advice
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Mitre Att&ck Matrix
Techniques grouped by tactic; a number in parentheses is the count the report shows next to that technique.
Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Process Injection (1); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Disabling Security Tools (1); Process Injection (1); Rootkit; Obfuscated Files or Information; Masquerading; DLL Search Order Hijacking; Software Packing; Indicator Blocking
Credential Access: Input Capture (2, 1); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: Network Share Discovery (1); System Time Discovery (1); Query Registry (1); Process Discovery (2); Security Software Discovery (1); System Information Discovery (1, 2); Remote System Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Input Capture (2, 1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol
Signature Overview
• AV Detection
• Cryptography
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
AV Detection:
Antivirus or Machine Learning detection for dropped file
Cryptography:
Public key (encryption) found
Networking:
Uses ping.exe to check the status of other devices and networks
Urls found in memory or binary data
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
System Summary:
Binary contains paths to development resources
Classification label
Creates files inside the user directory
Creates mutexes
PE file has an executable .text section and no other executable section
Queries a list of all open handles
Reads software policies
Sample might require command line arguments
Spawns processes
PE file has a valid certificate
Submission file is bigger than most known malware samples
PE file has a big raw section
Contains modern PE file flags such as dynamic base (ASLR) or NX
Binary contains paths to debug symbols
Data Obfuscation:
PE file contains an invalid checksum
PE file contains sections with non-standard names
Persistence and Installation Behavior:
Drops PE files
Malware Analysis System Evasion:
Uses ping.exe to sleep
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Queries a list of all running processes
Anti Debugging:
Creates guard pages, often used to prevent reverse engineering and debugging
HIPS / PFW / Operating System Protection Evasion:
Creates a process in suspended mode (likely to inject code)
Language, Device and Operating System Detection:
Queries the volume information (name, serial number etc) of a device
Contains functionality to query local / system time
Queries the cryptographic machine GUID
Stealing of Sensitive Information:
Opens network shares
Behavior Graph
ID: 190087
Sample: s1.windows.exe
Startdate: 15/11/2019
Architecture: WINDOWS
Score: 45
Process tree shown in the graph (node badge in parentheses, attached signatures in brackets):
s1.windows.exe (2) [Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks]
  dropped C:\Users\user\Desktop\s1.exe, PE32+
  started s1.exe (11) [Antivirus or Machine Learning detection for dropped file; Opens network shares]
  started cmd.exe (1)
    started PING.EXE (1) [Uses ping.exe to sleep]
      127.0.0.1 (unknown, unknown)
  started conhost.exe
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language), Is malicious, Internet
Simulations
Behavior and APIs
No simulations
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
No Antivirus matches
Dropped Files
Source Detection Scanner Label Link
C:\Users\user\Desktop\s1.exe 100% Joe Sandbox ML
C:\Users\user\Desktop\s1.exe 1% Virustotal Browse
C:\Users\user\Desktop\s1.exe 0% Metadefender Browse
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source Detection Scanner Label Link
www.microsoft.co. 0% Virustotal Browse
www.microsoft.co. 0% Avira URL Cloud safe
crl.micr 0% URL Reputation safe
www.infocyte.com/0 0% Virustotal Browse
www.infocyte.com/0 0% Avira URL Cloud safe
www.microsoft.co 0% Virustotal Browse
www.microsoft.co 0% Avira URL Cloud safe
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Sigma Overview
No Sigma rule has matched
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Startup
System is w10x64
s1.windows.exe (PID: 3944 cmdline: 'C:\Users\user\Desktop\s1.windows.exe' MD5: D1D75615D873F94D2541A780F7C63497)
conhost.exe (PID: 772 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
s1.exe (PID: 4524 cmdline: C:\Users\user\Desktop\s1.exe MD5: 05A3A6622E0FC97D7285CC610196EBF5)
cmd.exe (PID: 5072 cmdline: 'c:\windows\system32\cmd.exe' /C 'c:\windows\system32\ping.exe -n 3 127.0.0.1 > NUL & del C:\Users\user\Desktop\s1.windows.exe >> NUL' MD5: F3BDBE3BB6F734E357235F4D5898582D)
PING.EXE (PID: 4748 cmdline: c:\windows\system32\ping.exe -n 3 127.0.0.1 MD5: 70C24A306F768936563ABDADB9CA9108)
cleanup
Created / dropped Files
C:\Users\user\Desktop\s1.exe
Process: C:\Users\user\Desktop\s1.windows.exe
File Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Size (bytes): 6263648
Entropy (8bit): 6.2962593059711205
Encrypted: false
MD5: 05A3A6622E0FC97D7285CC610196EBF5
SHA1: 7F840840DFB0618EF93CB783A854811755A8516C
SHA-256: 3FA5B17D94292916A5F37B4F50D516DD67D5D2732159AE881A0B492CE1B96095
SHA-512: 7CF9A1ACFFB9F009645F6D7418C9A1B6F4BF42015B73F4BF9A0C7692FBC9EABC1F7520F7DA8505D2E9D25B78270F4C6C2C3D6E5CC7E1155DB6FDC12246364413
Malicious: true
Antivirus: Joe Sandbox ML, Detection: 100%
Antivirus: Virustotal, Detection: 1%, Browse
Antivirus: Metadefender, Detection: 0%, Browse
Reputation: low
C:\Users\user\Desktop\s1.log
Process: C:\Users\user\Desktop\s1.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26608
Entropy (8bit): 5.115223611147472
Encrypted: false
MD5: 1FA0E22A2F9094785803E2994E19E482
SHA1: 1B1CB792B02BBAC600E9D15227081FE7C0391809
SHA-256: 161694B0348F67AAF29FE4880CFB24187332C86BBB0C31D25DE69C7C1C62EAA1
SHA-512: E7674E499D788856330BAD2E059049B94BE2D0D42CD66E97A29F038B3A34EC11BB191F467F41CD5AF18F7DE2DB271F365F89A7EE099844B2A499ABFBAD3FA057
Malicious: false
Reputation: low
Preview:
[2019-11-15 17:12:40][hunt_survey] - Survey Version 2.0.0.0
[2019-11-15 17:12:40][hunt_survey] - Survey Framework Version 4.0.115
[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 0, skipping
[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 4, skipping
[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 88, skipping
[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 292, skipping
[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 376, skipping
[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 452, skipping
[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 468, skipping
[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 544, skipping
[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 560, skipping
[2019-11-15 17:12:
C:\Windows\System32\catroot2\dberr.txt
Process: C:\Users\user\Desktop\s1.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 22022
Entropy (8bit): 4.726169180381783
Encrypted: false
MD5: 93F722050C647287FF51D74462606254
SHA1: BCEC4D2F1899E94F28325520A99C1ECE7A380B1B
SHA-256: B4DE4FA221538BB94B90ED59E4F4240000732690470C74B997B1B46BC2A6DA8A
SHA-512: 24156333C2C64ACB2908D0AFE847CDA1717DB77CE4D9556FB06C99FFCEF106668B1634D6D75006B4001C89C387F66BA80A1B44508D065BAD341AB30AF0D9BC59
Malicious: false
Reputation: low
Preview:
CatalogDB: 5:12:53 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057
CatalogDB: 5:12:58 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057
CatalogDB: 5:12:59 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057
CatalogDB: 5:13:08 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057
CatalogDB: 5:13:14 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057
CatalogDB: 5:13:15 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057
CatalogDB: 5:13:18 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057
CatalogDB: 5:13:32 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057
CatalogDB: 5:13:33 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057
CatalogDB: 5:13:33 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057
CatalogDB: 5:13:34 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057
\Device\Null
Process: C:\Windows\SysWOW64\PING.EXE
File Type: ASCII text, with CRLF line terminators
Size (bytes): 380
Entropy (8bit): 4.937448817509359
Encrypted: false
MD5: 63A3D026F6E4381585F5AEFACE172263
SHA1: 3EA8FDD98AA9F20167008F57DAA6F8ED3ECA9738
SHA-256: 4C31393CE8AE5EA969A049B3FF5DD0EA18E6C29E0E59841BEC1D7AFB7C64DE4C
SHA-512: FB88787000A6D258A1E3AAB97C46B8D92E68071B8E55C8F98278CB474AE6AFB31256A58BF198132D251F8EC666F28C085A88A103C8DB029B3B188F77163BE793
Malicious: false
Reputation: low
Preview:
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://onedrive.live.com/about/en-us/ | s1.exe, 00000003.00000003.1881165656.0000000000E46000.00000004.00000001.sdmp | false | | high
https://onedrive.live.com/about/en-us/0 | s1.exe, 00000003.00000003.1909841561.0000000003E83000.00000004.00000001.sdmp | false | | high
https://github.com/clap-rs/clap/issues; | s1.windows.exe, 00000000.00000003.1786885206.0000000005E4F000.00000004.00000001.sdmp, s1.exe, 00000003.00000000.1790148127.0000000000830000.00000002.00020000.sdmp, s1.exe.0.dr | false | | high
www.microsoft.co. | s1.exe, 00000003.00000003.1901807346.0000000003E2C000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
crl.micr | s1.exe, 00000003.00000003.1876911342.0000000003E0E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/clap-rs/clap/issues | s1.windows.exe, 00000000.00000003.1786885206.0000000005E4F000.00000004.00000001.sdmp, s1.exe, 00000003.00000000.1790148127.0000000000830000.00000002.00020000.sdmp, s1.exe.0.dr | false | | high
https://curl.haxx.se/docs/http-cookies.html | s1.windows.exe, 00000000.00000003.1786885206.0000000005E4F000.00000004.00000001.sdmp, s1.exe, 00000003.00000000.1790148127.0000000000830000.00000002.00020000.sdmp, s1.exe.0.dr | false | | high
www.infocyte.com/0 | s1.windows.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
www.microsoft.co | s1.exe, 00000003.00000003.1876911342.0000000003E0E000.00000004.00000001.sdmp, s1.exe, 00000003.00000003.1880872021.0000000003DEF000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
Contacted IPs
Public
IP Country Flag ASN ASN Name Malicious
Private
IP
127.0.0.1
Static File Info
General
File type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.988389166841247
TrID:
Win32 Executable (generic) a (10002005/4) 99.96%
Generic Win/DOS Executable (2004/3) 0.02%
DOS Executable Generic (2002/1) 0.02%
Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: s1.windows.exe
File size: 4383584
MD5: d1d75615d873f94d2541a780f7c63497
SHA1: 5bb38de07615597acf01f41a166aefd9a08d5fdc
SHA256: 0c943551435a623243eaef44a7ecf7f8f0641e091a82f7b6a78ac02f2a1ff471
SHA512: eed1c94ec7b5ef951448c28264d48144c7e0dc73df0618261ccb36d2f100bb1a5de6c1625fd332b7779a8aea9d34137a3096d08c28926c6ce29386b83b1b8cc4
SSDEEP: 98304:uQXc6HPgpII3H6Oa0HvSxO7ciA0XJkuki+:usc6HPkDXVHgO7ciRZkuki
File Icon
Icon Hash: 00828e8e8686b000
Static PE Info
General
Entrypoint: 0x4014e0
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Note: RELOCS_STRIPPED is set and the base-relocation data directory is empty, so the loader cannot rebase this image; DYNAMIC_BASE therefore does not give it an effective ASLR protection in practice.
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks: 0x403270, 0x41dbd0, 0x41db80
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 13d83db7800c387ed02e2465809812e4
Authenticode Signature
Signature Valid: true
Signature Issuer: CN=DigiCert SHA2 High Assurance Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After: 9/11/2018 5:00:00 PM, 11/18/2020 4:00:00 AM
Subject Chain: CN="Infocyte, Inc", O="Infocyte, Inc", L=Austin, S=Texas, C=US
Version: 3
Thumbprint MD5: A8B736205461764A72B649BD26E47413
Thumbprint SHA-1: C70396DF9FDE5BE911464FADC5AFE6AE0F1F340A
Thumbprint SHA-256: 54F92737EB88F8413DD73B663FFF04E9AC6683D12DD6EDC5F26DD9E538BE85BE
Serial: 03B4A1213DB424E47221A83F8D6392CB
Entrypoint Preview
Instruction
sub esp, 0Ch
mov dword ptr [0082F578h], 00000000h
call 00007F12D0A76A83h
add esp, 0Ch
jmp 00007F12D0A5A1ABh
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
sub esp, 08h
lea eax, dword ptr [0082B0C8h]
mov dword ptr [esp], eax
lea eax, dword ptr [0082F01Ch]
mov dword ptr [esp+04h], eax
call 00007F12D0A6B3A7h
add esp, 08h
pop ebp
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax]
push ebp
mov ebp, esp
sub esp, 08h
lea eax, dword ptr [0082B0C8h]
mov dword ptr [esp], eax
lea eax, dword ptr [0082F01Ch]
mov dword ptr [esp+04h], eax
call 00007F12D0A6B377h
add esp, 08h
pop ebp
ret
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push ebx
push edi
push esi
sub esp, 30h
lea eax, dword ptr [ebp-10h]
mov esi, ecx
lea edi, dword ptr [ebp-3Ch]
lea ecx, dword ptr [ebp-1Ch]
lea ebx, dword ptr [ebp-24h]
mov dword ptr [eax], edx
xor edx, edx
mov dword ptr [edi], 00431290h
mov dword ptr [ebx], eax
mov dword ptr [ebx+04h], 0041D05Ah
inc edx
mov dword ptr [ecx], edx
and dword ptr [ecx+04h], 00000000h
mov dword ptr [edi+04h], edx
and dword ptr [edi+08h], 00000000h
and dword ptr [ecx+08h], 00000000h
mov dword ptr [edi+10h], ebx
mov dword ptr [edi+14h], edx
mov edx, edi
call 00007F12D0A75D94h
Data Directories
Name Virtual Address Virtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT 0x430000 0xb04 .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE 0x433000 0x2b8 .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY 0x42cc00 0x1760 /4
IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0
IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_TLS 0x432004 0x18 .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IAT 0x4301dc 0x18c .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0
Sections
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
.text 0x1000 0x2b7a4 0x2b800 False 0.556932471264 data 6.49629432777 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.data 0x2d000 0x48 0x200 False 0.1015625 data 0.575648019985 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rdata 0x2e000 0x3fc260 0x3fc400 unknown unknown unknown unknown IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/4 0x42b000 0x346c 0x3600 False 0.297743055556 data 4.6594010665 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.bss 0x42f000 0x5cc 0x0 False 0 empty 0.0 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.idata 0x430000 0xb04 0xc00 False 0.384114583333 data 4.84541745784 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.CRT 0x431000 0x40 0x200 False 0.095703125 data 0.420040511234 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.tls 0x432000 0x20 0x200 False 0.056640625 data 0.210826267787 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rsrc 0x433000 0x2b8 0x400 False 0.32421875 data 2.33777533683 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Resources
Name RVA Size Type Language Country
RT_VERSION 0x433058 0x25c data English United States
Imports
DLL Import
ADVAPI32.dll SystemFunction036
KERNEL32.dll AddVectoredExceptionHandler, CloseHandle, CreateFileA, CreateFileW, CreateNamedPipeW, CreateProcessW, DeleteCriticalSection, DeviceIoControl, DuplicateHandle, EnterCriticalSection, FormatMessageW, FreeEnvironmentStringsW, GetCommandLineW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetEnvironmentVariableW, GetFileInformationByHandle, GetLastError, GetModuleFileNameW, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetSystemTimeAsFileTime, GetTickCount, HeapAlloc, HeapFree, HeapReAlloc, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, OpenProcess, QueryFullProcessImageNameA, QueryPerformanceCounter, RtlCaptureContext, SetLastError, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WriteConsoleW, WriteFile
msvcrt.dll __dllonexit, __getmainargs, __initenv, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _errno, _fmode, _initterm, _iob, _lock, _onexit, _unlock, bsearch, calloc, exit, fprintf, free, fwrite, malloc, memcmp, memcpy, memmove, memset, realloc, signal, strcmp, strlen, strncmp, _vsnprintf, abort, vfprintf, atoi, _read, _open, _lseek, _getpid, _close
Version Infos
Description Data
LegalCopyright Copyright (C) 2015-YYYY
FileVersion 0.0.0.0
CompanyName Infocyte, Inc
ProductName Infocyte HUNT Survey
ProductVersion 0.0.0.0
FileDescription HUNT Survey
Translation 0x0409 0x04b0
Possible Origin
Language of compilation system Country where language is spoken Map
English United States
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
• s1.windows.exe
• conhost.exe
• s1.exe
• cmd.exe
• PING.EXE
System Behavior
Analysis Process: s1.windows.exe PID: 3944 Parent PID: 2476
General
Start time: 17:12:36
Start date: 15/11/2019
Path: C:\Users\user\Desktop\s1.windows.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\s1.windows.exe'
Imagebase: 0x400000
File size: 4383584 bytes
MD5 hash: D1D75615D873F94D2541A780F7C63497
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
File Created
File Path Access Attributes Options Completion Count Source Address Symbol
C:\Users\user\Desktop\s1.exe read attributes | synchronize | generic write
none synchronous io non alert | non directory file
success or wait 1 40B30F CreateFileW
File Written
File Path Offset Length Value Ascii Completion Count Source Address Symbol
C:\Users\user\Desktop\s1.exe unknown 6263648 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 2f 02 0b 02 02 1e 00 60 41 00 00 6c 5f 00 00 2c 00 00 00 15 00 00 00 10 00 00 00 00 40 00 00 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 f0 5f 00 00 10 00 00 e7 43 60 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./......`A..l_..,............@..............................._......C`...`... ............................
success or wait 1 4023B7 WriteFile
Start time: 17:12:37
Start date: 15/11/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff642e80000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Start time: 17:12:39
Start date: 15/11/2019
Path: C:\Users\user\Desktop\s1.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\s1.exe
Imagebase: 0x400000
File size: 6263648 bytes
MD5 hash: 05A3A6622E0FC97D7285CC610196EBF5
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: conhost.exe PID: 772 Parent PID: 3944
General
Analysis Process: s1.exe PID: 4524 Parent PID: 3944
General
File Activities
Antivirus matches: Detection: 100%, Joe Sandbox ML; Detection: 1%, Virustotal; Detection: 0%, Metadefender
Reputation: low
File Path Access Attributes Options Completion Count Source Address Symbol
C:\Users\user\Desktop read data or list directory | synchronize
normal directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision 1 5BDE89 CreateDirectoryW
C:\Users\user\Desktop\s1.log read attributes | synchronize | generic write
none synchronous io non alert | non directory file
success or wait 1 5BCE18 CreateFileW
File Path Offset Length Value Ascii Completion Count Source Address Symbol
C:\Users\user\Desktop\s1.log unknown 61 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 30 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 5d 20 2d 20 53 75 72 76 65 79 20 56 65 72 73 69 6f 6e 20 32 2e 30 2e 30 2e 30 0d 0a
[2019-11-15 17:12:40][hunt_survey] - Survey Version 2.0.0.0..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 71 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 30 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 5d 20 2d 20 53 75 72 76 65 79 20 46 72 61 6d 65 77 6f 72 6b 20 56 65 72 73 69 6f 6e 20 34 2e 30 2e 31 31 35 0d 0a
[2019-11-15 17:12:40][hunt_survey] - Survey Framework Version 4.0.115..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 93 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 30 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 65 5f 66 6c 69 67 68 74 5d 20 2d 20 43 61 6e 6e 6f 74 20 6f 62 74 61 69 6e 20 68 61 6e 64 6c 65 20 74 6f 20 70 69 64 20 30 2c 20 73 6b 69 70 70 69 6e 67 0d 0a
[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 0, skipping..
success or wait 39 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 83 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 5d 20 2d 20 49 6e 69 74 69 61 6c 20 63 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 20 73 75 63 63 65 73 73 66 75 6c 2c 20 70 72 6f 63 65 65 64 69 6e 67 0d 0a
[2019-11-15 17:12:41][hunt_survey] - Initial communication successful, proceeding..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 53 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 5d 20 2d 20 57 6f 72 6b 65 72 20 73 74 61 72 74 65 64 0d 0a
[2019-11-15 17:12:41][hunt_survey] - Worker started..
success or wait 1 5BCF6E WriteFile
File Created
File Written
C:\Users\user\Desktop\s1.log unknown 63 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 3a 3a 77 6f 72 6b 65 72 5d 20 2d 20 48 6f 73 74 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a
[2019-11-15 17:12:41][hunt_survey::worker] - Host Information..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 60 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 3a 3a 77 6f 72 6b 65 72 5d 20 2d 20 55 73 65 72 20 41 63 63 6f 75 6e 74 73 0d 0a
[2019-11-15 17:12:41][hunt_survey::worker] - User Accounts..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 85 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 75 73 65 72 5f 61 63 63 6f 75 6e 74 73 5d 20 2d 20 45 6e 75 6d 65 72 61 74 69 6e 67 20 75 73 65 72 20 61 63 63 6f 75 6e 74 73 2e 2e 2e 0d 0a
[2019-11-15 17:12:41][survey_windows::user_accounts] - Enumerating user accounts.....
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 96 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 75 73 65 72 5f 61 63 63 6f 75 6e 74 73 3a 3a 73 65 73 73 69 6f 6e 73 5d 20 2d 20 45 6e 75 6d 65 72 61 74 69 6e 67 20 6c 6f 67 6f 6e 20 73 65 73 73 69 6f 6e 73 2e 2e 2e 0d 0a
[2019-11-15 17:12:41][survey_windows::user_accounts::sessions] - Enumerating logon sessions.....
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 126 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 75 73 65 72 5f 61 63 63 6f 75 6e 74 73 3a 3a 73 65 73 73 69 6f 6e 73 5d 20 2d 20 46 6f 75 6e 64 20 6c 6f 67 6f 6e 20 73 65 73 73 69 6f 6e 20 66 6f 72 20 4c 4f 43 41 4c 20 53 45 52 56 49 43 45 40 4e 54 20 41 55 54 48 4f 52 49 54 59 20 53 2d 31 2d 35 2d 31 39 0d 0a
[2019-11-15 17:12:41][survey_windows::user_accounts::sessions] - Found logon session for LOCAL SERVICE@NT AUTHORITY S-1-5-19..
success or wait 6 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 111 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 75 73 65 72 5f 61 63 63 6f 75 6e 74 73 5d 20 2d 20 55 6e 61 62 6c 65 20 74 6f 20 6c 6f 6f 6b 75 70 20 61 63 63 65 73 73 20 6c 65 76 65 6c 20 66 6f 72 20 4c 4f 43 41 4c 20 53 45 52 56 49 43 45 20 28 32 32 32 31 29 0d 0a
[2019-11-15 17:12:41][survey_windows::user_accounts] - Unable to lookup access level for LOCAL SERVICE (2221)..
success or wait 6 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 111 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 75 73 65 72 5f 61 63 63 6f 75 6e 74 73 5d 20 2d 20 55 6e 61 62 6c 65 20 74 6f 20 6c 6f 6f 6b 75 70 20 61 63 63 65 73 73 20 6c 65 76 65 6c 20 66 6f 72 20 4c 4f 43 41 4c 20 53 45 52 56 49 43 45 20 28 32 32 32 31 29 0d 0a
[2019-11-15 17:12:41][survey_windows::user_accounts] - Unable to lookup access level for LOCAL SERVICE (2221)..
success or wait 6 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 111 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 75 73 65 72 5f 61 63 63 6f 75 6e 74 73 5d 20 2d 20 55 6e 61 62 6c 65 20 74 6f 20 6c 6f 6f 6b 75 70 20 61 63 63 65 73 73 20 6c 65 76 65 6c 20 66 6f 72 20 4c 4f 43 41 4c 20 53 45 52 56 49 43 45 20 28 32 32 32 31 29 0d 0a
[2019-11-15 17:12:41][survey_windows::user_accounts] - Unable to lookup access level for LOCAL SERVICE (2221)..
success or wait 6 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 56 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 3a 3a 77 6f 72 6b 65 72 5d 20 2d 20 50 72 6f 63 65 73 73 65 73 0d 0a
[2019-11-15 17:12:41][hunt_survey::worker] - Processes..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 77 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 5d 20 2d 20 45 6e 75 6d 65 72 61 74 69 6e 67 20 70 72 6f 63 65 73 73 65 73 2e 2e 2e 0d 0a
[2019-11-15 17:12:41][survey_windows::processes] - Enumerating processes.....
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 80 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 3a 3a 73 65 5f 64 65 62 75 67 5d 20 2d 20 53 65 44 65 62 75 67 20 45 6e 61 62 6c 65 64 20 31 0d 0a
[2019-11-15 17:12:41][survey_windows::processes::se_debug] - SeDebug Enabled 1..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 71 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 3a 3a 62 79 5f 65 6e 75 6d 5d 20 2d 20 43 6f 6d 70 6c 65 74 65 64 0d 0a
[2019-11-15 17:12:41][survey_windows::processes::by_enum] - Completed..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 78 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 3a 3a 62 79 5f 73 79 73 74 65 6d 5f 69 6e 66 6f 5d 20 2d 20 43 6f 6d 70 6c 65 74 65 64 0d 0a
[2019-11-15 17:12:41][survey_windows::processes::by_system_info] - Completed..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 74 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 32 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 3a 3a 62 79 5f 68 61 6e 64 6c 65 73 5d 20 2d 20 43 6f 6d 70 6c 65 74 65 64 0d 0a
[2019-11-15 17:12:42][survey_windows::processes::by_handles] - Completed..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 75 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 32 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 3a 3a 62 79 5f 73 6e 61 70 73 68 6f 74 5d 20 2d 20 43 6f 6d 70 6c 65 74 65 64 0d 0a
[2019-11-15 17:12:42][survey_windows::processes::by_snapshot] - Completed..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 86 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 32 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 5d 20 2d 20 43 6f 75 6c 64 20 6e 6f 74 20 67 65 74 20 66 69 6c 65 20 6e 61 6d 65 20 66 6f 72 20 31 33 32 30 21 0d 0a
[2019-11-15 17:12:42][survey_windows::processes] - Could not get file name for 1320!..
success or wait 3 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 82 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 6f 64 75 6c 65 73 5d 20 2d 20 45 6e 75 6d 65 72 61 74 69 6e 67 20 6d 6f 64 75 6c 65 73 20 66 6f 72 20 31 38 31 32 2e 2e 2e 0d 0a
[2019-11-15 17:12:43][survey_windows::modules] - Enumerating modules for 1812.....
success or wait 48 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 105 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 6f 64 75 6c 65 73 5d 20 2d 20 43 61 6e 6e 6f 74 20 67 65 74 20 6d 6f 64 75 6c 65 73 20 66 6f 72 20 31 38 31 32 3a 20 55 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 6d 6f 64 75 6c 65 20 6c 69 73 74 0d 0a
[2019-11-15 17:12:43][survey_windows::modules] - Cannot get modules for 1812: Unable to get module list..
success or wait 27 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 77 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 65 6d 73 63 61 6e 5d 20 2d 20 4d 65 6d 6f 72 79 20 73 63 61 6e 6e 69 6e 67 20 31 38 31 32 3a 20 74 72 75 65 0d 0a
[2019-11-15 17:12:43][survey_windows::memscan] - Memory scanning 1812: true..
success or wait 47 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 91 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 5d 20 2d 20 55 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 61 20 70 72 6f 63 65 73 73 20 68 61 6e 64 6c 65 20 66 6f 72 20 39 32 34 0d 0a
[2019-11-15 17:12:43][survey_windows::processes] - Unable to get a process handle for 924..
success or wait 11 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 85 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 5d 20 2d 20 43 6f 75 6c 64 20 6e 6f 74 20 67 65 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 6f 6e 20 39 32 34 0d 0a
[2019-11-15 17:12:43][survey_windows::processes] - Could not get information on 924..
success or wait 13 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 85 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 68 6f 6f 6b 73 3a 3a 66 75 6e 63 74 69 6f 6e 5f 64 61 74 61 5d 20 2d 20 4c 6f 61 64 69 6e 67 20 66 75 6e 63 74 69 6f 6e 20 64 61 74 61 0d 0a
[2019-11-15 17:12:43][survey_windows::hooks::function_data] - Loading function data..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 145 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 34 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 68 6f 6f 6b 73 3a 3a 66 75 6e 63 74 69 6f 6e 5f 64 61 74 61 5d 20 2d 20 53 75 63 63 65 73 73 66 75 6c 6c 79 20 70 61 72 73 65 64 20 65 78 70 6f 72 74 73 20 66 72 6f 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 61 64 76 61 70 69 33 32 2e 64 6c 6c 20 77 69 74 68 20 37 20 73 65 63 74 69 6f 6e 73 0d 0a
[2019-11-15 17:12:44][survey_windows::hooks::function_data] - Successfully parsed exports from c:\windows\system32\advapi32.dll with 7 sections..
success or wait 10 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 73 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 35 30 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 6f 64 75 6c 65 73 5d 20 2d 20 47 65 74 74 69 6e 67 20 61 20 66 69 6c 65 20 6e 61 6d 65 3a 20 35 0d 0a
[2019-11-15 17:12:50][survey_windows::modules] - Getting a file name: 5..
success or wait 21 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 83 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 35 30 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 65 6d 73 63 61 6e 5d 20 2d 20 76 69 72 74 75 61 6c 5f 71 75 65 72 79 5f 65 72 72 6f 72 20 40 20 30 78 31 30 30 30 30 3a 20 35 0d 0a
[2019-11-15 17:12:50][survey_windows::memscan] - virtual_query_error @ 0x10000: 5..
success or wait 1 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 91 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 35 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 65 6d 73 63 61 6e 5d 20 2d 20 52 65 61 64 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 20 66 61 69 6c 65 64 20 77 69 74 68 20 65 72 72 6f 72 3a 20 32 39 39 0d 0a
[2019-11-15 17:12:53][survey_windows::memscan] - ReadProcessMemory failed with error: 299..
success or wait 8 5BCF6E WriteFile
C:\Users\user\Desktop\s1.log unknown 91 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 35 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 65 6d 73 63 61 6e 5d 20 2d 20 52 65 61 64 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 20 66 61 69 6c 65 64 20 77 69 74 68 20 65 72 72 6f 72 3a 20 32 39 39 0d 0a
[2019-11-15 17:12:53][survey_windows::memscan] - ReadProcessMemory failed with error: 299..
success or wait 28 5BCF6E WriteFile
File Path Offset Length Completion Count Source Address Symbol
C:\Windows\System32\svchost.exe unknown 1024 success or wait 102 5BCECF ReadFile
C:\Users\user\Desktop\s1.exe unknown 8192 success or wait 765 5BCECF ReadFile
C:\Users\user\Desktop\s1.exe unknown 8192 end of file 1 5BCECF ReadFile
C:\Windows\System32\dllhost.exe unknown 1024 success or wait 21 5BCECF ReadFile
C:\Windows\System32\advapi32.dll unknown 64 success or wait 1 5BCECF ReadFile
C:\Windows\System32\advapi32.dll unknown 20 success or wait 1 5BCECF ReadFile
C:\Windows\System32\advapi32.dll unknown 240 success or wait 1 5BCECF ReadFile
C:\Windows\System32\advapi32.dll unknown 40 success or wait 7 5BCECF ReadFile
C:\Windows\System32\advapi32.dll unknown 40 success or wait 1 5BCECF ReadFile
C:\Windows\System32\advapi32.dll unknown 3428 success or wait 1 5BCECF ReadFile
C:\Windows\System32\advapi32.dll unknown 1716 success or wait 1 5BCECF ReadFile
C:\Windows\System32\advapi32.dll unknown 3432 success or wait 1 5BCECF ReadFile
C:\Windows\System32\advapi32.dll unknown 1 success or wait 18089 5BCECF ReadFile
C:\Windows\System32\advapi32.dll unknown 20 success or wait 26 5BCECF ReadFile
C:\Windows\SysWOW64\kernel32.dll unknown 64 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\kernel32.dll unknown 20 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\kernel32.dll unknown 224 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\kernel32.dll unknown 40 success or wait 5 5BCECF ReadFile
C:\Windows\SysWOW64\kernel32.dll unknown 40 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\kernel32.dll unknown 6380 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\kernel32.dll unknown 3190 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\kernel32.dll unknown 6380 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\kernel32.dll unknown 1 success or wait 32590 5BCECF ReadFile
C:\Windows\SysWOW64\kernel32.dll unknown 20 success or wait 32 5BCECF ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 64 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 20 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 224 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 40 success or wait 7 5BCECF ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 40 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 9524 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 4762 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 9524 success or wait 1 5BCECF ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 1 success or wait 48219 5BCECF ReadFile
C:\Windows\SysWOW64\ntdll.dll unknown 20 success or wait 80 5BCECF ReadFile
File Read
Analysis Process: cmd.exe PID: 5072 Parent PID: 3944
Disassembly
File Activities
Start time: 17:12:40
Start date: 15/11/2019
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'c:\windows\system32\cmd.exe' /C 'c:\windows\system32\ping.exe -n 3 127.0.0.1 > NUL & del C:\Users\user\Desktop\s1.windows.exe >> NUL'
Imagebase: 0x8d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Path Access Attributes Options Completion Count Source Address Symbol
File Path Completion Count Source Address Symbol
C:\Users\user\Desktop\s1.windows.exe cannot delete 1 8F0374 DeleteFileW
C:\Users\user\Desktop\s1.windows.exe cannot delete 1 8F0374 DeleteFileW
File Path Offset Length Value Ascii Completion Count Source Address Symbol
\Device\Null unknown 39 43 3a 5c 55 73 65 72 73 5c 47 75 63 63 69 5c 44 65 73 6b 74 6f 70 5c 73 31 2e 77 69 6e 64 6f 77 73 2e 65 78 65 0d 0a
C:\Users\user\Desktop\s1.windows.exe..
success or wait 1 8E2837 WriteFile
File Activities
Start time: 17:12:40
Start date: 15/11/2019
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: c:\windows\system32\ping.exe -n 3 127.0.0.1
Imagebase: 0x140000
File size: 18944 bytes
MD5 hash: 70C24A306F768936563ABDADB9CA9108
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
File Path Access Attributes Options Completion Count Source Address Symbol
File Path Offset Length Value Ascii Completion Count Source Address Symbol
General
File Deleted
File Written
Analysis Process: PING.EXE PID: 4748 Parent PID: 5072
General