Automated Malware Analysis Report for s1.windows.exe ...

ID: 190087 Sample Name: s1.windows.exe Cookbook: default.jbs Time: 17:11:22 Date: 15/11/2019 Version: 28.0.0 Lapis Lazuli


Table of Contents

Analysis Report s1.windows.exe
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
    Mitre Att&ck Matrix
    Signature Overview
      AV Detection
      Cryptography
      Networking
      Key, Mouse, Clipboard, Microphone and Screen Capturing
      System Summary
      Data Obfuscation
      Persistence and Installation Behavior
      Malware Analysis System Evasion
      Anti Debugging
      HIPS / PFW / Operating System Protection Evasion
      Language, Device and Operating System Detection
      Stealing of Sensitive Information
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Sigma Overview
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    JA3 Fingerprints
    Dropped Files
  Screenshots
    Thumbnails
  Startup
  Created / dropped Files
  Domains and IPs
    Contacted Domains
    URLs from Memory and Binaries
    Contacted IPs
      Public
      Private
  Static File Info
    General
    File Icon
    Static PE Info
      General
      Authenticode Signature
      Entrypoint Preview
      Data Directories
      Sections
      Resources
      Imports
      Version Infos
      Possible Origin
  Network Behavior
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: s1.windows.exe PID: 3944 Parent PID: 2476
      General
      File Activities
        File Created
        File Written
    Analysis Process: conhost.exe PID: 772 Parent PID: 3944
      General
    Analysis Process: s1.exe PID: 4524 Parent PID: 3944
      General
      File Activities
        File Created
        File Written
        File Read
    Analysis Process: cmd.exe PID: 5072 Parent PID: 3944
      General
      File Activities
        File Deleted
        File Written
    Analysis Process: PING.EXE PID: 4748 Parent PID: 5072
      General
      File Activities
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2019 Page 2 of 29

Copyright Joe Security LLC 2019 Page 3 of 29

Analysis Report s1.windows.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli

Analysis ID: 190087

Start date: 15.11.2019

Start time: 17:11:22

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 5m 57s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: s1.windows.exe

Cookbook file name: default.jbs

Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113

Number of new started processes analysed: 10

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled

Analysis stop reason: Timeout

Detection: MAL

Classification: mal45.troj.spyw.evad.winEXE@8/5@0/1

EGA Information: Successful, ratio: 50%

HDC Information: Successful, ratio: 100% (good quality ratio 50%); Quality average: 28%; Quality standard deviation: 28%

HCA Information: Failed

Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe

Warnings:

Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe

Report size getting too big, too many NtAllocateVirtualMemory calls found.

Report size getting too big, too many NtCreateFile calls found.

Report size getting too big, too many NtDeviceIoControlFile calls found.

Report size getting too big, too many NtOpenKeyEx calls found.

Report size getting too big, too many NtQueryValueKey calls found.

Report size getting too big, too many NtQueryVolumeInformationFile calls found.

Report size getting too big, too many NtReadVirtualMemory calls found.

Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 45 0 - 100 false

Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 5 0 - 5 false

Classification

Classification chart (rendered as an image in the original report; only its labels survive extraction). Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean / suspicious / malicious.

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control

Valid Accounts | Windows Remote Management | Winlogon Helper DLL | Process Injection 1 | Disabling Security Tools 1 | Input Capture 2 1 | Network Share Discovery 1 | Application Deployment Software | Input Capture 2 1 | Data Encrypted 1 | Data Obfuscation

Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection 1 | Network Sniffing | System Time Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels

Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | Query Registry 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol

Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | Process Discovery 2 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication

Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading | Account Manipulation | Security Software Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol

Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | System Information Discovery 1 2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port

Spearphishing via Service | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Remote System Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port

Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Network Configuration Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol

Signature Overview

• AV Detection

• Cryptography

• Networking

• Key, Mouse, Clipboard, Microphone and Screen Capturing

• System Summary

• Data Obfuscation

• Persistence and Installation Behavior

• Malware Analysis System Evasion

• Anti Debugging

• HIPS / PFW / Operating System Protection Evasion

• Language, Device and Operating System Detection

• Stealing of Sensitive Information


AV Detection:

Antivirus or Machine Learning detection for dropped file

Cryptography:

Public key (encryption) found

Networking:

Uses ping.exe to check the status of other devices and networks

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Installs a raw input device (often for capturing keystrokes)

System Summary:

Binary contains paths to development resources

Classification label


Creates files inside the user directory

Creates mutexes

PE file has an executable .text section and no other executable section

Queries a list of all open handles

Reads software policies

Sample might require command line arguments

Spawns processes

PE file has a valid certificate

Submission file is bigger than most known malware samples

PE file has a big raw section

Contains modern PE file flags such as dynamic base (ASLR) or NX

Binary contains paths to debug symbols

Data Obfuscation:

PE file contains an invalid checksum

PE file contains sections with non-standard names

Persistence and Installation Behavior:

Drops PE files

Malware Analysis System Evasion:

Uses ping.exe to sleep

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Queries a list of all running processes

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Contains functionality to query local / system time

Queries the cryptographic machine GUID

Stealing of Sensitive Information:

Opens network shares

Behavior Graph


Behavior graph (rendered as an image in the original report; only the node labels survive extraction)

ID: 190087

Sample: s1.windows.exe

Startdate: 15/11/2019

Architecture: WINDOWS

Score: 45

Process nodes (edge label "started"): s1.windows.exe (2), s1.exe (11), cmd.exe (1), conhost.exe, PING.EXE (1)

Created-file node (edge label "dropped"): C:\Users\user\Desktop\s1.exe, PE32+

DNS/IP node: 127.0.0.1 (unknown, unknown)

Signature nodes: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Antivirus or Machine Learning detection for dropped file; Opens network shares

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source Detection Scanner Label Link

C:\Users\user\Desktop\s1.exe 100% Joe Sandbox ML

C:\Users\user\Desktop\s1.exe 1% Virustotal Browse

C:\Users\user\Desktop\s1.exe 0% Metadefender Browse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source Detection Scanner Label Link

www.microsoft.co. 0% Virustotal Browse

www.microsoft.co. 0% Avira URL Cloud safe

crl.micr 0% URL Reputation safe

www.infocyte.com/0 0% Virustotal Browse

www.infocyte.com/0 0% Avira URL Cloud safe

www.microsoft.co 0% Virustotal Browse

www.microsoft.co 0% Avira URL Cloud safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64

s1.windows.exe (PID: 3944 cmdline: 'C:\Users\user\Desktop\s1.windows.exe' MD5: D1D75615D873F94D2541A780F7C63497)

conhost.exe (PID: 772 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

s1.exe (PID: 4524 cmdline: C:\Users\user\Desktop\s1.exe MD5: 05A3A6622E0FC97D7285CC610196EBF5)

cmd.exe (PID: 5072 cmdline: 'c:\windows\system32\cmd.exe' /C 'c:\windows\system32\ping.exe -n 3 127.0.0.1 > NUL & del C:\Users\user\Desktop\s1.windows.exe >> NUL' MD5: F3BDBE3BB6F734E357235F4D5898582D)

PING.EXE (PID: 4748 cmdline: c:\windows\system32\ping.exe -n 3 127.0.0.1 MD5: 70C24A306F768936563ABDADB9CA9108)

cleanup

Created / dropped Files

C:\Users\user\Desktop\s1.exe

Process: C:\Users\user\Desktop\s1.windows.exe

File Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows

Size (bytes): 6263648

Entropy (8bit): 6.2962593059711205

Encrypted: false

MD5: 05A3A6622E0FC97D7285CC610196EBF5

SHA1: 7F840840DFB0618EF93CB783A854811755A8516C

SHA-256: 3FA5B17D94292916A5F37B4F50D516DD67D5D2732159AE881A0B492CE1B96095

SHA-512: 7CF9A1ACFFB9F009645F6D7418C9A1B6F4BF42015B73F4BF9A0C7692FBC9EABC1F7520F7DA8505D2E9D25B78270F4C6C2C3D6E5CC7E1155DB6FDC12246364413

Malicious: true

Antivirus: Joe Sandbox ML, Detection: 100%; Virustotal, Detection: 1%, Browse; Metadefender, Detection: 0%, Browse

Reputation: low

Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d... (PE32+ header; the section table visible in the preview lists .text, .data, .rdata, .pdata, .xdata, .bss and .idata; the rest of the binary preview was corrupted during extraction and is omitted)

C:\Users\user\Desktop\s1.log

Process: C:\Users\user\Desktop\s1.exe

File Type: ASCII text, with CRLF line terminators

Size (bytes): 26608

Entropy (8bit): 5.115223611147472

Encrypted: false

MD5: 1FA0E22A2F9094785803E2994E19E482

SHA1: 1B1CB792B02BBAC600E9D15227081FE7C0391809

SHA-256: 161694B0348F67AAF29FE4880CFB24187332C86BBB0C31D25DE69C7C1C62EAA1

SHA-512: E7674E499D788856330BAD2E059049B94BE2D0D42CD66E97A29F038B3A34EC11BB191F467F41CD5AF18F7DE2DB271F365F89A7EE099844B2A499ABFBAD3FA057

Malicious: false

Reputation: low

Preview:[2019-11-15 17:12:40][hunt_survey] - Survey Version 2.0.0.0..[2019-11-15 17:12:40][hunt_survey] - Survey Framework Version 4.0.115..[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 0, skipping..[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 4, skipping..[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 88, skipping..[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 292, skipping..[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 376, skipping..[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 452, skipping..[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 468, skipping..[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 544, skipping..[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 560, skipping..[2019-11-15 17:12:

C:\Windows\System32\catroot2\dberr.txt

Process: C:\Users\user\Desktop\s1.exe

File Type: ASCII text, with CRLF line terminators

Size (bytes): 22022

Entropy (8bit): 4.726169180381783

Encrypted: false

MD5: 93F722050C647287FF51D74462606254

SHA1: BCEC4D2F1899E94F28325520A99C1ECE7A380B1B

SHA-256: B4DE4FA221538BB94B90ED59E4F4240000732690470C74B997B1B46BC2A6DA8A

SHA-512: 24156333C2C64ACB2908D0AFE847CDA1717DB77CE4D9556FB06C99FFCEF106668B1634D6D75006B4001C89C387F66BA80A1B44508D065BAD341AB30AF0D9BC59

Malicious: false

Reputation: low


Preview:CatalogDB: 5:12:53 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057..CatalogDB: 5:12:58 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057..CatalogDB: 5:12:59 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057..CatalogDB: 5:13:08 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057..CatalogDB: 5:13:14 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057..CatalogDB: 5:13:15 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057..CatalogDB: 5:13:18 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057..CatalogDB: 5:13:32 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057..CatalogDB: 5:13:33 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057..CatalogDB: 5:13:33 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057..CatalogDB: 5:13:34 PM 11/15/2019: catadnew.cpp at line #1485 encountered error 0x00000057.


\Device\Null

Process: C:\Windows\SysWOW64\PING.EXE

File Type: ASCII text, with CRLF line terminators

Size (bytes): 380

Entropy (8bit): 4.937448817509359

Encrypted: false

MD5: 63A3D026F6E4381585F5AEFACE172263

SHA1: 3EA8FDD98AA9F20167008F57DAA6F8ED3ECA9738

SHA-256: 4C31393CE8AE5EA969A049B3FF5DD0EA18E6C29E0E59841BEC1D7AFB7C64DE4C

SHA-512: FB88787000A6D258A1E3AAB97C46B8D92E68071B8E55C8F98278CB474AE6AFB31256A58BF198132D251F8EC666F28C085A88A103C8DB029B3B188F77163BE793

Malicious: false

Reputation: low

Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation

https://onedrive.live.com/about/en-us/ s1.exe, 00000003.00000003.1881165656.0000000000E46000.00000004.00000001.sdmp false high

https://onedrive.live.com/about/en-us/0 s1.exe, 00000003.00000003.1909841561.0000000003E83000.00000004.00000001.sdmp false high

https://github.com/clap-rs/clap/issues; s1.windows.exe, 00000000.00000003.1786885206.0000000005E4F000.00000004.00000001.sdmp, s1.exe, 00000003.00000000.1790148127.0000000000830000.00000002.00020000.sdmp, s1.exe.0.dr false high

www.microsoft.co. s1.exe, 00000003.00000003.1901807346.0000000003E2C000.00000004.00000001.sdmp false 0%, Virustotal, Browse; Avira URL Cloud: safe low

crl.micr s1.exe, 00000003.00000003.1876911342.0000000003E0E000.00000004.00000001.sdmp false URL Reputation: safe unknown

https://github.com/clap-rs/clap/issues s1.windows.exe, 00000000.00000003.1786885206.0000000005E4F000.00000004.00000001.sdmp, s1.exe, 00000003.00000000.1790148127.0000000000830000.00000002.00020000.sdmp, s1.exe.0.dr false high

https://curl.haxx.se/docs/http-cookies.html s1.windows.exe, 00000000.00000003.1786885206.0000000005E4F000.00000004.00000001.sdmp, s1.exe, 00000003.00000000.1790148127.0000000000830000.00000002.00020000.sdmp, s1.exe.0.dr false high

www.infocyte.com/0 s1.windows.exe false 0%, Virustotal, Browse; Avira URL Cloud: safe unknown

www.microsoft.co s1.exe, 00000003.00000003.1876911342.0000000003E0E000.00000004.00000001.sdmp, s1.exe, 00000003.00000003.1880872021.0000000003DEF000.00000004.00000001.sdmp false 0%, Virustotal, Browse; Avira URL Cloud: safe low

Contacted IPs

Public

IP Country Flag ASN ASN Name Malicious

Map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs

Private

IP

127.0.0.1

Static File Info

General

File type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

Entropy (8bit): 7.988389166841247

TrID: Win32 Executable (generic) a (10002005/4) 99.96%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%

File name: s1.windows.exe

File size: 4383584

MD5: d1d75615d873f94d2541a780f7c63497

SHA1: 5bb38de07615597acf01f41a166aefd9a08d5fdc

SHA256: 0c943551435a623243eaef44a7ecf7f8f0641e091a82f7b6a78ac02f2a1ff471

SHA512: eed1c94ec7b5ef951448c28264d48144c7e0dc73df0618261ccb36d2f100bb1a5de6c1625fd332b7779a8aea9d34137a3096d08c28926c6ce29386b83b1b8cc4

SSDEEP: 98304:uQXc6HPgpII3H6Oa0HvSxO7ciA0XJkuki+:usc6HPkDXVHgO7ciRZkuki

File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................./...........@...................@... (remainder of the binary preview was corrupted during extraction and is omitted)

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4014e0

Entrypoint Section: .text

Digitally signed: true

Imagebase: 0x400000

Subsystem: windows cui

Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

DLL Characteristics: DYNAMIC_BASE, NX_COMPAT

Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]

TLS Callbacks: 0x403270, 0x41dbd0, 0x41db80

CLR (.Net) Version:

OS Version Major: 4

OS Version Minor: 0

File Version Major: 4

File Version Minor: 0

Subsystem Version Major: 4

Subsystem Version Minor: 0

Import Hash: 13d83db7800c387ed02e2465809812e4

Authenticode Signature

Signature Valid: true

Signature Issuer: CN=DigiCert SHA2 High Assurance Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Signature Validation Error: The operation completed successfully

Error Number: 0

Not Before, Not After 9/11/2018 5:00:00 PM 11/18/2020 4:00:00 AM

Subject Chain CN="Infocyte, Inc", O="Infocyte, Inc", L=Austin, S=Texas, C=US

Version: 3

Thumbprint MD5: A8B736205461764A72B649BD26E47413

Thumbprint SHA-1: C70396DF9FDE5BE911464FADC5AFE6AE0F1F340A

Thumbprint SHA-256: 54F92737EB88F8413DD73B663FFF04E9AC6683D12DD6EDC5F26DD9E538BE85BE

Serial: 03B4A1213DB424E47221A83F8D6392CB

Entrypoint Preview

Instruction

sub esp, 0Ch

mov dword ptr [0082F578h], 00000000h

call 00007F12D0A76A83h

add esp, 0Ch

jmp 00007F12D0A5A1ABh

nop

nop

nop

nop

nop

nop

push ebp


mov ebp, esp

sub esp, 08h

lea eax, dword ptr [0082B0C8h]

mov dword ptr [esp], eax

lea eax, dword ptr [0082F01Ch]

mov dword ptr [esp+04h], eax

call 00007F12D0A6B3A7h

add esp, 08h

pop ebp

ret

nop word ptr [eax+eax+00000000h]

nop dword ptr [eax]

push ebp

mov ebp, esp

sub esp, 08h

lea eax, dword ptr [0082B0C8h]

mov dword ptr [esp], eax

lea eax, dword ptr [0082F01Ch]

mov dword ptr [esp+04h], eax

call 00007F12D0A6B377h

add esp, 08h

pop ebp

ret

nop

nop

nop

nop

nop

nop

nop

push ebp

mov ebp, esp

push ebx

push edi

push esi

sub esp, 30h

lea eax, dword ptr [ebp-10h]

mov esi, ecx

lea edi, dword ptr [ebp-3Ch]

lea ecx, dword ptr [ebp-1Ch]

lea ebx, dword ptr [ebp-24h]

mov dword ptr [eax], edx

xor edx, edx

mov dword ptr [edi], 00431290h

mov dword ptr [ebx], eax

mov dword ptr [ebx+04h], 0041D05Ah

inc edx

mov dword ptr [ecx], edx

and dword ptr [ecx+04h], 00000000h

mov dword ptr [edi+04h], edx

and dword ptr [edi+08h], 00000000h

and dword ptr [ecx+08h], 00000000h

mov dword ptr [edi+10h], ebx

mov dword ptr [edi+14h], edx

mov edx, edi

call 00007F12D0A75D94h


Data Directories

Name Virtual Address Virtual Size Is in Section

IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IMPORT 0x430000 0xb04 .idata

IMAGE_DIRECTORY_ENTRY_RESOURCE 0x433000 0x2b8 .rsrc

IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0


IMAGE_DIRECTORY_ENTRY_SECURITY 0x42cc00 0x1760 /4

IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0

IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0

IMAGE_DIRECTORY_ENTRY_TLS 0x432004 0x18 .tls

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IAT 0x4301dc 0x18c .idata

IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0

IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0


Sections

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics

.text 0x1000 0x2b7a4 0x2b800 False 0.556932471264 data 6.49629432777 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.data 0x2d000 0x48 0x200 False 0.1015625 data 0.575648019985 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.rdata 0x2e000 0x3fc260 0x3fc400 unknown unknown unknown unknown IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

/4 0x42b000 0x346c 0x3600 False 0.297743055556 data 4.6594010665 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ


.bss 0x42f000 0x5cc 0x0 False 0 empty 0.0 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.idata 0x430000 0xb04 0xc00 False 0.384114583333 data 4.84541745784 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.CRT 0x431000 0x40 0x200 False 0.095703125 data 0.420040511234 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.tls 0x432000 0x20 0x200 False 0.056640625 data 0.210826267787 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.rsrc 0x433000 0x2b8 0x400 False 0.32421875 data 2.33777533683 IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ


Resources

Name RVA Size Type Language Country

RT_VERSION 0x433058 0x25c data English United States


Imports

DLL Import

ADVAPI32.dll SystemFunction036

KERNEL32.dll AddVectoredExceptionHandler, CloseHandle, CreateFileA, CreateFileW, CreateNamedPipeW, CreateProcessW, DeleteCriticalSection, DeviceIoControl, DuplicateHandle, EnterCriticalSection, FormatMessageW, FreeEnvironmentStringsW, GetCommandLineW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetEnvironmentVariableW, GetFileInformationByHandle, GetLastError, GetModuleFileNameW, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetSystemTimeAsFileTime, GetTickCount, HeapAlloc, HeapFree, HeapReAlloc, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, OpenProcess, QueryFullProcessImageNameA, QueryPerformanceCounter, RtlCaptureContext, SetLastError, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WriteConsoleW, WriteFile

msvcrt.dll __dllonexit, __getmainargs, __initenv, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _errno, _fmode, _initterm, _iob, _lock, _onexit, _unlock, bsearch, calloc, exit, fprintf, free, fwrite, malloc, memcmp, memcpy, memmove, memset, realloc, signal, strcmp, strlen, strncmp, _vsnprintf, abort, vfprintf, atoi, _read, _open, _lseek, _getpid, _close

Version Infos

Description Data

LegalCopyright Copyright (C) 2015-YYYY

FileVersion 0.0.0.0

CompanyName Infocyte, Inc

ProductName Infocyte HUNT Survey

ProductVersion 0.0.0.0

FileDescription HUNT Survey

Translation 0x0409 0x04b0

Possible Origin

Language of compilation system Country where language is spoken Map

English United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• s1.windows.exe

• conhost.exe

• s1.exe

• cmd.exe

• PING.EXE

System Behavior

Analysis Process: s1.windows.exe PID: 3944 Parent PID: 2476

General

Start time: 17:12:36

Start date: 15/11/2019

Path: C:\Users\user\Desktop\s1.windows.exe

Wow64 process (32bit): true

Commandline: 'C:\Users\user\Desktop\s1.windows.exe'

Imagebase: 0x400000

File size: 4383584 bytes

MD5 hash: D1D75615D873F94D2541A780F7C63497

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

File Activities

File Created

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user\Desktop\s1.exe read attributes | synchronize | generic write none synchronous io non alert | non directory file success or wait 1 40B30F CreateFileW

File Written

File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Users\user\Desktop\s1.exe unknown 6263648 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 2f 02 0b 02 02 1e 00 60 41 00 00 6c 5f 00 00 2c 00 00 00 15 00 00 00 10 00 00 00 00 40 00 00 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 f0 5f 00 00 10 00 00 e7 43 60 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./......`A..l_..,............@..............................._......C`...`... ............................

success or wait 1 4023B7 WriteFile

Analysis Process: conhost.exe PID: 772 Parent PID: 3944

General

Start time: 17:12:37

Start date: 15/11/2019

Path: C:\Windows\System32\conhost.exe

Wow64 process (32bit): false

Commandline: C:\Windows\system32\conhost.exe 0x4

Imagebase: 0x7ff642e80000

File size: 625664 bytes

MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: high

Analysis Process: s1.exe PID: 4524 Parent PID: 3944

General

Start time: 17:12:39

Start date: 15/11/2019

Path: C:\Users\user\Desktop\s1.exe

Wow64 process (32bit): false

Commandline: C:\Users\user\Desktop\s1.exe

Imagebase: 0x400000

File size: 6263648 bytes

MD5 hash: 05A3A6622E0FC97D7285CC610196EBF5

Has administrator privileges: true

Programmed in: C, C++ or other language

Antivirus matches: Detection: 100%, Joe Sandbox ML; Detection: 1%, Virustotal; Detection: 0%, Metadefender

Reputation: low

File Activities

File Created

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user\Desktop read data or list directory | synchronize

normal directory file | synchronous io non alert | open for backup ident | open reparse point

object name collision 1 5BDE89 CreateDirectoryW

C:\Users\user\Desktop\s1.log read attributes | synchronize | generic write

none synchronous io non alert | non directory file

success or wait 1 5BCE18 CreateFileW

File Written

File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Users\user\Desktop\s1.log unknown 61 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 30 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 5d 20 2d 20 53 75 72 76 65 79 20 56 65 72 73 69 6f 6e 20 32 2e 30 2e 30 2e 30 0d 0a

[2019-11-15 17:12:40][hunt_survey] - Survey Version 2.0.0.0..

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 71 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 30 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 5d 20 2d 20 53 75 72 76 65 79 20 46 72 61 6d 65 77 6f 72 6b 20 56 65 72 73 69 6f 6e 20 34 2e 30 2e 31 31 35 0d 0a

[2019-11-15 17:12:40][hunt_survey] - Survey Framework Version 4.0.115..

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 93 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 30 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 65 5f 66 6c 69 67 68 74 5d 20 2d 20 43 61 6e 6e 6f 74 20 6f 62 74 61 69 6e 20 68 61 6e 64 6c 65 20 74 6f 20 70 69 64 20 30 2c 20 73 6b 69 70 70 69 6e 67 0d 0a

[2019-11-15 17:12:40][survey_windows::pre_flight] - Cannot obtain handle to pid 0, skipping..

success or wait 39 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 83 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 5d 20 2d 20 49 6e 69 74 69 61 6c 20 63 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 20 73 75 63 63 65 73 73 66 75 6c 2c 20 70 72 6f 63 65 65 64 69 6e 67 0d 0a

[2019-11-15 17:12:41][hunt_survey] - Initial communication successful, proceeding..

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 53 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 5d 20 2d 20 57 6f 72 6b 65 72 20 73 74 61 72 74 65 64 0d 0a

[2019-11-15 17:12:41][hunt_survey] - Worker started..

success or wait 1 5BCF6E WriteFile


C:\Users\user\Desktop\s1.log unknown 63 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 3a 3a 77 6f 72 6b 65 72 5d 20 2d 20 48 6f 73 74 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a

[2019-11-15 17:12:41][hunt_survey::worker] - Host Information..

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 60 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 3a 3a 77 6f 72 6b 65 72 5d 20 2d 20 55 73 65 72 20 41 63 63 6f 75 6e 74 73 0d 0a

[2019-11-15 17:12:41][hunt_survey::worker] - User Accounts..

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 85 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 75 73 65 72 5f 61 63 63 6f 75 6e 74 73 5d 20 2d 20 45 6e 75 6d 65 72 61 74 69 6e 67 20 75 73 65 72 20 61 63 63 6f 75 6e 74 73 2e 2e 2e 0d 0a

[2019-11-15 17:12:41][survey_windows::user_accounts] - Enumerating user accounts.....

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 96 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 75 73 65 72 5f 61 63 63 6f 75 6e 74 73 3a 3a 73 65 73 73 69 6f 6e 73 5d 20 2d 20 45 6e 75 6d 65 72 61 74 69 6e 67 20 6c 6f 67 6f 6e 20 73 65 73 73 69 6f 6e 73 2e 2e 2e 0d 0a

[2019-11-15 17:12:41][survey_windows::user_accounts::sessions] - Enumerating logon sessions.....

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 126 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 75 73 65 72 5f 61 63 63 6f 75 6e 74 73 3a 3a 73 65 73 73 69 6f 6e 73 5d 20 2d 20 46 6f 75 6e 64 20 6c 6f 67 6f 6e 20 73 65 73 73 69 6f 6e 20 66 6f 72 20 4c 4f 43 41 4c 20 53 45 52 56 49 43 45 40 4e 54 20 41 55 54 48 4f 52 49 54 59 20 53 2d 31 2d 35 2d 31 39 0d 0a

[2019-11-15 17:12:41][survey_windows::user_accounts::sessions] - Found logon session for LOCAL SERVICE@NT AUTHORITY S-1-5-19..

success or wait 6 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 111 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 75 73 65 72 5f 61 63 63 6f 75 6e 74 73 5d 20 2d 20 55 6e 61 62 6c 65 20 74 6f 20 6c 6f 6f 6b 75 70 20 61 63 63 65 73 73 20 6c 65 76 65 6c 20 66 6f 72 20 4c 4f 43 41 4c 20 53 45 52 56 49 43 45 20 28 32 32 32 31 29 0d 0a

[2019-11-15 17:12:41][survey_windows::user_accounts] - Unable to lookup access level for LOCAL SERVICE (2221)..

success or wait 6 5BCF6E WriteFile


C:\Users\user\Desktop\s1.log unknown 111 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 75 73 65 72 5f 61 63 63 6f 75 6e 74 73 5d 20 2d 20 55 6e 61 62 6c 65 20 74 6f 20 6c 6f 6f 6b 75 70 20 61 63 63 65 73 73 20 6c 65 76 65 6c 20 66 6f 72 20 4c 4f 43 41 4c 20 53 45 52 56 49 43 45 20 28 32 32 32 31 29 0d 0a

[2019-11-15 17:12:41][survey_windows::user_accounts] - Unable to lookup access level for LOCAL SERVICE (2221)..

success or wait 6 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 111 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 75 73 65 72 5f 61 63 63 6f 75 6e 74 73 5d 20 2d 20 55 6e 61 62 6c 65 20 74 6f 20 6c 6f 6f 6b 75 70 20 61 63 63 65 73 73 20 6c 65 76 65 6c 20 66 6f 72 20 4c 4f 43 41 4c 20 53 45 52 56 49 43 45 20 28 32 32 32 31 29 0d 0a

[2019-11-15 17:12:41][survey_windows::user_accounts] - Unable to lookup access level for LOCAL SERVICE (2221)..

success or wait 6 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 56 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 68 75 6e 74 5f 73 75 72 76 65 79 3a 3a 77 6f 72 6b 65 72 5d 20 2d 20 50 72 6f 63 65 73 73 65 73 0d 0a

[2019-11-15 17:12:41][hunt_survey::worker] - Processes..

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 77 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 5d 20 2d 20 45 6e 75 6d 65 72 61 74 69 6e 67 20 70 72 6f 63 65 73 73 65 73 2e 2e 2e 0d 0a

[2019-11-15 17:12:41][survey_windows::processes] - Enumerating processes.....

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 80 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 3a 3a 73 65 5f 64 65 62 75 67 5d 20 2d 20 53 65 44 65 62 75 67 20 45 6e 61 62 6c 65 64 20 31 0d 0a

[2019-11-15 17:12:41][survey_windows::processes::se_debug] - SeDebug Enabled 1..

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 71 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 3a 3a 62 79 5f 65 6e 75 6d 5d 20 2d 20 43 6f 6d 70 6c 65 74 65 64 0d 0a

[2019-11-15 17:12:41][survey_windows::processes::by_enum] - Completed..

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 78 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 31 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 3a 3a 62 79 5f 73 79 73 74 65 6d 5f 69 6e 66 6f 5d 20 2d 20 43 6f 6d 70 6c 65 74 65 64 0d 0a

[2019-11-15 17:12:41][survey_windows::processes::by_system_info] - Completed..

success or wait 1 5BCF6E WriteFile


C:\Users\user\Desktop\s1.log unknown 74 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 32 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 3a 3a 62 79 5f 68 61 6e 64 6c 65 73 5d 20 2d 20 43 6f 6d 70 6c 65 74 65 64 0d 0a

[2019-11-15 17:12:42][survey_windows::processes::by_handles] - Completed..

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 75 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 32 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 3a 3a 62 79 5f 73 6e 61 70 73 68 6f 74 5d 20 2d 20 43 6f 6d 70 6c 65 74 65 64 0d 0a

[2019-11-15 17:12:42][survey_windows::processes::by_snapshot] - Completed..

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 86 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 32 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 5d 20 2d 20 43 6f 75 6c 64 20 6e 6f 74 20 67 65 74 20 66 69 6c 65 20 6e 61 6d 65 20 66 6f 72 20 31 33 32 30 21 0d 0a

[2019-11-15 17:12:42][survey_windows::processes] - Could not get file name for 1320!..

success or wait 3 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 82 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 6f 64 75 6c 65 73 5d 20 2d 20 45 6e 75 6d 65 72 61 74 69 6e 67 20 6d 6f 64 75 6c 65 73 20 66 6f 72 20 31 38 31 32 2e 2e 2e 0d 0a

[2019-11-15 17:12:43][survey_windows::modules] - Enumerating modules for 1812.....

success or wait 48 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 105 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 6f 64 75 6c 65 73 5d 20 2d 20 43 61 6e 6e 6f 74 20 67 65 74 20 6d 6f 64 75 6c 65 73 20 66 6f 72 20 31 38 31 32 3a 20 55 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 6d 6f 64 75 6c 65 20 6c 69 73 74 0d 0a

[2019-11-15 17:12:43][survey_windows::modules] - Cannot get modules for 1812: Unable to get module list..

success or wait 27 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 77 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 65 6d 73 63 61 6e 5d 20 2d 20 4d 65 6d 6f 72 79 20 73 63 61 6e 6e 69 6e 67 20 31 38 31 32 3a 20 74 72 75 65 0d 0a

[2019-11-15 17:12:43][survey_windows::memscan] - Memory scanning 1812: true..

success or wait 47 5BCF6E WriteFile


C:\Users\user\Desktop\s1.log unknown 91 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 5d 20 2d 20 55 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 61 20 70 72 6f 63 65 73 73 20 68 61 6e 64 6c 65 20 66 6f 72 20 39 32 34 0d 0a

[2019-11-15 17:12:43][survey_windows::processes] - Unable to get a process handle for 924..

success or wait 11 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 85 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 70 72 6f 63 65 73 73 65 73 5d 20 2d 20 43 6f 75 6c 64 20 6e 6f 74 20 67 65 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 6f 6e 20 39 32 34 0d 0a

[2019-11-15 17:12:43][survey_windows::processes] - Could not get information on 924..

success or wait 13 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 85 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 68 6f 6f 6b 73 3a 3a 66 75 6e 63 74 69 6f 6e 5f 64 61 74 61 5d 20 2d 20 4c 6f 61 64 69 6e 67 20 66 75 6e 63 74 69 6f 6e 20 64 61 74 61 0d 0a

[2019-11-15 17:12:43][survey_windows::hooks::function_data] - Loading function data..

success or wait 1 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 145 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 34 34 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 68 6f 6f 6b 73 3a 3a 66 75 6e 63 74 69 6f 6e 5f 64 61 74 61 5d 20 2d 20 53 75 63 63 65 73 73 66 75 6c 6c 79 20 70 61 72 73 65 64 20 65 78 70 6f 72 74 73 20 66 72 6f 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 61 64 76 61 70 69 33 32 2e 64 6c 6c 20 77 69 74 68 20 37 20 73 65 63 74 69 6f 6e 73 0d 0a

[2019-11-15 17:12:44][survey_windows::hooks::function_data] - Successfully parsed exports from c:\windows\system32\advapi32.dll with 7 sections..

success or wait 10 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 73 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 35 30 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 6f 64 75 6c 65 73 5d 20 2d 20 47 65 74 74 69 6e 67 20 61 20 66 69 6c 65 20 6e 61 6d 65 3a 20 35 0d 0a

[2019-11-15 17:12:50][survey_windows::modules] - Getting a file name: 5..

success or wait 21 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 83 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 35 30 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 65 6d 73 63 61 6e 5d 20 2d 20 76 69 72 74 75 61 6c 5f 71 75 65 72 79 5f 65 72 72 6f 72 20 40 20 30 78 31 30 30 30 30 3a 20 35 0d 0a

[2019-11-15 17:12:50][survey_windows::memscan] - virtual_query_error @ 0x10000: 5..

success or wait 1 5BCF6E WriteFile


C:\Users\user\Desktop\s1.log unknown 91 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 35 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 65 6d 73 63 61 6e 5d 20 2d 20 52 65 61 64 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 20 66 61 69 6c 65 64 20 77 69 74 68 20 65 72 72 6f 72 3a 20 32 39 39 0d 0a

[2019-11-15 17:12:53][survey_windows::memscan] - ReadProcessMemory failed with error: 299..

success or wait 8 5BCF6E WriteFile

C:\Users\user\Desktop\s1.log unknown 91 5b 32 30 31 39 2d 31 31 2d 31 35 20 31 37 3a 31 32 3a 35 33 5d 5b 73 75 72 76 65 79 5f 77 69 6e 64 6f 77 73 3a 3a 6d 65 6d 73 63 61 6e 5d 20 2d 20 52 65 61 64 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 20 66 61 69 6c 65 64 20 77 69 74 68 20 65 72 72 6f 72 3a 20 32 39 39 0d 0a

[2019-11-15 17:12:53][survey_windows::memscan] - ReadProcessMemory failed with error: 299..

success or wait 28 5BCF6E WriteFile


File Read

File Path Offset Length Completion Count Source Address Symbol

C:\Windows\System32\svchost.exe unknown 1024 success or wait 102 5BCECF ReadFile

C:\Users\user\Desktop\s1.exe unknown 8192 success or wait 765 5BCECF ReadFile

C:\Users\user\Desktop\s1.exe unknown 8192 end of file 1 5BCECF ReadFile

C:\Windows\System32\dllhost.exe unknown 1024 success or wait 21 5BCECF ReadFile

C:\Windows\System32\advapi32.dll unknown 64 success or wait 1 5BCECF ReadFile

C:\Windows\System32\advapi32.dll unknown 20 success or wait 1 5BCECF ReadFile

C:\Windows\System32\advapi32.dll unknown 240 success or wait 1 5BCECF ReadFile

C:\Windows\System32\advapi32.dll unknown 40 success or wait 7 5BCECF ReadFile

C:\Windows\System32\advapi32.dll unknown 40 success or wait 1 5BCECF ReadFile

C:\Windows\System32\advapi32.dll unknown 3428 success or wait 1 5BCECF ReadFile

C:\Windows\System32\advapi32.dll unknown 1716 success or wait 1 5BCECF ReadFile

C:\Windows\System32\advapi32.dll unknown 3432 success or wait 1 5BCECF ReadFile

C:\Windows\System32\advapi32.dll unknown 1 success or wait 18089 5BCECF ReadFile

C:\Windows\System32\advapi32.dll unknown 20 success or wait 26 5BCECF ReadFile

C:\Windows\SysWOW64\kernel32.dll unknown 64 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\kernel32.dll unknown 20 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\kernel32.dll unknown 224 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\kernel32.dll unknown 40 success or wait 5 5BCECF ReadFile

C:\Windows\SysWOW64\kernel32.dll unknown 40 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\kernel32.dll unknown 6380 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\kernel32.dll unknown 3190 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\kernel32.dll unknown 6380 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\kernel32.dll unknown 1 success or wait 32590 5BCECF ReadFile

C:\Windows\SysWOW64\kernel32.dll unknown 20 success or wait 32 5BCECF ReadFile

C:\Windows\SysWOW64\ntdll.dll unknown 64 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\ntdll.dll unknown 20 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\ntdll.dll unknown 224 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\ntdll.dll unknown 40 success or wait 7 5BCECF ReadFile

C:\Windows\SysWOW64\ntdll.dll unknown 40 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\ntdll.dll unknown 9524 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\ntdll.dll unknown 4762 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\ntdll.dll unknown 9524 success or wait 1 5BCECF ReadFile

C:\Windows\SysWOW64\ntdll.dll unknown 1 success or wait 48219 5BCECF ReadFile

C:\Windows\SysWOW64\ntdll.dll unknown 20 success or wait 80 5BCECF ReadFile


Analysis Process: cmd.exe PID: 5072 Parent PID: 3944

General

Start time: 17:12:40

Start date: 15/11/2019

Path: C:\Windows\SysWOW64\cmd.exe

Wow64 process (32bit): true

Commandline: 'c:\windows\system32\cmd.exe' /C 'c:\windows\system32\ping.exe -n 3 127.0.0.1 > NUL & del C:\Users\user\Desktop\s1.windows.exe >> NUL'

Imagebase: 0x8d0000

File size: 232960 bytes

MD5 hash: F3BDBE3BB6F734E357235F4D5898582D

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: high

File Activities

File Deleted

File Path Completion Count Source Address Symbol

C:\Users\user\Desktop\s1.windows.exe cannot delete 1 8F0374 DeleteFileW

C:\Users\user\Desktop\s1.windows.exe cannot delete 1 8F0374 DeleteFileW

File Written

File Path Offset Length Value Ascii Completion Count Source Address Symbol

\Device\Null unknown 39 43 3a 5c 55 73 65 72 73 5c 47 75 63 63 69 5c 44 65 73 6b 74 6f 70 5c 73 31 2e 77 69 6e 64 6f 77 73 2e 65 78 65 0d 0a

C:\Users\user\Desktop\s1.windows.exe..

success or wait 1 8E2837 WriteFile

Analysis Process: PING.EXE PID: 4748 Parent PID: 5072

General

Start time: 17:12:40

Start date: 15/11/2019

Path: C:\Windows\SysWOW64\PING.EXE

Wow64 process (32bit): true

Commandline: c:\windows\system32\ping.exe -n 3 127.0.0.1

Imagebase: 0x140000

File size: 18944 bytes

MD5 hash: 70C24A306F768936563ABDADB9CA9108

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: moderate

Disassembly

Code Analysis