
Windows Analysis Report
tlw8Vv1OPD

Overview

General Information

Sample name:tlw8Vv1OPD
renamed because original name is a hash value
Original sample name:3393068eec5540b5a987e0c31c601b6d77ec326fcda7d6ddaf62d0d4f9f6db65
Analysis ID:1390949
MD5:82f3539d8578b18fbc931f4f33fcbba3
SHA1:196f127502d898e7d14cf9521b2b5838a2c1aa14
SHA256:3393068eec5540b5a987e0c31c601b6d77ec326fcda7d6ddaf62d0d4f9f6db65

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Detected VMProtect packer
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction (VM detection)
Entry point lies outside standard sections
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Tries to load missing DLLs

Classification

  • System is w10x64_ra
  • tlw8Vv1OPD.exe (PID: 4776 cmdline: C:\Users\user\Desktop\tlw8Vv1OPD.exe MD5: 82F3539D8578B18FBC931F4F33FCBBA3)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: tlw8Vv1OPD | ReversingLabs: Detection: 84%
Source: tlw8Vv1OPD | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

System Summary

Source: tlw8Vv1OPD | Static PE information: .vmp0 and .vmp1 section names
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Section loaded: umpdc.dll
Source: classification engine | Classification label: mal64.evad.win@1/0@0/0
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tlw8Vv1OPD | ReversingLabs: Detection: 84%
Source: tlw8Vv1OPD | Static file information: File size 6196824 > 1048576
Source: tlw8Vv1OPD | Static PE information: Raw size of .vmp2 is bigger than: 0x100000 < 0x5c5c00
Source: tlw8Vv1OPD | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: initial sample | Static PE information: section where entry point is pointing to: .vmp2
Source: tlw8Vv1OPD | Static PE information: real checksum: 0x5d6a1d should be: 0x5f4e61
Source: tlw8Vv1OPD | Static PE information: section name: .vmp0
Source: tlw8Vv1OPD | Static PE information: section name: .symtab
Source: tlw8Vv1OPD | Static PE information: section name: .vmp1
Source: tlw8Vv1OPD | Static PE information: section name: .vmp2

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Memory written: PID: 4776 base: 7FFF4F430008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Memory written: PID: 4776 base: 7FFF4F2CD9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 000000000196178D second address: 0000000001961792 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop esp 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 0000000001A6B9E7 second address: 0000000001A7F934 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 popfd 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc bp 0x00000008 mov edx, ecx 0x0000000a dec ecx 0x0000000b arpl dx, bx 0x0000000d pop edx 0x0000000e dec ecx 0x0000000f movzx ebp, ax 0x00000012 inc ecx 0x00000013 not al 0x00000015 pop eax 0x00000016 dec esp 0x00000017 movzx ecx, bx 0x0000001a inc ecx 0x0000001b pop esi 0x0000001c inc ecx 0x0000001d xchg cl, bh 0x0000001f jmp 00007FA0F0BEC89Ch 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 inc eax 0x00000027 not ch 0x00000029 dec esp 0x0000002a movzx edx, di 0x0000002d inc esp 0x0000002e movzx eax, ax 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 movzx bp, bl 0x00000037 inc ebp 0x00000038 movzx edx, bx 0x0000003b dec eax 0x0000003c movzx ebx, sp 0x0000003f inc ecx 0x00000040 pop eax 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 inc cx 0x00000045 movsx ebp, ah 0x00000048 dec eax 0x00000049 bswap ebp 0x0000004b inc ecx 0x0000004c not edx 0x0000004e pop ebx 0x0000004f mov ebp, 393B192Eh 0x00000054 inc bp 0x00000056 movsx edx, bl 0x00000059 pop ebp 0x0000005a inc ecx 0x0000005b pop edx 0x0000005c jmp 00007FA0F0DC9867h 0x00000061 ret 0x00000062 popfd 0x00000063 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 000000000135C7D7 second address: 000000000135C7DC instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop esp 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 00000000012B9F90 second address: 00000000012B9F94 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop esi 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 0000000001A6B9E7 second address: 0000000001A7F934 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 popfd 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc bp 0x00000008 mov edx, ecx 0x0000000a dec ecx 0x0000000b arpl dx, bx 0x0000000d pop edx 0x0000000e dec ecx 0x0000000f movzx ebp, ax 0x00000012 inc ecx 0x00000013 not al 0x00000015 pop eax 0x00000016 dec esp 0x00000017 movzx ecx, bx 0x0000001a inc ecx 0x0000001b pop esi 0x0000001c inc ecx 0x0000001d xchg cl, bh 0x0000001f jmp 00007FA0F14C4BACh 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 inc eax 0x00000027 not ch 0x00000029 dec esp 0x0000002a movzx edx, di 0x0000002d inc esp 0x0000002e movzx eax, ax 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 movzx bp, bl 0x00000037 inc ebp 0x00000038 movzx edx, bx 0x0000003b dec eax 0x0000003c movzx ebx, sp 0x0000003f inc ecx 0x00000040 pop eax 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 inc cx 0x00000045 movsx ebp, ah 0x00000048 dec eax 0x00000049 bswap ebp 0x0000004b inc ecx 0x0000004c not edx 0x0000004e pop ebx 0x0000004f mov ebp, 393B192Eh 0x00000054 inc bp 0x00000056 movsx edx, bl 0x00000059 pop ebp 0x0000005a inc ecx 0x0000005b pop edx 0x0000005c jmp 00007FA0F16A1B77h 0x00000061 ret 0x00000062 popfd 0x00000063 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 0000000001A6B9E7 second address: 0000000001A7F934 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 popfd 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc bp 0x00000008 mov edx, ecx 0x0000000a dec ecx 0x0000000b arpl dx, bx 0x0000000d pop edx 0x0000000e dec ecx 0x0000000f movzx ebp, ax 0x00000012 inc ecx 0x00000013 not al 0x00000015 pop eax 0x00000016 dec esp 0x00000017 movzx ecx, bx 0x0000001a inc ecx 0x0000001b pop esi 0x0000001c inc ecx 0x0000001d xchg cl, bh 0x0000001f jmp 00007FA0F06EBC2Ch 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 inc eax 0x00000027 not ch 0x00000029 dec esp 0x0000002a movzx edx, di 0x0000002d inc esp 0x0000002e movzx eax, ax 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 movzx bp, bl 0x00000037 inc ebp 0x00000038 movzx edx, bx 0x0000003b dec eax 0x0000003c movzx ebx, sp 0x0000003f inc ecx 0x00000040 pop eax 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 inc cx 0x00000045 movsx ebp, ah 0x00000048 dec eax 0x00000049 bswap ebp 0x0000004b inc ecx 0x0000004c not edx 0x0000004e pop ebx 0x0000004f mov ebp, 393B192Eh 0x00000054 inc bp 0x00000056 movsx edx, bl 0x00000059 pop ebp 0x0000005a inc ecx 0x0000005b pop edx 0x0000005c jmp 00007FA0F08C8BF7h 0x00000061 ret 0x00000062 popfd 0x00000063 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 0000000001A6B9E7 second address: 0000000001A7F934 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 popfd 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc bp 0x00000008 mov edx, ecx 0x0000000a dec ecx 0x0000000b arpl dx, bx 0x0000000d pop edx 0x0000000e dec ecx 0x0000000f movzx ebp, ax 0x00000012 inc ecx 0x00000013 not al 0x00000015 pop eax 0x00000016 dec esp 0x00000017 movzx ecx, bx 0x0000001a inc ecx 0x0000001b pop esi 0x0000001c inc ecx 0x0000001d xchg cl, bh 0x0000001f jmp 00007FA0F1A1337Ch 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 inc eax 0x00000027 not ch 0x00000029 dec esp 0x0000002a movzx edx, di 0x0000002d inc esp 0x0000002e movzx eax, ax 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 movzx bp, bl 0x00000037 inc ebp 0x00000038 movzx edx, bx 0x0000003b dec eax 0x0000003c movzx ebx, sp 0x0000003f inc ecx 0x00000040 pop eax 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 inc cx 0x00000045 movsx ebp, ah 0x00000048 dec eax 0x00000049 bswap ebp 0x0000004b inc ecx 0x0000004c not edx 0x0000004e pop ebx 0x0000004f mov ebp, 393B192Eh 0x00000054 inc bp 0x00000056 movsx edx, bl 0x00000059 pop ebp 0x0000005a inc ecx 0x0000005b pop edx 0x0000005c jmp 00007FA0F1BF0347h 0x00000061 ret 0x00000062 popfd 0x00000063 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 0000000001A6B9E7 second address: 0000000001A7F934 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 popfd 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc bp 0x00000008 mov edx, ecx 0x0000000a dec ecx 0x0000000b arpl dx, bx 0x0000000d pop edx 0x0000000e dec ecx 0x0000000f movzx ebp, ax 0x00000012 inc ecx 0x00000013 not al 0x00000015 pop eax 0x00000016 dec esp 0x00000017 movzx ecx, bx 0x0000001a inc ecx 0x0000001b pop esi 0x0000001c inc ecx 0x0000001d xchg cl, bh 0x0000001f jmp 00007FA0F0C1181Ch 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 inc eax 0x00000027 not ch 0x00000029 dec esp 0x0000002a movzx edx, di 0x0000002d inc esp 0x0000002e movzx eax, ax 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 movzx bp, bl 0x00000037 inc ebp 0x00000038 movzx edx, bx 0x0000003b dec eax 0x0000003c movzx ebx, sp 0x0000003f inc ecx 0x00000040 pop eax 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 inc cx 0x00000045 movsx ebp, ah 0x00000048 dec eax 0x00000049 bswap ebp 0x0000004b inc ecx 0x0000004c not edx 0x0000004e pop ebx 0x0000004f mov ebp, 393B192Eh 0x00000054 inc bp 0x00000056 movsx edx, bl 0x00000059 pop ebp 0x0000005a inc ecx 0x0000005b pop edx 0x0000005c jmp 00007FA0F0DEE7E7h 0x00000061 ret 0x00000062 popfd 0x00000063 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 0000000001A6B9E7 second address: 0000000001A7F934 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 popfd 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc bp 0x00000008 mov edx, ecx 0x0000000a dec ecx 0x0000000b arpl dx, bx 0x0000000d pop edx 0x0000000e dec ecx 0x0000000f movzx ebp, ax 0x00000012 inc ecx 0x00000013 not al 0x00000015 pop eax 0x00000016 dec esp 0x00000017 movzx ecx, bx 0x0000001a inc ecx 0x0000001b pop esi 0x0000001c inc ecx 0x0000001d xchg cl, bh 0x0000001f jmp 00007FA0F1A07E3Ch 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 inc eax 0x00000027 not ch 0x00000029 dec esp 0x0000002a movzx edx, di 0x0000002d inc esp 0x0000002e movzx eax, ax 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 movzx bp, bl 0x00000037 inc ebp 0x00000038 movzx edx, bx 0x0000003b dec eax 0x0000003c movzx ebx, sp 0x0000003f inc ecx 0x00000040 pop eax 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 inc cx 0x00000045 movsx ebp, ah 0x00000048 dec eax 0x00000049 bswap ebp 0x0000004b inc ecx 0x0000004c not edx 0x0000004e pop ebx 0x0000004f mov ebp, 393B192Eh 0x00000054 inc bp 0x00000056 movsx edx, bl 0x00000059 pop ebp 0x0000005a inc ecx 0x0000005b pop edx 0x0000005c jmp 00007FA0F1BE4E07h 0x00000061 ret 0x00000062 popfd 0x00000063 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 0000000001A6B9E7 second address: 0000000001A7F934 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 popfd 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc bp 0x00000008 mov edx, ecx 0x0000000a dec ecx 0x0000000b arpl dx, bx 0x0000000d pop edx 0x0000000e dec ecx 0x0000000f movzx ebp, ax 0x00000012 inc ecx 0x00000013 not al 0x00000015 pop eax 0x00000016 dec esp 0x00000017 movzx ecx, bx 0x0000001a inc ecx 0x0000001b pop esi 0x0000001c inc ecx 0x0000001d xchg cl, bh 0x0000001f jmp 00007FA0F1A18E9Ch 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 inc eax 0x00000027 not ch 0x00000029 dec esp 0x0000002a movzx edx, di 0x0000002d inc esp 0x0000002e movzx eax, ax 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 movzx bp, bl 0x00000037 inc ebp 0x00000038 movzx edx, bx 0x0000003b dec eax 0x0000003c movzx ebx, sp 0x0000003f inc ecx 0x00000040 pop eax 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 inc cx 0x00000045 movsx ebp, ah 0x00000048 dec eax 0x00000049 bswap ebp 0x0000004b inc ecx 0x0000004c not edx 0x0000004e pop ebx 0x0000004f mov ebp, 393B192Eh 0x00000054 inc bp 0x00000056 movsx edx, bl 0x00000059 pop ebp 0x0000005a inc ecx 0x0000005b pop edx 0x0000005c jmp 00007FA0F1BF5E67h 0x00000061 ret 0x00000062 popfd 0x00000063 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 0000000001A6B9E7 second address: 0000000001A7F934 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 popfd 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc bp 0x00000008 mov edx, ecx 0x0000000a dec ecx 0x0000000b arpl dx, bx 0x0000000d pop edx 0x0000000e dec ecx 0x0000000f movzx ebp, ax 0x00000012 inc ecx 0x00000013 not al 0x00000015 pop eax 0x00000016 dec esp 0x00000017 movzx ecx, bx 0x0000001a inc ecx 0x0000001b pop esi 0x0000001c inc ecx 0x0000001d xchg cl, bh 0x0000001f jmp 00007FA0F1A1137Ch 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 inc eax 0x00000027 not ch 0x00000029 dec esp 0x0000002a movzx edx, di 0x0000002d inc esp 0x0000002e movzx eax, ax 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 movzx bp, bl 0x00000037 inc ebp 0x00000038 movzx edx, bx 0x0000003b dec eax 0x0000003c movzx ebx, sp 0x0000003f inc ecx 0x00000040 pop eax 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 inc cx 0x00000045 movsx ebp, ah 0x00000048 dec eax 0x00000049 bswap ebp 0x0000004b inc ecx 0x0000004c not edx 0x0000004e pop ebx 0x0000004f mov ebp, 393B192Eh 0x00000054 inc bp 0x00000056 movsx edx, bl 0x00000059 pop ebp 0x0000005a inc ecx 0x0000005b pop edx 0x0000005c jmp 00007FA0F1BEE347h 0x00000061 ret 0x00000062 popfd 0x00000063 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 0000000001A6B9E7 second address: 0000000001A7F934 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 popfd 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc bp 0x00000008 mov edx, ecx 0x0000000a dec ecx 0x0000000b arpl dx, bx 0x0000000d pop edx 0x0000000e dec ecx 0x0000000f movzx ebp, ax 0x00000012 inc ecx 0x00000013 not al 0x00000015 pop eax 0x00000016 dec esp 0x00000017 movzx ecx, bx 0x0000001a inc ecx 0x0000001b pop esi 0x0000001c inc ecx 0x0000001d xchg cl, bh 0x0000001f jmp 00007FA0F0BDD1CCh 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 inc eax 0x00000027 not ch 0x00000029 dec esp 0x0000002a movzx edx, di 0x0000002d inc esp 0x0000002e movzx eax, ax 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 movzx bp, bl 0x00000037 inc ebp 0x00000038 movzx edx, bx 0x0000003b dec eax 0x0000003c movzx ebx, sp 0x0000003f inc ecx 0x00000040 pop eax 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 inc cx 0x00000045 movsx ebp, ah 0x00000048 dec eax 0x00000049 bswap ebp 0x0000004b inc ecx 0x0000004c not edx 0x0000004e pop ebx 0x0000004f mov ebp, 393B192Eh 0x00000054 inc bp 0x00000056 movsx edx, bl 0x00000059 pop ebp 0x0000005a inc ecx 0x0000005b pop edx 0x0000005c jmp 00007FA0F0DBA197h 0x00000061 ret 0x00000062 popfd 0x00000063 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 0000000001A6B9E7 second address: 0000000001A7F934 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 popfd 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc bp 0x00000008 mov edx, ecx 0x0000000a dec ecx 0x0000000b arpl dx, bx 0x0000000d pop edx 0x0000000e dec ecx 0x0000000f movzx ebp, ax 0x00000012 inc ecx 0x00000013 not al 0x00000015 pop eax 0x00000016 dec esp 0x00000017 movzx ecx, bx 0x0000001a inc ecx 0x0000001b pop esi 0x0000001c inc ecx 0x0000001d xchg cl, bh 0x0000001f jmp 00007FA0F14C4EACh 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 inc eax 0x00000027 not ch 0x00000029 dec esp 0x0000002a movzx edx, di 0x0000002d inc esp 0x0000002e movzx eax, ax 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 movzx bp, bl 0x00000037 inc ebp 0x00000038 movzx edx, bx 0x0000003b dec eax 0x0000003c movzx ebx, sp 0x0000003f inc ecx 0x00000040 pop eax 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 inc cx 0x00000045 movsx ebp, ah 0x00000048 dec eax 0x00000049 bswap ebp 0x0000004b inc ecx 0x0000004c not edx 0x0000004e pop ebx 0x0000004f mov ebp, 393B192Eh 0x00000054 inc bp 0x00000056 movsx edx, bl 0x00000059 pop ebp 0x0000005a inc ecx 0x0000005b pop edx 0x0000005c jmp 00007FA0F16A1E77h 0x00000061 ret 0x00000062 popfd 0x00000063 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | RDTSC instruction interceptor: First address: 0000000001A6B9E7 second address: 0000000001A7F934 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 popfd 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc bp 0x00000008 mov edx, ecx 0x0000000a dec ecx 0x0000000b arpl dx, bx 0x0000000d pop edx 0x0000000e dec ecx 0x0000000f movzx ebp, ax 0x00000012 inc ecx 0x00000013 not al 0x00000015 pop eax 0x00000016 dec esp 0x00000017 movzx ecx, bx 0x0000001a inc ecx 0x0000001b pop esi 0x0000001c inc ecx 0x0000001d xchg cl, bh 0x0000001f jmp 00007FA0F0BD67BCh 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 inc eax 0x00000027 not ch 0x00000029 dec esp 0x0000002a movzx edx, di 0x0000002d inc esp 0x0000002e movzx eax, ax 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 movzx bp, bl 0x00000037 inc ebp 0x00000038 movzx edx, bx 0x0000003b dec eax 0x0000003c movzx ebx, sp 0x0000003f inc ecx 0x00000040 pop eax 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 inc cx 0x00000045 movsx ebp, ah 0x00000048 dec eax 0x00000049 bswap ebp 0x0000004b inc ecx 0x0000004c not edx 0x0000004e pop ebx 0x0000004f mov ebp, 393B192Eh 0x00000054 inc bp 0x00000056 movsx edx, bl 0x00000059 pop ebp 0x0000005a inc ecx 0x0000005b pop edx 0x0000005c jmp 00007FA0F0DB3787h 0x00000061 ret 0x00000062 popfd 0x00000063 rdtsc
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Special instruction interceptor: First address: 0000000001A7F934 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\tlw8Vv1OPD.exe | Process information queried: ProcessInformation
MITRE ATT&CK Matrix (techniques per tactic; a leading number is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: 1 DLL Side-Loading; Rootkit; Obfuscated Files or Information
Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager
Discovery: 2 Security Software Discovery; 1 Process Discovery; 21 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: 1 Credential API Hooking; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
tlw8Vv1OPD | 84% | ReversingLabs | Win64.Infostealer.ClipBanker |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
teams-9999.teams-msedge.net | 52.113.196.254 | true | false | | unknown
    No contacted IP infos
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1390949
    Start date and time:2024-02-12 17:19:34 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:14
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    Analysis Mode:stream
    Analysis stop reason:Timeout
    Sample name:tlw8Vv1OPD
    renamed because original name is a hash value
    Original Sample Name:3393068eec5540b5a987e0c31c601b6d77ec326fcda7d6ddaf62d0d4f9f6db65
    Detection:MAL
    Classification:mal64.evad.win@1/0@0/0
    • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, login.live.com, teams-ring.msedge.net, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • VT rate limit hit for: tlw8Vv1OPD
    No created / dropped files found
    File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
    Entropy (8bit):7.918065443689799
    TrID:
    • Win64 Executable (generic) (12005/4) 74.95%
    • Generic Win/DOS Executable (2004/3) 12.51%
    • DOS Executable Generic (2002/1) 12.50%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
    File name:tlw8Vv1OPD
    File size:6'196'824 bytes
    MD5:82f3539d8578b18fbc931f4f33fcbba3
    SHA1:196f127502d898e7d14cf9521b2b5838a2c1aa14
    SHA256:3393068eec5540b5a987e0c31c601b6d77ec326fcda7d6ddaf62d0d4f9f6db65
    SHA512:1a3a35b7c4090028e99843c442e15bf12a7b38f0840fce144a1686510e95d1f48a102056ee7e7abc263198338432000cdf4a870c8ae7d2284ae65990eaa86c78
    SSDEEP:98304:qq8hnonj3rw5tcmV9w7bO8EBTYOxsBvQem5OSUs3Bl7m/l992S:X8hA/wfcSGEBhs+ZUs3BJm92
    TLSH:1F5622FD62443398C016C9345523FE4AB3B6161E9BEDA8AEF5CB3BC07F5A5109906F42
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."..................x........@..............................p.......j]...`... ............................
    Icon Hash:1208ae60a9c35732
    Entrypoint:0xd178db
    Entrypoint Section:.vmp2
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:1
    File Version Major:6
    File Version Minor:1
    Subsystem Version Major:6
    Subsystem Version Minor:1
    Import Hash:d910780e43eb6473c6ca334d8a16a8af
    Signature Valid:false
    Signature Issuer:CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
    Signature Validation Error:The digital signature of the object did not verify
    Error Number:-2146869232
    Not Before:03/07/2019 02:00:00
    Not After:20/08/2021 14:00:00
    Subject Chain
    • CN=Malwarebytes Inc, O=Malwarebytes Inc, L=Santa Clara, S=California, C=US
    Version:3
    Thumbprint MD5:D51B8AEBED6D1E6C35F2F6FB092C0224
    Thumbprint SHA-1:816BE9397F66D1A26EFA04035BCA3BB9E3779740
    Thumbprint SHA-256:642577228C33F97B53278CE40767DE78C84A663F269DB23FFB5538A31CD0FED5
    Serial:08A2EC4E78A09E174B192E5535984B59
    Instruction
    push DA2F7259h
    call 00007FA0F0E6D1F3h
    je 00007FA0F0D451CCh
    jmp 00007FA0F0D4521Dh
    or byte ptr [eax-4BC33671h], al
    retf
    xor byte ptr [ecx-35767932h], ah
    push ss
    xchg eax, edi
    aad 3Fh
    mov ebx, 3FC0313Ch
    stosb
    dec esi
    xchg eax, esi
    and al, C0h
    sub al, 9Fh
    fcom st(0), st(6)
    aas
    jc 00007FA0F0D45208h
    mov ah, al
    aas
    pop ebx
    imul esi, dword ptr [CE8D3FC3h], D9h
    pop ss
    shr byte ptr [edi-21h], FFFFFFF9h
    or eax, eax
    jne 00007FA0F0D451E4h
    sbb bh, cl
    aas
    int3
    pop esp
    xchg eax, ebp
    idiv dword ptr [edi]
    mov ebp, C0329705h
    jnl 00007FA0F0D4518Fh
    push ss
    fdivr qword ptr [edi]
    sub edi, dword ptr [eax+esi*4+16E13FC9h]
    pop ss
    sub eax, 595707C0h
    fistp qword ptr [edi]
    jc 00007FA0F0D45178h
    or ebp, ecx
    aas
    adc esi, ebx
    mov ah, CAh
    aas
    and eax, C01E5846h
    xchg eax, esp
    jnle 00007FA0F0D45141h
    push 836FC3C0h
    xchg eax, ebx
    mov ecx, dword ptr [esi]
    movsb
    xor esp, dword ptr [ebx]
    sbb al, DEh
    add al, ch
    rcr dword ptr [edx+eax*2], cl
    mov edx, D5662DF8h
    mov eax, dword ptr [0FBDD07Eh]
    movsb
    adc ebx, eax
    int 30h
    sub al, E2h
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84ac08 | 0x8c | .vmp2
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaf6000 | 0xd8c | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xaf1db0 | 0x2d60 | .vmp2
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5c7200 | 0x21c58 | .vmp2
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xaf5000 | 0x88 | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x94a000 | 0xc0 | .vmp2
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0xbe38a | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0xc0000 | 0xbb078 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x17c000 | 0x621f0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata | 0x1df000 | 0x476 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .vmp0 | 0x1e0000 | 0x790a | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .symtab | 0x1e8000 | 0x4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ
    .vmp1 | 0x1e9000 | 0x345541 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .vmp2 | 0x52f000 | 0x5c5b10 | 0x5c5c00 | 319efad702b2ec814e3c4953ed245933 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .reloc | 0xaf5000 | 0x88 | 0x200 | c6801b3e1c149ccbb62fdb9f350edbad | False | 0.232421875 | data | 1.3604214641515557 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .rsrc | 0xaf6000 | 0xd8c | 0xe00 | 6f6b92679bd5145f868210239b1d88cf | False | 0.5226004464285714 | data | 4.384633446911444 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_ICON | 0xaf60e8 | 0x838 | Device independent bitmap graphic, 50 x 100 x 4, image size 1800 | | | 0.5570342205323194
    RT_GROUP_ICON | 0xaf6920 | 0x14 | data | | | 1.1
    RT_VERSION | 0xaf6938 | 0x454 | data | Catalan | Spain | 0.5306859205776173
    DLL | Import
    kernel32.dll | WriteFile
    WTSAPI32.dll | WTSSendMessageW
    kernel32.dll | GetSystemTimeAsFileTime
    USER32.dll | GetUserObjectInformationW
    kernel32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
    USER32.dll | GetProcessWindowStation, GetUserObjectInformationW
    Language of compilation system | Country where language is spoken | Map
    Catalan | Spain |