Table of Contents
Windows Analysis Report PCMAV-RTP.exe
Overview
General Information
Detection
Signatures
Classification
Process Tree
Malware Configuration
Yara Overview
Sigma Overview
Jbx Signature Overview
AV Detection:
Mitre Att&ck Matrix
Behavior Graph
Screenshots
Thumbnails
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Dropped Files
Unpacked PE Files
Domains
URLs
Domains and IPs
Contacted Domains
Contacted IPs
General Information
Simulations
Behavior and APIs
Joe Sandbox View / Context
IPs
Domains
ASN
JA3 Fingerprints
Dropped Files
Created / dropped Files
Static File Info
General
File Icon
Static PE Info
General
Entrypoint Preview
Data Directories
Sections
Resources
Imports
Possible Origin
Network Behavior
Code Manipulations
Statistics
System Behavior
Analysis Process: PCMAV-RTP.exe PID: 1816 Parent PID: 5296
General
File Activities
Disassembly
Code Analysis
Windows Analysis Report PCMAV-RTP.exe
Overview
General Information
Sample Name: PCMAV-RTP.exe
SHA256: fd70e288679b79d…
Detection
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for subm…
Uses 32bit PE files
Antivirus or Machine Learning detec…
Contains functionality to dynamically…
PE file contains strange resources
Contains functionality to query locale…
Program does not show much activi…
Uses code obfuscation techniques (…
Contains functionality to launch a pr…
Classification
[Classification chart: scale clean / suspicious / malicious; categories Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware]
Process Tree
System is w10x64
PCMAV-RTP.exe (PID: 1816 cmdline: 'C:\Users\user\Desktop\PCMAV-RTP.exe' MD5: 11141EADF0938BA126704EA4C1289557)
cleanup
Malware Configuration
Yara Overview
No yara matches
Sigma Overview
Jbx Signature Overview
AV Detection:
Mitre Att&ck Matrix
Initial Access: Valid Accounts; Default Accounts
Execution: Native API 1; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Exploitation for Privilege Escalation 1; Boot or Logon Initialization Scripts
Defense Evasion: Software Packing 1 1; Obfuscated Files or Information 1 1
Credential Access: Input Capture 1; LSASS Memory
Discovery: File and Directory Discovery 1; System Information Discovery 1 3
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Input Capture 1; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
Behavior Graph
[Behavior graph, ID: 475569: a single process node, PCMAV-RTP.exe. Legend: Process, Signature, Created File, Delphi, Java, .Net C# or VB.NET]
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Dropped Files
No Antivirus matches
Unpacked PE Files
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
Contacted IPs
No contacted IP infos
General Information
Simulations
No simulations
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Static File Info
General
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 6.245411409848703
TrID:
Win32 Executable (generic) a (10002005/4) 99.37%
UPX compressed Win32 Executable (30571/9) 0.30%
Win32 EXE Yoda's Crypter (26571/9) 0.26%
Win16/32 Executable Delphi generic (2074/23) 0.02%
Generic Win/DOS Executable (2004/3) 0.02%
File name: PCMAV-RTP.exe
File size: 55296
MD5: 11141eadf0938ba126704ea4c1289557
SHA1: ae572a121e8affac5509304d60c9fe78a325fe42
SHA256: fd70e288679b79dd3ba31c395aa00dd4f35581a068f3aeaf8e10d018ccafa79a
SHA512: 44178f4a1dd30ed9f77d9f7ce858b376e456caae2604ba16a08c4c0cf42a016a73c1cc3d344f5884db3480e944f95162fd3b00c5629c4a117d19591595462d8d
SSDEEP: 768:MjnpHJvFIViXfTdHdkvcWQbqHiDR1xahES5jltuGVibnfC:2vvFkiXfTldIq6iXxOF8D
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................
File Icon
Static PE Info
General
Entrypoint: 0x419df0
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO,
EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI,
RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (this is the fixed value written by the Borland Delphi linker, not the actual build time)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: bd9427217fec1e0496de452f98c72192
Entrypoint Preview
Data Directories
Sections
Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
UPX0   0x1000           0x14000       0x0       False     0                empty      0.0            IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1   0x15000          0x5000        0x5000    False     0.982763671875   data       7.87274436714  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc  0x1a000          0x9000        0x8400    False     0.497129498106   data       4.79483107717  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
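The Static PE Info and Sections tables above are the raw material for a packer triage. The following Python is an editor's example added here, not code from the report or from Joe Sandbox. It constructs a stand-in PE32 image in memory from the header values the report prints (image base 0x400000, entry point 0x419df0, link timestamp 0x2A425E19, the three-section table) with constructed filler as section contents, parses it back, and lists the indicators an analyst reads off these tables: entry point inside UPX1 rather than .text, an executable UPX0 section with zero raw size that the stub unpacks into, a high-entropy UPX1, writable-and-executable sections, the fixed Delphi link timestamp, and the 'MZP' DOS stub. The constructed layout (0x400 bytes of headers plus 0x5000 and 0x8400 bytes of section data) totals 55296 bytes, the report's file size; because the section contents are filler, the entropy values differ from the report's. On a real file, pass its bytes to parse_pe32() instead of build_sample().

```python
"""Static PE32 triage: entry-point section, packer-style section layout,
Delphi markers. Added example; the sample PE is CONSTRUCTED in memory from
the report's header values, with filler contents (no real file bytes)."""
import random
import struct
from collections import Counter
from math import log2

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DELPHI_LINK_TIMESTAMP = 0x2A425E19  # Fri Jun 19 22:22:17 1992 UTC, Borland linker constant


def entropy(buf):
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * log2(c / n) for c in Counter(buf).values())


def build_pe32(timestamp, image_base, entry_rva, sections, size_of_headers=0x400):
    """Assemble a minimal PE32 image. sections = [(name, vaddr, vsize, raw, flags)].
    Only the fields parse_pe32() reads are meaningful; the rest are zero."""
    dos = b"MZP" + b"\0" * 57 + struct.pack("<I", 0x40)  # Delphi-style stub, e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0xE0, 0x818F)
    opt = struct.pack("<HBBIIIIII", 0x10B, 2, 25, 0, 0, 0, entry_rva, 0, 0)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", image_base, 0x1000, 0x200,
                       4, 0, 4, 0, 4, 0, 0, 0, size_of_headers, 0, 2, 0,
                       0, 0, 0, 0, 0, 16)
    opt += b"\0" * (8 * 16)  # 16 empty data directories
    table, body, ptr = b"", b"", size_of_headers
    for name, vaddr, vsize, raw, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, vaddr, len(raw), ptr if raw else 0, 0, 0, 0, 0, flags)
        body += raw
        ptr += len(raw)
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers.ljust(size_of_headers, b"\0") + body


def parse_pe32(data):
    """Read the COFF timestamp, optional-header entry point / image base and the
    section table; compute per-section entropy over the on-disk raw data."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "flags": flags, "entropy": entropy(raw)})
    return {"delphi_stub": data[:3] == b"MZP", "timestamp": timestamp,
            "image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def entrypoint_section(pe):
    """Name of the section whose virtual range contains the entry point."""
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def triage(pe):
    """Packer and toolchain indicators read off the parsed headers."""
    findings = []
    ep = entrypoint_section(pe)
    if ep and ep != ".text":
        findings.append(f"entry point 0x{pe['image_base'] + pe['entry_rva']:x} is in {ep}, not .text")
    for s in pe["sections"]:
        f = s["flags"]
        if s["name"].upper().startswith("UPX"):
            findings.append(f"{s['name']}: UPX section name")
        if s["rawsize"] == 0 and f & IMAGE_SCN_MEM_EXECUTE and f & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
            findings.append(f"{s['name']}: executable but empty on disk (unpack destination)")
        if s["entropy"] > 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed or encrypted)")
        if f & IMAGE_SCN_MEM_EXECUTE and f & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable")
    if pe["timestamp"] == DELPHI_LINK_TIMESTAMP:
        findings.append("timestamp 0x2A425E19 is the Borland Delphi linker constant, not a build time")
    if pe["delphi_stub"]:
        findings.append("DOS header starts with 'MZP' (Delphi-style stub)")
    return findings


def build_sample():
    """Constructed stand-in with the report's section table; contents are filler."""
    rng = random.Random(0x475569)
    upx1 = bytes(rng.getrandbits(8) for _ in range(0x5000))  # high-entropy filler
    rsrc = (b"RSRC" + b"\0" * 12) * (0x8400 // 16)            # low-entropy filler
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return build_pe32(DELPHI_LINK_TIMESTAMP, 0x400000, 0x19DF0, [
        ("UPX0", 0x1000, 0x14000, b"", rwx | IMAGE_SCN_CNT_UNINITIALIZED_DATA),
        ("UPX1", 0x15000, 0x5000, upx1, rwx | IMAGE_SCN_CNT_INITIALIZED_DATA),
        (".rsrc", 0x1A000, 0x9000, rsrc,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])


if __name__ == "__main__":
    sample = build_sample()
    pe = parse_pe32(sample)
    print(f"{len(sample)} bytes; entry point in {entrypoint_section(pe)}")
    for line in triage(pe):
        print(" -", line)
```

The UPX0/UPX1 pattern is the key reading: UPX reserves UPX0 as uninitialized, executable memory and decompresses the original image into it at run time from UPX1, which is why the entry point sits in UPX1 and UPX0 has no bytes on disk. Strings, imports and resources inspected statically therefore describe the stub, not the payload; unpack (upx -d, or dump after the stub's jump) before drawing conclusions from them.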
Resources
Imports
Possible Origin
Network Behavior
Code Manipulations
System Behavior
General
Disassembly
Code Analysis
Copyright Joe Security LLC Joe Sandbox Cloud Basic 33.0.0 White Diamond