Report


ID: 475569

Sample Name: PCMAV-RTP.exe
Cookbook: default.jbs
Time: 08:51:47
Date: 01/09/2021
Version: 33.0.0 White Diamond
Table of Contents

Table of Contents 2
Windows Analysis Report PCMAV-RTP.exe 3
Overview 3
General Information 3
Detection 3
Signatures 3
Classification 3
Process Tree 3
Malware Configuration 3
Yara Overview 3
Sigma Overview 3
Jbx Signature Overview 3
AV Detection: 3
Mitre Att&ck Matrix 4
Behavior Graph 4
Screenshots 4
Thumbnails 4
Antivirus, Machine Learning and Genetic Malware Detection 5
Initial Sample 5
Dropped Files 5
Unpacked PE Files 5
Domains 5
URLs 5
Domains and IPs 6
Contacted Domains 6
Contacted IPs 6
General Information 6
Simulations 6
Behavior and APIs 6
Joe Sandbox View / Context 7
IPs 7
Domains 7
ASN 7
JA3 Fingerprints 7
Dropped Files 7
Created / dropped Files 7
Static File Info 7
General 7
File Icon 7
Static PE Info 8
General 8
Entrypoint Preview 8
Data Directories 8
Sections 8
Resources 8
Imports 8
Possible Origin 8
Network Behavior 8
Code Manipulations 8
Statistics 9
System Behavior 9
Analysis Process: PCMAV-RTP.exe PID: 1816 Parent PID: 5296 9
General 9
File Activities 9
Disassembly 9
Code Analysis 9

Copyright Joe Security LLC 2021 Page 2 of 9


Windows Analysis Report PCMAV-RTP.exe
Overview

General Information
Sample Name: PCMAV-RTP.exe
Analysis ID: 475569
MD5: 11141eadf0938ba…
SHA1: ae572a121e8affa…
SHA256: fd70e288679b79d…
Infos:
Most interesting Screenshot:

Detection
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures
Multi AV Scanner detection for subm…
Creates a DirectInput object (often fo…
Uses 32bit PE files
Antivirus or Machine Learning detec…
Contains functionality to dynamically…
PE file contains strange resources
Contains functionality to query locale…
Program does not show much activi…
Uses code obfuscation techniques (…
Contains functionality to launch a pr…

Classification
Ransomware, Miner, Spreading, malicious, Evader, Phishing, suspicious, clean, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Process Tree

System is w10x64
PCMAV-RTP.exe (PID: 1816 cmdline: 'C:\Users\user\Desktop\PCMAV-RTP.exe' MD5: 11141EADF0938BA126704EA4C1289557)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:



Multi AV Scanner detection for submitted file

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts
Execution: Native API 1; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Exploitation for Privilege Escalation 1; Boot or Logon Initialization Scripts
Defense Evasion: Software Packing 1 1; Obfuscated Files or Information 1 1
Credential Access: Input Capture 1; LSASS Memory
Discovery: File and Directory Discovery 1; System Information Discovery 1 3
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Input Capture 1; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph

Behavior Graph ID: 475569
Sample: PCMAV-RTP.exe
Startdate: 01/09/2021
Architecture: WINDOWS
Score: 48

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Graph: started -> PCMAV-RTP.exe; signature: Multi AV Scanner detection for submitted file

Screenshots

Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source Detection Scanner Label Link


PCMAV-RTP.exe 7% Virustotal Browse
PCMAV-RTP.exe 14% Metadefender Browse
PCMAV-RTP.exe 18% ReversingLabs Win32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source Detection Scanner Label Link Download


0.0.PCMAV-RTP.exe.400000.0.unpack 100% Avira DR/Delphi.Gen Download File
0.2.PCMAV-RTP.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File

Domains

No Antivirus matches

URLs

No Antivirus matches



Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond


Analysis ID: 475569
Start date: 01.09.2021
Start time: 08:51:47
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 42s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PCMAV-RTP.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled
EGA enabled
HDC enabled
AMSI enabled

Analysis Mode: default


Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winEXE@1/0@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 99.6% (good quality ratio 94.2%)
Quality average: 82.9%
Quality standard deviation: 28.1%
HCA Information: Failed
Cookbook Comments: Adjust boot time
Enable AMSI
Found application associated with file extension: .exe
Stop behavior analysis, all processes terminated
Warnings: Show All

Simulations

Behavior and APIs

No simulations



Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 6.245411409848703
TrID: Win32 Executable (generic) a (10002005/4) 99.37%
      UPX compressed Win32 Executable (30571/9) 0.30%
      Win32 EXE Yoda's Crypter (26571/9) 0.26%
      Win16/32 Executable Delphi generic (2074/23) 0.02%
      Generic Win/DOS Executable (2004/3) 0.02%
File name: PCMAV-RTP.exe
File size: 55296
MD5: 11141eadf0938ba126704ea4c1289557
SHA1: ae572a121e8affac5509304d60c9fe78a325fe42
SHA256: fd70e288679b79dd3ba31c395aa00dd4f35581a068f3aeaf8e10d018ccafa79a
SHA512: 44178f4a1dd30ed9f77d9f7ce858b376e456caae2604ba16a08c4c0cf42a016a73c1cc3d344f5884db3480e944f95162fd3b00c5629c4a117d19591595462d8d
SSDEEP: 768:MjnpHJvFIViXfTdHdkvcWQbqHiDR1xahES5jltuGVibnfC:2vvFkiXfTldIq6iXxOF8D
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7...........................................................................................................................

File Icon

Icon Hash: f9b835d8e4deec74



Static PE Info

General
Entrypoint: 0x419df0
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: bd9427217fec1e0496de452f98c72192

Entrypoint Preview

Data Directories

Sections

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
UPX0 0x1000 0x14000 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1 0x15000 0x5000 0x5000 False 0.982763671875 data 7.87274436714 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc 0x1a000 0x9000 0x8400 False 0.497129498106 data 4.79483107717 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Imports

Possible Origin

Language of compilation system: English
Country where language is spoken: United States
Map:

Network Behavior

No network behavior found

Code Manipulations



Statistics

System Behavior

Analysis Process: PCMAV-RTP.exe PID: 1816 Parent PID: 5296

General

Start time: 08:52:39
Start date: 01/09/2021
Path: C:\Users\user\Desktop\PCMAV-RTP.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PCMAV-RTP.exe'
Imagebase: 0x400000
File size: 55296 bytes
MD5 hash: 11141EADF0938BA126704EA4C1289557
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

File Activities

Disassembly

Code Analysis

Copyright Joe Security LLC Joe Sandbox Cloud Basic 33.0.0 White Diamond
