Automated Malware Analysis Report for Iexpress.Exe
ID: 185077
Sample Name: iexpress.exe
Cookbook: default.jbs
Time: 15:15:57
Date: 24/10/2019
Version: 28.0.0 Lapis Lazuli

Table of Contents
  Analysis Report iexpress.exe
    Overview: General Information; Detection; Confidence; Classification; Mitre Att&ck Matrix
    Signature Overview: Spreading; System Summary; Persistence and Installation Behavior; Malware Analysis System Evasion; Anti Debugging; Language, Device and Operating System Detection
    Behavior Graph
    Simulations: Behavior and APIs
    Antivirus, Machine Learning and Genetic Malware Detection: Initial Sample; Dropped Files; Unpacked PE Files; Domains; URLs
    Yara Overview: Initial Sample; PCAP (Network Traffic); Dropped Files; Memory Dumps; Unpacked PEs
    Joe Sandbox View / Context: IPs; Domains; ASN; JA3 Fingerprints; Dropped Files
    Screenshots: Thumbnails
    Startup
    Created / dropped Files
    Domains and IPs: Contacted Domains; Contacted IPs
    Static File Info: General; File Icon; Static PE Info (General; Entrypoint Preview; Data Directories; Sections; Resources; Imports; Version Infos; Possible Origin)
    Network Behavior
    Code Manipulations
    Statistics
    System Behavior: Analysis Process: iexpress.exe PID: 4152 Parent PID: 1472 (General; File Activities)
    Disassembly: Code Analysis

Copyright Joe Security LLC 2019 Page 2 of 14

Analysis Report iexpress.exe
Overview
General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 185077
Start date: 24.10.2019
Start time: 15:15:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 25s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: iexpress.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winEXE@1/0@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 90.7% (good quality ratio 48.4%)
Quality average: 27.8%
Quality standard deviation: 31.7%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe; Stop behavior analysis, all processes terminated
Warnings: Exclude process from analysis (whitelisted): dllhost.exe
Detection
Strategy   Score  Range    Reporting Whitelisted  Detection
Threshold  2      0 - 100  true                   CLEAN

Confidence
Strategy   Score  Range  Further Analysis Required?  Confidence
Threshold  5      0 - 5  false
Classification
Radar chart, not reproduced in text. Scale: malicious / suspicious / clean. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. The sample scored 2 on the 0 - 100 scale and falls in the clean band on every axis.
Mitre Att&ck Matrix
The matrix is listed per tactic. A trailing number is the count of signatures mapped to that technique; techniques without one are the template's unobserved cells.
Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: File System Logical Offsets; Binary Padding; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); File and Directory Discovery (1); System Information Discovery (3)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol (1); Fallback Channels; Custom Cryptographic Protocol
Signature Overview
• Spreading
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
Spreading:
Contains functionality to enumerate / list files inside a directory
System Summary:
Detected potential crypto function
PE file contains strange resources
Sample file is different than original file name gathered from version info (the sample is iexpress.exe, the version resource says IEXPRESS.EXE; the two differ only in letter case)
Classification label
Contains functionality for error logging
Contains functionality to load and extract PE file embedded resources
PE file has an executable .text section and no other executable section
Reads software policies
Executable creates window controls seldom found in malware
PE file has a high image base, often used for DLLs
PE file contains a mix of data directories often seen in goodware
Contains modern PE file flags such as dynamic base (ASLR) or NX
PE file contains a debug data directory
Binary contains paths to debug symbols
Persistence and Installation Behavior:
Contains functionality to read ini properties file for application configuration
Malware Analysis System Evasion:
Found large amount of non-executed APIs
Program does not show much activity (idle)
Contains functionality to enumerate / list files inside a directory
Contains functionality to query system information
Anti Debugging:
Program does not show much activity (idle)
Contains functionality to register its own exception handler
Language, Device and Operating System Detection:
Contains functionality to query local / system time
Contains functionality to query windows version
Behavior Graph
Graph not reproduced in text. Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet.
ID: 185077; Sample: iexpress.exe; Startdate: 24/10/2019; Architecture: WINDOWS; Score: 2
Single node: iexpress.exe (started); no child processes, dropped files or network contacts are drawn.
Simulations
Behavior and APIs
No simulations
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source        Detection  Scanner       Label
iexpress.exe  0%         Virustotal
iexpress.exe  0%         Metadefender
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Screenshots
Thumbnails: this section contains all screenshots as thumbnails, including those not shown in the slideshow. The images are not reproduced in this text version.
Startup
System is w10x64
iexpress.exe (PID: 4152, cmdline: 'C:\Users\user\Desktop\iexpress.exe', MD5: 6CE1AADAE5F10999B2F4287649D5B334)
cleanup
Created / dropped Files
No created / dropped files found
Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos
Static File Info
General
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.767913871987805
TrID:
  Win64 Executable GUI (202006/5) 92.02%
  Win64 Executable (generic) (12005/4) 5.47%
  Generic Win/DOS Executable (2004/3) 0.91%
  DOS Executable Generic (2002/1) 0.91%
  Java Script embedded in Visual Basic Script (1500/0) 0.68%
File name: iexpress.exe
File size: 167424
MD5: 6ce1aadae5f10999b2f4287649d5b334
SHA1: e07692215ae111830484fbf44c9d644f1193dc7c
SHA256: 00bec77c6658f77c0988a162d61dcf234a0620d314d23c93bffe2925d9f5bb5e
SHA512: 542021c837ddf6d3ded6624b1373748f539f682e77febaf4bda056442399208fc8605162d8571be5738b5d55efdc340f4183c372b74f377c748582d2c060acd2
SSDEEP: 3072:WcGp4EmUsXladvtre7ePgxNNDnGOb+ahXNqJohePnq45L84r:RGSEmUssdl+NDGOb+asEwv5L
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... g..<#.xo #.xo#.xo...o".xo...o".xo...o6.xo#.yo..xo...o1.xo...o).xo...o" .xo...o".xoRich#.xo...... PE..d...... P...
File Icon
Icon Hash: e8feeeeee6667618
Static PE Info
General
Entrypoint: 0x14000fdd8
Entrypoint Section: .text
Digitally signed: false (no embedded Authenticode signature; the IMAGE_DIRECTORY_ENTRY_SECURITY directory below is empty)
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x5010A6CD [Thu Jul 26 02:09:17 2012 UTC]
TLS Callbacks: none (the TLS data directory is empty)
CLR (.Net) Version: none (the COM descriptor data directory is empty)
OS Version Major: 6
OS Version Minor: 2
File Version Major: 6
File Version Minor: 2
Subsystem Version Major: 6
Subsystem Version Minor: 2
Import Hash: 6eb63c97f69c75599c91eb5181d1442b
Entrypoint Preview
Note on reading this listing: the bytes were decoded as 32-bit code although the file is PE32+. In 64-bit mode the rows shown as dec eax (0x48), inc ebp (0x45) and dec esp (0x4C) are REX prefixes of the instruction that follows, not instructions of their own, and the registers are the 64-bit ones. For example the first two rows, dec eax / sub esp, 28h, are the single instruction sub rsp, 28h, and inc ebp / xor eax, eax is xor r8d, r8d. The branch targets are likewise 32-bit truncations of 64-bit addresses.
Instruction
dec eax
sub esp, 28h
call 00007FF464A1BEA8h
dec eax
add esp, 28h
jmp 00007FF464A1B877h
int3 (repeated 12 times)
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00001309h]
jne 00007FF464A1BAD4h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FF464A1BAC5h
retn 0000h
dec eax
ror ecx, 10h
jmp 00007FF464A1BACDh
int3 (repeated 8 times)
dec eax
mov dword ptr [esp+08h], ecx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 00000080h
dec eax
lea ecx, dword ptr [000021D1h]
call dword ptr [00006CE3h]
dec eax
mov eax, dword ptr [000022BCh]
dec eax
mov dword ptr [esp+48h], eax
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+50h]
dec eax
mov ecx, dword ptr [esp+48h]
call dword ptr [00006CBCh]
dec eax
mov dword ptr [esp+40h], eax
dec eax
cmp dword ptr [esp+40h], 00000000h
je 00007FF464A1BB04h
dec eax
mov dword ptr [esp+38h], 00000000h
dec eax
lea eax, dword ptr [esp+58h]
dec eax
mov dword ptr [esp+30h], eax
dec eax
lea eax, dword ptr [esp+60h]
dec eax
mov dword ptr [esp+28h], eax
dec eax
lea eax, dword ptr [0000217Bh]
dec eax
mov dword ptr [esp+20h], eax
dec esp
mov ecx, dword ptr [esp+40h]
Data Directories
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x16000          0xdc          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x18000          0x157d8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x15000          0x6cc         .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2e000          0x104         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1040           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x1a60           0x70          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x16610          0x530         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0xfcec        0xfe00    False     0.547720841535   data       6.34304608093  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data   0x11000          0x3354        0x1000    False     0.115478515625   data       1.22469096808  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata  0x15000          0x6cc         0x800     False     0.48974609375    data       4.32406620771  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata  0x16000          0x1638        0x1800    False     0.416829427083   data       4.68987904546  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x18000          0x157d8       0x15800   False     0.620083121366   data       7.02066874618  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x2e000          0x2c2         0x400     False     0.216796875      data       1.97539787963  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
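The Static PE Info fields above (entrypoint, image base, DLL characteristics, data directories, per-section entropy and the single executable section) all come straight from the PE32+ headers. The following added example, which is not part of the Joe Sandbox report, parses those headers with nothing but the standard library and reproduces the same kind of findings: 8-bit Shannon entropy per section, the DLL characteristics flag names, which sections are executable, and whether the security directory carries an embedded Authenticode signature. Because no real binary can be embedded in a page, the input is a constructed two-section PE32+ image built by build_sample_pe64 (a hypothetical helper; the image is valid for a parser but not runnable). One caveat the report does not state: "Digitally signed: false" only means the IMAGE_DIRECTORY_ENTRY_SECURITY directory is empty. Windows-shipped binaries such as iexpress.exe are normally signed through catalog files, so on a Windows host Get-AuthenticodeSignature, which consults the catalogs, is the check to run before treating that field as suspicious.

```python
import math
import struct

# IMAGE_DLLCHARACTERISTICS_* values from winnt.h (PE/COFF specification).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Authenticode directory
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe64(image: bytes) -> dict:
    """Parse the headers of a PE32+ image; raises ValueError for anything that is not one."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                    # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ optional header")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    ndirs = struct.unpack_from("<I", image, opt + 108)[0]
    dirs = [struct.unpack_from("<II", image, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):                         # 40-byte section headers follow the optional header
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        flags = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(image[rawptr:rawptr + rawsize]),
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
        })
    sec_size = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY][1] if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY else 0
    return {
        "image_base": image_base,
        "entrypoint": image_base + entry_rva,
        "dll_characteristics": sorted(n for f, n in DLL_CHARACTERISTICS.items() if dll_chars & f),
        "embedded_signature": sec_size != 0,           # what "Digitally signed" in the report reflects
        "executable_sections": [s["name"] for s in sections if s["executable"]],
        "sections": sections,
    }


def build_sample_pe64(text: bytes, rsrc: bytes, dll_chars: int) -> bytes:
    """Constructed test input: a minimal two-section PE32+ image (valid headers, not runnable code)."""
    align = 0x200
    text += b"\0" * (-len(text) % align)
    rsrc += b"\0" * (-len(rsrc) % align)
    hdr_size = 0x400
    dirs = [(0, 0)] * 16
    dirs[2] = (0x2000, len(rsrc))                      # resource directory points at .rsrc
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, len(text), len(rsrc), 0,
                      0x1000, 0x1000, 0x140000000, 0x1000, align, 6, 2, 6, 2, 6, 2, 0, 0x3000,
                      hdr_size, 0, 2, dll_chars, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec_hdr = "<8sIIIIIIHHI"
    secs = struct.pack(sec_hdr, b".text", len(text), 0x1000, len(text), hdr_size, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(sec_hdr, b".rsrc", len(rsrc), 0x2000, len(rsrc), hdr_size + len(text), 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points at the PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x0022)
    headers = dos + b"PE\0\0" + coff + opt + secs
    return headers.ljust(hdr_size, b"\0") + text + rsrc


def analyze_constructed_sample() -> dict:
    """Uniform-byte code section, all-zero resource section, and the report's four DLL flags."""
    flags = 0x8000 | 0x0100 | 0x0040 | 0x0020
    return parse_pe64(build_sample_pe64(bytes(range(256)) * 2, b"\0" * 0x200, flags))


if __name__ == "__main__":
    info = analyze_constructed_sample()
    print("entrypoint 0x%x  flags %s  embedded signature %s"
          % (info["entrypoint"], ", ".join(info["dll_characteristics"]), info["embedded_signature"]))
    for s in info["sections"]:
        print("%-8s rva=0x%-6x raw=0x%-6x entropy=%.3f exec=%s"
              % (s["name"], s["va"], s["rawsize"], s["entropy"], s["executable"]))
```

On a real file, replace the constructed image with open(path, "rb").read(); the .rsrc entropy of 7.02 in the table above is what a PNG icon resource produces, whereas a near-8.0 value on a section flagged executable is the packed-code case worth a second look.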
Resources
All entries are Language: English, Country: United States. The Type column is a file(1)-style content guess on the raw resource bytes; the dBase IV and GLS_BINARY labels are false matches on DIB icon data, not evidence of embedded database or binary payloads.
Name           RVA      Size    Type
MUI            0x2d6f0  0xe8    data
RT_BITMAP      0x261b0  0x71d8  data
RT_ICON        0x18750  0x128   GLS_BINARY_LSB_FIRST
RT_ICON        0x18878  0x568   GLS_BINARY_LSB_FIRST
RT_ICON        0x18de0  0x2e8   dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2022147975, next used block 128
RT_ICON        0x190c8  0x8a8   dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON        0x19970  0x668   data
RT_ICON        0x19fd8  0xea8   data
RT_ICON        0x1ae80  0x468   GLS_BINARY_LSB_FIRST
RT_ICON        0x1b2e8  0x10a8  data
RT_ICON        0x1c390  0x25a8  data
RT_ICON        0x1e938  0x77e0  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0x26118  0x92    data
RT_VERSION     0x2d388  0x368   data
RT_MANIFEST    0x18380  0x3cf   XML 1.0 document, ASCII text, with CRLF line terminators
Imports
KERNEL32.dll: CopyFileA, SetFileAttributesA, FindClose, GetPrivateProfileStringA, LocalAlloc, WritePrivateProfileStringA, GetSystemInfo, GetModuleFileNameA, GetPrivateProfileSectionA, CompareStringA, GetUserDefaultUILanguage, GetVersionExA, CloseHandle, GetVersion, LocalFree, DeleteFileA, FreeResource, MapViewOfFile, UnmapViewOfFile, _llseek, FreeLibrary, LoadResource, _lwrite, GlobalLock, _lclose, GetTickCount, EnumResourceTypesA, FindResourceExA, GlobalAlloc, GetProcAddress, EnumResourceLanguagesA, GlobalUnlock, SetLastError, GlobalFree, GetTempFileNameA, CreateFileMappingA, MoveFileA, LockResource, _lread, LoadLibraryExA, EnumResourceNamesA, GetFileInformationByHandle, GetTempPathA, GetCurrentDirectoryA, GetSystemTime, WideCharToMultiByte, MultiByteToWideChar, lstrcmpiA, GetLastError, FindFirstFileA, CreateDirectoryA, GetShortPathNameA, ReadFile, CreateProcessA, GetExitCodeProcess, GetFileAttributesA, GetPrivateProfileIntA, WriteFile, FormatMessageA, GetModuleHandleW, WritePrivateProfileSectionA, lstrcmpA, Sleep, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, IsDBCSLeadByte, CreateFileA, SizeofResource, GetFullPathNameA
GDI32.dll: GetStockObject, GetDeviceCaps, CreateFontIndirectA, DeleteObject, GetObjectA, CreateFontIndirectW
USER32.dll: CheckRadioButton, IsDlgButtonChecked, ShowWindow, CheckDlgButton, GetWindowRect, SystemParametersInfoW, CharPrevA, SetDlgItemTextA, GetWindowLongPtrA, SendDlgItemMessageA, MsgWaitForMultipleObjects, LoadStringA, GetParent, MessageBeep, CharNextA, SetFocus, SendMessageA, GetDC, MessageBoxA, PeekMessageA, ReleaseDC, GetDlgItem, SetWindowLongPtrA, PostMessageA, DispatchMessageA, GetSystemMetrics, EnableWindow, CallWindowProcA, GetDlgItemTextA
msvcrt.dll: memcpy, _itoa, _itoa_s, free, _fmode, __C_specific_handler, _initterm, __setusermatherr, _ismbblead, _cexit, ?terminate@@YAXXZ, _commode, _acmdln, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, wcsncmp, mbstowcs, _splitpath_s, strtoul, toupper, memcpy_s, _vsnprintf, strtok, strchr, malloc, memset
ntdll.dll: RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind
COMCTL32.dll: CreatePropertySheetPageA, PropertySheetA, DestroyPropertySheetPage
COMDLG32.dll: GetOpenFileNameA, GetSaveFileNameA
VERSION.dll: GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
imagehlp.dll: CheckSumMappedFile
ADVAPI32.dll: RegOpenKeyExA, RegCloseKey, RegQueryValueExA
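The Import Hash in the Static PE Info section and most of the "Contains functionality to ..." lines in the Signature Overview are derived from this import table. The added example below, which is not part of the report and not Joe Sandbox's own logic, does both things over a constructed subset of the imports listed above: it computes an imphash with the usual normalisation (module name lowercased with .dll/.ocx/.sys stripped, function name lowercased, ordinals rendered as ordN, tokens joined with commas in import-directory order, then MD5), and it tags capabilities from import names using a mapping of my own that mirrors the report's findings. The subset is deliberately short, so its hash will not equal the report's 6eb63c97f69c75599c91eb5181d1442b; two further assumptions are that the report lists the imports in import-directory order, which the text version cannot guarantee, and that ordinal-only imports are rendered as ordN, whereas pefile additionally resolves known ordinals of a few modules (such as ws2_32) to names. The swap_modules helper exists only to show that imphash depends on import order while the capability set does not.

```python
import hashlib

# Module-name extensions that the imphash convention strips.
_STRIP_EXT = (".dll", ".ocx", ".sys")

# Constructed subset of the report's import table, kept in the report's listing order.
IMPORTS = [
    ("KERNEL32.dll", ["CopyFileA", "SetFileAttributesA", "FindClose", "GetPrivateProfileStringA",
                      "GetSystemInfo", "GetVersionExA", "FreeResource", "LoadResource",
                      "FindResourceExA", "LockResource", "GetSystemTime", "FindFirstFileA",
                      "CreateProcessA", "GetPrivateProfileIntA", "SetUnhandledExceptionFilter",
                      "SizeofResource"]),
    ("msvcrt.dll", ["memcpy", "?terminate@@YAXXZ", "_vsnprintf"]),
    ("ntdll.dll", ["RtlLookupFunctionEntry", "RtlCaptureContext", "RtlVirtualUnwind"]),
    ("ADVAPI32.dll", ["RegOpenKeyExA", "RegCloseKey", "RegQueryValueExA"]),
]

# Illustrative mapping (mine, not Joe Sandbox's signature logic) from imported function names
# to the "Contains functionality to ..." findings in the Signature Overview.
CAPABILITIES = {
    "load and extract PE file embedded resources": {"FindResourceExA", "LoadResource", "LockResource", "SizeofResource"},
    "read ini properties file": {"GetPrivateProfileStringA", "GetPrivateProfileIntA", "GetPrivateProfileSectionA"},
    "enumerate / list files inside a directory": {"FindFirstFileA", "FindNextFileA"},
    "query windows version": {"GetVersionExA", "GetVersion"},
    "query local / system time": {"GetSystemTime", "GetLocalTime", "GetSystemTimeAsFileTime"},
    "register its own exception handler": {"SetUnhandledExceptionFilter", "AddVectoredExceptionHandler"},
    "query system information": {"GetSystemInfo"},
}


def normalize_import(dll: str, symbol) -> str:
    """One imphash token: lowercase module without .dll/.ocx/.sys, lowercase function, ordinals as ordN."""
    dll = dll.lower()
    for ext in _STRIP_EXT:
        if dll.endswith(ext):
            dll = dll[:-len(ext)]
            break
    name = "ord%d" % symbol if isinstance(symbol, int) else symbol.lower()
    return dll + "." + name


def imphash_string(imports) -> str:
    """Comma-joined token list in import-directory order; this string is the MD5 preimage."""
    return ",".join(normalize_import(dll, s) for dll, syms in imports for s in syms)


def imphash(imports) -> str:
    """Lowercase hex MD5 of the normalised import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def capabilities(imports) -> dict:
    """Map each finding to the imported functions (from any module) that support it."""
    present = {s for _, syms in imports for s in syms if isinstance(s, str)}
    return {cap: sorted(present & apis) for cap, apis in CAPABILITIES.items() if present & apis}


def swap_modules(imports, a: int, b: int) -> list:
    """Same import set with two module entries exchanged: same capabilities, different imphash."""
    out = list(imports)
    out[a], out[b] = out[b], out[a]
    return out


if __name__ == "__main__":
    print("imphash:               ", imphash(IMPORTS))
    print("after swapping modules:", imphash(swap_modules(IMPORTS, 1, 2)))
    for cap, apis in capabilities(IMPORTS).items():
        print("%-45s %s" % (cap, ", ".join(apis)))
```

Because the hash covers order as well as content, the same source rebuilt with a different linker or import order yields a different imphash, so it clusters builds rather than code families; the capability tags are the order-independent view.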
Version Infos
Description: Data
LegalCopyright: Microsoft Corporation. All rights reserved.
InternalName: IEXPRESS
FileVersion: 10.00.9200.16384 (win8_rtm.120725-1247)
CompanyName: Microsoft Corporation
ProductName: Windows Internet Explorer
ProductVersion: 10.00.9200.16384
FileDescription: Wizard
OriginalFilename: IEXPRESS.EXE
Translation: 0x0409 0x04b0
Possible Origin
Language of compilation system: English
Country where language is spoken: United States
Network Behavior
No network behavior found
Code Manipulations
Statistics
System Behavior
Analysis Process: iexpress.exe PID: 4152 Parent PID: 1472
General
Start time: 15:17:17
Start date: 24/10/2019
Path: C:\Users\user\Desktop\iexpress.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\iexpress.exe'
Imagebase: 0x7ff65ab80000 (runtime base chosen by ASLR, as expected for an image with DYNAMIC_BASE and HIGH_ENTROPY_VA; the static Imagebase in the PE header is 0x140000000)
File size: 167424 bytes
MD5 hash: 6CE1AADAE5F10999B2F4287649D5B334
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
Source  File Path  Offset  Length  Completion  Count  Address  Symbol
(no entries recorded)
Disassembly
Code Analysis