Windows Analysis Report
k4r0jp3daA.exe

Overview

General Information

Sample name: k4r0jp3daA.exe
renamed because original name is a hash value
Original sample name: dd1be96e0ffa6d6edb22f3c8eab32a9b.exe
Analysis ID: 1436921
MD5: dd1be96e0ffa6d6edb22f3c8eab32a9b
SHA1: 6b3b9ce7c5098a432cd13f81b69d34485d9781e6
SHA256: d6512c7074736218fdcc7f19d797d34a85267e188bdac0fc2a1ad0393e8c0881
Tags: 32exe
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: k4r0jp3daA.exe Virustotal: Detection: 19% Perma Link
Uses 32bit PE files
Source: k4r0jp3daA.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: k4r0jp3daA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: BthUdTask.pdbGCTL source: k4r0jp3daA.exe
Source: Binary string: BthUdTask.pdb source: k4r0jp3daA.exe
Sample file is different than original file name gathered from version info
Source: k4r0jp3daA.exe, 00000000.00000002.1969078808.0000000000556000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBthUdTask.exej% vs k4r0jp3daA.exe
Source: k4r0jp3daA.exe Binary or memory string: OriginalFilenameBthUdTask.exej% vs k4r0jp3daA.exe
Uses 32bit PE files
Source: k4r0jp3daA.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal48.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3812:120:WilError_03
Source: k4r0jp3daA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\k4r0jp3daA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: k4r0jp3daA.exe Virustotal: Detection: 19%
Source: unknown Process created: C:\Users\user\Desktop\k4r0jp3daA.exe "C:\Users\user\Desktop\k4r0jp3daA.exe"
Source: C:\Users\user\Desktop\k4r0jp3daA.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\k4r0jp3daA.exe Section loaded: devobj.dll Jump to behavior
Source: k4r0jp3daA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: k4r0jp3daA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: k4r0jp3daA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: k4r0jp3daA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: k4r0jp3daA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: k4r0jp3daA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: k4r0jp3daA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: k4r0jp3daA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: BthUdTask.pdbGCTL source: k4r0jp3daA.exe
Source: Binary string: BthUdTask.pdb source: k4r0jp3daA.exe
Binary contains a suspicious time stamp
Source: k4r0jp3daA.exe Static PE information: 0x8262E41A [Wed Apr 27 12:10:02 2039 UTC]
PE file contains an invalid checksum
Source: k4r0jp3daA.exe Static PE information: real checksum: 0x167ce should be: 0x4063d
PE file contains sections with non-standard names
Source: k4r0jp3daA.exe Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\k4r0jp3daA.exe Code function: 0_2_00551FCD push ecx; ret 0_2_00551FE0
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\k4r0jp3daA.exe API coverage: 7.6 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\k4r0jp3daA.exe Code function: 0_2_00551FF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00551FF9
Source: C:\Users\user\Desktop\k4r0jp3daA.exe Code function: 0_2_00551ED5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00551ED5
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1436921 Sample: k4r0jp3daA.exe Startdate: 06/05/2024 Architecture: WINDOWS Score: 48 10 Multi AV Scanner detection for submitted file 2->10 6 k4r0jp3daA.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
No contacted IP infos