Windows Analysis Report
signed.exe

Overview

General Information

Sample name: signed.exe
Analysis ID: 1445853
MD5: adac67fa4e7fbd2c7de600768c40ad69
SHA1: c79c40e5272ac11180cf90715156e0538336fdbf
SHA256: 3904b06e1150e4e9e167eb1b63a877ed00c08320c637396f12b98e9f14d71010

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality for read data from the clipboard
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: signed.exe Avira: detected
Source: C:\Windows\etrnview.exe Avira: detection malicious, Label: TR/Agent.396616
Source: C:\Windows\etrnview.exe ReversingLabs: Detection: 62%
Source: signed.exe ReversingLabs: Detection: 86%
Source: signed.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_0042A31A FindFirstFileA,GetLastError, 0_2_0042A31A
Source: unknown DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: signed.exe, etrnview.exe.0.dr String found in binary or memory: http://www.deposchedule.com/
Source: signed.exe String found in binary or memory: http://www.reallegal.com
Source: signed.exe, etrnview.exe.0.dr String found in binary or memory: http://www.reallegal.com/
Source: signed.exe, etrnview.exe.0.dr String found in binary or memory: http://www.reallegal.com/binderpull.asp
Source: signed.exe, etrnview.exe.0.dr String found in binary or memory: http://www.reallegal.com/binderpull.asp.http://www.deposchedule.com/By
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_0041DB44 __EH_prolog,GlobalAlloc,GlobalLock,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GlobalUnlock,GlobalReAlloc,GlobalAlloc,GlobalLock,lstrlenA,lstrlenA,GlobalUnlock,GlobalLock,GlobalUnlock,GlobalReAlloc,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0041DB44
Source: C:\Users\user\Desktop\signed.exe File created: C:\Windows\etrnview.exe
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_00420400 0_2_00420400
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_0042E502 0_2_0042E502
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_00423591 0_2_00423591
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_00433975 0_2_00433975
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_0041C9DD 0_2_0041C9DD
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_0041DB44 0_2_0041DB44
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_0040EC34 0_2_0040EC34
Source: C:\Users\user\Desktop\signed.exe Code function: String function: 00429E18 appears 80 times
Source: C:\Users\user\Desktop\signed.exe Code function: String function: 00429182 appears 35 times
Source: C:\Users\user\Desktop\signed.exe Code function: String function: 00435B40 appears 31 times
Source: C:\Users\user\Desktop\signed.exe Code function: String function: 0040AC84 appears 84 times
Source: C:\Users\user\Desktop\signed.exe Code function: String function: 0040ABFB appears 85 times
Source: signed.exe, 00000000.00000000.2044838263.0000000000449000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameENVELOPE.EXE: vs signed.exe
Source: signed.exe Binary or memory string: OriginalFilenameENVELOPE.EXE: vs signed.exe
Source: signed.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal72.winEXE@1/3@1/0
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_004278A6 GetPrivateProfileStringA,GetLastError,FormatMessageA,LocalFree, 0_2_004278A6
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_00405D5A MessageBoxA,LoadStringA,CoInitialize,SHGetMalloc,SHGetSpecialFolderLocation,SHGetSpecialFolderLocation,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SHGetPathFromIDListA,SHGetSpecialFolderLocation,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoCreateInstance,lstrlenA,lstrcatA,lstrcatA,lstrcatA,SHChangeNotify,SHChangeNotify,LoadStringA,LoadStringA,LoadStringA,lstrlenA,lstrlenA,lstrlenA,SHChangeNotify,MessageBoxA,CoUninitialize, 0_2_00405D5A
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_00409099 FindResourceA,LoadResource,LockResource,FreeResource, 0_2_00409099
Source: C:\Users\user\Desktop\signed.exe File created: C:\Users\Public\Desktop\RealLegal E-Transcript Viewer.lnk
Source: signed.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\signed.exe File read: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\signed.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: signed.exe ReversingLabs: Detection: 86%
Source: signed.exe String found in binary or memory: This E-Transcript file is in a temporary folder. Do you want to save it to a different folder? If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there.
Source: signed.exe String found in binary or memory: This E-Transcript file is in a temporary folder. Do you want to save it to a different folder?If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there.
Source: signed.exe String found in binary or memory: If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there.
Source: signed.exe String found in binary or memory: If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there.Could not open this E-Transcript file for reading.Could not create the destination E-Transcript file for writing.Could not launch the new copy of the E-Transcript file, will run from the temporary folder instead.c:\pnxtrvu.ini.fts.gidFileOpenLocationTempSaveLocationDisplayBottomDisplayRightDisplayTopDisplayLeftSaveToKeychainDisplayValidShowWordIndexRICHED32.DLLMainWndClassWISplit - \ .ptxTMPTEMPAM PM 0: at /Could not find the transcript file.BININC\viewhelp.hlp~ehRealLegal E-Transcript Viewer.lnkNo main application icon (or file) was defined.Setuppnxbndr.exeptxfile\shell\open\command\StringFileInfo\%04x%04x\FileVersion\VarFileInfo\TranslationA file association could not be created. Contact your system administrator for assistance." %1"ContentType\shell\open\command\ContentTypeptxfileE-Transcript Fileapplication/x-etranscript\etrnview.exeDraftFinalSealedUnsealedSignedUnsigned%s %ld%s %ld - %ld2KWd}
Source: C:\Users\user\Desktop\signed.exe File read: C:\Users\user\Desktop\signed.exe
Source: C:\Users\user\Desktop\signed.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: riched32.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\signed.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\signed.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: RealLegal E-Transcript Viewer.lnk.0.dr LNK file: ..\..\..\..\..\..\Windows\etrnview.exe
Source: RealLegal E-Transcript Viewer.lnk0.0.dr LNK file: ..\..\..\Windows\etrnview.exe
Source: C:\Users\user\Desktop\signed.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: signed.exe Static PE information: section name: RT_CURSOR
Source: signed.exe Static PE information: section name: RT_BITMAP
Source: signed.exe Static PE information: section name: RT_ICON
Source: signed.exe Static PE information: section name: RT_MENU
Source: signed.exe Static PE information: section name: RT_DIALOG
Source: signed.exe Static PE information: section name: RT_STRING
Source: signed.exe Static PE information: section name: RT_ACCELERATOR
Source: signed.exe Static PE information: section name: RT_GROUP_ICON
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_00433794 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00433794
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_0042BE00 push eax; ret 0_2_0042BE2E
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_00429E18 push eax; ret 0_2_00429E36
Source: C:\Users\user\Desktop\signed.exe File created: C:\Windows\etrnview.exe
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_004017EE __EH_prolog,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,lstrlenA,MessageBoxA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,MessageBoxA,EnableWindow,UpdateWindow,lstrcpyA,lstrcatA,lstrcatA,lstrcmpiA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,MessageBoxA,EnableWindow, 0_2_004017EE
Source: C:\Users\user\Desktop\signed.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealLegal E-Transcript Viewer
Source: C:\Users\user\Desktop\signed.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealLegal E-Transcript Viewer\RealLegal E-Transcript Viewer.lnk
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_00405155 IsWindowVisible,WinHelpA,GetWindowPlacement,CopyRect,IsZoomed,GetClientRect,PostQuitMessage,IsWindowVisible,IsIconic,GetClientRect,DefWindowProcA,SetWindowLongA, 0_2_00405155
Source: C:\Users\user\Desktop\signed.exe Dropped PE file which has not been started: C:\Windows\etrnview.exe
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_0042A31A FindFirstFileA,GetLastError, 0_2_0042A31A
Source: signed.exe, 00000000.00000002.3284717083.0000000000619000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\signed.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_00433794 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00433794
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_00431CEA SetUnhandledExceptionFilter, 0_2_00431CEA
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_00431CFC SetUnhandledExceptionFilter, 0_2_00431CFC
Source: C:\Users\user\Desktop\signed.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_0042BB27 GetLocalTime,GetSystemTime,GetTimeZoneInformation, 0_2_0042BB27
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_00430499 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_00430499
Source: C:\Users\user\Desktop\signed.exe Code function: 0_2_0042A6BB EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA, 0_2_0042A6BB
No contacted IP infos