Windows Analysis Report
autocad.exe

Overview

General Information

Sample name: autocad.exe
Analysis ID: 1445859
MD5: 4c2a76ceee9becfeffe78265166182ba
SHA1: c70b71f7aa367d88c6ec5942269a45cbc66510b3
SHA256: ea139458b4e88736a3d48e81569178fd5c11156990b6a90e2d35f41b1ad9bac1

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Submitted sample is a known malware sample
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)

Classification

Source: autocad.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: autocad.exe

System Summary

Source: autocad.exe Initial file: MD5: 4c2a76ceee9becfeffe78265166182ba Family: xHunt Alias: SectorD01, xHunt Description: xHunt, uncovered by PaloAlto, is an attack campaign on Kuwait shipping and transportation organizations. The names of the tools collected include backdoor tools Sakabota, Hisoka, Netero and Killua. These tools not only use HTTP for their command and control (C2) channels, but some use DNS tunneling or emails to communicate with their C2 as well. References: https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/ Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: autocad.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: classification engine Classification label: clean1.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\autocad.exe File created: C:\Users\user\AppData\Roaming\WinRAR
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1792:120:WilError_03
Source: autocad.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\autocad.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\autocad.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\autocad.exe "C:\Users\user\Desktop\autocad.exe"
Source: C:\Users\user\Desktop\autocad.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\autocad.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\autocad.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\autocad.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\autocad.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\autocad.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\autocad.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\autocad.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\autocad.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: autocad.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: autocad.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: autocad.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: autocad.exe
Source: C:\Users\user\Desktop\autocad.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos