Windows Analysis Report
STjk6HCD1P.exe

Overview

General Information

Sample name: STjk6HCD1P.exe
renamed because original name is a hash value
Original sample name: c75b5515952ea615219e1991c4592236.exe
Analysis ID: 1445944
MD5: c75b5515952ea615219e1991c4592236
SHA1: 2ade0a6c621b36f727e461059c3cdf2126d4bfca
SHA256: 2b3aa9f8d949be0919837b8f00c79700c0db437a6a8f042fcff2ec4b2c03c584
Tags: exe

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Contains functionality for reading data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: STjk6HCD1P.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: STjk6HCD1P.exe Static PE information: certificate valid
Source: STjk6HCD1P.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_00406435 FindFirstFileA,FindClose, 0_2_00406435
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_00405889 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405889
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: unknown DNS traffic detected: query: 171.39.242.20.in-addr.arpa reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: STjk6HCD1P.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: STjk6HCD1P.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_00405326 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405326
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_6E441D68 GetDlgCtrlID,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,SendMessageA,GlobalUnlock,CloseClipboard,CallWindowProcA, 0_2_6E441D68
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_00403312 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403312
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_004067BE 0_2_004067BE
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_6E491A98 0_2_6E491A98
Source: STjk6HCD1P.exe, 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameKsodrSetup.exe2 vs STjk6HCD1P.exe
Source: STjk6HCD1P.exe Binary or memory string: OriginalFilenameKsodrSetup.exe2 vs STjk6HCD1P.exe
Source: classification engine Classification label: clean5.winEXE@1/4@1/0
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_004045D7 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004045D7
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar, 0_2_0040216B
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Mutant created: \Sessions\1\BaseNamedObjects\{53172BE5-3880-4172-A62C-B5EB4447E1DB}
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Mutant created: \Sessions\1\BaseNamedObjects\------------ksodr setup------------
Source: C:\Users\user\Desktop\STjk6HCD1P.exe File created: C:\Users\user\AppData\Local\Temp\nsd6C9.tmp
Source: STjk6HCD1P.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\STjk6HCD1P.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\STjk6HCD1P.exe File read: C:\Users\user\Desktop\STjk6HCD1P.exe
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\STjk6HCD1P.exe File written: C:\Users\user\AppData\Local\Temp\nsj786.tmp\ioSpecial.ini
Source: STjk6HCD1P.exe Static file information: File size 45208600 > 1048576
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_6E491A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_6E491A98
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_6E492F60 push eax; ret 0_2_6E492F8E
Source: C:\Users\user\Desktop\STjk6HCD1P.exe File created: C:\Users\user\AppData\Local\Temp\nsj786.tmp\System.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe File created: C:\Users\user\AppData\Local\Temp\nsj786.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Code function: 0_2_6E44140B wsprintfA,lstrcpyA,GetPrivateProfileStringA,lstrcpyA,CharNextA, 0_2_6E44140B
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj786.tmp\System.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj786.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\STjk6HCD1P.exe API call chain: ExitProcess graph end node
No contacted IP information