Windows Analysis Report
PI_20052024.exe

Overview

General Information

Sample name: PI_20052024.exe
Analysis ID: 1447912
MD5: 1184a592120050bb97393bf479962ee7
SHA1: e603527c59975f807615e5e578662b9140896fa3
SHA256: b2455ad91129772b38a764f79b25861dd16fe5140871a73f6908676ef54df951
Tags: exe

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Source: PI_20052024.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PI_20052024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PI_20052024.exe Code function: 0_2_00406435 FindFirstFileA,FindClose, 0_2_00406435
Source: C:\Users\user\Desktop\PI_20052024.exe Code function: 0_2_00405889 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405889
Source: C:\Users\user\Desktop\PI_20052024.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: PI_20052024.exe, 00000000.00000002.1498884560.00000000004A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.ne
Source: PI_20052024.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PI_20052024.exe, 00000000.00000003.1454163323.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, PI_20052024.exe, 00000000.00000002.1498884560.00000000004A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error(
Source: PI_20052024.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\PI_20052024.exe Code function: 0_2_00405326 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405326
Source: C:\Users\user\Desktop\PI_20052024.exe Code function: 0_2_00403312 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403312
Source: C:\Users\user\Desktop\PI_20052024.exe Code function: 0_2_004067BE 0_2_004067BE
Source: PI_20052024.exe, 00000000.00000000.1453442898.000000000043B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamekvldet altsaxofonisters.exeDVarFileInfo$ vs PI_20052024.exe
Source: PI_20052024.exe Binary or memory string: OriginalFilenamekvldet altsaxofonisters.exeDVarFileInfo$ vs PI_20052024.exe
Source: classification engine Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PI_20052024.exe Code function: 0_2_004045D7 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004045D7
Source: C:\Users\user\Desktop\PI_20052024.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar, 0_2_0040216B
Source: C:\Users\user\Desktop\PI_20052024.exe File created: C:\Users\user\AppData\Local\Temp\nsvCAFB.tmp
Source: PI_20052024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PI_20052024.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PI_20052024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PI_20052024.exe File read: C:\Users\user\Desktop\PI_20052024.exe
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PI_20052024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: PI_20052024.exe Static PE information: real checksum: 0x9af8f should be: 0x6fdac
Source: C:\Users\user\Desktop\PI_20052024.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI_20052024.exe API coverage: 8.2 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: PI_20052024.exe, 00000000.00000003.1454163323.00000000004BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PI_20052024.exe API call chain: ExitProcess graph end node
No contacted IP infos