Windows Analysis Report
Project3_x64.exe

Overview

General Information

Sample name: Project3_x64.exe
Analysis ID: 1459293
MD5: 0cec602b912f2b9095da3cb976913352
SHA1: 93d045a2ec60fc59f6e797cd0baaa5b16a8df47f
SHA256: 2ef9b1d6ed352daeb147ba4cc47078ad0685487085cc4dcf30f1f566436658d6

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Program does not show much activity (idle)

Classification

Classification chart (axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

AV Detection

Source: Project3_x64.exe Joe Sandbox ML: detected
Source: Project3_x64.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\gun\OneDrive\Source\Project3\x64\Release\Project3.pdb source: Project3_x64.exe
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9B769C FindFirstFileExW, 0_2_00007FF64E9B769C
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9B1000 CreateProcessA,TerminateProcess,CloseHandle,CloseHandle,CreateProcessW,TerminateProcess,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,CreateProcessInternalA,TerminateProcess,CloseHandle,CloseHandle,FreeLibrary,LoadLibraryA,GetProcAddress,CreateProcessInternalW,TerminateProcess,CloseHandle,CloseHandle,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,NtCreateProcess,TerminateProcess,CloseHandle,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,NtCreateProcessEx,TerminateProcess,CloseHandle,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,NtCreateUserProcess,TerminateProcess,CloseHandle,CloseHandle,FreeLibrary,GetCurrentProcess,OpenProcessToken,LoadLibraryA,GetProcAddress,CreateProcessWithTokenW,TerminateProcess,CloseHandle,CloseHandle,FreeLibrary,FindCloseChangeNotification,GetCurrentProcess,TerminateProcess, 0_2_00007FF64E9B1000
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9B1000 0_2_00007FF64E9B1000
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9B5D08 0_2_00007FF64E9B5D08
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9BDED8 0_2_00007FF64E9BDED8
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9B769C 0_2_00007FF64E9B769C
Source: classification engine Classification label: sus24.winEXE@11/0@0/0
Source: Project3_x64.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Project3_x64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Project3_x64.exe "C:\Users\user\Desktop\Project3_x64.exe"
Source: C:\Users\user\Desktop\Project3_x64.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\notepad.exe
Source: C:\Users\user\Desktop\Project3_x64.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\notepad.exe
Source: C:\Users\user\Desktop\Project3_x64.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\notepad.exe
Source: C:\Users\user\Desktop\Project3_x64.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\notepad.exe
Source: C:\Users\user\Desktop\Project3_x64.exe Section loaded: apphelp.dll
Source: Project3_x64.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Project3_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Project3_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Project3_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Project3_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Project3_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Project3_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Project3_x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Project3_x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Project3_x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Project3_x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Project3_x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9B6C5C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF64E9B6C5C
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9BA0F4 GetProcessHeap, 0_2_00007FF64E9BA0F4
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9B1B9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF64E9B1B9C
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9B2384 SetUnhandledExceptionFilter, 0_2_00007FF64E9B2384
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9B21A4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF64E9B21A4
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9BDD20 cpuid 0_2_00007FF64E9BDD20
Source: C:\Users\user\Desktop\Project3_x64.exe Code function: 0_2_00007FF64E9B207C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF64E9B207C
No contacted IP information