Windows Analysis Report
MneP65rGYh.exe

Overview

General Information

Sample name: MneP65rGYh.exe (renamed because the original name is a hash value)
Original sample name: 6e68cb9b06c134b242d25249c90107a63dceb73c.exe
Analysis ID: 1466695
MD5: 8c6088cd4ff4b8ad208e28f7a860af92
SHA1: 6e68cb9b06c134b242d25249c90107a63dceb73c
SHA256: e8570fcecdef82bae672d0ff8bf40119b273f51be6f36f058d46a493b1cd7571

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to inject code into remote processes
Contains functionality to dynamically determine API calls
Detected potential crypto function
Potential time zone aware malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: MneP65rGYh.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\MneP65rGYh.exe Code function: 0_2_00404270 _splitpath,FindFirstFileA,_splitpath,_makepath,GetFileAttributesA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,FindNextFileA,FindClose, 0_2_00404270
Source: MneP65rGYh.exe String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: MneP65rGYh.exe String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: MneP65rGYh.exe String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: MneP65rGYh.exe String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: MneP65rGYh.exe, ConDrv.0.dr String found in binary or memory: http://www.verydoc.com
Source: MneP65rGYh.exe String found in binary or memory: http://www.verydoc.com)
Source: MneP65rGYh.exe String found in binary or memory: http://www.verydoc.com)Error
Source: MneP65rGYh.exe String found in binary or memory: http://www.verydoc.com)b
Source: MneP65rGYh.exe, ConDrv.0.dr String found in binary or memory: http://www.verypdf.com
Source: MneP65rGYh.exe String found in binary or memory: http://www.verypdf.com/artprint/ghostscript.exe
Source: MneP65rGYh.exe String found in binary or memory: http://www.verypdf.com/artprint/ghostscript.exeCan
Source: MneP65rGYh.exe String found in binary or memory: http://www.verypdf.comCan
Source: MneP65rGYh.exe String found in binary or memory: http://www.verypdf.comThe
Source: C:\Users\user\Desktop\MneP65rGYh.exe Code function: 0_2_00409B50 0_2_00409B50
Source: C:\Users\user\Desktop\MneP65rGYh.exe Code function: 0_2_00404470 0_2_00404470
Source: C:\Users\user\Desktop\MneP65rGYh.exe Code function: 0_2_004098C0 0_2_004098C0
Source: C:\Users\user\Desktop\MneP65rGYh.exe Code function: 0_2_004076C0 0_2_004076C0
Source: C:\Users\user\Desktop\MneP65rGYh.exe Code function: 0_2_0047C5D0 0_2_0047C5D0
Source: MneP65rGYh.exe, 00000000.00000003.1652542621.0000000002B44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVeryDOC XPS to PDF Converter vs MneP65rGYh.exe
Source: MneP65rGYh.exe, 00000000.00000000.1651135848.0000000000860000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVeryDOC XPS to PDF Converter vs MneP65rGYh.exe
Source: MneP65rGYh.exe Binary or memory string: OriginalFilenameVeryDOC XPS to PDF Converter vs MneP65rGYh.exe
Source: classification engine Classification label: sus23.evad.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_03
Source: MneP65rGYh.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MneP65rGYh.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\MneP65rGYh.exe File read: C:\Users\user\Desktop\MneP65rGYh.exe
Source: unknown Process created: C:\Users\user\Desktop\MneP65rGYh.exe "C:\Users\user\Desktop\MneP65rGYh.exe"
Source: C:\Users\user\Desktop\MneP65rGYh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MneP65rGYh.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MneP65rGYh.exe Section loaded: msvcp60.dll
Source: MneP65rGYh.exe Static file information: File size 4587520 > 1048576
Source: MneP65rGYh.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x39d000
Source: C:\Users\user\Desktop\MneP65rGYh.exe Code function: 0_2_00401380 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_00401380
Source: C:\Users\user\Desktop\MneP65rGYh.exe Code function: 0_2_004ADEB0 push eax; ret 0_2_004ADEDE
Source: C:\Users\user\Desktop\MneP65rGYh.exe Code function: 0_2_004031A0 GetSystemDirectoryA,GetPrivateProfileStringA,_splitpath,printf,WritePrivateProfileStringA,printf,GetProfileIntA,_itoa,WriteProfileStringA,printf,printf,ShellExecuteA,_splitpath,_makepath,strstr,strstr,_fullpath,strstr,_fullpath,strstr,strstr,_fullpath,printf,WritePrivateProfileStringA,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf,printf, 0_2_004031A0
Source: C:\Users\user\Desktop\MneP65rGYh.exe System information queried: CurrentTimeZoneInformation
Source: C:\Users\user\Desktop\MneP65rGYh.exe System information queried: CurrentTimeZoneInformation
Source: C:\Users\user\Desktop\MneP65rGYh.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\MneP65rGYh.exe Code function: 0_2_00401540 _stricmp,sprintf,VirtualProtectEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,CloseHandle, 0_2_00401540
No contacted IP infos