Windows Analysis Report
R.exe

Overview

General Information

Sample name: R.exe
Analysis ID: 1466756
MD5: 24cf2f25cbf27d1ea57a4b995f8d36d9
SHA1: 4ccaac4c85285eeb807de52d190634541ec77593
SHA256: ed01d6efe145985efb364bb7e0929330425586e3fec7090fe751a97a34b6911c

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

Source: R.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\R.exe Code function: 4x nop then sub rsp, 58h 0_2_00007FF78E664AF0
Source: R.exe String found in binary or memory: https://bugs.R-project.org
Source: R.exe String found in binary or memory: https://www.r-project.orgD
Source: C:\Users\user\Desktop\R.exe Code function: 0_2_00007FF78E662000 0_2_00007FF78E662000
Source: R.exe Static PE information: Number of sections : 11 > 10
Source: classification engine Classification label: clean4.winEXE@4/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_03
Source: R.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\R.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: R.exe String found in binary or memory: Options: -h, --helpprint short help message and exit
Source: R.exe String found in binary or memory: --help
Source: R.exe String found in binary or memory: %s --arch %s --help
Source: R.exe String found in binary or memory: command --help
Source: R.exe String found in binary or memory: "%s/%s/Rterm.exe" --help
Source: R.exe String found in binary or memory: %s --arch %s --help
Source: R.exe String found in binary or memory: command --help
Source: R.exe String found in binary or memory: Options: -h, --helpprint short help message and exit
Source: R.exe String found in binary or memory: %s --arch %s --help
Source: R.exe String found in binary or memory: --help
Source: R.exe String found in binary or memory: command --help
Source: R.exe String found in binary or memory: "%s/%s/Rterm.exe" --help
Source: R.exe String found in binary or memory: -h, --helpprint short help message and exit
Source: R.exe String found in binary or memory: %s%s%s any other arguments listed by %s --arch %s --help
Source: R.exe String found in binary or memory: --help--arch3264i386x64valid values for --arch are i386, x64, 32, 64
Source: R.exe String found in binary or memory: --help"%s/%s/Rterm.exe" --helpbin/x64
Source: unknown Process created: C:\Users\user\Desktop\R.exe "C:\Users\user\Desktop\R.exe"
Source: C:\Users\user\Desktop\R.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\R.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\bin\x64\R.exe""
Source: C:\Users\user\Desktop\R.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\R.exe Section loaded: kernel.appcore.dll
Source: R.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: R.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: R.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\R.exe Code function: 0_2_00007FF78E66CDA8 push rax; iretd 0_2_00007FF78E66CDB6
Source: C:\Users\user\Desktop\R.exe API coverage: 5.1 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\R.exe Code function: 0_2_00007FF78E661180 Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_initterm,exit, 0_2_00007FF78E661180
Source: C:\Users\user\Desktop\R.exe Code function: 0_2_00007FF78E665BE1 SetUnhandledExceptionFilter, 0_2_00007FF78E665BE1
Source: C:\Users\user\Desktop\R.exe Code function: 0_2_00007FF78E691500 SetUnhandledExceptionFilter, 0_2_00007FF78E691500
No contacted IP infos