Windows Analysis Report
stopka2017.exe

Overview

General Information

Sample name: stopka2017.exe
Analysis ID: 1467972
MD5: 68d9fe381653db089a1e64d02f6177e6
SHA1: 9b7655142f01fd2b6b5c964f640404fb72b0e3b5
SHA256: 63afd59bc83f6d3742a63702fa0b0eaa452471a814c4dcf416801475b4b15ae7

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Creates HTA files
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Execution From GUID Like Folder Names
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: stopka2017.exe Virustotal: Detection: 13%
Source: stopka2017.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\Projets\vbsedit_source\script2exe\Release\hta2exe.pdb source: stopka2017.exe
Source: C:\Users\user\Desktop\stopka2017.exe Code function: 0_2_00409F80 FindFirstFileW,FindClose, 0_2_00409F80

System Summary

Source: C:\Users\user\Desktop\stopka2017.exe File created: C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta
Source: C:\Users\user\Desktop\stopka2017.exe Code function: 0_2_004060A9 0_2_004060A9
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: mal60.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\stopka2017.exe Code function: 0_2_0040A030 SHGetFolderPathW,FindResourceW,LoadResource,LockResource,SizeofResource,_memset,SHCreateDirectoryExW,_swprintf,SHCreateDirectoryExW,CreateFileW,FindResourceW,LoadResource,SizeofResource,LockResource,WriteFile,FreeResource,CloseHandle,GetDesktopWindow,MessageBoxW,ShellExecuteW, 0_2_0040A030
Source: C:\Users\user\Desktop\stopka2017.exe File created: C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}
Source: C:\Users\user\Desktop\stopka2017.exe Command line argument: \Temp 0_2_0040A030
Source: C:\Users\user\Desktop\stopka2017.exe Command line argument: #129 0_2_0040A030
Source: C:\Users\user\Desktop\stopka2017.exe Command line argument: #%d 0_2_0040A030
Source: C:\Users\user\Desktop\stopka2017.exe Command line argument: HtaEdit 0_2_0040A030
Source: C:\Users\user\Desktop\stopka2017.exe Command line argument: mshta.exe 0_2_0040A030
Source: C:\Users\user\Desktop\stopka2017.exe Command line argument: open 0_2_0040A030
Source: stopka2017.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\stopka2017.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\stopka2017.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\stopka2017.exe "C:\Users\user\Desktop\stopka2017.exe"
Source: C:\Users\user\Desktop\stopka2017.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta"
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\stopka2017.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: adsldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\stopka2017.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: stopka2017.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\stopka2017.exe Code function: 0_2_00407665 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_00407665
Source: stopka2017.exe Static PE information: real checksum: 0x1822d should be: 0x4e895
Source: C:\Users\user\Desktop\stopka2017.exe Code function: 0_2_00404145 push ecx; ret 0_2_00404158
Source: C:\Users\user\Desktop\stopka2017.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\stopka2017.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\stopka2017.exe Code function: 0_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00401000
Source: C:\Users\user\Desktop\stopka2017.exe Code function: 0_2_00402437 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00402437
Source: C:\Users\user\Desktop\stopka2017.exe Code function: 0_2_00407A9F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00407A9F
Source: C:\Users\user\Desktop\stopka2017.exe Code function: 0_2_00404778 SetUnhandledExceptionFilter, 0_2_00404778
Source: C:\Users\user\Desktop\stopka2017.exe Code function: GetLocaleInfoA, 0_2_004097E2
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\stopka2017.exe Code function: 0_2_0040103B GetSystemTimeAsFileTime,__aulldiv, 0_2_0040103B
No contacted IP infos