Windows Analysis Report
V5VGF7qJK1.exe

Overview

General Information

Sample name: V5VGF7qJK1.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: acb4da6a31d70d4e9c12e343bc4bab44aebbd6b6ef2bbac8664fc3f61c5eaa1f
Analysis ID: 1467973
MD5: 1f060b61b43241a2e5e52c422121aedb
SHA1: baa7350b232458d27f748a23a9a573c86fa4c518
SHA256: acb4da6a31d70d4e9c12e343bc4bab44aebbd6b6ef2bbac8664fc3f61c5eaa1f

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

Source: V5VGF7qJK1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\1\s\Recognizer\out\build\x64-release\bin\RelWithDebInfo\storestub.pdbGCTL source: V5VGF7qJK1.exe
Source: Binary string: D:\a\1\s\Recognizer\out\build\x64-release\bin\RelWithDebInfo\storestub.pdb source: V5VGF7qJK1.exe
Source: classification engine Classification label: clean2.winEXE@1/0@0/0
Source: V5VGF7qJK1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe Section loaded: kernel.appcore.dll
Source: V5VGF7qJK1.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: V5VGF7qJK1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: V5VGF7qJK1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: V5VGF7qJK1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: V5VGF7qJK1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: V5VGF7qJK1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: V5VGF7qJK1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: V5VGF7qJK1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: V5VGF7qJK1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: V5VGF7qJK1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: V5VGF7qJK1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: V5VGF7qJK1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: V5VGF7qJK1.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe API coverage: 2.5 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe Code function: 0_2_00007FF7E7C217B4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7E7C217B4
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe Code function: 0_2_00007FF7E7C212B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7E7C212B4
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe Code function: 0_2_00007FF7E7C21998 SetUnhandledExceptionFilter, 0_2_00007FF7E7C21998
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe Code function: 0_2_00007FF7E7C21688 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7E7C21688
No contacted IP infos