Windows Analysis Report
SiemensServer.exe

Overview

General Information

Sample name: SiemensServer.exe
Analysis ID: 1540992
MD5: 029364d616c12c1a6ce3f141b3fc5e49
SHA1: 8c2e3778aadeca8f05c06ac8566cfe7d8ab06d06
SHA256: 5f03f3d41fd30591f947ae888b70b2eec33a5b91331ec1cb6976538766f61fff

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Creates an undocumented autostart registry key
Machine Learning detection for sample
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 94.6% probability
Source: SiemensServer.exe Joe Sandbox ML: detected
Source: SiemensServer.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SiemensServer.exe, 00000000.00000003.1260767550.0000000003C6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICES memstr_b0e7a184-7

System Summary

Source: SiemensServer.exe, 00000000.00000000.1192179186.0000000000122000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_4fdaeba7-9
Source: SiemensServer.exe, 00000000.00000000.1192179186.0000000000122000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_aa0fa329-3
Source: SiemensServer.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_492b53e1-7
Source: SiemensServer.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_6152c96b-9
Source: SiemensServer.exe, 00000000.00000002.1281328295.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildUnknocc vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000002.1281328295.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildlatfo88 vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1277935417.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildUnknocc vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1277935417.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildlatfo88 vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1269547773.000000000111C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMEI vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1278540593.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildUnknocc vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1278540593.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildlatfo88 vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1261289911.0000000003BD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildUnknocc vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1261289911.0000000003BD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildlatfo88 vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1279378173.0000000001114000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMEI vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1261394588.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildUnknocc vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1261394588.0000000003BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildlatfo88 vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1270022111.000000000125E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1270022111.000000000125E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SiemensServer.exe
Source: SiemensServer.exe, 00000000.00000003.1268704486.0000000001107000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMEI vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2056850349.00000000041AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildcessI vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2042849589.0000000004199000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildcessI vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2053151538.00000000015AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2059280821.0000000004186000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildrrorH# vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2059280821.00000000041AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildcessI vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2043100303.00000000041AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildcessI vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2053620842.00000000016F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2053620842.00000000016F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2043805934.000000000417F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildrrorHM vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2058606510.0000000004186000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildrrorH# vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2051593541.00000000016D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2051593541.00000000016D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SiemensServer.exe
Source: SiemensServer.exe, 00000013.00000003.2061608814.00000000015B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2205493026.0000000001794000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2191431057.000000000178B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2192547096.00000000018CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMEu&S88 vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2192547096.00000000018CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_&e8> vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2193120427.0000000001797000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000002.2208926403.000000000427E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildUnkno"" vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2176289338.00000000042E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2204607494.000000000427E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildUnkno"" vs SiemensServer.exe
Source: SiemensServer.exe, 00000014.00000003.2177396996.000000000425C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildUnkno"" vs SiemensServer.exe
Source: SiemensServer.exe, 00000017.00000002.2440331513.0000000001288000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs SiemensServer.exe
Source: SiemensServer.exe, 00000017.00000002.2462158873.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildtr Gd vs SiemensServer.exe
Source: SiemensServer.exe, 00000017.00000002.2462158873.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildulong vs SiemensServer.exe
Source: SiemensServer.exe, 00000017.00000002.2448523880.00000000013DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMEEP vs SiemensServer.exe
Source: SiemensServer.exe, 00000017.00000002.2448523880.00000000013DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SiemensServer.exe
Source: SiemensServer.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal56.winEXE@5/0@0/0
Source: SiemensServer.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SiemensServer.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Users\user\Desktop\SiemensServer.exe "C:\Users\user\Desktop\SiemensServer.exe"
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Users\user\Desktop\SiemensServer.exe "C:\Users\user\Desktop\SiemensServer.exe"
Source: unknown Process created: C:\Users\user\Desktop\SiemensServer.exe "C:\Users\user\Desktop\SiemensServer.exe"
Source: unknown Process created: C:\Users\user\Desktop\SiemensServer.exe "C:\Users\user\Desktop\SiemensServer.exe"
Source: C:\Users\user\Desktop\SiemensServer.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SiemensServer.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SiemensServer.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SiemensServer.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SiemensServer.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SiemensServer.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SiemensServer.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SiemensServer.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SiemensServer.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SiemensServer.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SiemensServer.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SiemensServer.exe Section loaded: sspicli.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SiemensServer.exe Static file information: File size 1336832 > 1048576
Source: SiemensServer.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SiemensServer.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SiemensServer.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SiemensServer.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SiemensServer.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SiemensServer.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SiemensServer.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SiemensServer.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SiemensServer.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SiemensServer.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SiemensServer.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SiemensServer.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Boot Survival

Source: C:\Users\user\Desktop\SiemensServer.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\Desktop\SiemensServer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SiemensServer.exe Window / User API: threadDelayed 358
Source: C:\Users\user\Desktop\SiemensServer.exe Window / User API: threadDelayed 389
Source: C:\Users\user\Desktop\SiemensServer.exe Window / User API: threadDelayed 380
Source: C:\Users\user\Desktop\SiemensServer.exe Window / User API: threadDelayed 1501
Source: C:\Users\user\Desktop\SiemensServer.exe TID: 6312 Thread sleep count: 1501 > 30
Source: C:\Users\user\Desktop\SiemensServer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SiemensServer.exe Thread sleep count: Count: 1501 delay: -10
Source: C:\Users\user\Desktop\SiemensServer.exe Process information queried: ProcessInformation
Source: SiemensServer.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SiemensServer.exe, 00000000.00000003.1273875229.0000000003DCE000.00000004.00000020.00020000.00000000.sdmp, SiemensServer.exe, 00000000.00000002.1281998732.0000000003DD4000.00000004.00000020.00020000.00000000.sdmp, SiemensServer.exe, 00000000.00000003.1275679002.0000000003DD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: SiemensServer.exe, 00000014.00000002.2209608111.0000000004470000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXe
Source: SiemensServer.exe, 00000000.00000002.1280098334.0000000000DDB000.00000004.00000010.00020000.00000000.sdmp, SiemensServer.exe, 00000013.00000002.2062175379.000000000125B000.00000004.00000010.00020000.00000000.sdmp, SiemensServer.exe, 00000014.00000002.2206666486.000000000141B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ProgmanManagerCoreWindowonWindowClass.0
Source: SiemensServer.exe, 00000017.00000002.2466060664.0000000003F0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerk
Source: SiemensServer.exe, 00000013.00000003.2056111065.000000000438B000.00000004.00000020.00020000.00000000.sdmp, SiemensServer.exe, 00000013.00000003.2057202868.0000000004397000.00000004.00000020.00020000.00000000.sdmp, SiemensServer.exe, 00000013.00000003.2058632133.0000000004393000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager3
Source: SiemensServer.exe, 00000017.00000002.2449441892.0000000001424000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XPB
Source: SiemensServer.exe, 00000000.00000003.1266545910.0000000003D1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_81
Source: SiemensServer.exe, 00000017.00000002.2465400587.0000000003ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_815{G
Source: SiemensServer.exe, 00000000.00000003.1267034380.00000000012A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XP^
Source: SiemensServer.exe, 00000014.00000003.2188567036.000000000190B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XP
Source: SiemensServer.exe, 00000014.00000003.2194742903.00000000043E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_8]K
Source: SiemensServer.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: SiemensServer.exe, 00000014.00000003.2194742903.00000000043E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_81;
Source: SiemensServer.exe, 00000017.00000002.2465400587.0000000003ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_8
Source: SiemensServer.exe, 00000013.00000003.2049754679.00000000042E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_81x
Source: SiemensServer.exe, 00000013.00000003.2049754679.00000000042E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_8U
No contacted IP infos