Windows Analysis Report
RKVaYznwyT.exe

Overview

General Information

Sample name: RKVaYznwyT.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 7a7f4077096e5048ab837413f71d7d8e04f04e4fe9bdcafe93113dd60562bf4f
Analysis ID: 1541502
MD5: fdb7614d7064da1a089a7f330177b2dd
SHA1: ea44186936ad92c902ff1e8d9019efd46904e53f
SHA256: 7a7f4077096e5048ab837413f71d7d8e04f04e4fe9bdcafe93113dd60562bf4f

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

AI detected suspicious sample
Creates a process in suspended mode (likely to inject code)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 94.3% probability
Source: RKVaYznwyT.exe Static PE information: Number of sections : 14 > 10
Source: RKVaYznwyT.exe Static PE information: Section: /19 ZLIB complexity 0.9985184957349081
Source: RKVaYznwyT.exe Static PE information: Section: /46 ZLIB complexity 0.999921875
Source: RKVaYznwyT.exe Static PE information: Section: /99 ZLIB complexity 1.0000082179172511
Source: RKVaYznwyT.exe Static PE information: Section: /112 ZLIB complexity 0.9919689685314685
Source: classification engine Classification label: sus23.winEXE@4/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_03
Source: RKVaYznwyT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RKVaYznwyT.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RKVaYznwyT.exe String found in binary or memory: p->status= pageSize= s.nelems= schedtick= span.list=, s.base()=, s.npages=-start_date//*[symid='/dev/stderr/dev/stdout30517578125: frame.sp=<invalid op> in space CloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGOTRACEBACKGetFileTypeIdeographicInstCap
Source: RKVaYznwyT.exe String found in binary or memory: p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=, s.base()=, s.npages=-start_date//*[symid='/dev/stderr/dev/stdout30517578125: frame.sp=<invalid op> in space CloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGOTRACEBACKGetFileTypeIdeogra
Source: RKVaYznwyT.exe String found in binary or memory: m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=, s.base()=, s.npages=-start_date//*[symid='/dev/stderr/dev/stdout30517578125: frame.sp=<invalid op> in space CloseHandleCreateFileWDeleteFileWExitPro
Source: RKVaYznwyT.exe String found in binary or memory: gcwaiting= gp.status= heap_live= idleprocs= in status m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=, s.base()=, s.npages=-start_date//*[symid='/dev/stderr/dev/stdout30517578125: frame.sp=<invalid op> in space CloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGOTRACEBACKGetFileTypeIdeographicInstCaptureInstRuneAnyInstallPathMedefaidrinMoveFileExWNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPau_Cin_HauRegCloseKeySYMCLI_SID=SYSTEMROOT=SetFileTimeSignWritingSoft_DottedVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_Space[:^xdigit:]_SYMINQ.TXTalarm clockapppathrootbad addressbad messagebad timedivbroken pipecgocall nilclobberfreeclosesocketcreated by crypt32.dllfile existsfinal tokenfloat32nan2float64nan2float64nan3gatekeeper gccheckmarkgetpeernamegetsocknamei/o timeoutlost mcachemSpanManualmethodargs(mswsock.dllno root keyparse errorruntime: P runtime: p scheddetailschema1 %s
Source: unknown Process created: C:\Users\user\Desktop\RKVaYznwyT.exe "C:\Users\user\Desktop\RKVaYznwyT.exe"
Source: C:\Users\user\Desktop\RKVaYznwyT.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RKVaYznwyT.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Users\user\Desktop\RKVaYznwyT.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RKVaYznwyT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RKVaYznwyT.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\RKVaYznwyT.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\RKVaYznwyT.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: napinsp.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: wshbth.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: nlaapi.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: winrnr.dll
Source: RKVaYznwyT.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: RKVaYznwyT.exe Static file information: File size 4375040 > 1048576
Source: RKVaYznwyT.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15fc00
Source: RKVaYznwyT.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x18fe00
Source: RKVaYznwyT.exe Static PE information: section name: /4
Source: RKVaYznwyT.exe Static PE information: section name: /19
Source: RKVaYznwyT.exe Static PE information: section name: /32
Source: RKVaYznwyT.exe Static PE information: section name: /46
Source: RKVaYznwyT.exe Static PE information: section name: /63
Source: RKVaYznwyT.exe Static PE information: section name: /80
Source: RKVaYznwyT.exe Static PE information: section name: /99
Source: RKVaYznwyT.exe Static PE information: section name: /112
Source: RKVaYznwyT.exe Static PE information: section name: /124
Source: RKVaYznwyT.exe Static PE information: section name: .symtab
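The static findings above (14 sections, section names of the form /N, a .symtab section, ZLIB complexity at or above 1.0 on the /N sections, and Go runtime strings such as GOTRACEBACK) can be reproduced with a short parser. The following is an added example written for this page; it is not Joe Sandbox code and not code from the sample. It walks the PE section table, resolves /N names through the COFF string table (which is where the Go and MinGW linkers store section names longer than 8 bytes, for example .debug_abbrev), scores each section as compressed length divided by raw length, and applies the thresholds the report uses (section count > 10, section size > 0x100000). The 0.95 complexity cut-off, the set of "standard" section names, the Go marker strings and the constructed header-only image (not loadable) are assumptions of the example. Practitioner caveat: /N names plus .symtab and a high section count are the normal shape of an unstripped Go PE, and a complexity near 1.0 on those sections is consistent with already-compressed debug data rather than a packer; treat those signatures as "Go binary" unless .text itself also scores as encrypted.

```python
import hashlib
import struct
import zlib

# Thresholds from the signatures on this page (section count > 10, size > 0x100000).
# The complexity cut-off, the standard-name set and the Go markers are assumptions.
MAX_NORMAL_SECTIONS = 10
LARGE_SECTION = 0x100000
HIGH_COMPLEXITY = 0.95
STANDARD_NAMES = {b".text", b".rdata", b".data", b".bss", b".idata", b".edata",
                  b".rsrc", b".reloc", b".pdata", b".xdata", b".tls", b".CRT"}
GO_MARKERS = (b"GOTRACEBACK", b"go.buildid", b"runtime.gopanic")
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x20, 0x20000000, 0x40000000


def parse_sections(data):
    """DOS header -> PE signature -> COFF header -> section table.
    A name of the form '/N' is an offset into the COFF string table, which is how
    the Go and MinGW linkers store section names longer than 8 bytes."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    sym_ptr, num_syms = struct.unpack_from("<II", data, coff + 8)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    strtab = sym_ptr + num_syms * 18 if sym_ptr else None  # COFF symbols are 18 bytes each
    sec_off = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = sec_off + 40 * i
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, hdr)
        chars, = struct.unpack_from("<I", data, hdr + 36)
        name = name.rstrip(b"\0")
        long_name = None
        if strtab is not None and name.startswith(b"/") and name[1:].isdigit():
            start = strtab + int(name[1:])
            long_name = data[start:data.index(b"\0", start)]
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name, "long_name": long_name, "virtual_size": vsize,
            "raw_size": rsize, "characteristics": chars,
            # "ZLIB complexity" as on this page: compressed length / raw length.
            # Near or above 1.0 means the bytes are already compressed or encrypted.
            "complexity": len(zlib.compress(raw)) / len(raw) if raw else 0.0,
        })
    return sections


def triage(data):
    """Reproduce the report's static checks as one findings dict."""
    secs = parse_sections(data)
    return {
        "section_count": len(secs),
        "too_many_sections": len(secs) > MAX_NORMAL_SECTIONS,
        "nonstandard": [(s["name"], s["long_name"]) for s in secs if s["name"] not in STANDARD_NAMES],
        "large": [s["name"] for s in secs if max(s["raw_size"], s["virtual_size"]) > LARGE_SECTION],
        "high_complexity": [s["name"] for s in secs if s["complexity"] > HIGH_COMPLEXITY],
        "go_markers": any(m in data for m in GO_MARKERS),
    }


def _noise(n, seed):
    """Deterministic high-entropy bytes standing in for compressed or packed data."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_pe(extra_debug=0):
    """Constructed, header-only (not loadable) x64 image laid out like a Go build:
    .text and .rdata, '/N' string-table-named debug sections, and .symtab."""
    long_names = [b".debug_abbrev", b".debug_line", b".debug_gdb_scripts"]
    long_names += [b".debug_extra%d" % i for i in range(extra_debug)]
    strtab, short = b"", []
    for ln in long_names:
        short.append(b"/%d" % (4 + len(strtab)))  # offsets count the 4-byte size field
        strtab += ln + b"\0"
    strtab = struct.pack("<I", 4 + len(strtab)) + strtab
    bodies = [(b".text", _noise(4096, b"code"), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
              (b".rdata", b"GOTRACEBACK\0" + b"A" * 2048, IMAGE_SCN_MEM_READ)]
    bodies += [(s, _noise(512, s), IMAGE_SCN_MEM_READ) for s in short]
    bodies.append((b".symtab", _noise(256, b"sym"), IMAGE_SCN_MEM_READ))
    e_lfanew = 0x40
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(bodies)  # SizeOfOptionalHeader is 0 in this image
    hdrs, payload = b"", b""
    for name, body, chars in bodies:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000 + raw_ptr,
                            len(body), raw_ptr, 0, 0, 0, 0, chars)
        payload += body
        raw_ptr += len(body)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    # PointerToSymbolTable points at an empty symbol table; the string table follows it.
    coff = struct.pack("<HHIIIHH", 0x8664, len(bodies), 0, raw_ptr, 0, 0, 0x22)
    return dos + b"PE\0\0" + coff + hdrs + payload + strtab


if __name__ == "__main__":
    for key, value in triage(build_sample_pe(extra_debug=9)).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open(path, "rb").read())`; on the constructed image with nine extra debug sections it reports 15 sections, every /N name resolved to its long name, .symtab as non-standard, the noise-filled sections above the complexity cut-off, and the Go marker present.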
Source: C:\Users\user\Desktop\RKVaYznwyT.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RKVaYznwyT.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RKVaYznwyT.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: HOSTNAME.EXE, 00000002.00000002.1710624664.000002B580939000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: RKVaYznwyT.exe, 00000000.00000002.1712910823.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
No contacted IP infos
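The dynamic findings (the sample running from the user's Desktop, spawning HOSTNAME.EXE, with a conhost.exe child) translate into a process-tree detection. The following is an added example written for this page, not part of the report and not sandbox code. It runs over constructed Sysmon Event ID 1-shaped records that model the tree in this report plus two benign controls (all PIDs invented), ignores the conhost.exe "0xffffffff -ForceV1" attach that every console-subsystem program produces, and alerts only when a parent running from a user-writable path spawns a host-recon binary. The user-writable path hints and the recon binaries other than hostname.exe are assumptions of the example.

```python
import ntpath
from collections import defaultdict

# Assumptions (not from the report): which parent locations count as
# user-writable, and which child binaries count as host reconnaissance.
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\")
RECON_CHILDREN = {"hostname.exe", "whoami.exe", "systeminfo.exe",
                  "ipconfig.exe", "nltest.exe", "net.exe"}
# "conhost.exe <handle> -ForceV1" is the normal console-host attach for any
# console-subsystem program and is not evidence of injection on its own.
IGNORED_CHILDREN = {"conhost.exe"}

# Constructed process-creation events modelled on this report's tree
# (parent 6312 is invented; 6324 matches the conhost mutant in the report)
# plus two benign controls.
EVENTS = [
    {"ParentProcessId": 6312, "ParentImage": r"C:\Users\user\Desktop\RKVaYznwyT.exe",
     "ProcessId": 6324, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ParentProcessId": 6312, "ParentImage": r"C:\Users\user\Desktop\RKVaYznwyT.exe",
     "ProcessId": 6340, "Image": r"C:\Windows\System32\HOSTNAME.EXE",
     "CommandLine": "hostname"},
    {"ParentProcessId": 4100, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ProcessId": 4120, "Image": r"C:\Windows\System32\HOSTNAME.EXE",
     "CommandLine": "hostname"},
    {"ParentProcessId": 5200, "ParentImage": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "ProcessId": 5210, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]


def basename(path):
    """Lower-cased file name of a Windows path, usable on any host OS."""
    return ntpath.basename(path).lower()


def from_user_writable(path):
    lowered = path.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def detect_recon_from_user_path(events):
    """Group children by parent and alert when a parent running from a
    user-writable path spawns a recon binary. Returns one alert per parent."""
    children = defaultdict(list)
    for ev in events:
        child = basename(ev["Image"])
        if child in IGNORED_CHILDREN:
            continue
        children[(ev["ParentProcessId"], ev["ParentImage"])].append((child, ev["CommandLine"]))
    alerts = []
    for (ppid, pimage), kids in children.items():
        recon = [k for k in kids if k[0] in RECON_CHILDREN]
        if recon and from_user_writable(pimage):
            alerts.append({"parent_pid": ppid, "parent": pimage,
                           "recon_children": [k[0] for k in recon],
                           "command_lines": [k[1] for k in recon]})
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_from_user_path(EVENTS):
        print(f"[recon from user path] pid={alert['parent_pid']} "
              f"{alert['parent']} -> {alert['recon_children']}")
```

On the constructed events only the Desktop parent fires: cmd.exe under System32 running hostname is a normal interactive use, and the Temp-resident setup.exe that only attaches a console is not enough on its own.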