Windows Analysis Report
czcansrv.exe

Overview

General Information

Sample name: czcansrv.exe
Analysis ID: 1542032
MD5: 52d32df86af95f0844fc3dd43956c997
SHA1: 44789fd469a3164712d00e89e7b2b7d3aa4d02e9
SHA256: 3ad754f08c2f4c4fca7ff66937838429c893e3bceb2b6aa73768c90eb1276664

Detection

Score: 28
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.4% probability
Source: czcansrv.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: czcansrv.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Agent1\work\435\s\Sources\CZCanSrv\ReleaseMinDependency\CZCanSrv.pdb source: czcansrv.exe
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E222F3 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00E222F3
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DCE0DA Sleep,WSAGetOverlappedResult,WSARecv,WaitForSingleObject,SetEvent,SetEvent,GetTickCount,SetEvent, 0_2_00DCE0DA
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DEC41B EnterCriticalSection,DeviceIoControl,GetLastError,GetLastError,GetOverlappedResult,GetLastError,LeaveCriticalSection, 0_2_00DEC41B
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DCC525 OpenSCManagerA,MessageBoxA,OpenServiceA,CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_00DCC525
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E101EF 0_2_00E101EF
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E121A6 0_2_00E121A6
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E2C280 0_2_00E2C280
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DC4390 0_2_00DC4390
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E125D6 0_2_00E125D6
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E2A547 0_2_00E2A547
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E10546 0_2_00E10546
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E346A0 0_2_00E346A0
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DCC6AE 0_2_00DCC6AE
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DE674B 0_2_00DE674B
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DF4760 0_2_00DF4760
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E1088E 0_2_00E1088E
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E2C92F 0_2_00E2C92F
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DE2C07 0_2_00DE2C07
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E10C1C 0_2_00E10C1C
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DCEDB2 0_2_00DCEDB2
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DE8D44 0_2_00DE8D44
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DE4D0E 0_2_00DE4D0E
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E10FB9 0_2_00E10FB9
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DD8F6C 0_2_00DD8F6C
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DD30C2 0_2_00DD30C2
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E11347 0_2_00E11347
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E116AC 0_2_00E116AC
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E2B930 0_2_00E2B930
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E11A20 0_2_00E11A20
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DC3BFE 0_2_00DC3BFE
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E1FDC5 0_2_00E1FDC5
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E11D85 0_2_00E11D85
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E0FEA7 0_2_00E0FEA7
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E2BE40 0_2_00E2BE40
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DE3F48 0_2_00DE3F48
Source: C:\Users\user\Desktop\czcansrv.exe Code function: String function: 00DEDD71 appears 109 times
Source: C:\Users\user\Desktop\czcansrv.exe Code function: String function: 00DEE970 appears 61 times
Source: C:\Users\user\Desktop\czcansrv.exe Code function: String function: 00E21708 appears 33 times
Source: C:\Users\user\Desktop\czcansrv.exe Code function: String function: 00DC2AB0 appears 42 times
Source: C:\Users\user\Desktop\czcansrv.exe Code function: String function: 00E1E6C5 appears 54 times
Source: C:\Users\user\Desktop\czcansrv.exe Code function: String function: 00DEDD1C appears 49 times
Source: classification engine Classification label: sus28.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\czcansrv.exe Code function: OpenSCManagerA,GetModuleFileNameA,CreateServiceA,CloseServiceHandle,MessageBoxA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_00DCA4C1
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DC63EB CoCreateInstance, 0_2_00DC63EB
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DCB1AF __EH_prolog3_catch_GS,LoadLibraryExA,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary, 0_2_00DCB1AF
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DCC41F StartServiceCtrlDispatcherA, 0_2_00DCC41F
Source: C:\Users\user\Desktop\czcansrv.exe Command line argument: 0$ 0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exe Command line argument: UnregServer 0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exe Command line argument: RegServer 0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exe Command line argument: AtlServer 0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exe Command line argument: Service 0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exe Command line argument: RegUser 0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exe Command line argument: AppID 0_2_00DCCEF1
Source: C:\Users\user\Desktop\czcansrv.exe Command line argument: LocalService 0_2_00DCCEF1
Source: czcansrv.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\czcansrv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\czcansrv.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\czcansrv.exe Section loaded: hid.dll
Source: C:\Users\user\Desktop\czcansrv.exe Section loaded: kernel.appcore.dll
Source: czcansrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: czcansrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: czcansrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: czcansrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: czcansrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: czcansrv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: czcansrv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: czcansrv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: czcansrv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: czcansrv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: czcansrv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DEA8DC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00DEA8DC
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DEE310 push ecx; ret 0_2_00DEE9D3
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DEDD3F push ecx; ret 0_2_00DEDD52
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DC1CED LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00DC1CED
Source: C:\Users\user\Desktop\czcansrv.exe API coverage: 1.0 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DFDC97 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 0_2_00DFDC97
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DEE767 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DEE767
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DFDC97 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 0_2_00DFDC97
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E190C2 mov ecx, dword ptr fs:[00000030h] 0_2_00E190C2
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E21965 mov eax, dword ptr fs:[00000030h] 0_2_00E21965
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E217BC mov eax, dword ptr fs:[00000030h] 0_2_00E217BC
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E21779 mov eax, dword ptr fs:[00000030h] 0_2_00E21779
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E21736 mov eax, dword ptr fs:[00000030h] 0_2_00E21736
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E218DD mov eax, dword ptr fs:[00000030h] 0_2_00E218DD
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E21817 mov eax, dword ptr fs:[00000030h] 0_2_00E21817
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E21996 mov eax, dword ptr fs:[00000030h] 0_2_00E21996
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E21921 mov eax, dword ptr fs:[00000030h] 0_2_00E21921
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00E247B4 GetProcessHeap, 0_2_00E247B4
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DEE8FE SetUnhandledExceptionFilter, 0_2_00DEE8FE
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DFD7E9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DFD7E9
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DEDF29 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00DEDF29
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DEEBA1 cpuid 0_2_00DEEBA1
Source: C:\Users\user\Desktop\czcansrv.exe Code function: EnumSystemLocalesW, 0_2_00E1E0C3
Source: C:\Users\user\Desktop\czcansrv.exe Code function: GetLocaleInfoW, 0_2_00E280CC
Source: C:\Users\user\Desktop\czcansrv.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E2819B
Source: C:\Users\user\Desktop\czcansrv.exe Code function: EnumSystemLocalesW, 0_2_00E1E254
Source: C:\Users\user\Desktop\czcansrv.exe Code function: EnumSystemLocalesW, 0_2_00E1E222
Source: C:\Users\user\Desktop\czcansrv.exe Code function: GetLocaleInfoW, 0_2_00E1EB7F
Source: C:\Users\user\Desktop\czcansrv.exe Code function: EnumSystemLocalesW, 0_2_00E27ABB
Source: C:\Users\user\Desktop\czcansrv.exe Code function: EnumSystemLocalesW, 0_2_00E27BBF
Source: C:\Users\user\Desktop\czcansrv.exe Code function: EnumSystemLocalesW, 0_2_00E27B24
Source: C:\Users\user\Desktop\czcansrv.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E27C4A
Source: C:\Users\user\Desktop\czcansrv.exe Code function: GetLocaleInfoW, 0_2_00E27E9D
Source: C:\Users\user\Desktop\czcansrv.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00E27FC6
Source: C:\Users\user\Desktop\czcansrv.exe Code function: 0_2_00DD82B9 GetLocalTime, 0_2_00DD82B9
No contacted IP information