Windows Analysis Report
3lOLt0TUE4.exe

Overview

General Information

Sample name: 3lOLt0TUE4.exe
renamed because original name is a hash value
Original sample name: 6970f935606328c81997e47b826ae655fa98f6503edf7c98fe84bbfd6bd26177.exe
Analysis ID: 1542046
MD5: 731497243f4c710c562dd084dcd34ec1
SHA1: 4171c0e0095b0baf7b9ceede925ba55cedb22087
SHA256: 6970f935606328c81997e47b826ae655fa98f6503edf7c98fe84bbfd6bd26177

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain checking for process token information
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 3lOLt0TUE4.exe Avira: detected
Source: 3lOLt0TUE4.exe ReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: 3lOLt0TUE4.exe Joe Sandbox ML: detected
Source: Binary string: elevation_service.exe.pdb source: 3lOLt0TUE4.exe
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014004569C FindFirstFileExW, 0_2_000000014004569C
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140015450 RtlInitUnicodeString,NtOpenKeyEx, 0_2_0000000140015450
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140015620 RtlInitUnicodeString,NtQueryValueKey, 0_2_0000000140015620
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140015940 NtClose, 0_2_0000000140015940
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140014CF0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlInitUnicodeString,NtCreateKey,NtOpenKeyEx,NtDeleteKey,NtClose,NtQueryKey,NtEnumerateKey,NtQueryValueKey,GetProcAddress,GetProcAddress,RtlFormatCurrentUserKeyPath,GetCommandLineW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetModuleHandleW,GetProcAddress,GetCurrentProcess, 0_2_0000000140014CF0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014000FFB0 0_2_000000014000FFB0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140024010 0_2_0000000140024010
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140033075 0_2_0000000140033075
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00000001400240A0 0_2_00000001400240A0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00000001400380AC 0_2_00000001400380AC
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00000001400490E8 0_2_00000001400490E8
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014001E120 0_2_000000014001E120
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014003312A 0_2_000000014003312A
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140034174 0_2_0000000140034174
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00000001400061C0 0_2_00000001400061C0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00000001400261D0 0_2_00000001400261D0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140042288 0_2_0000000140042288
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00000001400442E0 0_2_00000001400442E0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014003B310 0_2_000000014003B310
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140031328 0_2_0000000140031328
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014003F37C 0_2_000000014003F37C
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140045464 0_2_0000000140045464
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00000001400074F0 0_2_00000001400074F0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140019520 0_2_0000000140019520
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014000A680 0_2_000000014000A680
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014003A6B4 0_2_000000014003A6B4
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014003A726 0_2_000000014003A726
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140044740 0_2_0000000140044740
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00000001400027D0 0_2_00000001400027D0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140026850 0_2_0000000140026850
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00000001400268D0 0_2_00000001400268D0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140011910 0_2_0000000140011910
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140047A14 0_2_0000000140047A14
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140042A60 0_2_0000000140042A60
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140032B75 0_2_0000000140032B75
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140032BC0 0_2_0000000140032BC0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014000BBD0 0_2_000000014000BBD0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014002BCBC 0_2_000000014002BCBC
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140026CC0 0_2_0000000140026CC0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014002FDC0 0_2_000000014002FDC0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140017E60 0_2_0000000140017E60
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140072E6B 0_2_0000000140072E6B
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014002BEC0 0_2_000000014002BEC0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_004292A0 0_2_004292A0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_004293B0 0_2_004293B0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0042A810 0_2_0042A810
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_004079F0 0_2_004079F0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00407C00 0_2_00407C00
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00432D40 0_2_00432D40
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0042EEB0 0_2_0042EEB0
Source: 3lOLt0TUE4.exe, 00000000.00000000.1816671674.0000000140070000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameelevation_service.exe< vs 3lOLt0TUE4.exe
Source: 3lOLt0TUE4.exe Binary or memory string: OriginalFilenameelevation_service.exe< vs 3lOLt0TUE4.exe
Source: 3lOLt0TUE4.exe Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal68.expl.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014000DEC0 FormatMessageA,GetLastError,_invalid_parameter_noinfo_noreturn, 0_2_000000014000DEC0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00000001400024F0 StartServiceCtrlDispatcherW,GetLastError,GetLastError, 0_2_00000001400024F0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-dff86b9b42af94777d8e3ee9-b
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-dff86b9b42af9477-inf
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3lOLt0TUE4.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Section loaded: kernel.appcore.dll
Source: 3lOLt0TUE4.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 3lOLt0TUE4.exe Static file information: File size 1869824 > 1048576
Source: 3lOLt0TUE4.exe Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x15f000
Source: 3lOLt0TUE4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: elevation_service.exe.pdb source: 3lOLt0TUE4.exe
Source: 3lOLt0TUE4.exe Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014007231C push rdx; ret 0_2_0000000140072328
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00000001400024F0 StartServiceCtrlDispatcherW,GetLastError,GetLastError, 0_2_00000001400024F0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140014CF0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlInitUnicodeString,NtCreateKey,NtOpenKeyEx,NtDeleteKey,NtClose,NtQueryKey,NtEnumerateKey,NtQueryValueKey,GetProcAddress,GetProcAddress,RtlFormatCurrentUserKeyPath,GetCommandLineW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetModuleHandleW,GetProcAddress,GetCurrentProcess, 0_2_0000000140014CF0

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_004052A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 0_2_004052A0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014004569C FindFirstFileExW, 0_2_000000014004569C
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014002DFDC VirtualQuery,GetSystemInfo, 0_2_000000014002DFDC
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014002B4C0 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_000000014002B4C0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00000001400036C0 _Init_thread_header,GetProcessHeap,_Init_thread_header, 0_2_00000001400036C0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014002B874 SetUnhandledExceptionFilter, 0_2_000000014002B874
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014002B884 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000014002B884
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014002BC88 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_000000014002BC88
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140034D64 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0000000140034D64
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140002F30 GetSecurityDescriptorDacl,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetAclInformation,_invalid_parameter_noinfo, 0_2_0000000140002F30
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_0000000140046450 cpuid 0_2_0000000140046450
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: EnumSystemLocalesW, 0_2_0000000140045028
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: GetLocaleInfoW, 0_2_00000001400450C0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: GetLocaleInfoW, 0_2_00000001400451D0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: EnumSystemLocalesW, 0_2_000000014003F220
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00000001400452B8
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: GetLocaleInfoW, 0_2_0000000140045368
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0000000140044A08
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: try_get_function,GetLocaleInfoW, 0_2_000000014003EAF8
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: EnumSystemLocalesW, 0_2_0000000140044D08
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0000000140044DE0
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_000000014002E504 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_000000014002E504
Source: C:\Users\user\Desktop\3lOLt0TUE4.exe Code function: 0_2_00420080 VirtualFree,VirtualFree,VirtualAlloc,GetUserNameW,GetComputerNameW,GetComputerNameW, 0_2_00420080
No contacted IP infos