Windows Analysis Report
skZwfU6wMR.exe

Overview

General Information

Sample name: skZwfU6wMR.exe
(renamed because the original name is a hash value)
Original sample name: 9caaa34fa5fab572695f49cc496820dc5e4df6d8866b3f89a49e2dab1a6f85d2.exe
Analysis ID: 1543064
MD5: 339e94bff01e66552e855e9ade023163
SHA1: 55ff23f6f35ce96592d41723a933bc928f3afe50
SHA256: 9caaa34fa5fab572695f49cc496820dc5e4df6d8866b3f89a49e2dab1a6f85d2
Tags: exegurt-duna-uauser-JAMESWT_MHT

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: skZwfU6wMR.exe Avira: detected
Source: skZwfU6wMR.exe Virustotal: Detection: 45%
Source: skZwfU6wMR.exe ReversingLabs: Detection: 52%
Source: skZwfU6wMR.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: skZwfU6wMR.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: dccw.pdbGCTL source: skZwfU6wMR.exe
Source: Binary string: dccw.pdb source: skZwfU6wMR.exe
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_0033EDC2 GetObjectW,GetLastError,GetWindowRect,GetLastError,GetDC,GetLastError,CreateCompatibleDC,GetLastError,SelectObject,CreateCompatibleDC,GetLastError,SetStretchBltMode,GetLastError,CreateCompatibleBitmap,GetLastError,SelectObject,StretchBlt,GetLastError,SendMessageW,DeleteObject,ReleaseDC,DeleteDC,DeleteDC,DeleteObject, 0_2_0033EDC2
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_00336166 0_2_00336166
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_00335245 0_2_00335245
Source: skZwfU6wMR.exe Binary or memory string: OriginalFilename vs skZwfU6wMR.exe
Source: skZwfU6wMR.exe, 00000000.00000000.1286934071.0000000000343000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedccw.exej% vs skZwfU6wMR.exe
Source: skZwfU6wMR.exe, 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedccw.exej% vs skZwfU6wMR.exe
Source: skZwfU6wMR.exe Binary or memory string: OriginalFilenamedccw.exej% vs skZwfU6wMR.exe
Source: classification engine Classification label: mal56.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_0034002C FormatMessageW,LocalFree,GetLastError, 0_2_0034002C
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_00340138 CoCreateInstance,SysAllocString,WinSqmAddToStream,SysFreeString, 0_2_00340138
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_0033F117 FindResourceW,GetLastError,LoadResource,GetLastError,SizeofResource,LockResource, 0_2_0033F117
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DCCW Startup Mutex
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Command line argument: strg 0_2_00333BBD
Source: skZwfU6wMR.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Section loaded: dxva2.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Section loaded: mscms.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Section loaded: textshaping.dll
Source: skZwfU6wMR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: skZwfU6wMR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: skZwfU6wMR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: skZwfU6wMR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: skZwfU6wMR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: skZwfU6wMR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: skZwfU6wMR.exe Static PE information: real checksum: 0x2100c should be: 0x79d41
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_00331D0C pushad ; retf 0_2_00331D0D
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_00340DD1 push ecx; ret 0_2_00340DE4
Source: C:\Users\user\Desktop\skZwfU6wMR.exe API coverage: 5.2 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_0033F7EE mov esi, dword ptr fs:[00000030h] 0_2_0033F7EE
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_0033F8CD GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_0033F8CD
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_00340A80 SetUnhandledExceptionFilter, 0_2_00340A80
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_003407FD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_003407FD
Source: C:\Users\user\Desktop\skZwfU6wMR.exe Code function: 0_2_00340CC9 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00340CC9
No contacted IP infos