Windows Analysis Report
e3f6uu0uqV.exe

Overview

General Information

Sample name: e3f6uu0uqV.exe
(file extension renamed from bin to exe because the original name is a hash value)
Original sample name: 5f726d95a9ba1aebe43e8188edddb26556c730e03fb6227745e8afbf07d80c54.bin
Analysis ID: 1545043
MD5: b42c964e0e6aa56983e77542692320cd
SHA1: b75ceacd2e7f73b2c5c8b95373e08665a28a1ae3
SHA256: 5f726d95a9ba1aebe43e8188edddb26556c730e03fb6227745e8afbf07d80c54

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Program does not show much activity (idle)
Uses 32bit PE files

Classification

Source: e3f6uu0uqV.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: e3f6uu0uqV.exe Static PE information: certificate valid
Source: e3f6uu0uqV.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\cclibs\Desktop\ccx-process-redirect-script\Release\CCXProcess.pdb source: e3f6uu0uqV.exe
Source: Binary string: C:\Users\cclibs\Desktop\ccx-process-redirect-script\Release\CCXProcess.pdb%%$GCTL source: e3f6uu0uqV.exe
Source: classification engine Classification label: clean1.winEXE@1/0@0/0
Source: e3f6uu0uqV.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\e3f6uu0uqV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\e3f6uu0uqV.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\e3f6uu0uqV.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\e3f6uu0uqV.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\e3f6uu0uqV.exe Section loaded: kernel.appcore.dll
Source: e3f6uu0uqV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: e3f6uu0uqV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: e3f6uu0uqV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: e3f6uu0uqV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: e3f6uu0uqV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: e3f6uu0uqV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: e3f6uu0uqV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: e3f6uu0uqV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: e3f6uu0uqV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: e3f6uu0uqV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: e3f6uu0uqV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP information