Windows Analysis Report
electrumx64.exe

Overview

General Information

Sample name: electrumx64.exe
Analysis ID: 1545080
MD5: cf837466c42aa63d4e4df0352a8063ef
SHA1: 461a44b862408c89f16f845b7367b51800344a41
SHA256: 451070b87e0b3acf9de1f6fd858bfadbdaf23fe75cd6f56a29ec817946e70a42
Tags: exe, infostealer, ShellcodeRunner, user-ninjacatcher

Detection

Score: 29
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Tries to delay execution (extensive OutputDebugStringW loop)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: electrumx64.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: electrumx64.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: E:\test\nsNiuniuDUI.pdbp source: electrumx64.exe, 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp
Source: Binary string: E:\test\nsNiuniuDUI.pdb source: electrumx64.exe, electrumx64.exe, 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: electrumx64.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: http://www.leeqia.com
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050F9
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF98060 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_6CF98060
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_004038AF
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_0040737E 0_2_0040737E
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_00406EFE 0_2_00406EFE
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_004079A2 0_2_004079A2
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_004049A8 0_2_004049A8
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF62410 0_2_6CF62410
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CFAF620 0_2_6CFAF620
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF6ECC0 0_2_6CF6ECC0
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CFDACC0 0_2_6CFDACC0
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF86DA5 0_2_6CF86DA5
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6D01AFB9 0_2_6D01AFB9
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF6E8B0 0_2_6CF6E8B0
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6D01EB53 0_2_6D01EB53
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF6CAA0 0_2_6CF6CAA0
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CFBEA70 0_2_6CFBEA70
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF86A07 0_2_6CF86A07
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF7CBD0 0_2_6CF7CBD0
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF86572 0_2_6CF86572
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6D01C4BA 0_2_6D01C4BA
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6D01E29F 0_2_6D01E29F
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6D01DD4E 0_2_6D01DD4E
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6D01FF67 0_2_6D01FF67
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CFDB410 0_2_6CFDB410
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF8755F 0_2_6CF8755F
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6D01D7FD 0_2_6D01D7FD
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF87177 0_2_6CF87177
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6D01F22F 0_2_6D01F22F
Source: C:\Users\user\Desktop\electrumx64.exe Code function: String function: 6D01804E appears 45 times
Source: C:\Users\user\Desktop\electrumx64.exe Code function: String function: 6CFA41C0 appears 144 times
Source: C:\Users\user\Desktop\electrumx64.exe Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\Desktop\electrumx64.exe Code function: String function: 6CF7ADD4 appears 66 times
Source: C:\Users\user\Desktop\electrumx64.exe Code function: String function: 6CF80420 appears 50 times
Source: C:\Users\user\Desktop\electrumx64.exe Code function: String function: 6CF7B07D appears 370 times
Source: C:\Users\user\Desktop\electrumx64.exe Code function: String function: 6CF7A7A4 appears 49 times
Source: C:\Users\user\Desktop\electrumx64.exe Code function: String function: 6CF8C900 appears 63 times
Source: electrumx64.exe, 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamensNiuniuSkin.dllX vs electrumx64.exe
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamensNiuniuSkin.dllX vs electrumx64.exe
Source: nsNiuniuSkin.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9921396439509954
Source: classification engine Classification label: sus29.evad.winEXE@1/5@0/0
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CFD31C0 GetLastError,FormatMessageW,LocalFree, 0_2_6CFD31C0
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CFD0770 FindResourceW,LoadResource,FreeResource,SizeofResource,LockResource,FreeResource, 0_2_6CFD0770
Source: C:\Users\user\Desktop\electrumx64.exe File created: C:\Users\user\AppData\Local\Temp\nshCE55.tmp
Source: electrumx64.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\electrumx64.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\electrumx64.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: electrumx64.exe String found in binary or memory: images/add_file.png
Source: electrumx64.exe String found in binary or memory: images/add_file@125.png
Source: electrumx64.exe String found in binary or memory: images/add_file@150.png
Source: electrumx64.exe String found in binary or memory: images/add_file@200.png
Source: electrumx64.exe String found in binary or memory: images/stop.png
Source: electrumx64.exe String found in binary or memory: images/stop@125.png
Source: electrumx64.exe String found in binary or memory: images/stop@150.png
Source: electrumx64.exe String found in binary or memory: images/stop@200.png
Source: electrumx64.exe String found in binary or memory: images/ticket-help.png
Source: electrumx64.exe String found in binary or memory: images/ticket-help2.png
Source: electrumx64.exe String found in binary or memory: images/ticket-help2@125.png
Source: electrumx64.exe String found in binary or memory: images/ticket-help2@150.png
Source: electrumx64.exe String found in binary or memory: images/ticket-help2@200.png
Source: electrumx64.exe String found in binary or memory: images/ticket-help@125.png
Source: electrumx64.exe String found in binary or memory: images/ticket-help@150.png
Source: electrumx64.exe String found in binary or memory: images/ticket-help@200.png
Source: C:\Users\user\Desktop\electrumx64.exe File read: C:\Users\user\Desktop\electrumx64.exe
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: msftedit.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: windows.globalization.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: bcp47mrm.dll
Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: globinputhost.dll
Source: C:\Users\user\Desktop\electrumx64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\electrumx64.exe File opened: C:\Windows\SysWOW64\Msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: electrumx64.exe Static file information: File size 47521498 > 1048576
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF80465 push ecx; ret 0_2_6CF80478
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF7D86A push ecx; ret 0_2_6CF7D87D
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\electrumx64.exe File created: C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\System.dll
Source: C:\Users\user\Desktop\electrumx64.exe File created: C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF98747 _memset,BeginPaint,EndPaint,GetClientRect,GetUpdateRect,IsRectEmpty,IsIconic,DeleteDC,DeleteDC,DeleteObject,DeleteObject,KiUserCallbackDispatcher,_memset,UnionRect,_memset,_memset,BeginPaint,SelectObject,SaveDC,IsWindow,IsWindowVisible,IntersectRect,_memset,SelectObject,SendMessageW,73A24D40,SelectObject,DeleteObject,DeleteDC,RestoreDC,GetWindowRect,_memset,SelectObject,_memset,73A24D40,SelectObject,SelectObject,GetStockObject,SelectObject,Rectangle,SelectObject,SaveDC,RestoreDC,EndPaint, 0_2_6CF98747
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CFFCE60 IsIconic,GetWindowRect,CreateRoundRectRgn,SetWindowRgn,DeleteObject, 0_2_6CFFCE60
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF980F0 ScreenToClient,IsIconic,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,GetTickCount,_memset,CreateWindowExW,SendMessageW,SendMessageW,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW, 0_2_6CF980F0
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF93CE0 IsIconic, 0_2_6CF93CE0
Source: C:\Users\user\Desktop\electrumx64.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\electrumx64.exe Section loaded: OutputDebugStringW count: 408
Source: C:\Users\user\Desktop\electrumx64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll
Source: C:\Users\user\Desktop\electrumx64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\System.dll
Source: C:\Users\user\Desktop\electrumx64.exe API coverage: 8.5 %
Source: C:\Users\user\Desktop\electrumx64.exe File Volume queried: C:\Users\user\AppData\Local\Temp\nsxCF02.tmp FullSizeInformation
Source: C:\Users\user\Desktop\electrumx64.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF7ADDF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CF7ADDF
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF8AB4D __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_6CF8AB4D
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF80288 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CF80288
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CFA4950 cpuid 0_2_6CFA4950
Source: C:\Users\user\Desktop\electrumx64.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 0_2_6CF8AA18
Source: C:\Users\user\Desktop\electrumx64.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_6CF8604D
Source: C:\Users\user\Desktop\electrumx64.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_6CF862DE
Source: C:\Users\user\Desktop\electrumx64.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_6CF8621E
Source: C:\Users\user\Desktop\electrumx64.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_6CF86381
Source: C:\Users\user\Desktop\electrumx64.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_6CF86345
Source: C:\Users\user\Desktop\electrumx64.exe Code function: GetLocaleInfoA, 0_2_6CF7FCA3
Source: C:\Users\user\Desktop\electrumx64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6CF85E56
Source: C:\Users\user\Desktop\electrumx64.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_6CF85FF2
Source: C:\Users\user\Desktop\electrumx64.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_6CF85F4B
Source: C:\Users\user\Desktop\electrumx64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 0_2_6CF898F2
Source: C:\Users\user\Desktop\electrumx64.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_6CF899CC
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF8475D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_6CF8475D
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406831
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF6F510 BindCallBack,GlobalFree,lstrcpynW,GlobalFree,_memset,lstrcpyW,GlobalFree,lstrcpynW,GlobalFree,IsWindow, 0_2_6CF6F510
Source: C:\Users\user\Desktop\electrumx64.exe Code function: 0_2_6CF6F2D0 BindCallBackEx,lstrcpynW,GlobalFree,_memset,lstrcpyW,lstrcpyW,GlobalFree,_memset,lstrcpyW,GlobalFree,lstrcpynW,GlobalFree,IsWindow, 0_2_6CF6F2D0
No contacted IP infos