Windows Analysis Report
adaFirmar.exe

Overview

General Information

Sample name: adaFirmar.exe
Analysis ID: 1545329
MD5: 6c3d86b342f768fdb57e3d1fcf543cce
SHA1: a449043e7eae780a0b9a66dc995cdb612cf4c41d
SHA256: 95a8277f391d876e1c6686ff255a123573bf4649f8600160e155ef325c1f2b55

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: adaFirmar.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\adaFirmar.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: adaFirmar.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: R:\TTelecomunicaciones\COITT_macFirmar\obj\Release\adaFirmar.pdb source: adaFirmar.exe
Source: unknown DNS traffic detected: query: 171.39.242.20.in-addr.arpa reply code: Name error (3, NXDOMAIN)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa (reverse PTR lookup of 20.242.39.171)
Source: adaFirmar.exe String found in binary or memory: http://albertmonter.com
Source: adaFirmar.exe, 00000000.00000002.3310227325.0000000001186000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://albertmonter.com-0b2b9608ed53ToD
Source: adaFirmar.exe String found in binary or memory: http://albertmonter.comD
Source: adaFirmar.exe, 00000000.00000002.3311601309.0000000003411000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://albertmonter.comH
Source: adaFirmar.exe String found in binary or memory: http://albertmonter.comX
Source: adaFirmar.exe String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: adaFirmar.exe String found in binary or memory: http://www.color.org;colorspace.rgb.is.not.allowed_all.the.fonts.must.be.embedded.this.one.isn.t.1Mt
Source: adaFirmar.exe String found in binary or memory: http://www.xfa.org/schema/xfa-data/1.0/
Source: adaFirmar.exe String found in binary or memory: https://?1.not.found.as.file.or.resource_you.can.only.add.a.writer.to.a.pdfdocument.once
Source: C:\Users\user\Desktop\adaFirmar.exe Code function: 0_2_055C06E0 0_2_055C06E0
Source: C:\Users\user\Desktop\adaFirmar.exe Code function: 0_2_055C06D8 0_2_055C06D8
Source: adaFirmar.exe, 00000000.00000002.3310429531.000000000132E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs adaFirmar.exe
Source: adaFirmar.exe, 00000000.00000002.3311601309.0000000003411000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs adaFirmar.exe
Source: adaFirmar.exe, 00000000.00000002.3311601309.0000000003411000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: lU,\\StringFileInfo\\000004B0\\OriginalFilenameL. vs adaFirmar.exe
Source: adaFirmar.exe, 00000000.00000000.2045045375.00000000007E2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameitextsharp.dll4 vs adaFirmar.exe
Source: adaFirmar.exe Binary or memory string: OriginalFilenameitextsharp.dll4 vs adaFirmar.exe
Source: classification engine Classification label: clean3.winEXE@1/0@1/0
Source: C:\Users\user\Desktop\adaFirmar.exe Mutant created: NULL
Source: adaFirmar.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: adaFirmar.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\adaFirmar.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: adaFirmar.exe String found in binary or memory: codabar.must.have.one.of.abcd.as.start.stop.character=Codabar must have one of 'ABCD' as start/stop character.
Source: adaFirmar.exe String found in binary or memory: in.codabar.start.stop.characters.are.only.allowed.at.the.extremes=In codabar worden start/stop karakters enkel toegelaten bij begin en einde van de string. [Dutch: In codabar, start/stop characters are only allowed at the beginning and end of the string.]
Source: adaFirmar.exe String found in binary or memory: in.codabar.start.stop.characters.are.only.allowed.at.the.extremes=In codabar, start/stop characters are only allowed at the extremes.
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\adaFirmar.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\adaFirmar.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: adaFirmar.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: adaFirmar.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: adaFirmar.exe Static file information: File size 6352896 > 1048576
Source: adaFirmar.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5e6800
Source: adaFirmar.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\adaFirmar.exe Code function: 0_2_015213C8 push ds; iretd 0_2_015213E5
Source: C:\Users\user\Desktop\adaFirmar.exe Code function: 0_2_01520F60 push ds; iretd 0_2_01520F85
Source: C:\Users\user\Desktop\adaFirmar.exe Code function: 0_2_01521296 push ds; iretd 0_2_015212FD
Source: C:\Users\user\Desktop\adaFirmar.exe Code function: 0_2_01520F04 push ds; iretd 0_2_01520F15
Source: C:\Users\user\Desktop\adaFirmar.exe Code function: 0_2_01520F20 push ds; iretd 0_2_01520F3D
Source: C:\Users\user\Desktop\adaFirmar.exe Code function: 0_2_015209A0 push ds; iretd 0_2_015209CD
Source: C:\Users\user\Desktop\adaFirmar.exe Code function: 0_2_01521328 push ds; iretd 0_2_01521345
Source: C:\Users\user\Desktop\adaFirmar.exe Process information set: NOOPENFILEERRORBOX (repeated 35 times)
Source: C:\Users\user\Desktop\adaFirmar.exe Memory allocated: 17A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\adaFirmar.exe Memory allocated: 3410000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\adaFirmar.exe Memory allocated: 5410000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\adaFirmar.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\adaFirmar.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
No contacted IP infos
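The following is an added example, not part of the sandbox report and not code from the sample or its author. It is a standard-library-only Python triage script that recomputes the facts behind the report's hash and "Static PE information" lines: MD5/SHA1/SHA256, COFF characteristics (EXECUTABLE_IMAGE, 32BIT_MACHINE), DllCharacteristics (DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE), whether the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header, i.e. a .NET image) and IMAGE_DIRECTORY_ENTRY_DEBUG directories are present, and whether the .text section exceeds the 0x100000 size threshold the report uses. The real adaFirmar.exe is not embedded; build_sample_pe() constructs a synthetic PE32 whose header values mirror the report so the script runs offline. The function names, the synthetic image and the BIG_TEXT label are assumptions of this example.

```python
"""Static PE triage: hashes, COFF/DLL characteristics, CLR and DEBUG
directories, .text size.  Standard library only.  build_sample_pe() is a
constructed PE32 image for offline demonstration, NOT the real sample."""
import hashlib
import struct
import sys

COFF_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
DIR_DEBUG, DIR_COM_DESCRIPTOR = 6, 14   # IMAGE_DIRECTORY_ENTRY_* indices
BIG_TEXT = 0x100000                      # the report's ".text bigger than" threshold


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def triage(data: bytes) -> dict:
    """Parse headers only (section data is never read) and return the facts the
    report's 'Static PE information' lines are derived from."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off = opt + 92
    elif magic == 0x20B:    # PE32+: 64-bit stack/heap fields push it to +108
        ndirs_off = opt + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both forms
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    def dir_present(index):
        if index >= ndirs:
            return False
        rva, size = struct.unpack_from("<II", data, ndirs_off + 4 + 8 * index)
        return rva != 0 and size != 0

    sections = []
    for i in range(nsec):
        name, vsize, _, rawsize, _, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "flags": _flags(sflags, SECTION_FLAGS)})
    text = [s for s in sections if s["name"] == ".text"]
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "file_size": len(data),
        "machine": machine,
        "characteristics": _flags(chars, COFF_FLAGS),
        "dll_characteristics": _flags(dllchars, DLL_CHARACTERISTICS),
        "is_dotnet": dir_present(DIR_COM_DESCRIPTOR),   # CLR header present
        "has_debug_dir": dir_present(DIR_DEBUG),        # where a PDB path would live
        "sections": sections,
        "oversized_text": any(s["virtual_size"] > BIG_TEXT or s["raw_size"] > BIG_TEXT
                              for s in text),
    }


def build_sample_pe(text_size=0x5E6800, clr=True, dllchars=0x8540) -> bytes:
    """Constructed PE32 image with one .text section; header values mirror what
    the report lists (0x8540 = DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE),
    but this is synthetic test input, not the analysed sample."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, EXE|32BIT
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 8, 0, text_size, 0, 0, 0x1000, 0x1000, 0, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x1000 + text_size, 0x200, 0,
                      2, dllchars, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b""
    for i in range(16):
        if i == DIR_DEBUG:
            dirs += struct.pack("<II", 0x2000, 0x1C)
        elif i == DIR_COM_DESCRIPTOR and clr:
            dirs += struct.pack("<II", 0x2008, 0x48)
        else:
            dirs += struct.pack("<II", 0, 0)
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, 0x1000, text_size,
                       0x200, 0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
    return (dos + b"PE\0\0" + coff + opt + dirs + sect).ljust(0x200, b"\0") + b"\xCC" * 16


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it with a file path to triage a real binary; with no argument it triages the constructed image. Compare the printed MD5/SHA1/SHA256 against the values at the top of this report before relying on any of its findings for the file you actually hold, since a same-named file is not necessarily the same sample.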