Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545751
MD5: d51eb63974474a6e7547c8f3ee8f5c93
SHA1: 858252c9d48b5849176b19dc464af8a3ce9d6568
SHA256: cbb2935e499f3c88e862bdd46f5710774b232aa9ba85cc30006236a6f4503db2
Tags: exeuser-Bitsight

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function
Entry point lies outside standard sections
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different from original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe, 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://193.169.105.15:3000/download/seyhhdBuild.exeC:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A14860 0_2_00007FF6D1A14860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A12080 0_2_00007FF6D1A12080
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A13320 0_2_00007FF6D1A13320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1BED2F1 0_2_00007FF6D1BED2F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A151A0 0_2_00007FF6D1A151A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A1435B 0_2_00007FF6D1A1435B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A12340 0_2_00007FF6D1A12340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A11340 0_2_00007FF6D1A11340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A135C0 0_2_00007FF6D1A135C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A2504C 0_2_00007FF6D1A2504C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A18880 0_2_00007FF6D1A18880
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A14829 0_2_00007FF6D1A14829
Source: file.exe, 00000000.00000003.2042527988.000001A3BB962000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs file.exe
Source: file.exe, 00000000.00000002.2042835645.000001A3BB963000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs file.exe
Source: classification engine Classification label: mal56.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 3653120 > 1048576
Source: file.exe Static PE information: Raw size of .abx is bigger than: 0x100000 < 0x379600
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: initial sample Static PE information: section where entry point is pointing to: .abx
Source: file.exe Static PE information: section name: ._/b
Source: file.exe Static PE information: section name: .DIl
Source: file.exe Static PE information: section name: .abx
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A19936 push rsi; iretd 0_2_00007FF6D1A19937
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A23BD7 push rax; ret 0_2_00007FF6D1A23BD8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A22F10 push rdi; retf 0_2_00007FF6D1A22F11
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1A228B9 push rbx; iretd 0_2_00007FF6D1A228C1

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3556 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3556 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\file.exe File opened / queried: HGFS
Source: C:\Users\user\Desktop\file.exe File opened / queried: VBoxMiniRdrDN
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6D1F53225 rdtsc 0_2_00007FF6D1F53225
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe NtMapViewOfSection: Direct from: 0x7FF6D1CBD61A
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Indirect: 0x7FF6D1C17FD4
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x7FF6D1ED7FE6
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x7FF6D1C71678
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x7FF6D1C66A48
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x7FF6D1F0A270
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x7FF6D1EDF15C
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x7FF6D1CCBF20
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x7FF6D1EF227F
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x7FF6D1F114E7
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x7FF6D1C553C2
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x7FF6D1C3D3FA
Source: C:\Users\user\Desktop\file.exe NtUnmapViewOfSection: Direct from: 0x7FF6D1C6CE80

No contacted IP information