Windows Analysis Report
d3d11_hook.exe

Overview

General Information

Sample name: d3d11_hook.exe
Analysis ID: 1545838
MD5: 8176aa431cb8e5204cd512834dcb81b8
SHA1: 8a92ae0db3cc9c7cd5dac2d75358fde13db60b52
SHA256: 60dd5f2cab860dff3fa2a8dc9391ac1fc2de61c03f3d7af92d46bae7ce91b0db
Tags: exeuser-lontze7

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to inject threads in other processes
Found potential dummy code loops (likely to delay analysis)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.6% probability
Source: d3d11_hook.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\WeepingAngel\Desktop\CodeX Injector\Injectzor\CodeX DLL Loader\x64\Release\CodeX DLL injector.pdb source: d3d11_hook.exe
Source: Binary string: C:\Users\WeepingAngel\Desktop\CodeX Injector\Injectzor\CodeX DLL Loader\x64\Release\CodeX DLL injector.pdb%% source: d3d11_hook.exe
Source: C:\Users\user\Desktop\d3d11_hook.exe Code function: 0_2_00007FF7EFC61250 0_2_00007FF7EFC61250
Source: classification engine Classification label: mal52.evad.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\d3d11_hook.exe Code function: 0_2_00007FF7EFC61250 _time64,srand,rand,SetConsoleTitleW,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,CreateToolhelp32Snapshot,Process32FirstW,_wcsicmp,Process32NextW,CloseHandle,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z,OpenProcess,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,VirtualAllocEx,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z,WriteProcessMemory,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,LoadLibraryW,CreateRemoteThread,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z,WaitForSingleObject,GetExitCodeThread,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z,GetLastError,GetLastError,?wcerr@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,SleepEx,GetLastError,?wcerr@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z,CloseHandle,CloseHandle,GetLastError,GetLastError,GetLastError,?wcerr@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z,CloseHandle,GetLastError,?wcerr@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,Sleep,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7EFC61250
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4364:120:WilError_03
Source: d3d11_hook.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\d3d11_hook.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\d3d11_hook.exe "C:\Users\user\Desktop\d3d11_hook.exe"
Source: C:\Users\user\Desktop\d3d11_hook.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\d3d11_hook.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\d3d11_hook.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\d3d11_hook.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\d3d11_hook.exe Section loaded: vcruntime140.dll
Source: d3d11_hook.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: d3d11_hook.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: d3d11_hook.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: d3d11_hook.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: d3d11_hook.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: d3d11_hook.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: d3d11_hook.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: d3d11_hook.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: d3d11_hook.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: d3d11_hook.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: d3d11_hook.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: d3d11_hook.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\d3d11_hook.exe Window / User API: threadDelayed 3895
Source: C:\Users\user\Desktop\d3d11_hook.exe Window / User API: threadDelayed 6104
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 8385
Source: C:\Users\user\Desktop\d3d11_hook.exe TID: 3636 Thread sleep count: 3895 > 30
Source: C:\Users\user\Desktop\d3d11_hook.exe TID: 3636 Thread sleep time: -3895000s >= -30000s
Source: C:\Users\user\Desktop\d3d11_hook.exe TID: 3636 Thread sleep count: 6104 > 30
Source: C:\Users\user\Desktop\d3d11_hook.exe TID: 3636 Thread sleep time: -6104000s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\d3d11_hook.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\d3d11_hook.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\d3d11_hook.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\d3d11_hook.exe Code function: 0_2_00007FF7EFC62690 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7EFC62690
Source: C:\Users\user\Desktop\d3d11_hook.exe Code function: 0_2_00007FF7EFC62388 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7EFC62388
Source: C:\Users\user\Desktop\d3d11_hook.exe Code function: 0_2_00007FF7EFC62834 SetUnhandledExceptionFilter, 0_2_00007FF7EFC62834

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\d3d11_hook.exe Code function: 0_2_00007FF7EFC6256C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7EFC6256C
No contacted IP infos