Windows Analysis Report
reup.exe

Overview

General Information

Sample name: reup.exe
Analysis ID: 1545842
MD5: 30fd08b6909e7c61ab934da1c9bb8e40
SHA1: 26f97535f923195475166c3fa7bc197aced503a4
SHA256: 63aa7252e7e0fb3da2dad75515190be17087dd67b592d3f6212a9e8f9825ab01
Tags: exe, user-lontze7

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: reup.exe ReversingLabs: Detection: 28%
Source: reup.exe Virustotal: Detection: 30%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.4% probability
Source: reup.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\reup.exe Code function: 0_2_00007FF7F05E14CB CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey, 0_2_00007FF7F05E14CB
Source: C:\Users\user\Desktop\reup.exe Code function: 0_2_00007FF7F05F3290 CryptDeriveKey, 0_2_00007FF7F05F3290
Source: C:\Users\user\Desktop\reup.exe Code function: 0_2_00007FF7F05F32A8 CryptHashData, 0_2_00007FF7F05F32A8
Source: reup.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\reup.exe Code function: 4x nop then sub rsp, 58h 0_2_00007FF7F05E1A80
Source: C:\Users\user\Desktop\reup.exe Code function: 4x nop then push rbx 0_2_00007FF7F05E1E24
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\reup.exe Code function: 0_2_00007FF7F05E7E10 FreeConsole,GetModuleHandleA,GetModuleHandleA,VirtualAlloc,Sleep,SleepEx,GetModuleHandleA,GetCurrentProcess,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,NtProtectVirtualMemory,GetModuleHandleA,GetCurrentThread,NtQueueApcThread, 0_2_00007FF7F05E7E10
Source: C:\Users\user\Desktop\reup.exe Code function: 0_2_00007FF7F05E4FF0 0_2_00007FF7F05E4FF0
Source: C:\Users\user\Desktop\reup.exe Code function: 0_2_00007FF7F05E3DF0 0_2_00007FF7F05E3DF0
Source: C:\Users\user\Desktop\reup.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7384 -s 240
Source: reup.exe Static PE information: Number of sections : 20 > 10
Source: classification engine Classification label: mal60.evad.winEXE@2/5@0/0
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7384
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4c442b6f-c67d-4627-8e59-968eb6e033ab
Source: reup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\reup.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\reup.exe "C:\Users\user\Desktop\reup.exe"
Source: C:\Users\user\Desktop\reup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\reup.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\reup.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\reup.exe Section loaded: cryptbase.dll
Source: reup.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: reup.exe Static PE information: section name: .xdata
Source: reup.exe Static PE information: section name: /4
Source: reup.exe Static PE information: section name: /19
Source: reup.exe Static PE information: section name: /31
Source: reup.exe Static PE information: section name: /45
Source: reup.exe Static PE information: section name: /57
Source: reup.exe Static PE information: section name: /70
Source: reup.exe Static PE information: section name: /81
Source: reup.exe Static PE information: section name: /97
Source: reup.exe Static PE information: section name: /113
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\reup.exe Code function: 0_2_00007FF7F05E1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 0_2_00007FF7F05E1180

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\reup.exe NtProtectVirtualMemory: Indirect: 0x7FF7F05E7F6C
Source: C:\Users\user\Desktop\reup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
No contacted IP infos