Windows Analysis Report
nteste.exe

Overview

General Information

Sample name: nteste.exe
Analysis ID: 1546271
MD5: 5367157a35583431b54b30426831640a
SHA1: 8cb18452a832b235e376274f3f67125ed73da76c
SHA256: a1ea9eb86e26f04236bf7f47a63912af16f70463c47f8fd785f6e0f97d41c769
Tags: exe, user-Porcupine

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality to dynamically determine API calls
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\Desktop\CamScanner 23-10-2024 19.12.pdf Joe Sandbox ML: detected
Source: nteste.exe Joe Sandbox ML: detected
Source: nteste.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\nteste.exe Code function: 0_2_00403E52 FindFirstFileW, 0_2_00403E52
Source: C:\Users\user\Desktop\nteste.exe Code function: 0_2_004045A6 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 0_2_004045A6
Source: C:\Users\user\Desktop\nteste.exe Code function: String function: 004020F6 appears 69 times
Source: C:\Users\user\Desktop\nteste.exe Code function: String function: 00427400 appears 234 times
Source: nteste.exe, 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7z.sfx.exe, vs nteste.exe
Source: nteste.exe Binary or memory string: OriginalFilename7z.sfx.exe, vs nteste.exe
Source: classification engine Classification label: mal48.winEXE@1/3@0/0
Source: CamScanner 23-10-2024 19.13.pdf.0.dr Initial sample: https://v3.camscanner.com/user/download
Source: C:\Users\user\Desktop\nteste.exe Code function: 0_2_004134A3 __EH_prolog,_CxxThrowException,_CxxThrowException,CoCreateInstance, 0_2_004134A3
Source: C:\Users\user\Desktop\nteste.exe File created: C:\Users\user\Desktop\CamScanner 23-10-2024 19.12.pdf
Source: nteste.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nteste.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\nteste.exe File read: C:\Users\user\Desktop\nteste.exe
Source: C:\Users\user\Desktop\nteste.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\nteste.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\nteste.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\nteste.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\nteste.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\nteste.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\nteste.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\nteste.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\nteste.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\nteste.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\nteste.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: nteste.exe Static file information: File size 2743085 > 1048576
Source: C:\Users\user\Desktop\nteste.exe Code function: 0_2_0040195E LoadLibraryW,GetProcAddress,memset,FreeLibrary, 0_2_0040195E
Source: nteste.exe Static PE information: section name: .sxdata
Source: C:\Users\user\Desktop\nteste.exe Code function: 0_2_00427400 push eax; ret 0_2_0042741E
Source: C:\Users\user\Desktop\nteste.exe Code function: 0_2_00427790 push eax; ret 0_2_004277BE
Source: C:\Users\user\Desktop\nteste.exe Code function: 0_2_0041FED0 push ecx; mov dword ptr [esp], ecx 0_2_0041FED1
Source: C:\Users\user\Desktop\nteste.exe Code function: 0_2_0040592F GetSystemInfo, 0_2_0040592F
Source: C:\Users\user\Desktop\nteste.exe Code function: 0_2_004200F0 GetVersionExW, 0_2_004200F0
No contacted IP information