Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546539
MD5:	481c8b24c57da4a1a61f3ba321f84c5c
SHA1:	57b83e709ddf9067f94e3831f6cc2e18f59c42ee
SHA256:	f3daf351dc8d9b8ec19991e83ad7344d18124790592e971cf3d93070c0800c33
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.2327069380.0000000000672000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2192766894.0000000005240000.00000004.00001000.00020000.00000000.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EF927		0_2_007EF927
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007ECA6D		0_2_007ECA6D

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2336985253.000000000159E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2153345254.0000000000676000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067F306 push edx; mov dword ptr [esp], 7FF24C0Fh	0_2_0067F313
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FC6FB push ebx; mov dword ptr [esp], 75FF5AA7h	0_2_00800391
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EE752 push 1AA157B5h; mov dword ptr [esp], ebx	0_2_007EE7E9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EE752 push ebx; mov dword ptr [esp], esi	0_2_007EE81B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EE752 push ebp; mov dword ptr [esp], edi	0_2_007EE84A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067E871 push edx; mov dword ptr [esp], edi	0_2_0067EB33
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EE922 push ebx; mov dword ptr [esp], ebp	0_2_007EE9AA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EE922 push edi; mov dword ptr [esp], eax	0_2_007EEA68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FB076 push 0775148Fh; mov dword ptr [esp], eax	0_2_007FB081
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00681064 push esi; mov dword ptr [esp], 74EF328Ah	0_2_00683161
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00681064 push 7193EE01h; mov dword ptr [esp], ebp	0_2_00683BC5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AD085 push 111338B1h; mov dword ptr [esp], edi	0_2_008AD0AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067C054 push esi; mov dword ptr [esp], edi	0_2_0067C055
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067F05E push edx; mov dword ptr [esp], eax	0_2_0067E9D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F7026 push ss; ret	0_2_007F703A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008720E6 push eax; mov dword ptr [esp], ecx	0_2_008721A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FC000 push 22A0110Fh; mov dword ptr [esp], ecx	0_2_007FC00B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F80F3 push edx; mov dword ptr [esp], ebp	0_2_007F81E9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F80F3 push eax; mov dword ptr [esp], esi	0_2_007F81ED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067D0F0 push edi; iretd	0_2_0067D0FB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067D0FC push 148DDD91h; mov dword ptr [esp], ebp	0_2_0067D846
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FF0DA push edx; mov dword ptr [esp], edi	0_2_007FF0EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EF0C1 push eax; mov dword ptr [esp], ebp	0_2_007EF12C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EF0C1 push 16D9FD06h; mov dword ptr [esp], ebx	0_2_007EF18E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EF0C1 push ebx; mov dword ptr [esp], ebp	0_2_007EF1B2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EF0C1 push ebx; mov dword ptr [esp], ecx	0_2_007EF1D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EF0C1 push ebp; mov dword ptr [esp], ecx	0_2_007EF256
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006810A2 push ebx; mov dword ptr [esp], eax	0_2_006810AE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006810A2 push esi; mov dword ptr [esp], edx	0_2_0068313F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067C0B4 push ecx; mov dword ptr [esp], eax	0_2_0067C0BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081D07E push ecx; mov dword ptr [esp], 7F3E914Ah	0_2_0081D0B8

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 67DE26 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 844723 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 81EFC1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 67DD51 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 8AE6C4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 685D83 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 55F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 75F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0F7B second address: 7E0F7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE604 second address: 7EE613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnc 00007FB5DCEC5E08h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EE772 second address: 7EE7BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 push esi 0x00000008 jno 00007FB5DCC70B26h 0x0000000e jmp 00007FB5DCC70B30h 0x00000013 pop esi 0x00000014 push esi 0x00000015 jmp 00007FB5DCC70B38h 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FB5DCC70B30h 0x00000022 push edi 0x00000023 pop edi 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EEDD9 second address: 7EEDF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCEC5E11h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EEDF2 second address: 7EEDF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EEDF6 second address: 7EEDFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1E7F second address: 7F1E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1E83 second address: 7F1E89 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1E89 second address: 7F1ED0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB5DCC70B38h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov esi, 1474B0ECh 0x00000015 push 00000000h 0x00000017 call 00007FB5DCC70B29h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FB5DCC70B32h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1ED0 second address: 7F1ED6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1ED6 second address: 7F1EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1EDA second address: 7F1F10 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB5DCEC5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FB5DCEC5E10h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push edi 0x00000017 jnl 00007FB5DCEC5E0Ch 0x0000001d pop edi 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 push ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1F10 second address: 7F1F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1F15 second address: 7F1F80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCEC5E0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007FB5DCEC5E15h 0x00000012 pop eax 0x00000013 jl 00007FB5DCEC5E19h 0x00000019 call 00007FB5DCEC5E11h 0x0000001e stc 0x0000001f pop ecx 0x00000020 push 00000003h 0x00000022 xor dword ptr [ebp+122D29DDh], eax 0x00000028 push 00000000h 0x0000002a mov ecx, edx 0x0000002c push 00000003h 0x0000002e or dword ptr [ebp+122D2442h], edx 0x00000034 call 00007FB5DCEC5E09h 0x00000039 jc 00007FB5DCEC5E10h 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1F80 second address: 7F1F8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1F8B second address: 7F200B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FB5DCEC5E10h 0x0000000f mov eax, dword ptr [eax] 0x00000011 push ebx 0x00000012 push ecx 0x00000013 jns 00007FB5DCEC5E06h 0x00000019 pop ecx 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jmp 00007FB5DCEC5E19h 0x00000024 pop eax 0x00000025 call 00007FB5DCEC5E19h 0x0000002a mov di, dx 0x0000002d pop ecx 0x0000002e lea ebx, dword ptr [ebp+12447D6Dh] 0x00000034 jmp 00007FB5DCEC5E0Eh 0x00000039 xchg eax, ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c jl 00007FB5DCEC5E08h 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F20A1 second address: 7F2110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnc 00007FB5DCC70B2Ch 0x0000000b popad 0x0000000c xor dword ptr [esp], 1BB7F37Bh 0x00000013 jnl 00007FB5DCC70B2Ch 0x00000019 push 00000003h 0x0000001b push edi 0x0000001c push esi 0x0000001d movzx edi, si 0x00000020 pop esi 0x00000021 pop edx 0x00000022 push 00000000h 0x00000024 push esi 0x00000025 add dword ptr [ebp+122D1CA0h], eax 0x0000002b pop edx 0x0000002c push 00000003h 0x0000002e push ecx 0x0000002f mov dword ptr [ebp+122D2530h], eax 0x00000035 pop ecx 0x00000036 push D109BDD1h 0x0000003b push edx 0x0000003c push eax 0x0000003d pushad 0x0000003e popad 0x0000003f pop eax 0x00000040 pop edx 0x00000041 xor dword ptr [esp], 1109BDD1h 0x00000048 mov edx, dword ptr [ebp+122D3B33h] 0x0000004e lea ebx, dword ptr [ebp+12447D76h] 0x00000054 mov di, si 0x00000057 sub dword ptr [ebp+122D288Fh], edx 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F2110 second address: 7F2117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F2117 second address: 7F211C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 803B7D second address: 803B82 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 811F6B second address: 811F71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 811F71 second address: 811F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FB5DCEC5E10h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80FE82 second address: 80FE86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810186 second address: 810192 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB5DCEC5E0Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810192 second address: 8101AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FB5DCC70B34h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8101AE second address: 8101B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810440 second address: 810445 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81073E second address: 81076F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB5DCEC5E06h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push eax 0x0000000e jbe 00007FB5DCEC5E08h 0x00000014 pushad 0x00000015 jmp 00007FB5DCEC5E12h 0x0000001a jbe 00007FB5DCEC5E06h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810A3D second address: 810A41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810A41 second address: 810A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCEC5E0Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FB5DCEC5E12h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810A6A second address: 810A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810A72 second address: 810AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB5DCEC5E0Eh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FB5DCEC5E14h 0x00000013 jno 00007FB5DCEC5E0Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810AA6 second address: 810ABD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FB5DCC70B26h 0x00000009 jc 00007FB5DCC70B26h 0x0000000f jg 00007FB5DCC70B26h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 811041 second address: 811054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jns 00007FB5DCEC5E0Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 811054 second address: 811059 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 808DB1 second address: 808DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FB5DCEC5E16h 0x0000000b popad 0x0000000c jmp 00007FB5DCEC5E13h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 808DE1 second address: 808DF1 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB5DCC70B32h 0x00000008 jnl 00007FB5DCC70B26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 811725 second address: 81172F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB5DCEC5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81198F second address: 811999 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB5DCC70B26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 811999 second address: 8119B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnl 00007FB5DCEC5E06h 0x0000000d jnl 00007FB5DCEC5E06h 0x00000013 pop edi 0x00000014 pop edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

ID:	1546539
Product:	CloudBasic
Start time:	05:01:09
Start date:	01.11.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	481c8b24c57da4a1a61f3ba321f84c5c
SHA1:	57b83e709ddf9067f94e3831f6cc2e18f59c42ee
SHA256:	f3daf351dc8d9b8ec19991e83ad7344d18124790592e971cf3d93070c0800c33
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
file.exe