Windows Analysis Report
mwxZCB2H4p.exe

Overview

General Information

Sample name: mwxZCB2H4p.exe
renamed because original name is a hash value
Original sample name: 0--caa9e43f3ef3c754ca7097afdc8e58b7ec5a7ad5.exe
Analysis ID: 1546795
MD5: 4177c8eec4bc090b5d40d78cb9b2997c
SHA1: caa9e43f3ef3c754ca7097afdc8e58b7ec5a7ad5
SHA256: 23d262493fcf4d1c896754ba8748ca6b1186db3f17304bcfa28b0b737917f771
Tags: exeReversingLabsuser-NDA0E
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: mwxZCB2H4p.exe ReversingLabs: Detection: 52%
Machine Learning detection for sample
Source: mwxZCB2H4p.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: mwxZCB2H4p.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: PerformanceCounterInstaller.pdb source: mwxZCB2H4p.exe
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: mwxZCB2H4p.exe
Source: Binary string: mshta.pdb\/ source: mwxZCB2H4p.exe
Source: Binary string: dwtrig20.pdbsplab1\otools\BBT_TEMP\DWTRIG20O.pdb source: mwxZCB2H4p.exe, 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, mwxZCB2H4p.exe, 00000003.00000000.1276930809.0000000030001000.00000020.00000001.01000000.00000003.sdmp
Source: Binary string: g:\Acro_root_at\Acrobat\Viewer\Win\output\acrobat\AcroRd32Exe.pdb source: mwxZCB2H4p.exe
Source: Binary string: dwtrig20.pdbsplab1\otools\BBT_TEMP\DWTRIG20O.pdbpe0Xe0 source: mwxZCB2H4p.exe
Source: Binary string: g:\acro_root_at\acrobat\systemsynchronizer\synchronizerapp\build\win\release\AdobeCollabSync.pdb source: mwxZCB2H4p.exe
Source: Binary string: dwtrig20.pdb source: mwxZCB2H4p.exe
Source: Binary string: dw20.pdb\devsplab1\otools\BBT_TEMP\DW20O.pdb source: mwxZCB2H4p.exe
Source: Binary string: g:\acro_root_at\acrobat\installers\bootstrapexe_small\release\Setup.pdb source: mwxZCB2H4p.exe
Source: Binary string: PerformanceCounterInstaller.pdbx2 source: mwxZCB2H4p.exe
Source: Binary string: dw20.pdb source: mwxZCB2H4p.exe
Source: Binary string: splab1\otools\BBT_TEMP\DWTRIG20O.pdb source: mwxZCB2H4p.exe
Source: Binary string: mshta.pdb source: mwxZCB2H4p.exe
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: mwxZCB2H4p.exe
Source: Binary string: \devsplab1\otools\BBT_TEMP\DW20O.pdb source: mwxZCB2H4p.exe
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49763
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49972
Source: mwxZCB2H4p.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mwxZCB2H4p.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: mwxZCB2H4p.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: mwxZCB2H4p.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mwxZCB2H4p.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mwxZCB2H4p.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: mwxZCB2H4p.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: mwxZCB2H4p.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mwxZCB2H4p.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: mwxZCB2H4p.exe String found in binary or memory: http://ocsp.digicert.com0
Source: mwxZCB2H4p.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: mwxZCB2H4p.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: mwxZCB2H4p.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: mwxZCB2H4p.exe String found in binary or memory: http://www.7-zip.org/8
Source: mwxZCB2H4p.exe String found in binary or memory: http://www.digicert.com/CPS0
Sample file is different than original file name gathered from version info
Source: mwxZCB2H4p.exe, 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedwtrig20.exe vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe Binary or memory string: OriginalFilenamedwtrig20.exe vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe Binary or memory string: OriginalFilenameFirewall.exe vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe Binary or memory string: OriginalFilenamePerformanceCounterInstaller.exeX vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe Binary or memory string: OriginalFilenameMSHTA.EXEj% vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe Binary or memory string: OriginalFilenameSetup.exeF vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe Binary or memory string: OriginalFilenameAcroRd32.exeB vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe Binary or memory string: OriginalFilenameDW20.Exel& vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe Binary or memory string: OriginalFilenameAdobeCollabSync.exeb! vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe Binary or memory string: OriginalFilenameWCChromeNativeMessagingHost.exeB vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe Binary or memory string: OriginalFilename7zFM.exe, vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe Binary or memory string: OriginalFilename7z.exe, vs mwxZCB2H4p.exe
Uses 32bit PE files
Source: mwxZCB2H4p.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: mwxZCB2H4p.exe Binary or memory string: @p@*\AC:\Program Files\Microsoft Visual Studio\VB98\pjtbinder.vbp
Source: mwxZCB2H4p.exe Binary or memory string: B*\AC:\virus\ash\ash.vbp|$@"
Source: classification engine Classification label: mal52.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\mwxZCB2H4p.exe Code function: 3_2_300026B1 CoCreateInstance,CoCreateInstance,SysAllocString,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysFreeString,CoCreateInstance,SysAllocString,SysFreeString, 3_2_300026B1
Source: mwxZCB2H4p.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mwxZCB2H4p.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.72%
Source: C:\Users\user\Desktop\mwxZCB2H4p.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: mwxZCB2H4p.exe ReversingLabs: Detection: 52%
Source: mwxZCB2H4p.exe String found in binary or memory: -help
Source: mwxZCB2H4p.exe String found in binary or memory: Check charset encoding and -scs switch.Cannot find listfilebsobbbtbdba-helph?asut012sea0-SeLockMemoryPrivilegeSeCreateSymbolicLinkPrivilegeSeRestorePrivilege
Source: C:\Users\user\Desktop\mwxZCB2H4p.exe Section loaded: apphelp.dll Jump to behavior
Source: mwxZCB2H4p.exe Static file information: File size 6839806 > 1048576
Source: mwxZCB2H4p.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: PerformanceCounterInstaller.pdb source: mwxZCB2H4p.exe
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: mwxZCB2H4p.exe
Source: Binary string: mshta.pdb\/ source: mwxZCB2H4p.exe
Source: Binary string: dwtrig20.pdbsplab1\otools\BBT_TEMP\DWTRIG20O.pdb source: mwxZCB2H4p.exe, 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, mwxZCB2H4p.exe, 00000003.00000000.1276930809.0000000030001000.00000020.00000001.01000000.00000003.sdmp
Source: Binary string: g:\Acro_root_at\Acrobat\Viewer\Win\output\acrobat\AcroRd32Exe.pdb source: mwxZCB2H4p.exe
Source: Binary string: dwtrig20.pdbsplab1\otools\BBT_TEMP\DWTRIG20O.pdbpe0Xe0 source: mwxZCB2H4p.exe
Source: Binary string: g:\acro_root_at\acrobat\systemsynchronizer\synchronizerapp\build\win\release\AdobeCollabSync.pdb source: mwxZCB2H4p.exe
Source: Binary string: dwtrig20.pdb source: mwxZCB2H4p.exe
Source: Binary string: dw20.pdb\devsplab1\otools\BBT_TEMP\DW20O.pdb source: mwxZCB2H4p.exe
Source: Binary string: g:\acro_root_at\acrobat\installers\bootstrapexe_small\release\Setup.pdb source: mwxZCB2H4p.exe
Source: Binary string: PerformanceCounterInstaller.pdbx2 source: mwxZCB2H4p.exe
Source: Binary string: dw20.pdb source: mwxZCB2H4p.exe
Source: Binary string: splab1\otools\BBT_TEMP\DWTRIG20O.pdb source: mwxZCB2H4p.exe
Source: Binary string: mshta.pdb source: mwxZCB2H4p.exe
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: mwxZCB2H4p.exe
Source: Binary string: \devsplab1\otools\BBT_TEMP\DW20O.pdb source: mwxZCB2H4p.exe
PE file contains an invalid checksum
Source: mwxZCB2H4p.exe Static PE information: real checksum: 0x11e87 should be: 0x694dde
PE file contains sections with non-standard names
Source: mwxZCB2H4p.exe Static PE information: section name: .cdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\mwxZCB2H4p.exe Code function: 3_2_30006501 push ecx; ret 3_2_30006511
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\mwxZCB2H4p.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\mwxZCB2H4p.exe API coverage: 8.0 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\mwxZCB2H4p.exe Code function: 3_2_300063F9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_300063F9
Source: C:\Users\user\Desktop\mwxZCB2H4p.exe Code function: 3_2_30005916 LocalAlloc,LocalAlloc,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,LocalFree,LocalFree, 3_2_30005916
Source: C:\Users\user\Desktop\mwxZCB2H4p.exe Code function: 3_2_30002406 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 3_2_30002406
Source: C:\Users\user\Desktop\mwxZCB2H4p.exe Code function: 3_2_30006380 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,VirtualProtect, 3_2_30006380
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1546795 Sample: mwxZCB2H4p.exe Startdate: 01/11/2024 Architecture: WINDOWS Score: 52 7 Multi AV Scanner detection for submitted file 2->7 9 Machine Learning detection for sample 2->9 5 mwxZCB2H4p.exe 2->5         started        process3
No contacted IP infos