Windows Analysis Report
2hp5ee36OS.exe

Overview

General Information

Sample name: 2hp5ee36OS.exe
renamed because original name is a hash value
Original sample name: 1a0fcfdf65df1a067df718ddf594b8e27e17a744.exe
Analysis ID: 1546798
MD5: 26ae69324cec59aec90936fa0c18882e
SHA1: 1a0fcfdf65df1a067df718ddf594b8e27e17a744
SHA256: d014b70080dc2525f222f7eb5aa8c97b35ac366f2c1ad0e0b656f7879d4cb4a1
Tags: exe, ReversingLabs, user-NDA0E

Detection

FloodFix
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FloodFix
AI detected suspicious sample
Machine Learning detection for dropped file
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 2hp5ee36OS.exe Avira: detected
Source: C:\Program Files\Common Files\System\symsrv.dll Avira: detection malicious, Label: TR/Floxif.BB
Source: C:\Program Files\Common Files\System\symsrv.dll ReversingLabs: Detection: 100%
Source: 2hp5ee36OS.exe ReversingLabs: Detection: 94%
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Program Files\Common Files\System\symsrv.dll Joe Sandbox ML: detected
Source: 2hp5ee36OS.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Directory created: C:\Program Files\Common Files\System\symsrv.dll

Spreading

Source: Yara match File source: 0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2hp5ee36OS.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00408F58 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00408F58
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_1000AFBB GetFileAttributesA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_1000AFBB
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_100060BA FindFirstFileA,FindNextFileA,FindClose,GetTickCount, 0_2_100060BA
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_100083FF GetDriveTypeA,FindFirstFileA,FindClose, 0_2_100083FF
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_100066AC FindFirstFileA,FindNextFileA,FindClose,GetTickCount, 0_2_100066AC
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_10007752 GetDriveTypeA,FindFirstFileA,FindClose,SetErrorMode,_rand, 0_2_10007752
Source: 2hp5ee36OS.exe, 00000000.00000003.1399399640.0000000000684000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5isohu.com/
Source: 2hp5ee36OS.exe, 00000000.00000003.1399399640.0000000000684000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5isohu.com/Z
Source: 2hp5ee36OS.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 2hp5ee36OS.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 2hp5ee36OS.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 2hp5ee36OS.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 2hp5ee36OS.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 2hp5ee36OS.exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 2hp5ee36OS.exe String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 2hp5ee36OS.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 2hp5ee36OS.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 2hp5ee36OS.exe String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 2hp5ee36OS.exe String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: 2hp5ee36OS.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 2hp5ee36OS.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: 2hp5ee36OS.exe String found in binary or memory: http://ocsp.digicert.com0H
Source: 2hp5ee36OS.exe String found in binary or memory: http://ocsp.digicert.com0I
Source: 2hp5ee36OS.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: 2hp5ee36OS.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: 2hp5ee36OS.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 2hp5ee36OS.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00407462 OpenClipboard, 0_2_00407462
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00407522 SetClipboardData, 0_2_00407522
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_0040720A GetClipboardData, 0_2_0040720A
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_0040727A GetKeyboardState, 0_2_0040727A

System Summary

Source: 2hp5ee36OS.exe, type: SAMPLE Matched rule: Malware - Floxif Author: Florian Roth
Source: 0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Floxif Malware Author: Florian Roth
Source: 0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects FloodFix Author: ditekSHen
Source: 0.2.2hp5ee36OS.exe.10000000.2.unpack, type: UNPACKEDPE Matched rule: Detects Floxif Malware Author: Florian Roth
Source: 0.2.2hp5ee36OS.exe.10000000.2.unpack, type: UNPACKEDPE Matched rule: Detects FloodFix Author: ditekSHen
Source: 0.0.2hp5ee36OS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Malware - Floxif Author: Florian Roth
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED Matched rule: Detects Floxif Malware Author: Florian Roth
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED Matched rule: Detects FloodFix Author: ditekSHen
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_004070EA NtdllDefWindowProc_A, 0_2_004070EA
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_1000C855 0_2_1000C855
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_1001A909 0_2_1001A909
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_100129F0 0_2_100129F0
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_10017432 0_2_10017432
Source: Joe Sandbox View Dropped File: C:\Program Files\Common Files\System\symsrv.dll DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
Source: 2hp5ee36OS.exe, 00000000.00000002.1446438155.0000000002161000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameN vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, 00000000.00000002.1446438155.0000000002161000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLanguagePack vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, 00000000.00000003.1399399640.0000000000684000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename N vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, 00000000.00000003.1399399640.0000000000684000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: originalfilename n vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameLanguagePack vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, 00000000.00000000.1394963824.000000000048D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameN vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, 00000000.00000003.1399379165.00000000027F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLanguagePack vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe Binary or memory string: OriginalFilenameN vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, type: SAMPLE Matched rule: Malware_Floxif_mpsvc_dll date = 2017-04-07, hash1 = 1e654ee1c4736f4ccb8b5b7aa604782cfb584068df4d9e006de8009e60ab5a14, author = Florian Roth, description = Malware - Floxif, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Floxif_Generic date = 2018-05-11, author = Florian Roth, description = Detects Floxif Malware, score = de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_FloodFix author = ditekSHen, description = Detects FloodFix
Source: 0.2.2hp5ee36OS.exe.10000000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Floxif_Generic date = 2018-05-11, author = Florian Roth, description = Detects Floxif Malware, score = de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.2hp5ee36OS.exe.10000000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_FloodFix author = ditekSHen, description = Detects FloodFix
Source: 0.0.2hp5ee36OS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Malware_Floxif_mpsvc_dll date = 2017-04-07, hash1 = 1e654ee1c4736f4ccb8b5b7aa604782cfb584068df4d9e006de8009e60ab5a14, author = Florian Roth, description = Malware - Floxif, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED Matched rule: MAL_Floxif_Generic date = 2018-05-11, author = Florian Roth, description = Detects Floxif Malware, score = de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED Matched rule: MALWARE_Win_FloodFix author = ditekSHen, description = Detects FloodFix
Source: classification engine Classification label: mal96.troj.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_1000469C LookupPrivilegeValueA,LoadLibraryA,GetProcAddress,AdjustTokenPrivileges,GetLastError, 0_2_1000469C
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00406C12 GetDiskFreeSpaceA, 0_2_00406C12
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_10007965 CreateToolhelp32Snapshot,Module32First,Module32Next,CloseHandle, 0_2_10007965
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00406D62 SizeofResource, 0_2_00406D62
Source: C:\Users\user\Desktop\2hp5ee36OS.exe File created: C:\Program Files\Common Files\System\symsrv.dll
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Mutant created: \Sessions\1\BaseNamedObjects\FSFocus
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\2hp5ee36OS.exe File read: C:\Users\user\Desktop\2hp5ee36OS.exe
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Section loaded: ws2help.dll
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_1000C855 GetModuleFileNameA,Sleep,GetCurrentThreadId,GetCurrentProcessId,KiUserExceptionDispatcher,GetSystemDirectoryA,GetWindowsDirectoryA,GetTempPathA,GetModuleHandleA,LoadLibraryA,GetProcAddress,WriteProcessMemory,RtlInitializeCriticalSection,RtlInitializeCriticalSection,GetModuleFileNameA,GetShortPathNameA,_rand,Sleep,Sleep,Sleep,Sleep,Sleep,_rand,_rand, 0_2_1000C855
Source: symsrv.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x1f436
Source: 2hp5ee36OS.exe Static PE information: real checksum: 0x9f638 should be: 0xb4b1f
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00406844 push 00406895h; ret 0_2_0040688D
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00406842 push 00406895h; ret 0_2_0040688D
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_0040785C push 00407888h; ret 0_2_00407880
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00483004 push 00483020h; ret 0_2_00483018
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_004830CC push 004830F2h; ret 0_2_004830EA
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_004078CD push 00407BF0h; ret 0_2_00407BE8
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00407894 push 004078C0h; ret 0_2_004078B8
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00406A28 push 00406A54h; ret 0_2_00406A4C
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00406AE4 push 00406B10h; ret 0_2_00406B08
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_004076FC push ecx; mov dword ptr [esp], eax 0_2_004076FD
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00407BC4 push 00407BF0h; ret 0_2_00407BE8
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_100210F2 push eax; ret 0_2_10021139
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_10021188 push eax; ret 0_2_10021139
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_1002DB93 push es; ret 0_2_1002DB96
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_10013458 push eax; ret 0_2_10013476
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_10001678 push eax; retn 0008h 0_2_10001681
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_100187B0 push eax; ret 0_2_100187DE
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_004073CA IsIconic, 0_2_004073CA
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Dropped PE file which has not been started: C:\Program Files\Common Files\System\symsrv.dll
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\2hp5ee36OS.exe API coverage: 8.8 %
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00406C7A GetSystemInfo, 0_2_00406C7A
Source: C:\Users\user\Desktop\2hp5ee36OS.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_1000D737 VirtualProtect,VirtualProtect,GetModuleHandleA,Sleep,GetProcessHeap,HeapFree,SetLastError, 0_2_1000D737
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_10017E3B SetUnhandledExceptionFilter, 0_2_10017E3B
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_10017E4D SetUnhandledExceptionFilter, 0_2_10017E4D
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_1000E613 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateFileMappingA,MapViewOfFile,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,UnmapViewOfFile,CreateFileMappingA,MapViewOfFile,MapViewOfFile, 0_2_1000E613
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA, 0_2_00406050
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: GetLocaleInfoA, 0_2_00406C2A
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00406C22 GetLocalTime, 0_2_00406C22
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_1000C20F GetUserNameA,GetModuleHandleA,LoadLibraryA, 0_2_1000C20F
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_10018956 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_10018956
Source: C:\Users\user\Desktop\2hp5ee36OS.exe Code function: 0_2_00406C92 GetVersion, 0_2_00406C92
No contacted IP infos