Windows Analysis Report
1.exe

Overview

General Information

Sample name: 1.exe
Analysis ID: 1546802
MD5: d940ad60dee55174455c2a43a8353d2e
SHA1: 7b0832cd378423da73831e6a45144248fe5d17e4
SHA256: 47c1439cbe3d3ea852e7e45c2d201cb83e5949193b07d9f321c41e0343eaa6a8
Tags: exe, ReversingLabs, user-NDA0E

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May infect USB drives
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 1.exe ReversingLabs: Detection: 36%
Source: 1.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_005D3644 CryptHashData,_strnlen,___crtLCMapStringA,_malloc,___crtLCMapStringA,_strcpy_s,__freea, 0_2_005D3644
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_005D1906 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,_memset,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,__snwprintf_s,#205, 0_2_005D1906
Source: 1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: msinfo32.pdb source: 1.exe
Source: Binary string: d:\_Bld\10657\7994\Sources\obj\Win32\Release\EvaluationContainer.csproj\Microsoft.Mashup.Container.pdb source: 1.exe
Source: Binary string: AcroRd32Info.pdb source: 1.exe
Source: Binary string: AcroRd32Info.pdb7 source: 1.exe
Source: Binary string: C:\re\jdk7u45\229\build\windows-amd64\tmp\sun\launcher\keytool\obj64\keytool.pdb source: 1.exe
Source: Binary string: SqlDumper.pdb source: 1.exe
Source: Binary string: C:\Perforce\FRMain\code\build\win\results\Release\info\arh.pdb source: 1.exe
Source: 1.exe Binary or memory string: :\autorun.inf
Source: 1.exe Binary or memory string: [Autorun]
Source: 1.exe String found in binary or memory: http://crl.geotrust.com/crls/gtglobal.crl04
Source: 1.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 1.exe String found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
Source: 1.exe String found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
Source: 1.exe String found in binary or memory: http://evcs-ocsp.ws.symantec.com04
Source: 1.exe String found in binary or memory: http://ocsp.geotrust.com0K
Source: 1.exe String found in binary or memory: http://ocsp.thawte.com0
Source: 1.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 1.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 1.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 1.exe String found in binary or memory: http://www.geotrust.com/resources/cps0(
Source: 1.exe String found in binary or memory: http://www.symauth.com/cps0(
Source: 1.exe String found in binary or memory: http://www.symauth.com/cps09
Source: 1.exe String found in binary or memory: http://www.symauth.com/rpa04
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_005D9D7A 0_2_005D9D7A
Source: C:\Users\user\Desktop\1.exe Code function: String function: 005D6024 appears 32 times
Source: 1.exe, 00000000.00000000.2030756299.00000000005E5000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamearh.exe8 vs 1.exe
Source: 1.exe Binary or memory string: OriginalFilenamearh.exe8 vs 1.exe
Source: 1.exe Binary or memory string: OriginalFilenameSqlDumper.exeJ vs 1.exe
Source: 1.exe Binary or memory string: OriginalFilenameFirewall.exe vs 1.exe
Source: 1.exe Binary or memory string: OriginalFilenameAcroRd32Info.exe< vs 1.exe
Source: 1.exe Binary or memory string: OriginalFilenamekeytool.exeV vs 1.exe
Source: 1.exe Binary or memory string: OriginalFilenamemsinfo.dllj% vs 1.exe
Source: 1.exe Binary or memory string: OriginalFilenameMicrosoft.Mashup.Container.exeT vs 1.exe
Source: 1.exe Binary or memory string: d:\_Bld\10657\7994\Sources\obj\Win32\Release\EvaluationContainer.csproj\Microsoft.Mashup.Container.pdb
Source: 1.exe Binary or memory string: @`@*\AC:\Program Files\Microsoft Visual Studio\VB98\pjtbinder.vbp
Source: classification engine Classification label: mal52.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: 1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.81%
Source: C:\Users\user\Desktop\1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1.exe String found in binary or memory: -installAppSilent
Source: 1.exe String found in binary or memory: -help
Source: 1.exe String found in binary or memory: arh -help
Source: 1.exe String found in binary or memory: arh -installAppSilent { (-location <loc>) -desktopShortcut -programMenu } <file>
Source: 1.exe String found in binary or memory: -helpusage:
Source: 1.exe String found in binary or memory: -installAppSilent-locationargument -location already specified
Source: unknown Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
Source: C:\Users\user\Desktop\1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: msi.dll
Source: 1.exe Static file information: File size 1212233 > 1048576
Source: 1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_005D4CEC LoadLibraryW,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_005D4CEC
Source: 1.exe Static PE information: real checksum: 0x2563c should be: 0x133046
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_005D6069 push ecx; ret 0_2_005D607C
Source: C:\Users\user\Desktop\1.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\1.exe API coverage: 9.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_005D24BC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005D24BC
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_005D1C57 WideCharToMultiByte,GetProcessHeap,HeapFree, 0_2_005D1C57
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_005D44B5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005D44B5
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_005D66B0 SetUnhandledExceptionFilter, 0_2_005D66B0
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_005D49C3 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005D49C3
Source: C:\Users\user\Desktop\1.exe Code function: GetLocaleInfoA, 0_2_005DD040
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_005D7356 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_005D7356
No contacted IP infos