Windows Analysis Report
jwJP7IUDX3.exe

Overview

General Information

Sample name: jwJP7IUDX3.exe
renamed because original name is a hash value
Original sample name: 3403126f9657859c42f0e1dd6d317bc3dae3871d.exe
Analysis ID: 1546810
MD5: 3e0bca337790aa542d011fbd5939f260
SHA1: 3403126f9657859c42f0e1dd6d317bc3dae3871d
SHA256: b676ad7b0faaffff944eae7018735ab3691dcf5573dbb3807211c3ac0fc56c26
Tags: exe, ReversingLabs, user-NDA0E

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Program does not show much activity (idle)
Uses 32bit PE files

Classification

AV Detection

Source: jwJP7IUDX3.exe Avira: detected
Source: jwJP7IUDX3.exe ReversingLabs: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: jwJP7IUDX3.exe Joe Sandbox ML: detected
Source: jwJP7IUDX3.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: jwJP7IUDX3.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_000812E8 FindFirstFileExW, 0_2_000812E8
Source: jwJP7IUDX3.exe String found in binary or memory: https://code.visualstudio.com/0
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_00071000 0_2_00071000
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_0007184E 0_2_0007184E
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_0007CAC2 0_2_0007CAC2
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_00073F3E 0_2_00073F3E
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_000875CD 0_2_000875CD
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_000711D3 0_2_000711D3
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_00079E60 0_2_00079E60
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_00071692 0_2_00071692
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_0007BF6C 0_2_0007BF6C
Source: classification engine Classification label: mal68.evad.winEXE@1/0@0/0
Source: jwJP7IUDX3.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: jwJP7IUDX3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jwJP7IUDX3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jwJP7IUDX3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jwJP7IUDX3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jwJP7IUDX3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jwJP7IUDX3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: jwJP7IUDX3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jwJP7IUDX3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jwJP7IUDX3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jwJP7IUDX3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jwJP7IUDX3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: jwJP7IUDX3.exe Static PE information: section name: .text entropy: 6.873548869979149
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_0007CAC2 CheckRemoteDebuggerPresent, 0_2_0007CAC2
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_00080C30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00080C30
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_0007165B mov eax, dword ptr fs:[00000030h] 0_2_0007165B
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_00082375 mov eax, dword ptr fs:[00000030h] 0_2_00082375
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_0007FBCD mov eax, dword ptr fs:[00000030h] 0_2_0007FBCD
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_00083442 GetProcessHeap, 0_2_00083442
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_0007DC0B SetUnhandledExceptionFilter, 0_2_0007DC0B
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_0007DA77 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0007DA77
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_0007DF36 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0007DF36
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_0007DD46 cpuid 0_2_0007DD46
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe Code function: 0_2_0007D95E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0007D95E
No contacted IP infos