Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546920
MD5: b51e761b009c658073fd0dc66c8f808f
SHA1: 8dd8a45980efcae93eec634987396a0a6a3e62e9
SHA256: bf2165a4bdafb0945c8b370758e6d0b9ab145147e7ddab448a01b3b25c2ad8a7
Tags: exe, user-Bitsight

Detection

NetSupport RAT
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Delayed program exit found
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Abnormal high CPU Usage
Contains functionality for reading data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

AV Detection

Source: C:\Users\Public\Downloads\bild.exe ReversingLabs: Detection: 28%
Source: C:\Users\Public\Downloads\remcmdstub.exe ReversingLabs: Detection: 13%
Source: file.exe ReversingLabs: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.2% probability
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary, 1_2_110AD570
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\Public\Downloads\msvcr100.dll
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe
Source: Binary string: msvcr100.i386.pdb source: bild.exe, bild.exe, 00000001.00000002.3511237810.000000006C941000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: bild.exe, 00000001.00000002.3511448274.000000006CA22000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000001.00000002.3510810648.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: bild.exe, 00000001.00000002.3511143904.000000006C790000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: file.exe, 00000000.00000003.1663707824.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000001.00000000.1666036569.0000000000F22000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000001.00000002.3509963877.0000000000F22000.00000002.00000001.01000000.00000009.sdmp, bild.exe.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: bild.exe, 00000001.00000002.3511143904.000000006C790000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: bild.exe, 00000001.00000002.3511372115.000000006CA05000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009FA273 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_009FA273
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0A537 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00A0A537
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 1_2_1102D330
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 1_2_11065890
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 1_2_1106A0A0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 1_2_111266E0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 1_2_1110AFD0

Networking

Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49730 -> 185.215.113.64:443
Source: global traffic HTTP traffic detected: GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 185.215.113.64
Source: Joe Sandbox View IP Address: 104.26.1.231
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49738
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.64
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: unknown HTTP traffic detected: POST http://185.215.113.64/fakeurl.htm HTTP/1.1
    User-Agent: NetSupport Manager/1.3
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 22
    Host: 185.215.113.64
    Connection: Keep-Alive
    Body: CMD=POLL INFO=1 ACK=1
Source: bild.exe, bild.exe, 00000001.00000002.3511143904.000000006C790000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr String found in binary or memory: http://%s/fakeurl.htm
Source: bild.exe, bild.exe, 00000001.00000002.3511143904.000000006C790000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr String found in binary or memory: http://%s/testpage.htm
Source: bild.exe, 00000001.00000002.3511143904.000000006C790000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: bild.exe, bild.exe, 00000001.00000002.3510810648.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://127.0.0.1
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000001.00000002.3510810648.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: remcmdstub.exe.0.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: remcmdstub.exe.0.dr String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: remcmdstub.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
Source: remcmdstub.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: remcmdstub.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: bild.exe, 00000001.00000002.3509543073.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/es
Source: bild.exe, 00000001.00000002.3509543073.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: bild.exe, 00000001.00000002.3509543073.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp(E
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000001.00000002.3510810648.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: bild.exe, 00000001.00000002.3509543073.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspX
Source: remcmdstub.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: remcmdstub.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: remcmdstub.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: remcmdstub.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: remcmdstub.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1663707824.00000000050DB000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1663707824.00000000050DB000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://s2.symcb.com0
Source: remcmdstub.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: remcmdstub.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: remcmdstub.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: remcmdstub.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1663707824.00000000050DB000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1663707824.00000000050DB000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1663707824.00000000050DB000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000001.00000002.3510841859.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000001.00000002.3510841859.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000001.00000002.3510841859.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://www.pci.co.uk/support
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000001.00000002.3510841859.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1663707824.00000000050DB000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1663707824.00000000050DB000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1663707824.00000000050DB000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1663707824.00000000050DB000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: remcmdstub.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard, 1_2_1101F6B0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11032EE0 GetClipboardFormatNameA,SetClipboardData, 1_2_11032EE0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110321E0 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree, 1_2_110321E0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110076F0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor, 1_2_110076F0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState, 1_2_11113880
Source: Yara match File source: 0.3.file.exe.4f04800.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.3510810648.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bild.exe PID: 1456, type: MEMORYSTR
Source: Yara match File source: C:\Users\Public\Downloads\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA, 1_2_111158B0
Source: C:\Users\Public\Downloads\bild.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F7070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_009F7070
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1115DB40 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec, 1_2_1115DB40
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 1_2_1102D330
Source: C:\Users\Public\Downloads\bild.exe Process token adjusted: Security
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 11146450 appears 599 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 6C7530A0 appears 46 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 110278E0 appears 47 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 6C767D00 appears 116 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 6C756F50 appears 150 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 1116F010 appears 37 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 11029450 appears 992 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 111603E3 appears 41 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 6C767A90 appears 45 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 1105DD10 appears 289 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 11081BB0 appears 42 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 6C767C70 appears 35 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 11164010 appears 32 times
Source: C:\Users\Public\Downloads\bild.exe Code function: String function: 6C779480 appears 49 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00A0CDF0 appears 37 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00A0CEC0 appears 53 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00A0D870 appears 31 times
Source: file.exe, 00000000.00000003.1663707824.000000000506E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepcicl32.dll2 vs file.exe
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclient32.exe. vs file.exe
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametcctl32.dll2 vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal88.rans.evad.winEXE@3/12@1/2
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11059C50 GetLastError,FormatMessageA,LocalFree, 1_2_11059C50
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges, 1_2_1109D440
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1109D4D0 AdjustTokenPrivileges,CloseHandle, 1_2_1109D4D0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11115B70 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize, 1_2_11115B70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A08BD0 FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00A08BD0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError, 1_2_11127E10
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Downloads\__tmp_rar_sfx_access_check_5997468
Source: C:\Users\Public\Downloads\bild.exe Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe Command line argument: sfxname 0_2_00A0C131
Source: C:\Users\user\Desktop\file.exe Command line argument: sfxstime 0_2_00A0C131
Source: C:\Users\user\Desktop\file.exe Command line argument: STARTDLG 0_2_00A0C131
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\Public\Downloads\bild.exe "C:\Users\Public\Downloads\bild.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: apphelp.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: pcicl32.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: shfolder.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: pcichek.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: pcicapi.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: mpr.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: version.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: winmm.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: wsock32.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: msvcr100.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: netapi32.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: wininet.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: netutils.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: samcli.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: dbghelp.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: dbgcore.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: wtsapi32.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: nsmtrace.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: nslsp.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: devobj.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: msasn1.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: pcihooks.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: textshaping.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: winsta.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: wbemcomn.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: amsi.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: userenv.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: profapi.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: riched32.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: riched20.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: usp10.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: msls31.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: windows.storage.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: wldp.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: pciinv.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: iertutil.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: firewallapi.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: dnsapi.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: iphlpapi.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: fwbase.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: sspicli.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: mswsock.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: winhttp.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: winnsi.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: urlmon.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: srvcli.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: rasadhlp.dll
Source: C:\Users\Public\Downloads\bild.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\file.exe File written: C:\Users\Public\Downloads\client32.ini
Source: C:\Users\Public\Downloads\bild.exe File opened: C:\Windows\SysWOW64\riched32.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 2137945 > 1048576
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\Public\Downloads\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe
Source: Binary string: msvcr100.i386.pdb source: bild.exe, bild.exe, 00000001.00000002.3511237810.000000006C941000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: bild.exe, 00000001.00000002.3511448274.000000006CA22000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000001.00000002.3510810648.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: bild.exe, 00000001.00000002.3511143904.000000006C790000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: file.exe, 00000000.00000003.1663707824.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000001.00000000.1666036569.0000000000F22000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000001.00000002.3509963877.0000000000F22000.00000002.00000001.01000000.00000009.sdmp, bild.exe.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: bild.exe, 00000001.00000002.3511143904.000000006C790000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: bild.exe, 00000001.00000002.3511372115.000000006CA05000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,HttpSendRequestA,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 1_2_11029590
Source: PCICL32.DLL.0.dr Static PE information: section name: .hhshare
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0D8B6 push ecx; ret 0_2_00A0D8C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0CDF0 push eax; ret 0_2_00A0CE0E
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1116F055 push ecx; ret 1_2_1116F068
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11169F49 push ecx; ret 1_2_11169F5C
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11040E01 push 3BFFFFFEh; ret 1_2_11040E06
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_6C786BBF push ecx; ret 1_2_6C786BD2
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_6C7794C5 push ecx; ret 1_2_6C7794D8
Source: msvcr100.dll.0.dr Static PE information: section name: .text entropy: 6.909044922675825
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Downloads\remcmdstub.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Downloads\TCCTL32.DLL
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Downloads\bild.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Downloads\msvcr100.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Downloads\pcicapi.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Downloads\PCICL32.DLL
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Downloads\HTCTL32.DLL
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Downloads\PCICHEK.DLL
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_6C767030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod, 1_2_6C767030
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_6C755490 GetPrivateProfileIntA, 1_2_6C755490
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_6C7550E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA, 1_2_6C7550E0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_6C755117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA, 1_2_6C755117
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary, 1_2_11139090
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows, 1_2_1115B1D0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt, 1_2_11113290
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 1_2_110CB2B0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer, 1_2_110254A0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId, 1_2_110258F0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer, 1_2_11023BA0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId, 1_2_11024280
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11112670 IsIconic,GetTickCount, 1_2_11112670
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA, 1_2_111229D0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId, 1_2_110C0BB0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 1_2_1115ADD0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11143570 GetTickCount,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_11143570
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Downloads\bild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_6C7591F0 1_2_6C7591F0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_6C764F30 1_2_6C764F30
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110B8200 Sleep,ExitProcess, 1_2_110B8200
Source: C:\Users\Public\Downloads\bild.exe Window / User API: threadDelayed 4576
Source: C:\Users\Public\Downloads\bild.exe Window / User API: threadDelayed 468
Source: C:\Users\Public\Downloads\bild.exe Window / User API: threadDelayed 3592
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\Public\Downloads\remcmdstub.exe
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\Public\Downloads\TCCTL32.DLL
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\Public\Downloads\HTCTL32.DLL
Source: C:\Users\Public\Downloads\bild.exe Evaded block: after key decision
Source: C:\Users\Public\Downloads\bild.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\Public\Downloads\bild.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\Public\Downloads\bild.exe API coverage: 6.2 %
Source: C:\Users\Public\Downloads\bild.exe TID: 5000 Thread sleep time: -1144000s >= -30000s
Source: C:\Users\Public\Downloads\bild.exe TID: 2104 Thread sleep time: -46800s >= -30000s
Source: C:\Users\Public\Downloads\bild.exe TID: 5000 Thread sleep time: -898000s >= -30000s
Source: C:\Users\Public\Downloads\bild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\Public\Downloads\bild.exe Last function: Thread delayed
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_6C763130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6C763226h 1_2_6C763130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009FA273 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_009FA273
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0A537 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00A0A537
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 1_2_1102D330
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 1_2_11065890
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 1_2_1106A0A0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 1_2_111266E0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 1_2_1110AFD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0C8D5 VirtualQuery,GetSystemInfo, 0_2_00A0C8D5
Source: HTCTL32.DLL.0.dr Binary or memory string: VMware
Source: file.exe, 00000000.00000003.1666782617.00000000008B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: bild.exe, 00000001.00000002.3511143904.000000006C790000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.clayl*
Source: HTCTL32.DLL.0.dr Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.0.dr Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: bild.exe, 00000001.00000002.3510425370.000000000341C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: HTCTL32.DLL.0.dr Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: TCCTL32.DLL.0.dr Binary or memory string: VMWare
Source: bild.exe, 00000001.00000002.3509543073.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: file.exe, 00000000.00000003.1666782617.00000000008B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\B
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Downloads\bild.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0DA75 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A0DA75
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11147750 GetLastError,wsprintfA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,SetLastError,GetKeyState, 1_2_11147750
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A14A5A mov eax, dword ptr fs:[00000030h] 0_2_00A14A5A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A18AAA GetProcessHeap, 0_2_00A18AAA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0DBC3 SetUnhandledExceptionFilter, 0_2_00A0DBC3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A15B53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A15B53
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0DD7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00A0DD7C
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle, 1_2_11093080
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter, 1_2_110310C0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_11161D01
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_1116DD89
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_6C7728E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6C7728E1
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_6C7787F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6C7787F5
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110F4560 GetTickCount,LogonUserA,GetTickCount,GetLastError, 1_2_110F4560
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1111FCA0 GetForegroundWindow,GetClassNameA,GetWindowTextA,keybd_event,keybd_event,keybd_event, 1_2_1111FCA0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1109E190 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent, 1_2_1109E190
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1109E910 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid, 1_2_1109E910
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000001.00000002.3510810648.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, bild.exe, 00000001.00000002.3510810648.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr Binary or memory string: Shell_TrayWnd
Source: file.exe, 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, bild.exe, bild.exe, 00000001.00000002.3510810648.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr Binary or memory string: Progman
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0D8CB cpuid 0_2_00A0D8CB
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00A0932F
Source: C:\Users\Public\Downloads\bild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 1_2_11173A35
Source: C:\Users\Public\Downloads\bild.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 1_2_11173D69
Source: C:\Users\Public\Downloads\bild.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_11173CC6
Source: C:\Users\Public\Downloads\bild.exe Code function: GetLocaleInfoA, 1_2_1116B38E
Source: C:\Users\Public\Downloads\bild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 1_2_11173933
Source: C:\Users\Public\Downloads\bild.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 1_2_111739DA
Source: C:\Users\Public\Downloads\bild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_1117383E
Source: C:\Users\Public\Downloads\bild.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_11173D2D
Source: C:\Users\Public\Downloads\bild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 1_2_11173C06
Source: C:\Users\Public\Downloads\bild.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_6C78DC56
Source: C:\Users\Public\Downloads\bild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_6C781CC1
Source: C:\Users\Public\Downloads\bild.exe Code function: GetLocaleInfoA, 1_2_6C78DC99
Source: C:\Users\Public\Downloads\bild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 1_2_6C781DB6
Source: C:\Users\Public\Downloads\bild.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 1_2_6C781E5D
Source: C:\Users\Public\Downloads\bild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 1_2_6C781EB8
Source: C:\Users\Public\Downloads\bild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 1_2_6C78DB7C
Source: C:\Users\Public\Downloads\bild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 1_2_6C782089
Source: C:\Users\Public\Downloads\bild.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_6C782175
Source: C:\Users\Public\Downloads\bild.exe Code function: EnumSystemLocalesA, 1_2_6C782151
Source: C:\Users\Public\Downloads\bild.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_6C7821DC
Source: C:\Users\Public\Downloads\bild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110F33F0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree, 1_2_110F33F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0C131 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle, 0_2_00A0C131
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1103B160 SHGetFolderPathA,GetUserNameA,DeleteFileA,_sprintf,_fputs,_free,GetFileAttributesA,SetFileAttributesA, 1_2_1103B160
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11174AE9 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 1_2_11174AE9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009FA8E0 GetVersionExW, 0_2_009FA8E0
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep, 1_2_11070090
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError, 1_2_110D8200
Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_6C75A980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange, 1_2_6C75A980
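The function records above (the socket/bind/listen/accept chain at 1_2_110D8200, the IsDebuggerPresent checks, the keybd_event and LogonUserA sequences, the GetTokenInformation/EqualSid group test) are the raw material an analyst triages by hand. The following is an added example, not part of this report or of the sandbox's own tooling: a Python parser for the `Code function:` record format that tags each function with the capability its API sequence implies and ranks the records. The rule table, the weights and the tag names are assumptions chosen for illustration, not a published signature set; the sample records are copied from this page.

```python
"""Triage the 'Code function:' records of a sandbox report.

Added example, not part of the original report or of the sandbox vendor's
tooling.  Parses the one-line API-sequence records and tags each function
with the capability the sequence implies.  RULES and its weights are the
author's assumptions for illustration.
"""
import re
from collections import defaultdict

# Record layout: "Source: <image path> Code function: [<id>] api,api,..., <id>"
RECORD_RE = re.compile(r"^Source:\s+(?P<path>.+?)\s+Code function:\s+(?P<body>.+)$")
# Function ids look like 1_2_110D8200 (<process idx>_<stage>_<virtual address>)
FUNC_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{6,}$")

# Capability rules (assumed): every API in the set must occur in the sequence.
# Names are compared after stripping the ANSI/Unicode suffix (LogonUserA -> LogonUser).
RULES = {
    "listening_socket":       ({"socket", "bind", "listen", "accept"}, 5),
    "logon_as_other_user":    ({"LogonUser"}, 4),
    "keystroke_injection":    ({"keybd_event"}, 4),
    "anti_debug":             ({"IsDebuggerPresent"}, 2),
    "token_group_check":      ({"GetTokenInformation", "EqualSid"}, 2),
    "named_pipe_server":      ({"CreateNamedPipe"}, 2),
    "foreground_window_read": ({"GetForegroundWindow", "GetWindowText"}, 2),
    "shared_memory_ipc":      ({"CreateFileMapping", "MapViewOfFile"}, 1),
    "locale_query":           ({"GetLocaleInfo"}, 0),   # CRT noise: tag it, do not score it
}


def normalize(api):
    """Drop a trailing A/W variant marker so GetLocaleInfoA and GetLocaleInfoW compare equal."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def parse_record(line):
    """Return (path, func_id, [apis]) for one 'Code function' line, or None otherwise."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("body").split()
    func_id = tokens[-1]                    # the trailing id is always present
    if FUNC_ID_RE.match(tokens[0]):         # the leading id is optional (see 0_2_00A0932F)
        tokens = tokens[1:]
    apis = [a.strip() for a in " ".join(tokens[:-1]).split(",") if a.strip()]
    return m.group("path"), func_id, apis


def tag_apis(apis):
    """Return {tag: weight} for every rule whose required APIs all occur in the sequence."""
    present = {normalize(a) for a in apis}
    return {tag: w for tag, (need, w) in RULES.items() if need <= present}


def triage(lines):
    """Parse a report excerpt and return its function records, highest score first."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        path, func_id, apis = rec
        tags = tag_apis(apis)
        out.append({"path": path, "func": func_id, "score": sum(tags.values()),
                    "tags": sorted(tags)})
    return sorted(out, key=lambda r: (-r["score"], r["path"], r["func"]))


def capabilities_by_image(lines):
    """Union of scored (weight > 0) tags per image: the summary an analyst wants first."""
    caps = defaultdict(set)
    for rec in triage(lines):
        caps[rec["path"]].update(t for t in rec["tags"] if RULES[t][1] > 0)
    return {p: sorted(t) for p, t in caps.items()}


# Sample input: records copied from this report, plus one line that is not a function record.
SAMPLE = [
    r"Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError, 1_2_110D8200",
    r"Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_11161D01",
    r"Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_110F4560 GetTickCount,LogonUserA,GetTickCount,GetLastError, 1_2_110F4560",
    r"Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1111FCA0 GetForegroundWindow,GetClassNameA,GetWindowTextA,keybd_event,keybd_event,keybd_event, 1_2_1111FCA0",
    r"Source: C:\Users\Public\Downloads\bild.exe Code function: 1_2_1109E910 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid, 1_2_1109E910",
    r"Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00A0932F",
    r"Source: C:\Users\Public\Downloads\bild.exe Queries volume information: C:\ VolumeInformation",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(f'{rec["score"]:2d} {rec["func"]:14s} {", ".join(rec["tags"])}')
    print(capabilities_by_image(SAMPLE))
```

The weights deliberately favour sequences that only make sense for remote control (a bound, listening socket; synthetic keystrokes; LogonUser with the caller's own credentials) over checks every MSVC runtime performs (GetLocaleInfo, EnumSystemLocales); the A/W normalization is a heuristic and would need care for any API whose real name ends in a lowercase letter followed by A or W.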
Source: Yara match File source: 1.2.bild.exe.6ca20000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bild.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.bild.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bild.exe.6ca00000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.4f04800.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bild.exe.6c750000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.1666036569.0000000000F22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3510841859.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3511143904.000000006C790000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3510810648.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1663707824.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3509963877.0000000000F22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3509543073.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1663707824.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bild.exe PID: 1456, type: MEMORYSTR
Source: Yara match File source: C:\Users\Public\Downloads\bild.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\Downloads\pcicapi.dll, type: DROPPED
Source: Yara match File source: C:\Users\Public\Downloads\PCICHEK.DLL, type: DROPPED
Source: Yara match File source: C:\Users\Public\Downloads\HTCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\Public\Downloads\TCCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\Public\Downloads\PCICL32.DLL, type: DROPPED
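The DROPPED entries above show the NetSupport client components (pcicapi.dll, PCICHEK.DLL, HTCTL32.DLL, TCCTL32.DLL, PCICL32.DLL) written next to bild.exe under C:\Users\Public\Downloads, a user-writable folder rather than an install root. An added example, not part of this report: a Python hunt that flags any directory holding that component set together with an executable outside the expected install roots. The component names come from this page; the threshold, the expected roots, the helper names and the sample listing are assumptions.

```python
"""Hunt for a relocated NetSupport client bundle on disk.

Added example, not from the original report.  The component names are the
dropped files listed in this report; MIN_COMPONENTS, EXPECTED_ROOTS and the
sample listing are the author's assumptions for illustration.
"""
import os
from collections import defaultdict
from pathlib import PureWindowsPath

# Support DLLs the sample dropped next to bild.exe (from the report's DROPPED list).
NETSUPPORT_COMPONENTS = {"pcicl32.dll", "htctl32.dll", "tcctl32.dll", "pcicapi.dll", "pcichek.dll"}
MIN_COMPONENTS = 3       # assumption: three co-located components is enough to report a bundle

# Where a legitimately installed remote-control product would live (assumption).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def group_by_directory(paths):
    """Map each directory (lower-cased, Windows is case-insensitive) to the file names in it."""
    dirs = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        dirs[str(wp.parent).lower()].add(wp.name.lower())
    return dirs


def find_bundles(paths):
    """Return one finding per directory that holds a NetSupport component bundle."""
    findings = []
    for directory, names in group_by_directory(paths).items():
        components = sorted(names & NETSUPPORT_COMPONENTS)
        if len(components) < MIN_COMPONENTS:
            continue
        exes = sorted(n for n in names if n.endswith(".exe"))
        findings.append({
            "directory": directory,
            "components": components,
            "executables": exes,
            # A bundle with a launcher outside the expected install roots is the case to escalate.
            "suspicious": bool(exes) and not directory.startswith(EXPECTED_ROOTS),
        })
    return findings


def scan_disk(root):
    """Walk a real volume and apply the same logic (not exercised by the sample below)."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return find_bundles(paths)


# Constructed listing: the report's drop directory, an expected-root install, and a lone DLL.
SAMPLE_LISTING = [
    r"C:\Users\Public\Downloads\bild.exe",
    r"C:\Users\Public\Downloads\pcicapi.dll",
    r"C:\Users\Public\Downloads\PCICHEK.DLL",
    r"C:\Users\Public\Downloads\HTCTL32.DLL",
    r"C:\Users\Public\Downloads\TCCTL32.DLL",
    r"C:\Users\Public\Downloads\PCICL32.DLL",
    r"C:\Users\user\Desktop\file.exe",
    r"C:\Program Files (x86)\Vendor\Remote\PCICL32.DLL",   # constructed, not on the page
    r"C:\Program Files (x86)\Vendor\Remote\HTCTL32.DLL",
    r"C:\Program Files (x86)\Vendor\Remote\TCCTL32.DLL",
    r"C:\Program Files (x86)\Vendor\Remote\tool.exe",
    r"C:\Temp\PCICL32.DLL",                                 # a single DLL stays below threshold
]

if __name__ == "__main__":
    for f in find_bundles(SAMPLE_LISTING):
        flag = "SUSPICIOUS" if f["suspicious"] else "expected"
        print(f'{flag:10s} {f["directory"]}  exes={f["executables"]}  components={f["components"]}')
```

Matching on the co-located support DLLs rather than on the launcher name is the point: the sample renamed the client to bild.exe, but it still needs PCICL32.DLL and its siblings beside it, and those names are not something an operator can change without rebuilding the product.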