Windows Analysis Report
nsHwyCkyFr.exe

Overview

General Information

Sample name: nsHwyCkyFr.exe (renamed because the original name is a hash value)
Original sample name: 4a010c5abe2f5bb4dd6f31b03058bc1847e985a95a68d4e1bf0fb20c030c2307.exe
Analysis ID: 1555000
MD5: c9c4ac12004cc6b946cb7d49b5eb5ee5
SHA1: 7e738b153194c9f54aac1b433f8e7efff3beafd5
SHA256: 4a010c5abe2f5bb4dd6f31b03058bc1847e985a95a68d4e1bf0fb20c030c2307
Tags: ConsolHQLTD, exe, user-JAMESWT_MHT

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: nsHwyCkyFr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: nsHwyCkyFr.exe Static PE information: certificate valid
Source: nsHwyCkyFr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: javaw.exe, 00000001.00000002.1364470301.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: nsHwyCkyFr.exe String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: nsHwyCkyFr.exe String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: nsHwyCkyFr.exe String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: nsHwyCkyFr.exe String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: nsHwyCkyFr.exe String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: nsHwyCkyFr.exe String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: javaw.exe, 00000001.00000002.1364470301.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: nsHwyCkyFr.exe String found in binary or memory: http://ocsps.ssl.com0
Source: nsHwyCkyFr.exe String found in binary or memory: http://ocsps.ssl.com0?
Source: nsHwyCkyFr.exe String found in binary or memory: http://ocsps.ssl.com0_
Source: javaw.exe, 00000001.00000002.1364470301.0000000004A8A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1364232608.0000000004968000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1364470301.0000000004A20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/technetwork/java/javase/documentation/index.html
Source: nsHwyCkyFr.exe String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: nsHwyCkyFr.exe String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: nsHwyCkyFr.exe String found in binary or memory: https://www.ssl.com/repository0
Source: C:\Users\user\Desktop\nsHwyCkyFr.exe Code function: 0_2_00405D30 0_2_00405D30
Source: C:\Users\user\Desktop\nsHwyCkyFr.exe Code function: 0_2_004013B0 0_2_004013B0
Source: C:\Users\user\Desktop\nsHwyCkyFr.exe Code function: String function: 00406E10 appears 37 times
Source: classification engine Classification label: clean4.winEXE@6/2@0/0
Source: C:\Users\user\Desktop\nsHwyCkyFr.exe Code function: 0_2_00401ED0 GetLastError,puts,ShellExecuteA,printf,fclose,MessageBoxA,FormatMessageA,strlen,strcat,LocalFree,fprintf,fprintf,fprintf, 0_2_00401ED0
Source: C:\Users\user\Desktop\nsHwyCkyFr.exe Code function: 0_2_00402CB0 FindResourceExA,LoadResource,LockResource,fprintf,atoi,SetLastError, 0_2_00402CB0
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: nsHwyCkyFr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nsHwyCkyFr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: nsHwyCkyFr.exe String found in binary or memory: --l4j-Startup error message not defined.Launcher:%s
Source: unknown Process created: C:\Users\user\Desktop\nsHwyCkyFr.exe "C:\Users\user\Desktop\nsHwyCkyFr.exe"
Source: C:\Users\user\Desktop\nsHwyCkyFr.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath " org.develnext.jphp.ext.javafx.FXLauncher
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nsHwyCkyFr.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\nsHwyCkyFr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Development Kit
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0279A21B push ecx; ret 1_2_0279A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0279A20A push ecx; ret 1_2_0279A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0279BB67 push 00000000h; mov dword ptr [esp], esp 1_2_0279BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0279B3B7 push 00000000h; mov dword ptr [esp], esp 1_2_0279B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0279B947 push 00000000h; mov dword ptr [esp], esp 1_2_0279B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0279C477 push 00000000h; mov dword ptr [esp], esp 1_2_0279C49D
Source: javaw.exe, 00000001.00000002.1363478563.0000000000C48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: javaw.exe, 00000001.00000003.1360617298.0000000014E6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000001.00000003.1360617298.0000000014E6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000001.00000002.1363478563.0000000000C71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000001.00000003.1360617298.0000000014E6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: javaw.exe, 00000001.00000002.1363478563.0000000000C71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exe, 00000001.00000003.1360617298.0000000014E6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: C:\Users\user\Desktop\nsHwyCkyFr.exe Code function: 0_2_00401150 SetUnhandledExceptionFilter,__getmainargs,_iob,_iob,_setmode,_iob,_iob,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess, 0_2_00401150
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Memory protected: page read and write | page guard
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_027903C0 cpuid 1_2_027903C0
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7656 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
No contacted IP infos