Windows
Analysis Report
gpg4win-4.3.1.exe
Overview
General Information
Detection
Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 20%
Signatures
Contains functionality to infect the boot sector
Tries to delay execution (extensive OutputDebugStringW loop)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Classes Autorun Keys Modification
Sigma detected: Office Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- gpg4win-4.3.1.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\gpg4win-4.3.1.exe" MD5: CFF05AF81ADC5CA0066BAF07D17EDB24)
- gnupg-w32-2.4.5_20240307-bin.exe (PID: 7844 cmdline: "C:\Users\user\AppData\Local\Temp\gnupg-w32-2.4.5_20240307-bin.exe" /S /D=C:\Program Files (x86)\Gpg4win\..\GnuPG MD5: 6EFB76E751A360F5EF7BDEE99B93A0F4)
- regsvr32.exe (PID: 7976 cmdline: "C:\Windows\system32\regsvr32" /s "C:\Program Files (x86)\Gpg4win\bin_64\gpgol.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- regsvr32.exe (PID: 7988 cmdline: /s "C:\Program Files (x86)\Gpg4win\bin_64\gpgol.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
- regsvr32.exe (PID: 8004 cmdline: "C:\Windows\system32\regsvr32" /s "C:\Program Files (x86)\Gpg4win\bin_64\gpgex.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- regsvr32.exe (PID: 8016 cmdline: /s "C:\Program Files (x86)\Gpg4win\bin_64\gpgex.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
- kleopatra.exe (PID: 3100 cmdline: "C:\Program Files (x86)\Gpg4win\bin\kleopatra.exe" MD5: 56B7ADD491410755AF6CAD3FCA38E0D5)
- gpgme-w32spawn.exe (PID: 5464 cmdline: "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\user\\AppData\\Local\\Temp\\gpgme-q4mVpo" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-dirs" MD5: 368AC6DD68419C1F1155AC365E8F97ED)
- gpgconf.exe (PID: 7320 cmdline: "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-dirs" MD5: BB95839098AAB6A4A89666798E5DD267)
- conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpgme-w32spawn.exe (PID: 2288 cmdline: "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\user\\AppData\\Local\\Temp\\gpgme-yqo9FC" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-components" MD5: 368AC6DD68419C1F1155AC365E8F97ED)
- gpgconf.exe (PID: 764 cmdline: "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-components" MD5: BB95839098AAB6A4A89666798E5DD267)
- conhost.exe (PID: 3276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpgme-w32spawn.exe (PID: 6060 cmdline: "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\user\\AppData\\Local\\Temp\\gpgme-Tp2IWQ" "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe" "--version" MD5: 368AC6DD68419C1F1155AC365E8F97ED)
- gpg.exe (PID: 5916 cmdline: "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpg.exe" "--version" MD5: B21D70FE736A3661FB304DC7F08A5CFE)
- conhost.exe (PID: 1096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpgme-w32spawn.exe (PID: 1528 cmdline: "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\user\\AppData\\Local\\Temp\\gpgme-x5JUd5" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgsm.exe" "--version" MD5: 368AC6DD68419C1F1155AC365E8F97ED)
- gpgsm.exe (PID: 1592 cmdline: "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgsm.exe" "--version" MD5: DC58D4DF08480AF127DEFC59162F10D0)
- conhost.exe (PID: 3348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpgme-w32spawn.exe (PID: 1864 cmdline: "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\user\\AppData\\Local\\Temp\\gpgme-8DQmvj" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--version" MD5: 368AC6DD68419C1F1155AC365E8F97ED)
- gpgconf.exe (PID: 1944 cmdline: "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--version" MD5: BB95839098AAB6A4A89666798E5DD267)
- conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpgconf.exe (PID: 2240 cmdline: "C:\Program Files (x86)\GnuPG\bin\gpgconf.exe" --launch gpg-agent MD5: BB95839098AAB6A4A89666798E5DD267)
- conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpg-agent.exe (PID: 3108 cmdline: "C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe" --gpgconf-test MD5: 5F18625EF82543F30A920DB287955861)
- gpg-connect-agent.exe (PID: 4864 cmdline: "C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe" NOP MD5: D09810711F80F7406FB05A8EDD9031D3)
- gpg-agent.exe (PID: 5568 cmdline: "C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe" --homedir C:\Users\user\AppData\Roaming\gnupg --use-standard-socket --daemon MD5: 5F18625EF82543F30A920DB287955861)
- gpgconf.exe (PID: 2292 cmdline: "C:\Program Files (x86)\GnuPG\bin\gpgconf.exe" --show-versions MD5: BB95839098AAB6A4A89666798E5DD267)
- conhost.exe (PID: 2624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- dirmngr.exe (PID: 2012 cmdline: "C:\Program Files (x86)\GnuPG\bin\dirmngr.exe" --gpgconf-versions MD5: 7F37052A56F1750AD04874A00CAF9172)
- gpgme-w32spawn.exe (PID: 3412 cmdline: "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\user\\AppData\\Local\\Temp\\gpgme-TcwxNx" "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe" "--disable-dirmngr" "--no-auto-check-trustdb" "--batch" "--status-fd" "1" "--logger-fd" "5" "--no-tty" "--charset=utf8" "--enable-progress-filter" "--exit-on-status-write-error" "--ttyname=/dev/tty" "--with-colons" "--with-secret" "--with-keygrip" "--list-keys" "--" MD5: 368AC6DD68419C1F1155AC365E8F97ED)
- gpg.exe (PID: 3752 cmdline: "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpg.exe" "--disable-dirmngr" "--no-auto-check-trustdb" "--batch" "--status-fd" "4" "--logger-fd" "12" "--no-tty" "--charset=utf8" "--enable-progress-filter" "--exit-on-status-write-error" "--ttyname=/dev/tty" "--with-colons" "--with-secret" "--with-keygrip" "--list-keys" "--" MD5: B21D70FE736A3661FB304DC7F08A5CFE)
- conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpgme-w32spawn.exe (PID: 3576 cmdline: "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\user\\AppData\\Local\\Temp\\gpgme-BdRI5L" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgsm.exe" "--logger-fd" "7" "--server" MD5: 368AC6DD68419C1F1155AC365E8F97ED)
- gpgsm.exe (PID: 5508 cmdline: "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgsm.exe" "--logger-fd" "16" "--server" MD5: DC58D4DF08480AF127DEFC59162F10D0)
- conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- keyboxd.exe (PID: 4980 cmdline: "C:\Program Files (x86)\GnuPG\bin\keyboxd.exe" --homedir C:\Users\user\AppData\Roaming\gnupg --daemon MD5: D95399DEB3305DD68C00D4E5E1BACAA9)
- gpgme-w32spawn.exe (PID: 4316 cmdline: "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\user\\AppData\\Local\\Temp\\gpgme-t7bUn0" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-components" MD5: 368AC6DD68419C1F1155AC365E8F97ED)
- gpgconf.exe (PID: 1404 cmdline: "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-components" MD5: BB95839098AAB6A4A89666798E5DD267)
- conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpgme-w32spawn.exe (PID: 2008 cmdline: "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\user\\AppData\\Local\\Temp\\gpgme-7MhVGe" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "gpg" MD5: 368AC6DD68419C1F1155AC365E8F97ED)
- gpgconf.exe (PID: 7020 cmdline: "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "gpg" MD5: BB95839098AAB6A4A89666798E5DD267)
- conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpg.exe (PID: 5848 cmdline: "C:\Program Files (x86)\GnuPG\bin\gpg.exe" --dump-option-table MD5: B21D70FE736A3661FB304DC7F08A5CFE)
- gpg.exe (PID: 7736 cmdline: "C:\Program Files (x86)\GnuPG\bin\gpg.exe" --gpgconf-list MD5: B21D70FE736A3661FB304DC7F08A5CFE)
- cleanup
No configs have been found
No yara matches
Sigma rule authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
No Suricata rule has matched