Windows Analysis Report
Convert.exe

Overview

General Information

Sample name: Convert.exe
Analysis ID: 1558891
MD5: e14d3585a6b4feb3897d76d42c6b8d83
SHA1: 6d78a56a86327839f683f7fbf28c579896e5b05a
SHA256: 608c1b94fb38dc8c67287f4fb8523ecf99c205422b5c439cdbc61385dc1f7835

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: Convert.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Convert.exe String found in binary or memory: http://www.joshmadison.com/software
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_004597D5 GetAsyncKeyState,SendMessageA, 0_2_004597D5
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_004560CD GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_004560CD
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_00452C1A GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00452C1A
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_00455429 0_2_00455429
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_00451470 0_2_00451470
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_0044A620 0_2_0044A620
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_0044BE7C 0_2_0044BE7C
Source: C:\Users\user\Desktop\Convert.exe Code function: String function: 004469E0 appears 76 times
Source: C:\Users\user\Desktop\Convert.exe Code function: String function: 004428C0 appears 2745 times
Source: C:\Users\user\Desktop\Convert.exe Code function: String function: 00453EEE appears 34 times
Source: C:\Users\user\Desktop\Convert.exe Code function: String function: 00453DF5 appears 127 times
Source: C:\Users\user\Desktop\Convert.exe Code function: String function: 00442D50 appears 350 times
Source: classification engine Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_0045377E __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow, 0_2_0045377E
Source: Convert.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Convert.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Convert.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Convert.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Convert.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Convert.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Convert.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Convert.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Convert.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Convert.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Convert.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Convert.exe Window found: window name: SysTabControl32
Source: Convert.exe Static PE information: section name: RT_CURSOR
Source: Convert.exe Static PE information: section name: RT_BITMAP
Source: Convert.exe Static PE information: section name: RT_ICON
Source: Convert.exe Static PE information: section name: RT_MENU
Source: Convert.exe Static PE information: section name: RT_DIALOG
Source: Convert.exe Static PE information: section name: RT_STRING
Source: Convert.exe Static PE information: section name: RT_ACCELERATOR
Source: Convert.exe Static PE information: section name: RT_GROUP_ICON
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_0044C828 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0044C828
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_004469E0 push eax; ret 0_2_004469FE
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_004359AD push es; iretd 0_2_004359B7
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_00446CB0 push eax; ret 0_2_00446CDE
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_0044F3D0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 0_2_0044F3D0
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_00445986 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00445986
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_00442A90 IsIconic, 0_2_00442A90
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_0044EC20 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 0_2_0044EC20
Source: C:\Users\user\Desktop\Convert.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Convert.exe API coverage: 8.5 %
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_0044B865 SetUnhandledExceptionFilter, 0_2_0044B865
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_0044B877 SetUnhandledExceptionFilter, 0_2_0044B877
Source: C:\Users\user\Desktop\Convert.exe Code function: 0_2_00455429 __EH_prolog,GetVersion, 0_2_00455429
No contacted IP infos