Windows Analysis Report
RemoteDelProf.exe

Overview

General Information

Sample name: RemoteDelProf.exe
Analysis ID: 1566857
MD5: 8614f771d622fd11ecf75a01fa2373b1
SHA1: 8425e4813d0fe74f30f4dfbbad9721a3fca7b143
SHA256: a32555ec55b0918b0d67e2cd28c29b7dd55571535ec63bfa0c683851a6f4a0db

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: RemoteDelProf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RemoteDelProf.exe Static PE information: certificate valid
Source: RemoteDelProf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: RemoteDelProf.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: RemoteDelProf.exe String found in binary or memory: http://www.autoitscript.com/atools/
Source: RemoteDelProf.exe, ConDrv.0.dr String found in binary or memory: http://www.autoitscript.com/tools
Source: RemoteDelProf.exe String found in binary or memory: http://www.autoitscript.com/tools:
Source: RemoteDelProf.exe String found in binary or memory: http://www.autoitscript.com/toolsB
Source: RemoteDelProf.exe String found in binary or memory: http://www.autoitscript.com/toolsThis
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BB9381 0_2_00BB9381
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BC155F 0_2_00BC155F
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BB86CC 0_2_00BB86CC
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BB97A1 0_2_00BB97A1
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BBEAA0 0_2_00BBEAA0
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BA1AE9 0_2_00BA1AE9
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BB8BA1 0_2_00BB8BA1
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BB8F75 0_2_00BB8F75
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: String function: 00BBA6CE appears 36 times
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: String function: 00BBF6E4 appears 49 times
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: String function: 00BA7D43 appears 34 times
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: String function: 00BBA69B appears 177 times
Source: classification engine Classification label: clean5.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: RemoteDelProf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RemoteDelProf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RemoteDelProf.exe String found in binary or memory: ERROR: exception of unknown type! Try --help
Source: RemoteDelProf.exe String found in binary or memory: Try --help
Source: unknown Process created: C:\Users\user\Desktop\RemoteDelProf.exe "C:\Users\user\Desktop\RemoteDelProf.exe"
Source: C:\Users\user\Desktop\RemoteDelProf.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RemoteDelProf.exe Section loaded: apphelp.dll
Source: RemoteDelProf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RemoteDelProf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RemoteDelProf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RemoteDelProf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RemoteDelProf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BC6133 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_00BC6133
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BBB000 push dword ptr [ecx-75h]; iretd 0_2_00BBB008
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BBF729 push ecx; ret 0_2_00BBF73C
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BBA773 push ecx; ret 0_2_00BBA786
Source: C:\Users\user\Desktop\RemoteDelProf.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\RemoteDelProf.exe API coverage: 9.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\RemoteDelProf.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BB8554 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BB8554
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BC04DA SetUnhandledExceptionFilter, 0_2_00BC04DA
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BBD4C1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BBD4C1
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BAB6F9 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BAB6F9
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BB7FAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BB7FAA
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 0_2_00BC00E1
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 0_2_00BC5065
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 0_2_00BC62E7
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 0_2_00BC72C5
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 0_2_00BC631B
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 0_2_00BC54FD
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00BC645A
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 0_2_00BC56AC
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_00BC5614
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00BC479F
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_00BC5720
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_00BC58F2
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: GetLocaleInfoA, 0_2_00BBE87F
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_00BC59B3
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_00BC5A1A
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 0_2_00BC5A56
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 0_2_00BBBBAE
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 0_2_00BC4E0D
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: GetLocaleInfoA, 0_2_00BC3F6A
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BC0C52 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00BC0C52
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BA204B LookupAccountNameW,GetLastError,LookupAccountNameW,IsValidSid,ConvertSidToStringSidW,LocalFree, 0_2_00BA204B
Source: C:\Users\user\Desktop\RemoteDelProf.exe Code function: 0_2_00BA81A0 GetVersionExW, 0_2_00BA81A0
No contacted IP infos