Windows Analysis Report
7zba89tklZ.exe

Overview

General Information

Sample name: 7zba89tklZ.exe (renamed because the original name is a hash value)
Original sample name: 2b5e1dfe4e4db4e886b079f054182055.exe
Analysis ID: 1579669
MD5: 2b5e1dfe4e4db4e886b079f054182055
SHA1: d90e2828ea0082917583975f4a054f7c85d45053
SHA256: 92382cc3402b6fb7cbd68fe7fa49a00ae204682a90fe0b4e69a6ef2c6d324793
Tags: exe user-abuse_ch

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Virustotal: Detection: 62%
Source: 7zba89tklZ.exe Virustotal: Detection: 62%
Source: 7zba89tklZ.exe ReversingLabs: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Joe Sandbox ML: detected
Source: 7zba89tklZ.exe Joe Sandbox ML: detected
Source: 7zba89tklZ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7zba89tklZ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004F184C __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__EH_prolog3,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_004F184C
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004F17EC OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_004F17EC
Source: C:\Users\user\Desktop\7zba89tklZ.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004F7529 0_2_004F7529
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004F19DF 0_2_004F19DF
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004FB464 0_2_004FB464
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004FBC1E 0_2_004FBC1E
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004FB836 0_2_004FB836
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004FAC31 0_2_004FAC31
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004FB0C6 0_2_004FB0C6
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: 3_2_0037B836 3_2_0037B836
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: 3_2_0037AC31 3_2_0037AC31
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: 3_2_0037BC1E 3_2_0037BC1E
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: 3_2_0037B464 3_2_0037B464
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: 3_2_0037B0C6 3_2_0037B0C6
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: 3_2_00377529 3_2_00377529
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: 3_2_003719DF 3_2_003719DF
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: String function: 00371000 appears 40 times
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: String function: 004F1000 appears 40 times
Source: 7zba89tklZ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal76.evad.winEXE@3/2@0/0
Source: C:\Users\user\Desktop\7zba89tklZ.exe File created: C:\Users\user\AppData\Local\Microsoft\svcapp.exe
Source: C:\Users\user\Desktop\7zba89tklZ.exe Mutant created: \Sessions\1\BaseNamedObjects\DiamoTrix
Source: C:\Users\user\Desktop\7zba89tklZ.exe Command line argument: DiamoTrix 0_2_004F2235
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Command line argument: DiamoTrix 3_2_00372235
Source: 7zba89tklZ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7zba89tklZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7zba89tklZ.exe Virustotal: Detection: 62%
Source: 7zba89tklZ.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\7zba89tklZ.exe File read: C:\Users\user\Desktop\7zba89tklZ.exe
Source: unknown Process created: C:\Users\user\Desktop\7zba89tklZ.exe "C:\Users\user\Desktop\7zba89tklZ.exe"
Source: unknown Process created: C:\Users\user\Desktop\7zba89tklZ.exe "C:\Users\user\Desktop\7zba89tklZ.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\svcapp.exe "C:\Users\user\AppData\Local\Microsoft\svcapp.exe"
Source: C:\Users\user\Desktop\7zba89tklZ.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7zba89tklZ.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\7zba89tklZ.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\7zba89tklZ.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\7zba89tklZ.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\7zba89tklZ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7zba89tklZ.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7zba89tklZ.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\7zba89tklZ.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\7zba89tklZ.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\7zba89tklZ.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\7zba89tklZ.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Section loaded: netutils.dll
Source: 7zba89tklZ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 7zba89tklZ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 7zba89tklZ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 7zba89tklZ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 7zba89tklZ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 7zba89tklZ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004F1000 LoadLibraryA,GetProcAddress, 0_2_004F1000
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004F982B push ecx; ret 0_2_004F983E
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004FDB85 push ecx; ret 0_2_004FDB98
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: 3_2_0037982B push ecx; ret 3_2_0037983E
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: 3_2_0037DB85 push ecx; ret 3_2_0037DB98
Source: C:\Users\user\Desktop\7zba89tklZ.exe File created: C:\Users\user\AppData\Local\Microsoft\svcapp.exe
Source: C:\Users\user\Desktop\7zba89tklZ.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemHandler

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\7zba89tklZ.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\7zba89tklZ.exe Window / User API: threadDelayed 596
Source: C:\Users\user\Desktop\7zba89tklZ.exe Window / User API: threadDelayed 5050
Source: C:\Users\user\Desktop\7zba89tklZ.exe Window / User API: threadDelayed 3903
Source: C:\Users\user\Desktop\7zba89tklZ.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe API coverage: 9.9 %
Source: C:\Users\user\Desktop\7zba89tklZ.exe TID: 1996 Thread sleep count: 596 > 30
Source: C:\Users\user\Desktop\7zba89tklZ.exe TID: 1996 Thread sleep time: -29800000s >= -30000s
Source: C:\Users\user\Desktop\7zba89tklZ.exe TID: 5568 Thread sleep count: 5050 > 30
Source: C:\Users\user\Desktop\7zba89tklZ.exe TID: 5568 Thread sleep time: -4646000s >= -30000s
Source: C:\Users\user\Desktop\7zba89tklZ.exe TID: 5568 Thread sleep count: 3903 > 30
Source: C:\Users\user\Desktop\7zba89tklZ.exe TID: 5568 Thread sleep time: -3590760s >= -30000s
Source: C:\Users\user\Desktop\7zba89tklZ.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\7zba89tklZ.exe Thread delayed: delay time: 50000
Source: C:\Users\user\Desktop\7zba89tklZ.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\7zba89tklZ.exe Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004F2235 CreateMutexA,GetLastError,CloseHandle,ExitProcess,IsDebuggerPresent,CreateThread,Sleep, 0_2_004F2235
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004F1000 LoadLibraryA,GetProcAddress, 0_2_004F1000
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004FCA46 SetUnhandledExceptionFilter, 0_2_004FCA46
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004F8A8F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004F8A8F
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_005002B8 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005002B8
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: 3_2_0037CA46 SetUnhandledExceptionFilter, 3_2_0037CA46
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: 3_2_003802B8 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_003802B8
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: 3_2_00378A8F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00378A8F
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_00501453
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: GetLocaleInfoW,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 0_2_00502CBB
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00502D95
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0050125C
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 0_2_00502A77
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_00501624
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_005016E4
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_00501351
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0050174B
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 0_2_00501BCC
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_005013F8
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_00501787
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: GetLocaleInfoA, 0_2_00502BAC
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_00381453
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 3_2_00382CBB
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_00382D95
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_00381624
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 3_2_00382A77
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_0038125C
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_003816E4
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 3_2_00381351
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_0038174B
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: GetLocaleInfoA, 3_2_00382BAC
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 3_2_00381787
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 3_2_003813F8
Source: C:\Users\user\AppData\Local\Microsoft\svcapp.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 3_2_00381BCC
Source: C:\Users\user\Desktop\7zba89tklZ.exe Code function: 0_2_004FDD2F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004FDD2F
No contacted IP infos