Windows Analysis Report
ghXWQEsbaV.exe

Overview

General Information

Sample name: ghXWQEsbaV.exe
(file extension renamed from bin to exe because the original name is a hash value)
Original sample name: 2ccda41e7724e08b58cc1ab45785a994ed9aa02b26304b36842b744bba9c4f30.bin
Analysis ID: 1579934
MD5: 8dfeda23d5b11396a0ecb39ed563f539
SHA1: fe3abcdc59cd077ecf316cddba14d0b95c240951
SHA256: 2ccda41e7724e08b58cc1ab45785a994ed9aa02b26304b36842b744bba9c4f30

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

AI detected suspicious sample
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 81.4% probability
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe File created: C:\Users\user\AppData\Local\Temp\DeepL auto-start 0install Stub Error Log.txt
Source: ghXWQEsbaV.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .pdbm source: ghXWQEsbaV.exe, 00000000.00000002.1670789355.000000000058A000.00000004.00000020.00020000.00000000.sdmp
Source: ghXWQEsbaV.exe String found in binary or memory: https://appdownload.deepl.com/windows/0install/deepl.xml
Source: ghXWQEsbaV.exe, 00000000.00000000.1666918884.0000000000046000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameZeroInstall.Stub.exe4 vs ghXWQEsbaV.exe
Source: ghXWQEsbaV.exe Binary or memory string: OriginalFilenameZeroInstall.Stub.exe4 vs ghXWQEsbaV.exe
Source: classification engine Classification label: sus23.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ghXWQEsbaV.exe.log
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Mutant created: NULL
Source: ghXWQEsbaV.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ghXWQEsbaV.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ghXWQEsbaV.exe String found in binary or memory: run --no-wait --command auto-start https://appdownload.deepl.com/windows/0install/deepl.xml
Source: ghXWQEsbaV.exe String found in binary or memory: YDeepL auto-start 0install Stub Error Log.txt
Source: ghXWQEsbaV.exe String found in binary or memory: DeepL auto-start
Source: ghXWQEsbaV.exe String found in binary or memory: FileDescriptionDeepL auto-start0
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe File read: C:\Users\user\Desktop\ghXWQEsbaV.exe
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: ghXWQEsbaV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ghXWQEsbaV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ghXWQEsbaV.exe Static PE information: 0xD5070209 [Sat Apr 3 19:31:21 2083 UTC]
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Memory allocated: 2160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Memory allocated: 1A160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe TID: 7468 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe Queries volume information: C:\Users\user\Desktop\ghXWQEsbaV.exe VolumeInformation
No contacted IP information