Windows Analysis Report
diCTAJuHTs.exe

Overview

General Information

Sample name: diCTAJuHTs.exe
renamed because original name is a hash value
Original sample name: 9ecab398729b9a2e9d1c843707c40054.exe
Analysis ID: 1580282
MD5: 9ecab398729b9a2e9d1c843707c40054
SHA1: 282b755423a18cf801f013694b9d4a4ff04a0d78
SHA256: 68a7291a46870781bb9088ac64e7890087eb5ca851973c0d8d0b7566e650eabc
Tags: exeuser-abuse_ch

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

AV Detection

Source: diCTAJuHTs.exe Virustotal: Detection: 37%
Source: diCTAJuHTs.exe ReversingLabs: Detection: 42%
Source: diCTAJuHTs.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF2C06C _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 0_2_00007FF7DDF2C06C
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF21DAC _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF7DDF21DAC
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF2FF2C 0_2_00007FF7DDF2FF2C
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF19760 0_2_00007FF7DDF19760
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF11B80 0_2_00007FF7DDF11B80
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF17FCC 0_2_00007FF7DDF17FCC
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF22BE0 0_2_00007FF7DDF22BE0
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF287F4 0_2_00007FF7DDF287F4
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF1E80C 0_2_00007FF7DDF1E80C
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF30010 0_2_00007FF7DDF30010
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF33C18 0_2_00007FF7DDF33C18
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF2B13C 0_2_00007FF7DDF2B13C
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF1A060 0_2_00007FF7DDF1A060
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF2C06C 0_2_00007FF7DDF2C06C
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF2E0C0 0_2_00007FF7DDF2E0C0
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF2E4EC 0_2_00007FF7DDF2E4EC
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF1790D 0_2_00007FF7DDF1790D
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF2B13C 0_2_00007FF7DDF2B13C
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF1E5A4 0_2_00007FF7DDF1E5A4
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF21DAC 0_2_00007FF7DDF21DAC
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF26DE0 0_2_00007FF7DDF26DE0
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF29200 0_2_00007FF7DDF29200
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF30A18 0_2_00007FF7DDF30A18
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF24684 0_2_00007FF7DDF24684
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF17AA4 0_2_00007FF7DDF17AA4
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF302A4 0_2_00007FF7DDF302A4
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF162D0 0_2_00007FF7DDF162D0
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF182D8 0_2_00007FF7DDF182D8
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF21DAC 0_2_00007FF7DDF21DAC
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF20700 0_2_00007FF7DDF20700
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: String function: 00007FF7DDF12760 appears 41 times
Source: classification engine Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF16FA0 GetLastError,FormatMessageW,WideCharToMultiByte, 0_2_00007FF7DDF16FA0
Source: diCTAJuHTs.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: diCTAJuHTs.exe Virustotal: Detection: 37%
Source: diCTAJuHTs.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\diCTAJuHTs.exe File read: C:\Users\user\Desktop\diCTAJuHTs.exe
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Section loaded: wintypes.dll
Source: diCTAJuHTs.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: diCTAJuHTs.exe Static file information: File size 14444897 > 1048576
Source: diCTAJuHTs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: diCTAJuHTs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: diCTAJuHTs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: diCTAJuHTs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: diCTAJuHTs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: diCTAJuHTs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: diCTAJuHTs.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: diCTAJuHTs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: diCTAJuHTs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: diCTAJuHTs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: diCTAJuHTs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: diCTAJuHTs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: diCTAJuHTs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: diCTAJuHTs.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF13C90 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF7DDF13C90
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\diCTAJuHTs.exe API coverage: 6.7 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF2C06C _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 0_2_00007FF7DDF2C06C
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF21DAC _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF7DDF21DAC
Source: diCTAJuHTs.exe Binary or memory string: jqEMu
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF25750 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7DDF25750
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF2DB48 GetProcessHeap, 0_2_00007FF7DDF2DB48
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF25750 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7DDF25750
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF1B0C4 SetUnhandledExceptionFilter, 0_2_00007FF7DDF1B0C4
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF1A8DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7DDF1A8DC
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF1AEE0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7DDF1AEE0
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF33A60 cpuid 0_2_00007FF7DDF33A60
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF1ADC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7DDF1ADC8
Source: C:\Users\user\Desktop\diCTAJuHTs.exe Code function: 0_2_00007FF7DDF30010 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF7DDF30010
No contacted IP infos