Windows Analysis Report
j1gw88aHdL.exe

Overview

General Information

Sample name: j1gw88aHdL.exe
Renamed because the original name is a hash value
Original sample name: fd682a2c1ed42403a8e943010f660f79.exe
Analysis ID: 1580957
MD5: fd682a2c1ed42403a8e943010f660f79
SHA1: 0c20c808746dd38cffe1d474ade5031d1611f041
SHA256: 131a0064f14f3bad96b0be6d61638f0ef51d110109d4242134af9261a191ffc1
Tags: exe, user-abuse_ch

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)

AV Detection

Source: j1gw88aHdL.exe Virustotal: Detection: 9%
Source: j1gw88aHdL.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: 0_2_00007FF7D4BF9280 FindFirstFileExW,FindClose, 0_2_00007FF7D4BF9280
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: 0_2_00007FF7D4C11874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7D4C11874
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: 0_2_00007FF7D4BF83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00007FF7D4BF83C0
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: String function: 00007FF7D4BF2710 appears 52 times
Source: classification engine Classification label: mal48.winEXE@1/0@0/0
Source: j1gw88aHdL.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\j1gw88aHdL.exe File read: C:\Users\user\Desktop\j1gw88aHdL.exe
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Section loaded: wintypes.dll
Source: j1gw88aHdL.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: j1gw88aHdL.exe Static file information: File size 17226969 > 1048576
Source: j1gw88aHdL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: j1gw88aHdL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: j1gw88aHdL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: j1gw88aHdL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: j1gw88aHdL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: j1gw88aHdL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: j1gw88aHdL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: j1gw88aHdL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: j1gw88aHdL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: j1gw88aHdL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: j1gw88aHdL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: 0_2_00007FF7D4BF76C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError, 0_2_00007FF7D4BF76C0
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\j1gw88aHdL.exe API coverage: 5.2 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: 0_2_00007FF7D4C0A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7D4C0A614
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: 0_2_00007FF7D4C13480 GetProcessHeap, 0_2_00007FF7D4C13480
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: 0_2_00007FF7D4BFC8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7D4BFC8A0
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: 0_2_00007FF7D4BFD12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7D4BFD12C
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: 0_2_00007FF7D4BFD30C SetUnhandledExceptionFilter, 0_2_00007FF7D4BFD30C
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: 0_2_00007FF7D4C19570 cpuid 0_2_00007FF7D4C19570
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: 0_2_00007FF7D4BFD010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7D4BFD010
Source: C:\Users\user\Desktop\j1gw88aHdL.exe Code function: 0_2_00007FF7D4C15E7C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF7D4C15E7C
No contacted IP information