Windows Analysis Report
usb_trj.exe

Overview

General Information

Sample name: usb_trj.exe
Analysis ID: 1615131
MD5: 1ec4818ef1d1445cba1ef871fb6c8a12
SHA1: f0f21705a96d37d599db4ed9be753669777bf8a7
SHA256: 220014864346178df1998c0bac4169934a5ed153c8efea0282f452787cfb9ec7

Detection

Score: 56
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Joe Sandbox ML detected suspicious sample
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

[Classification radar chart; axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]

AV Detection

Source: usb_trj.exe Virustotal: Detection: 13%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 91.7% probability
Source: usb_trj.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004053B8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_004053B8
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00442B80 GetKeyboardState, 0_2_00442B80
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00432AB8 NtdllDefWindowProc_A, 0_2_00432AB8
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0044CF50 NtdllDefWindowProc_A, 0_2_0044CF50
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00433260 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00433260
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00433310 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00433310
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00445A10 NtdllDefWindowProc_A,GetCapture, 0_2_00445A10
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0043BDA0 GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_0043BDA0
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0042CFB0 0_2_0042CFB0
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0043BDA0 0_2_0043BDA0
Source: C:\Users\user\Desktop\usb_trj.exe Code function: String function: 00406388 appears 93 times
Source: C:\Users\user\Desktop\usb_trj.exe Code function: String function: 004042E8 appears 69 times
Source: usb_trj.exe Static PE information: Resource name: RT_CURSOR type: DOS executable (COM, 0x8C-variant)
Source: usb_trj.exe Static PE information: Resource name: RT_DIALOG type: COM executable for DOS
Source: usb_trj.exe Static PE information: Section: UPX1 ZLIB complexity 0.9893180115582192
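The static PE facts above are the first things to reproduce independently: the Characteristics word, the UPX0/UPX1 section names, and a UPX1 section that zlib can barely compress (complexity 0.989). Two caveats belong next to them. The seven Characteristics flags listed sum to 0x818F, the value the Borland/Delphi linker typically writes (and the process opens HKEY_CURRENT_USER\Software\Borland\Delphi\Locales further down), so the flag set by itself says "Delphi", not "malicious". The RT_CURSOR and RT_DIALOG resources typed as DOS COM executables come from libmagic's heuristic for headerless COM files, which looks only at the leading byte or two (the "0x8C-variant" string is libmagic's label for a first byte of 0x8C); cursor and dialog resource data trip it routinely, so that finding should not count until the resource has been extracted and inspected. The Python below is an added example for this page, not Joe Sandbox code and not its metric: it decodes Characteristics, walks the section table, and scores each section by Shannon entropy and zlib compressibility (an approximation of the report's "ZLIB complexity", whose exact definition is Joe Sandbox's own). Because the sample is not available here, it assembles a constructed minimal PE32 image in memory with Characteristics 0x818F and two sections named UPX0/UPX1 filled with synthetic data.

```python
import hashlib
import json
import math
import struct
import zlib

# IMAGE_FILE_HEADER.Characteristics bits as named in winnt.h (IMAGE_FILE_ prefix dropped).
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
    0x8000: "BYTES_REVERSED_HI",
}


def decode_characteristics(value):
    """Names of the set Characteristics bits, lowest bit first (unknown bits ignored)."""
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if value & bit]


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for compressed/encrypted data, well below 6 for code or text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_ratio(data):
    """Compressed size over raw size; at or above 1.0 means zlib finds nothing left to squeeze."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def parse_sections(image):
    """Return (Characteristics, [(section name, raw bytes)]) from a PE image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER, 20 bytes
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", image, coff)
    sect_off = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        hdr = image[sect_off + 40 * i:sect_off + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return characteristics, sections


def triage(image, entropy_threshold=7.0):
    """Packer triage: a UPX-style name or near-random contents marks a section as packed."""
    characteristics, sections = parse_sections(image)
    result = {"characteristics": decode_characteristics(characteristics), "sections": []}
    for name, data in sections:
        ent, ratio = shannon_entropy(data), zlib_ratio(data)
        result["sections"].append({
            "name": name, "entropy": round(ent, 3), "zlib_ratio": round(ratio, 3),
            "packed": name.upper().startswith("UPX") or ent > entropy_threshold,
        })
    result["likely_packed"] = any(s["packed"] for s in result["sections"])
    return result


def build_constructed_pe(sections, characteristics=0x818F):
    """Assemble a minimal PE32 image for testing; constructed here, not the real sample.
    0x818F is the sum of the seven flags the report lists (the usual Borland/Delphi value)."""
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = -(-headers_len // file_align) * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, characteristics)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest unused here
    table, body, va = b"", b"", 0x1000
    for name, data in sections:
        size = -(-len(data) // file_align) * file_align
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), va, size, first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(size, b"\0")
        va += size
    return (dos + b"PE\0\0" + coff + optional + table).ljust(first_raw, b"\0") + body


# Constructed section contents: repetitive text (low entropy) and SHA-256 output standing
# in for compressed UPX1 data (high entropy). Neither comes from usb_trj.exe.
TEXT_BLOB = (b"plain, repetitive, easily compressed section content. " * 100)[:4096]
HIGH_ENTROPY_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
CONSTRUCTED_IMAGE = build_constructed_pe([(b"UPX0", TEXT_BLOB), (b"UPX1", HIGH_ENTROPY_BLOB)])

if __name__ == "__main__":
    print(json.dumps(triage(CONSTRUCTED_IMAGE), indent=2))
```

On a real UPX-packed file UPX0 has no raw data at all (it is the virtual region the stub unpacks into) and UPX1 carries the compressed payload, so the name test and the entropy test will normally agree; the entropy threshold of 7.0 is an assumption, and a section that scores high without a UPX name is the more interesting case, since it points at a custom packer or an encrypted payload rather than off-the-shelf UPX.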
Source: classification engine Classification label: mal56.evad.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0041E118 GetLastError,FormatMessageA, 0_2_0041E118
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0040856E GetDiskFreeSpaceA, 0_2_0040856E
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0040D77C CreateToolhelp32Snapshot, 0_2_0040D77C
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004163B0 FindResourceA,LoadResource,SizeofResource,LockResource, 0_2_004163B0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2844:120:WilError_03
Source: C:\Users\user\Desktop\usb_trj.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\usb_trj.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\usb_trj.exe "C:\Users\user\Desktop\usb_trj.exe"
Source: C:\Users\user\Desktop\usb_trj.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\usb_trj.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\usb_trj.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\usb_trj.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004242E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004242E4
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0044CD24 push 0044CDB1h; ret 0_2_0044CDA9
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0040E008 push 0040E034h; ret 0_2_0040E02C
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004240EC push 00424118h; ret 0_2_00424110
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0040610C push 00406138h; ret 0_2_00406130
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00406184 push 004061B0h; ret 0_2_004061A8
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004161B8 push ecx; mov dword ptr [esp], edx 0_2_004161BA
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004362D8 push 00436304h; ret 0_2_004362FC
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004283C4 push ecx; mov dword ptr [esp], edx 0_2_004283C8
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004225F0 push 004226C0h; ret 0_2_004226B8
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00428664 push ecx; mov dword ptr [esp], edx 0_2_00428668
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004227D0 push 004227FCh; ret 0_2_004227F4
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0043C854 push 0043C8BFh; ret 0_2_0043C8B7
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00426864 push 00426890h; ret 0_2_00426888
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00426818 push 0042685Ah; ret 0_2_00426852
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0042895C push 00428988h; ret 0_2_00428980
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00410966 push 004109DEh; ret 0_2_004109D6
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00410968 push 004109DEh; ret 0_2_004109D6
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00442920 push ecx; mov dword ptr [esp], ecx 0_2_00442924
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004269CC push 004269F8h; ret 0_2_004269F0
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0041A9DE push 0041AA8Bh; ret 0_2_0041AA83
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004109E0 push 00410A88h; ret 0_2_00410A80
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0041A9E0 push 0041AA8Bh; ret 0_2_0041AA83
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00424A70 push 00424ABFh; ret 0_2_00424AB7
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00424AE0 push 00424B0Ch; ret 0_2_00424B04
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00422A88 push 00422AB4h; ret 0_2_00422AAC
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00410A8A push 00410BB8h; ret 0_2_00410BB0
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0041AA90 push 0041AB20h; ret 0_2_0041AB18
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0040CB58 push ecx; mov dword ptr [esp], edx 0_2_0040CB5D
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00422B7C push 00422BA8h; ret 0_2_00422BA0
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00424B18 push 00424B44h; ret 0_2_00424B3C
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00424BC0 push 00424BECh; ret 0_2_00424BE4
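The `push <imm32>; ret` hits above are what fires the "Uses code obfuscation techniques (call, push, ret)" signature, and they deserve a second look before they count as evasion. Every pair in the list has the same shape: the pushed address is exactly 8 bytes past the `ret` (0x0044CDB1 - 0x0044CDA9 = 8, 0x0040E034 - 0x0040E02C = 8, 0x00424118 - 0x00424110 = 8, and so on down the list). That constant stride is the try/finally epilogue the Delphi compiler emits: `push @exit`, the finally block, `ret`, then a 5-byte `jmp @HandleFinally` and a 2-byte `jmp` back, which places `@exit` at ret + 1 + 5 + 2. Seen next to the HKEY_CURRENT_USER\Software\Borland\Delphi\Locales lookup and the VCL-style window handling (IsIconic, SetActiveWindow, DefWindowProc), this is compiler output, not hand-written control-flow obfuscation; the `push ecx; mov dword ptr [esp], edx` hits are consistent with the same compiler reserving a stack slot and storing a register argument into it. The Python below is an added example for this page, not Joe Sandbox code: it parses evidence lines in the exact format the report prints, computes the push-target-to-ret stride for each pair, and separately counts the API names listed per function so that GetProcAddress-heavy resolvers such as 0_2_004242E4 stand out. The idiom classification and the GetProcAddress threshold are my heuristics; the repetition count used for the reconstructed 0_2_004242E4 line is an assumption.

```python
import re
from collections import Counter

# Evidence lines quoted from the report above, in the exact format Joe Sandbox prints.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0044CD24 push 0044CDB1h; ret 0_2_0044CDA9
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0040E008 push 0040E034h; ret 0_2_0040E02C
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004240EC push 00424118h; ret 0_2_00424110
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0041A9DE push 0041AA8Bh; ret 0_2_0041AA83
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004161B8 push ecx; mov dword ptr [esp], edx 0_2_004161BA
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004053B8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_004053B8
Source: C:\Users\user\Desktop\usb_trj.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_004320B0
""".strip().splitlines() + [
    # The report prints 0_2_004242E4 as one LoadLibraryA followed by a long run of
    # GetProcAddress on a single line; 48 repetitions are assumed for this copy.
    r"Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004242E4 LoadLibraryA,"
    + "GetProcAddress," * 48 + " 0_2_004242E4",
]

PUSH_RET = re.compile(r"Code function: 0_2_([0-9A-F]{8}) push ([0-9A-F]{8})h; ret 0_2_([0-9A-F]{8})")
API_LIST = re.compile(r"Code function: (?:0_2_([0-9A-F]{8}) )?((?:\w+,)+) 0_2_([0-9A-F]{8})")


def push_ret_pairs(lines):
    """(function, pushed target, ret address, target - ret) for each 'push imm32; ret' record."""
    pairs = []
    for line in lines:
        m = PUSH_RET.search(line)
        if m:
            func, target, ret = (int(x, 16) for x in m.groups())
            pairs.append((func, target, ret, target - ret))
    return pairs


def classify_push_ret(pairs, delphi_stride=8):
    """Heuristic (mine, not Joe Sandbox's): the Delphi try/finally epilogue is
    'push @exit' ... 'ret' followed by a 5-byte jmp @HandleFinally and a 2-byte jmp,
    so @exit always sits 1 + 5 + 2 = 8 bytes past the ret. Hand-made push/ret
    redirection has no reason to keep such a constant stride."""
    strides = Counter(delta for *_, delta in pairs)
    if not strides:
        return "no push/ret pairs found"
    if set(strides) == {delphi_stride}:
        return "compiler idiom (Delphi try/finally epilogue, stride +%d)" % delphi_stride
    return "mixed strides, review manually: %s" % dict(strides)


def api_calls_per_function(lines):
    """Map function address -> Counter of the API names the report lists for it."""
    per_func = {}
    for line in lines:
        m = API_LIST.search(line)
        if m:
            func = int(m.group(1) or m.group(3), 16)
            per_func.setdefault(func, Counter()).update(n for n in m.group(2).split(",") if n)
    return per_func


def dynamic_resolvers(per_func, min_getprocaddress=8):
    """Functions that resolve many imports at run time; the threshold is an assumption."""
    return {f: c["GetProcAddress"] for f, c in per_func.items()
            if c["GetProcAddress"] >= min_getprocaddress}


if __name__ == "__main__":
    pairs = push_ret_pairs(REPORT_LINES)
    for func, target, ret, delta in pairs:
        print("func %08X: push %08X, ret at %08X, stride %+d" % (func, target, ret, delta))
    print(classify_push_ret(pairs))
    heavy = dynamic_resolvers(api_calls_per_function(REPORT_LINES))
    print("GetProcAddress-heavy functions:", {"%08X" % f: n for f, n in heavy.items()})
```

A uniform stride downgrades the obfuscation signature to compiler noise; it does not clear the sample. The GetProcAddress count is the finding that still matters, because a Delphi runtime resolving a few optional imports looks nothing like one function pulling dozens of names through a single LoadLibraryA, and that function is the one to open in a disassembler and read the string table it feeds to GetProcAddress.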
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00448268 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_00448268
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00432B40 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_00432B40
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0041AD24 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0041AD24
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00447134 IsIconic,GetCapture, 0_2_00447134
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004479E8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_004479E8
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0042FB68 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_0042FB68

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_00427550 0_2_00427550
Source: C:\Users\user\Desktop\usb_trj.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_004320B0
Source: C:\Users\user\Desktop\usb_trj.exe API coverage: 4.9 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004053B8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_004053B8
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0041E6A8 GetSystemInfo, 0_2_0041E6A8
Source: C:\Users\user\Desktop\usb_trj.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004242E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004242E4
Source: C:\Users\user\Desktop\usb_trj.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405570
Source: C:\Users\user\Desktop\usb_trj.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040C3A4
Source: C:\Users\user\Desktop\usb_trj.exe Code function: GetLocaleInfoA, 0_2_0040AE44
Source: C:\Users\user\Desktop\usb_trj.exe Code function: GetLocaleInfoA, 0_2_0040AE90
Source: C:\Users\user\Desktop\usb_trj.exe Code function: GetLocaleInfoA, 0_2_00405E66
Source: C:\Users\user\Desktop\usb_trj.exe Code function: GetLocaleInfoA, 0_2_00405E68
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_004098E0 GetLocalTime, 0_2_004098E0
Source: C:\Users\user\Desktop\usb_trj.exe Code function: 0_2_0044CD24 GetVersion, 0_2_0044CD24
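The two evasion hits in this section, the GetTickCount/Sleep delta behind "Contains functionality to detect sleep reduction / modifications" and the GetCurrentThreadId, GetCursorPos, WaitForSingleObject sequence behind "mouse cursor move detection", are the cheapest sandbox tests a sample can run: a sandbox that shortens Sleep to save analysis time leaves the tick counter behind, and a sandbox with nobody at the desk leaves the cursor where it was. The Python below is an added example written for this page, not code from usb_trj.exe or from Joe Sandbox. The Win32 calls are stood in for by an injectable clock, sleep and cursor object so the logic runs offline, and three constructed environments (an honest host, a sandbox that skips sleeps without touching its clock, and a sandbox that advances its clock consistently and simulates input) show which ones each check flags. The interface, the environments and the thresholds are all assumptions.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Env:
    """Stand-ins for GetTickCount, Sleep and GetCursorPos. The interface is assumed
    for this example; the real sample calls the Win32 functions directly."""
    tick_ms: int = 0
    cursor: Tuple[int, int] = (100, 100)
    sleep_scale: float = 1.0          # 1.0 = Sleep really waits; 0.0 = Sleep is skipped
    clock_matches_sleep: bool = True  # does the tick counter advance by the requested time anyway?
    user_present: bool = False        # does the cursor move while the sample waits?

    def get_tick_count(self) -> int:
        return self.tick_ms

    def sleep(self, ms: int) -> None:
        real_wait = int(ms * self.sleep_scale)
        self.tick_ms += ms if self.clock_matches_sleep else real_wait
        if self.user_present:
            x, y = self.cursor
            self.cursor = (x + 3, y + 1)

    def get_cursor_pos(self) -> Tuple[int, int]:
        return self.cursor


def sleep_skew_check(env: Env, requested_ms: int = 2000, tolerance_ms: int = 100):
    """GetTickCount, Sleep, GetTickCount: if less time passed than was requested,
    something shortened the sleep. Returns (flagged, observed_elapsed_ms)."""
    before = env.get_tick_count()
    env.sleep(requested_ms)
    elapsed = env.get_tick_count() - before
    return elapsed < requested_ms - tolerance_ms, elapsed


def cursor_idle_check(env: Env, samples: int = 3, interval_ms: int = 500):
    """GetCursorPos sampled across waits (the WaitForSingleObject in the report):
    a cursor that never moves suggests no user at the desk. Returns (flagged, positions)."""
    positions = [env.get_cursor_pos()]
    for _ in range(samples - 1):
        env.sleep(interval_ms)
        positions.append(env.get_cursor_pos())
    return len(set(positions)) == 1, positions


def looks_like_sandbox(env: Env) -> dict:
    """Combine both checks; either one firing is enough for the sample to go idle."""
    skewed, elapsed = sleep_skew_check(env)
    idle, _ = cursor_idle_check(env)
    return {"sleep_skipped": skewed, "elapsed_ms": elapsed, "cursor_idle": idle,
            "verdict": skewed or idle}


# Three constructed environments (assumptions, not measurements of any real sandbox).
def real_host() -> Env:
    """Sleep waits for real, the clock keeps up, and a user is moving the mouse."""
    return Env(sleep_scale=1.0, clock_matches_sleep=True, user_present=True)


def naive_sandbox() -> Env:
    """Skips Sleep to save analysis time but leaves GetTickCount and the cursor alone."""
    return Env(sleep_scale=0.0, clock_matches_sleep=False, user_present=False)


def hardened_sandbox() -> Env:
    """Skips Sleep but advances the tick counter consistently and simulates input."""
    return Env(sleep_scale=0.0, clock_matches_sleep=True, user_present=True)


if __name__ == "__main__":
    for name, factory in [("real host", real_host), ("naive sandbox", naive_sandbox),
                          ("hardened sandbox", hardened_sandbox)]:
        print(name, looks_like_sandbox(factory()))
```

The hardened environment is the countermeasure: when Sleep is shortened, every time source the sample can reach (GetTickCount, GetTickCount64, QueryPerformanceCounter, GetSystemTime, NtQuerySystemTime) has to move forward by the same amount, and synthetic mouse movement has to be fed in across the whole run, otherwise the sample quietly takes the idle branch and the report ends up, as this one does, with "Program does not show much activity (idle)" and no dropped files, registry changes or network traffic to analyse. The cost on the sample's side is the false positive the author accepts: an unattended real machine also fails the cursor check.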
No contacted IP information