Windows Analysis Report
TimerResolution.exe

Overview

General Information

Sample name: TimerResolution.exe
Analysis ID: 1653647
MD5: 5d5b10f027b46bce47b32f6c07b35495
SHA1: 4b9ef1e435900cccae8db2ea488e43bf305177a0
SHA256: 26193ddfb8bc9dec038de4f2003f6a8a7ff99dd1a779815c198cb1616cdb2e89
Tags: exe, jmutanensoftwareOy, user-SquiblydooBlog

Detection

Score: 48
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

AV Detection

Source: TimerResolution.exe Virustotal: Detection: 13%
Source: TimerResolution.exe Static PE information: certificate valid
Source: TimerResolution.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\source\repos\zabriiii\zabriiii\obj\Debug\TimerResolution.pdbp. source: TimerResolution.exe
Source: Binary string: C:\Users\Administrator\source\repos\zabriiii\zabriiii\obj\Debug\TimerResolution.pdb source: TimerResolution.exe
Source: TimerResolution.exe String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: TimerResolution.exe String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: TimerResolution.exe String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: TimerResolution.exe String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: TimerResolution.exe String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: TimerResolution.exe String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: TimerResolution.exe String found in binary or memory: http://ocsps.ssl.com0
Source: TimerResolution.exe String found in binary or memory: http://ocsps.ssl.com0?
Source: TimerResolution.exe String found in binary or memory: http://ocsps.ssl.com0P
Source: TimerResolution.exe String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: TimerResolution.exe String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: TimerResolution.exe String found in binary or memory: https://www.ssl.com/repository0
Source: TimerResolution.exe, 00000000.00000002.871242738.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs TimerResolution.exe
Source: classification engine Classification label: mal48.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\TimerResolution.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TimerResolution.exe.log
Source: C:\Users\user\Desktop\TimerResolution.exe Mutant created: NULL
Source: TimerResolution.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TimerResolution.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\TimerResolution.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\TimerResolution.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\TimerResolution.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\TimerResolution.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TimerResolution.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\TimerResolution.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\TimerResolution.exe Section loaded: ucrtbase_clr0400.dll
Source: TimerResolution.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TimerResolution.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TimerResolution.exe Static PE information: 0xC3C2C2AA [Sat Jan 27 23:22:18 2074 UTC]
Source: C:\Users\user\Desktop\TimerResolution.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TimerResolution.exe Memory allocated: 1170000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TimerResolution.exe Memory allocated: 2D30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TimerResolution.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\TimerResolution.exe TID: 7164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\TimerResolution.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\TimerResolution.exe Queries volume information: C:\Users\user\Desktop\TimerResolution.exe VolumeInformation
No contacted IP infos