Windows Analysis Report
isaac-ng.exe

Overview

General Information

Sample name: isaac-ng.exe
Analysis ID: 1670014
MD5: 0befc0730d9fe25f64613131138f4951
SHA1: 7384f5f2d36c43bc5d003f8ed9d56b905135bf24
SHA256: b9c5066cd8282589f83f322db934cfe034c51357f32ed73a24b46f94696ec06c
Tags: exe, user-Pliplam

Detection

Score: 4
Range: 0 - 100
Confidence: 60%

Signatures

Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious]
Source: isaac-ng.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: isaac-ng.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\builderbob\projects\Isaac-Repentance-Plus\Bin\Win32\Submission\isaac-ng_Submission.pdb source: isaac-ng.exe
Source: Binary string: E:\builderbob\projects\Isaac-Repentance-Plus\Bin\Win32\Submission\isaac-ng_Submission.pdbK source: isaac-ng.exe
Source: isaac-ng.exe String found in binary or memory: https://isaactest.vgrnd.com/api-file-upload.php
Source: isaac-ng.exe String found in binary or memory: https://isaactest.vgrnd.com/api-file-upload.phpdesync_screenshot.pngsessionidFailed
Source: isaac-ng.exe, 00000000.00000000.1141794290.0000000000D42000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: DirectInput8Create memstr_265668cb-8
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_006A9030 0_2_006A9030
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009A90F0 0_2_009A90F0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009E2800 0_2_009E2800
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_006C7140 0_2_006C7140
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0073E130 0_2_0073E130
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00988110 0_2_00988110
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00A7D2B0 0_2_00A7D2B0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00997AB0 0_2_00997AB0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00A65AE0 0_2_00A65AE0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 0_2_0076A230
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009A72C0 0_2_009A72C0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0099DAE0 0_2_0099DAE0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009F22E0 0_2_009F22E0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_006A5360 0_2_006A5360
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00867B90 0_2_00867B90
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00EF7390 0_2_00EF7390
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00853B20 0_2_00853B20
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076C470 0_2_0076C470
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009CACA0 0_2_009CACA0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009C6CD0 0_2_009C6CD0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00A6F4C0 0_2_00A6F4C0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009CB410 0_2_009CB410
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00C4EDC0 0_2_00C4EDC0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00BB8DF0 0_2_00BB8DF0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00A275C0 0_2_00A275C0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00914D30 0_2_00914D30
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_006A6DD0 0_2_006A6DD0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00943D40 0_2_00943D40
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009C76A0 0_2_009C76A0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00942610 0_2_00942610
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_006A4F60 0_2_006A4F60
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009CA7C0 0_2_009CA7C0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: String function: 00C794C0 appears 193 times
Source: classification engine Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\isaac-ng.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: isaac-ng.exe String found in binary or memory: resources/gfx/ui/LoadingSpinner.anm2
Source: isaac-ng.exe String found in binary or memory: resources/gfx/ui/LoadingSpinner.anm2IdleWelcome to The Binding of Isaac: Repentance+ Beta!\n\nThis is a fully featured beta, but be aware that it may crash or have other issues. Repentance+ uses its own save files and your Repentance saves are not touched so in the event of save issues, your backups remain intact.\n\nReport bugs to isaac@nicalis.com with the subject line\n#Repentance+Beta %s\n\nEnjoy playing online!v1.9.7.10ACCEPTDENYMods could be unstable until they have been updated to work with The Binding of Isaac: Repentance+. You may enable mods if you wish but do so at your own risk!ENABLEKEEP DISABLEDBy playing online multiplayer, you agree to the collection of data limited to your Steam username, Steam ID, installation directory, save data and game version number.\n\nThis data is collected only for and in relation to online bug fixing. If you don
Source: isaac-ng.exe String found in binary or memory: gfx/ui/loading.anm2
Source: isaac-ng.exe String found in binary or memory: #MOD_UNINSTALLINGgfx/ui/loading.anm2[ModManager] bad room config header in %s!
Source: isaac-ng.exe String found in binary or memory: gfx/ui/loadimages/loadimages-%03u_2.png
Source: isaac-ng.exe String found in binary or memory: gfx/ui/loadimages/greedmode/loadimages-g%03u_2.png
Source: isaac-ng.exe String found in binary or memory: gfx/ui/loadimages/loadimages-%03u.png
Source: isaac-ng.exe String found in binary or memory: gfx/ui/loadimages/greedmode/loadimages-g%03u.png
Source: isaac-ng.exe String found in binary or memory: font/PFTempestaSevenCondensed.fntfont/UpheavalExtended.fntRender Surface (Manager)font/Upheaval.fntstringtable_pc.staoptions.inigfx/ui/loadimages/loadimages-%03u_2.pngstringtable.stagfx/ui/cursor.anm2gfx/ui/Buttons.anm2Couldn't retrieve previous version of options config
Source: isaac-ng.exe String found in binary or memory: font/TeamMeatEx/TeamMeatEx10.fntfont/TeamMeatEx/TeamMeatEx12.fntfont/CJK/LanaPixel.fntfont/KR_MeatFont14.fntgfx/ui/loadimages/greedmode/loadimages-g%03u_2.pnggfx/ui/loadimages/loadimages-%03u.pngfont/TeamMeatEx/TeamMeatEx16.fntgfx/ui/loadimages/greedmode/loadimages-g%03u.pngFramebuffer Width: %d
Source: C:\Users\user\Desktop\isaac-ng.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\isaac-ng.exe Section loaded: steam_api.dll
Source: C:\Users\user\Desktop\isaac-ng.exe Section loaded: openal32.dll
Source: C:\Users\user\Desktop\isaac-ng.exe Section loaded: opengl32.dll
Source: C:\Users\user\Desktop\isaac-ng.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\isaac-ng.exe Section loaded: lua5.3.3r.dll
Source: C:\Users\user\Desktop\isaac-ng.exe Section loaded: libcurl.dll
Source: C:\Users\user\Desktop\isaac-ng.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\isaac-ng.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\isaac-ng.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\isaac-ng.exe Section loaded: glu32.dll
Source: isaac-ng.exe Static PE information: More than 3225 > 100 exports found
Source: isaac-ng.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: isaac-ng.exe Static file information: File size 8731088 > 1048576
Source: isaac-ng.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6a0a00
Source: isaac-ng.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: isaac-ng.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: isaac-ng.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: isaac-ng.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: isaac-ng.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: isaac-ng.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: isaac-ng.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: isaac-ng.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: isaac-ng.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: isaac-ng.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: isaac-ng.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00CC4750 __acrt_iob_func,abort,LoadLibraryA,GetProcAddress, 0_2_00CC4750
Source: initial sample Static PE information: section where entry point is pointing to: .bind
Source: isaac-ng.exe Static PE information: section name: .bind
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009A90F0 push ecx; mov dword ptr [esp], 3F800000h 0_2_009A912A
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00A240D0 push ecx; mov dword ptr [esp], 42200000h 0_2_00A2445F
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076A4C2
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076A550
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076AC6C
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076AC7A
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076ACA0
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076ACAC
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076AE7C
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076AE88
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076AFC1
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076AFCD
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076B2E1
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076B2ED
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076B4AB
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3FC00000h 0_2_0076B4B7
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_0076A230 push ecx; mov dword ptr [esp], 3F800000h 0_2_0076BE97
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009A72C0 push ecx; mov dword ptr [esp], 3F800000h 0_2_009A7351
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009A72C0 push ecx; mov dword ptr [esp], 3F800000h 0_2_009A74BC
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009A72C0 push ecx; mov dword ptr [esp], 3F800000h 0_2_009A7500
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009A72C0 push ecx; mov dword ptr [esp], 41000000h 0_2_009A76C9
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009A72C0 push ecx; mov dword ptr [esp], 41000000h 0_2_009A775E
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009A72C0 push ecx; mov dword ptr [esp], 3F800000h 0_2_009A77B8
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009A72C0 push ecx; mov dword ptr [esp], 41000000h 0_2_009A77FB
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00A5F2C0 push ecx; mov dword ptr [esp], 3F000000h 0_2_00A5F78A
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00853B20 push ecx; mov dword ptr [esp], 3F800000h 0_2_00853FB9
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00A64400 push ecx; mov dword ptr [esp], 3F800000h 0_2_00A6455F
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_009975C0 push ecx; mov dword ptr [esp], 40600000h 0_2_009977B2
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00A275C0 push ecx; mov dword ptr [esp], 3F800000h 0_2_00A278AE
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00A275C0 push ecx; mov dword ptr [esp], 3F800000h 0_2_00A27AF4
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00A275C0 push ecx; mov dword ptr [esp], 3F800000h 0_2_00A28803
Source: isaac-ng.exe Static PE information: section name: .bind entropy: 7.976926687848909
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\isaac-ng.exe Code function: 0_2_00D1F8A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00D1F8A9
No contacted IP infos