Windows Analysis Report
B2jvp2z64b.exe

Overview

General Information

Sample name: B2jvp2z64b.exe
(renamed because the original name is a hash value)
Original sample name: 32981e515739fc492c8575630ed3073de6709308ed4c8d6969950f4a1f01b954.exe
Analysis ID: 1671295
MD5: 4c330219d80744b009ac5b6cc5a3a7a6
SHA1: b58478003bbe9ae24b7bdcc89f5a4bbb6127c5e6
SHA256: 32981e515739fc492c8575630ed3073de6709308ed4c8d6969950f4a1f01b954
Detection

Score: 48
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Found potential string decryption / allocating functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: B2jvp2z64b.exe Virustotal: Detection: 6%
Source: B2jvp2z64b.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Code function: 0_2_00403E58 lstrcpyW,lstrcpyW,GetDlgItem,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,InternetOpenW,InternetOpenW,InternetConnectW,GetDlgItem,lstrlenW,InternetSetOptionW,lstrlenW,InternetSetOptionW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrcpyW,lstrcatW,HttpOpenRequestW,HttpSendRequestW,HttpQueryInfoW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep,CreateThread,ExitThread,HttpQueryInfoW,HttpQueryInfoW,lstrlenW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpyW,lstrcatW,lstrcpyW,lstrcpyW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CloseHandle,CreateThread,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,TerminateThread,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,HttpQueryInfoW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,CloseHandle,lstrcpyW,lstrcatW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetCloseHandle,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,GetDlgItem,TerminateThread,TerminateThread,TerminateThread,TerminateThread,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcpyW,GetDlgItem,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CloseHandle,ExitProcess,ShowWindow,ShowWindow,ShowWindow,SetForegroundWindow,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00403E58
Source: B2jvp2z64b.exe String found in binary or memory: http://sasmain.symantec.com/729532/5M6G000O/004O003NAcWGeQ-CMBH7E-AAAPs-AACo-juFkZ
Source: B2jvp2z64b.exe, 00000000.00000002.615830880.0000000000409000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://sasmain.symantec.com/729532/5M6G000O/004O003NAcWGeQ-CMBH7E-AAAPs-AACo-juFkZhttp://sasmain.sym
Source: B2jvp2z64b.exe String found in binary or memory: http://sasmain.symantec.com/729533/5M6G000O/004O003NAcWGeQ-CMBH7E-AAAPs-AACo-juFkZ
Source: B2jvp2z64b.exe String found in binary or memory: http://sasmain.symantec.com/729537/000O/004O003NAcWGeQ-CMBH7E-AAAPs-AACo-juFkZ
Source: B2jvp2z64b.exe String found in binary or memory: http://spftrl.digitalriver.com/pub/symantec/2004/NAV10ESD.exe
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Code function: String function: 0040654B appears 34 times
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Code function: String function: 0040116F appears 123 times
Source: classification engine Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Code function: 0_2_00401803 lstrlenW,GetDiskFreeSpaceExA, 0_2_00401803
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Code function: 0_2_00401000 lstrcpyW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,CoInitialize,CoCreateInstance, 0_2_00401000
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Code function: 0_2_0040116F FindResourceW,LoadResource,LockResource, 0_2_0040116F
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Mutant created: \Sessions\1\BaseNamedObjects\0000008300000018000000A8DS
Source: B2jvp2z64b.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\B2jvp2z64b.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: B2jvp2z64b.exe String found in binary or memory: PAD3PA0SOFTWARE\Symantec\CCPD-LC\KStore\ERROR!PAPermissions Error!PAERROR: You are required to be logged in with Administrative privileges to run this software!PAWarningA file already exists with this name, do you wish to overwrite it?PAPress Start to begin downloading...Disconnecting...PAPlease specify the location to save the file...URL Parse errorWarning: Unable to store the download location. You will have to re-specify the location to download to if you need to resume the file-transfer.Server responded with invalid redirection location!Download successful!PAPAPAPADownloading...PAServer ErrorPACommunications Error! Reason: Server specified content length as being 0. Possible Solution: File may have already been downloaded. If this is not the case, try again later. If the problem persists, contact the vendor.PAProblem communicating with server! The file may no longer exist on server! Possible Solution: Try again later. If this problem persists, contact the vendor.Server is unable to resume the download!PACommunications ErrorPAProblem communicating with server! Reason: Unable to open URL. Possible Solution: Try again later. If problem persists, contact the vendor.PAError occured communicating with server! Please ensure you have an active internet connection and your proxy settings (if any) are correctly specified.PAConnecting to server...Unable to create save path!StatusPAStatsLaunch program when download completesPAStartStopPAFilename:Filesize:Downloaded:Transfer Rate:PAI would like to specify my Proxy informationPAProxy Server:Port:My proxy requires authenticationPAUsername:Password:OKPASuccess!PAThe software has been successfully downloaded. Click Finish to exit.FinishPAxDS download appears corrupt. Please re-download the xDS.PAError creating thread!PADownload AbortedPAThe download timed outPAThe application could not be loaded. 
This is most likely due to another instance of this application already runningResumePAShow ProxyPAHide ProxyPAYou did not specify a proxy serverPAYou did not specify a port for your proxyYou have not specified a username for your proxyPAYou did not specify a password for your proxyProxy settings errorPAThe file cannot be saved to the specified location as there is not enough free space availablePAPress Resume to continue downloadingPAThe file could not be created at the location you specifiedError updating local file! You may have to start the download again!Unable to overwrite file! Please ensure that the file is not currently in use!The file you are downloading has been updated. The download will need to be re-started!PA(11
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Window detected: Number of UI elements: 15
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Code function: 0_2_00406E60 push eax; ret 0_2_00406E74
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Code function: 0_2_00406E60 push eax; ret 0_2_00406E9C
Source: C:\Users\user\Desktop\B2jvp2z64b.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Code function: 0_2_00406886 GetProcessHeap,HeapAlloc, 0_2_00406886
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Code function: 0_2_00401CDE GetSystemTime,SystemTimeToFileTime, 0_2_00401CDE
Source: C:\Users\user\Desktop\B2jvp2z64b.exe Code function: 0_2_00405C03 GetVersionExW, 0_2_00405C03
No contacted IP information