Windows Analysis Report
launcher.exe

Overview

General Information

Sample Name: launcher.exe
Analysis ID: 559688
MD5: c9cc40ba96923d0e612d7d6755872da3
SHA1: ae0e3636450733ba8caa861962665e799a0849ad
SHA256: 9cb691875fb810b4cd4acb4c9b45d5e03a6aca27ecbe0630319162a895c0d128

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Contains long sleeps (>= 3 min)

Classification

clean (active label of the classification bar; the engine's full label is listed under System Summary)

System Summary

Source: launcher.exe Binary or memory string: OriginalFilename vs launcher.exe (the OriginalFilename field of the version resource is empty or differs from the sample name; this is the basis of the "Sample file is different than original file name" signature)
Source: launcher.exe, 00000001.00000002.294792027.0000018CDBD4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs launcher.exe (this second hit comes from the CLR's own version resource mapped in the process memory dump, not from the sample's, and should not be counted against launcher.exe)
Source: launcher.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\launcher.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies key; the .NET runtime consults it when loading assemblies, so this access is expected for a managed executable)
Source: launcher.exe String found in binary or memory: -stop_roslyn
Source: launcher.exe String found in binary or memory: /stop_roslyn
Source: launcher.exe String found in binary or memory: -start
(each string occurs several times; they read as command-line switches of the launcher, consistent with the cs-script.npp PDB path below)
Source: C:\Users\user\Desktop\launcher.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: classification engine Classification label: clean2.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\launcher.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\launcher.exe.log (assembly usage log written by the .NET Framework 4.x runtime for any managed process; together with the mscorlib.ni.dll load above it confirms the sample is a .NET executable)
Source: launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: launcher.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\dev\Galos\cs-script.npp\src\launcher\obj\Release\launcher.pdb source: launcher.exe
Source: C:\Users\user\Desktop\launcher.exe Process information set: NOOPENFILEERRORBOX (9 occurrences; corresponds to SetErrorMode(SEM_NOOPENFILEERRORBOX), which suppresses the OS dialog on failed file opens and is commonly set by managed applications)
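The static PE lines above (the DllCharacteristics flags, the DEBUG and COM descriptor data directories, the .text section flags, and the hashes under General Information) can be reproduced from the file alone, without a sandbox. The script below is an added example, not code from this report or from the cs-script project: it parses the headers with the Python standard library only, and, because launcher.exe itself is not on the page, exercises the parser on a constructed PE32+ header that carries the same flag combination (0x8560) the report lists. Offsets, bit values and directory indexes are those of winnt.h.

```python
"""Static PE checks matching the report's 'Static PE information' lines:
DllCharacteristics, DEBUG / COM descriptor data directories, section flags,
plus the MD5/SHA1/SHA256 identifiers. Standard library only (no pefile)."""
import hashlib
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# IMAGE_SECTION_HEADER.Characteristics bits
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
DIR_DEBUG = 6            # IMAGE_DIRECTORY_ENTRY_DEBUG (points at the PDB path record)
DIR_COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET metadata present)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> file header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:    # PE32+ (64-bit image): DllCharacteristics @70, NumberOfRvaAndSizes @108
        dllchar_off, ndirs_off, dirs_off = opt + 70, opt + 108, opt + 112
    elif magic == 0x10B:  # PE32: same DllCharacteristics offset, shorter stack/heap fields
        dllchar_off, ndirs_off, dirs_off = opt + 70, opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchar = struct.unpack_from("<H", data, dllchar_off)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * i)
        if rva or size:
            dirs[i] = (rva, size)
    sections = []
    sec = opt + opt_size  # section table follows the optional header
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, sec + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        flags = [n for bit, n in SECTION_CHARACTERISTICS.items() if fields[-1] & bit]
        sections.append((name, flags))
    return {
        "machine": machine,
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchar & bit],
        "managed": DIR_COM_DESCRIPTOR in dirs,
        "has_debug": DIR_DEBUG in dirs,
        "sections": sections,
    }


def missing_hardening(info: dict) -> list:
    """Hardening flags a modern 64-bit image is expected to carry but does not."""
    expected = {"DYNAMIC_BASE", "NX_COMPAT", "HIGH_ENTROPY_VA"}
    return sorted(expected - set(info["dll_characteristics"]))


def file_hashes(data: bytes) -> dict:
    """Identifiers as listed under General Information, for matching a local copy."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def build_sample_pe() -> bytes:
    """Constructed PE32+ header (not the report's launcher.exe): one .text section,
    DllCharacteristics 0x8560 and non-empty DEBUG / COM descriptor directories."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x200, 0x200, 0, 0x2000, 0x2000)
    opt += struct.pack("<QIIHHHHHHIIIIHH", 0x140000000, 0x2000, 0x200,
                       6, 0, 0, 0, 6, 0, 0, 0x4000, 0x200, 0, 3, 0x8560)
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_DEBUG] = (0x2100, 0x1C)
    dirs[DIR_COM_DESCRIPTOR] = (0x2008, 0x48)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x2000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)  # CODE | EXECUTE | READ
    return (dos + b"PE\0\0" + file_header + opt + section).ljust(0x400, b"\0")


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print("Static PE information:", ", ".join(info["dll_characteristics"]))
    print("managed:", info["managed"], "| debug dir:", info["has_debug"], "| sections:", info["sections"])
    print("missing hardening:", missing_hardening(info), "|", file_hashes(sample))
```

To run it against a real sample, pass `open(path, "rb").read()` to `parse_pe` and compare `file_hashes` with the values under General Information before trusting any further conclusion; a hash mismatch means the file on disk is not the one this report describes.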

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\launcher.exe TID: 6224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\launcher.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\launcher.exe Memory allocated: page read and write | page guard
(922337203685477 is .NET's TimeSpan.MaxValue expressed in milliseconds, Int64.MaxValue 100 ns ticks divided by 10,000, i.e. an unbounded wait rather than a timed sleep picked to outlast a sandbox; this is consistent with, though not proof of, a launcher that blocks until it is told to stop, as the -start / -stop_roslyn switches suggest)

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\launcher.exe Queries volume information: C:\Users\user\Desktop\launcher.exe VolumeInformation (a single volume-information query on the sample's own path; on its own this is not fingerprinting)
No contacted IPs.