Windows Analysis Report
download.php

Overview

General Information

Sample Name: download.php (renamed file extension from php to exe)
Analysis ID: 606090
MD5: a2c883b0e7a1b002b088f52f647f2e2f
SHA1: 0ed075b4c2163cac0463f4f6b7961d0850e1fc05
SHA256: 27d4749a0db6fffdcc3744cb2ed29e8ffa8cc00140ee61faa3a4b0446d512076

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Program does not show much activity (idle)

Classification

Source: download.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: download.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_0040AEF4 FindFirstFileW,FindClose, 1_2_0040AEF4
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 1_2_0040A928
Source: download.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: download.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: download.exe, 00000001.00000002.247687779.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs download.exe
Source: download.exe, 00000001.00000003.247257082.0000000002268000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs download.exe
Source: download.exe Binary or memory string: OriginalFileName vs download.exe
Source: download.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: download.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004AF110
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004323DC 1_2_004323DC
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004255DC 1_2_004255DC
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_0040E9C4 1_2_0040E9C4
Source: C:\Users\user\Desktop\download.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\download.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\download.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource, 1_2_004AF9F0
Source: download.exe String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: download.exe String found in binary or memory: /LOADINF="filename"
Source: classification engine Classification label: clean5.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_0041A4DC GetDiskFreeSpaceW, 1_2_0041A4DC
Source: download.exe Static file information: File size 1735928 > 1048576
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004B5000 push 004B50DEh; ret 1_2_004B50D6
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004B5980 push 004B5A48h; ret 1_2_004B5A40
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_00458000 push ecx; mov dword ptr [esp], ecx 1_2_00458005
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_0049B03C push ecx; mov dword ptr [esp], edx 1_2_0049B03D
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004A00F8 push ecx; mov dword ptr [esp], edx 1_2_004A00F9
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_00458084 push ecx; mov dword ptr [esp], ecx 1_2_00458089
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004B1084 push 004B10ECh; ret 1_2_004B10E4
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004A1094 push ecx; mov dword ptr [esp], edx 1_2_004A1095
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_0041A0B4 push ecx; mov dword ptr [esp], ecx 1_2_0041A0B8
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004270BC push 00427104h; ret 1_2_004270FC
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_00458108 push ecx; mov dword ptr [esp], ecx 1_2_0045810D
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004321C8 push ecx; mov dword ptr [esp], edx 1_2_004321C9
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004A21D8 push ecx; mov dword ptr [esp], edx 1_2_004A21D9
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_0049E1B8 push ecx; mov dword ptr [esp], edx 1_2_0049E1B9
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_0049A260 push 0049A378h; ret 1_2_0049A370
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_00455268 push ecx; mov dword ptr [esp], ecx 1_2_0045526C
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004252D4 push ecx; mov dword ptr [esp], eax 1_2_004252D9
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004592FC push ecx; mov dword ptr [esp], edx 1_2_004592FD
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_0045B284 push ecx; mov dword ptr [esp], edx 1_2_0045B285
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_00430358 push ecx; mov dword ptr [esp], eax 1_2_00430359
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_00430370 push ecx; mov dword ptr [esp], eax 1_2_00430371
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_00459394 push ecx; mov dword ptr [esp], ecx 1_2_00459398
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004A1428 push ecx; mov dword ptr [esp], edx 1_2_004A1429
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_0049B424 push ecx; mov dword ptr [esp], edx 1_2_0049B425
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004A24D8 push ecx; mov dword ptr [esp], edx 1_2_004A24D9
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004224F0 push 004225F4h; ret 1_2_004225EC
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004304F0 push ecx; mov dword ptr [esp], eax 1_2_004304F1
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_00499490 push ecx; mov dword ptr [esp], edx 1_2_00499493
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_00458564 push ecx; mov dword ptr [esp], edx 1_2_00458565
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_00458574 push ecx; mov dword ptr [esp], edx 1_2_00458575
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_00457574 push ecx; mov dword ptr [esp], ecx 1_2_00457578
Source: download.exe Static PE information: section name: .didata
Source: C:\Users\user\Desktop\download.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 1_2_004AF91C
Source: C:\Users\user\Desktop\download.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 1_2_0040B044
Source: C:\Users\user\Desktop\download.exe Code function: GetLocaleInfoW, 1_2_0041E034
Source: C:\Users\user\Desktop\download.exe Code function: GetLocaleInfoW, 1_2_0041E080
Source: C:\Users\user\Desktop\download.exe Code function: GetLocaleInfoW, 1_2_004AF218
Source: C:\Users\user\Desktop\download.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_0040A4CC
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_00405AE0 cpuid 1_2_00405AE0
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy, 1_2_004B5114
Source: C:\Users\user\Desktop\download.exe Code function: 1_2_0041C3D8 GetLocalTime, 1_2_0041C3D8
No contacted IP information
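The static evidence above (the Characteristics and DllCharacteristics flag names in the "Static PE information" lines, the non-standard .didata section, and the jrsoftware.org / /LOADINF strings) can be re-derived offline without the sandbox. The script below is an added example written for this page; it is not code from the sandbox vendor nor from the sample's author. It hand-parses the DOS, COFF and optional headers, decodes the two flag words into the same names the report prints, flags section names outside a small standard list, and scans for the Inno Setup marker strings seen in the report (jrsoftware.org is the Inno Setup project's site, and .didata is the section name Delphi uses for delay-loaded imports, which is consistent with the HKCU\Software\Borland\Delphi\Locales key the sample opens). The `build_sample_pe` image, the `STANDARD_SECTIONS` set and the `INNO_MARKERS` list are constructed for this example and are not the analysed file or the sandbox's own tables.

```python
"""Offline static triage reproducing several of the report's PE signatures."""
import hashlib
import struct

# COFF Characteristics bits, named as the report prints them (PE/COFF spec).
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
# Optional-header DllCharacteristics bits (exploit-mitigation opt-ins).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# This example's own list of "standard" section names; anything else is flagged.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata"}
# Marker strings chosen for this example; the first two appear in the report.
INNO_MARKERS = [b"jrsoftware.org/ishelp", b"/LOADINF=", b"Inno Setup"]


def decode_flags(value, table):
    """Return the names of the set bits in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Hand-parse the DOS, COFF and optional headers plus the section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):                               # 40-byte section headers
        off = opt + opt_size + 40 * i
        sections.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "magic": magic, "characteristics": characteristics,
            "dll_characteristics": dll_chars, "sections": sections}


def triage(data):
    """Summarise the static facts the report's signatures are built from."""
    pe = parse_pe(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_32bit": pe["magic"] == 0x10B,
        "characteristics": decode_flags(pe["characteristics"], CHARACTERISTICS),
        "dll_characteristics": decode_flags(pe["dll_characteristics"], DLL_CHARACTERISTICS),
        "sections": pe["sections"],
        "nonstandard_sections": [s for s in pe["sections"] if s not in STANDARD_SECTIONS],
        "inno_setup_markers": [m.decode() for m in INNO_MARKERS if m in data],
    }


def build_sample_pe():
    """Constructed minimal PE32 image for offline use; NOT the analysed sample.
    Mirrors the report: Characteristics 0x818F (the seven flags listed),
    DllCharacteristics 0x8140, a .didata section and the Inno Setup help URL."""
    names = [b".text", b".data", b".idata", b".didata", b".rsrc"]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, len(names), 0, 0, 0, 224, 0x818F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                         # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, 0x8140)                    # DllCharacteristics
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    body = (b"\0" * 16
            + b"https://jrsoftware.org/ishelp/index.php?topic=setupcmdline\0"
            + b'/LOADINF="filename"\0')
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + body


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it with the path to the renamed sample as the only argument to compare the decoded flags, section list and markers against the report; with no argument it runs on the constructed image. The point of the check is the caveat a reviewer of this report wants: a Delphi-built Inno Setup installer legitimately carries a .didata section, setup command-line help strings, locale queries and shutdown-privilege code, and push/ret sequences that Delphi-compiled binaries commonly contain, so those signatures alone do not contradict the clean verdict; an unexpected flag set, a missing Inno marker or a hash mismatch with the General Information values would.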