Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1499933
MD5: 33b62d366ac20de98dedfaf74b4afefc
SHA1: a43dbbcf422f038f2601c21112af93eb8f4514e0
SHA256: b61490f4f0edf574703224d38c5c00b867b6191bbf09b10bf1a81b7cd8a1e9b6
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then push rbp 0_2_000000014001E0F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then lea rcx, qword ptr [0000000140021051h] 0_2_0000000140011F60
Source: file.exe String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe String found in binary or memory: http://ocsp.entrust.net03
Source: file.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe String found in binary or memory: http://www.entrust.net/rpa03
Source: file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: file.exe String found in binary or memory: https://www.entrust.net/rpa0

System Summary

Source: file.exe, type: SAMPLE Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 0.2.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 0.0.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 0.0.file.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 0.2.file.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 00000000.00000000.2045918617.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000140012926 0_2_0000000140012926
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00000001400060F8 0_2_00000001400060F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000140012155 0_2_0000000140012155
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014001E3AF 0_2_000000014001E3AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00000001400093C0 0_2_00000001400093C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00000001400044D8 0_2_00000001400044D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000140005797 0_2_0000000140005797
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000140014EB0 0_2_0000000140014EB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000140003ED0 0_2_0000000140003ED0
Source: file.exe, type: SAMPLE Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 0.2.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 0.0.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 0.0.file.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 0.2.file.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 00000000.00000000.2045918617.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: classification engine Classification label: mal64.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\cdf89ae526ad4cbd86c91c09eed01dbb
Source: C:\Users\user\Desktop\file.exe File created: c:\Users\user\AppData\Local\Temp\setupF0B.tmp
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: file.exe Static file information: File size 5800616 > 1048576
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014000D0C5 push rdi; ret 0_2_000000014000D0C6

Malware Analysis System Evasion

Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXE
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXEZ
Source: file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE[,
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXEZ
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE{
Source: file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXEW,
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\file.exe API coverage: 0.5 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: vboxtray.exe
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: qemu-ga`Y
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: vboxtray.exe`
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: vmwaretray.exe
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser.exeZ
Source: file.exe, file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: QEMU HARDDISK
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-gaz
Source: file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Stop reversing the programReconsider your life choicesAnd go touch some grassbasic_string::append\\.\PhysicalDrive0DADY HARDDISKQEMU HARDDISKbasic_string: construction from null is not valid
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: vboxservice.exe@
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: vboxservice.exe
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe{
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretray.exe{
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exe{
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000140033E66 RtlAddVectoredExceptionHandler, 0_2_0000000140033E66
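The process names and disk-model strings listed in this section are the sample's sandbox checks in string form. The block below is an added example, not code from the report, from Joe Sandbox or from the sample: it recovers those indicators from a memory dump in a case-insensitive, junk-tolerant way (the report shows them with trailing bytes such as AUTORUNSC.EXEZ and WIRESHARK.EXE[, and with adjacent literals run together, as in DADY HARDDISKQEMU HARDDISK) and then replays the check the strings imply against a host description. The indicator lists are copied from this section; the decision rule (any hit means the host is treated as an analysis box), the dump bytes, and the reading of \\.\PhysicalDrive0 as the source of the disk-model comparison are assumptions.

```python
"""Added example (not the report's or the sample's code): recover the
anti-analysis indicators listed in the evasion section from a memory
dump, and replay the check they imply against a host description."""
import re

# Names copied from the report, grouped by what a hit reveals.
ANALYSIS_TOOLS = {"autorunsc.exe", "wireshark.exe", "dumpcap.exe", "tcpdump.exe"}
VM_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmwareuser.exe",
                "vmwaretray.exe", "xenservice.exe", "qemu-ga"}
VM_DISK_MODELS = ("QEMU HARDDISK", "DADY HARDDISK")


def extract_strings(blob, min_len=5):
    """Printable-ASCII runs in dump order, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def classify_strings(strings):
    """Map each known indicator to the dump strings that contain it.
    Containment, not equality: dumped strings carry trailing bytes
    (AUTORUNSC.EXEZ, WIRESHARK.EXE[,) and adjacent literals run together
    (DADY HARDDISKQEMU HARDDISK), so an exact match misses most of them."""
    hits = {"analysis_tools": {}, "vm_processes": {}, "vm_disk_models": {}}
    for s in strings:
        low = s.lower()
        for name in ANALYSIS_TOOLS:
            if name in low:
                hits["analysis_tools"].setdefault(name, []).append(s)
        for name in VM_PROCESSES:
            if name in low:
                hits["vm_processes"].setdefault(name, []).append(s)
        for model in VM_DISK_MODELS:
            if model.lower() in low:
                hits["vm_disk_models"].setdefault(model, []).append(s)
    return hits


def host_looks_like_sandbox(running_processes, disk_model):
    """Assumed decision rule (the report lists the strings, not the logic):
    any running analysis tool or VM guest process, or a VM disk model on
    PhysicalDrive0, makes the host look like an analysis box.
    Returns (verdict, reasons)."""
    reasons = []
    for proc in running_processes:
        p = proc.lower()
        if p in ANALYSIS_TOOLS:
            reasons.append(f"analysis tool running: {proc}")
        if p in VM_PROCESSES:
            reasons.append(f"VM guest process running: {proc}")
    if disk_model and disk_model.upper() in VM_DISK_MODELS:
        reasons.append(f"PhysicalDrive0 model is {disk_model}")
    return bool(reasons), reasons


# Constructed dump fragment mimicking the junk-suffixed strings in the report.
SAMPLE_DUMP = (
    b"\x00\x00AUTORUNSC.EXEZ\x00\x00\x00WIRESHARK.EXE[,\x00\x00DUMPCAP.EXEZ\x00"
    b"vboxtray.exe`\x00\x00qemu-ga`Y\x00vmwareuser.exeZ\x00"
    b"\\\\.\\PhysicalDrive0\x00DADY HARDDISKQEMU HARDDISK\x00"
)

if __name__ == "__main__":
    for group, found in classify_strings(extract_strings(SAMPLE_DUMP)).items():
        print(group, found)
    print(host_looks_like_sandbox(["explorer.exe", "VBoxService.exe"], "Samsung SSD 870"))
```

The upper-case AUTORUNSC.EXE / WIRESHARK.EXE group and the lower-case vboxtray.exe / qemu-ga group sit in different memory regions in the report, which is consistent with two separate lists (analysis tools and VM guest processes); the example normalises both to lower case so one containment test covers either. When triaging a host, the second function answers the practical question a responder has: would this sample have run here, or would it have gone idle the way it did in the sandbox.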

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x14009F39D
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x1400E8171
Source: C:\Users\user\Desktop\file.exe NtOpenSection: Indirect: 0x1401CB085
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x140057AC0
Source: C:\Users\user\Desktop\file.exe NtQueryAttributesFile: Indirect: 0x1401CB96F
Source: C:\Users\user\Desktop\file.exe NtTerminateProcess: Indirect: 0x1401CACCC
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x14005CC8A
Source: C:\Users\user\Desktop\file.exe NtClose: Indirect: 0x1401CB606
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x140069067
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x1400E385B
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x1400DCB84
Source: C:\Users\user\Desktop\file.exe NtOpenKey: Indirect: 0x1401CA475
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Direct from: 0x1400E7F74
Source: C:\Users\user\Desktop\file.exe NtUnmapViewOfSection: Indirect: 0x1401CB3DF
Source: C:\Users\user\Desktop\file.exe NtProtectVirtualMemory: Indirect: 0x1401CCBD7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014001B3C0 cpuid 0_2_000000014001B3C0
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wireshark.exe
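The "Direct from" entries above give addresses inside file.exe's own image (0x140057AC0 through 0x1400E8171), so the syscall instruction itself executes from the sample rather than from ntdll; the "Indirect" entries cluster in a small range (0x1401CA475 through 0x1401CCBD7), which is the shape of a single table of stubs that jump into ntdll. The block below is an added example, not code from the report, from Joe Sandbox or from the sample: a byte scanner for the stub shapes behind these two findings, together with the push reg; ret and nop-run patterns flagged under AV Detection and System Summary, and a runtime classifier that decides from a syscall's return address, its SSN and the module map whether the call was normal, direct or indirect. The module ranges, the ntdll stub table and the scanned bytes are constructed, and the image size of file.exe is assumed.

```python
"""Added example (not from the report, the sample or Joe Sandbox): find
direct/indirect syscall stubs, push/ret and nop runs in a code region,
and classify a syscall at runtime from its return address."""
import struct
from dataclasses import dataclass


@dataclass
class Finding:
    addr: int
    kind: str
    detail: str


SYSCALL_PREFIX = b"\x4c\x8b\xd1\xb8"   # mov r10, rcx ; mov eax, <SSN>
REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def _syscall_tail(buf, i):
    """After `mov eax, SSN`: the syscall itself (direct) or a jump to one
    elsewhere, normally a gadget inside ntdll (indirect)."""
    t = buf[i:i + 6]
    if t[:2] == b"\x0f\x05":
        return "direct_syscall", 2
    if t[:2] == b"\xff\x25" and len(t) == 6:                          # jmp [rip+disp32]
        return "indirect_syscall", 6
    if len(t) >= 2 and t[0] == 0xFF and 0xE0 <= t[1] <= 0xE7:          # jmp rax..rdi
        return "indirect_syscall", 2
    if len(t) >= 3 and t[:2] == b"\x41\xff" and 0xE0 <= t[2] <= 0xE7:  # jmp r8..r15
        return "indirect_syscall", 3
    return None


def scan_code(buf, base=0):
    """Linear byte match, deliberately not a disassembler: syscall stubs are
    the strong signal; push/ret and nop hits are leads to confirm by hand."""
    out, n, i = [], len(buf), 0
    while i < n:
        if buf.startswith(SYSCALL_PREFIX, i) and i + 8 <= n:
            tail = _syscall_tail(buf, i + 8)
            if tail:
                ssn = struct.unpack_from("<I", buf, i + 4)[0]
                out.append(Finding(base + i, tail[0], f"SSN=0x{ssn:x}"))
                i += 8 + tail[1]
                continue
        if 0x50 <= buf[i] <= 0x57 and i + 1 < n and buf[i + 1] == 0xC3:
            out.append(Finding(base + i, "push_ret", f"push {REGS[buf[i] - 0x50]}; ret"))
            i += 2
            continue
        if buf[i] == 0x90:
            j = i
            while j < n and buf[j] == 0x90:
                j += 1
            if j - i >= 4:
                out.append(Finding(base + i, "nop_run",
                                   f"{j - i}x nop then {buf[j:j + 1].hex() or 'eof'}"))
            i = j
            continue
        i += 1
    return out


def classify_syscall(ret_addr, ssn, modules, ntdll_stubs):
    """Runtime view, as a kernel-side check holding the user-mode return
    address sees it.  `modules` maps name -> (start, end); `ntdll_stubs`
    maps stub start -> the SSN that stub loads.
    direct   : the syscall instruction lives outside ntdll
    indirect : inside ntdll, but in the stub of a different SSN (a borrowed
               `syscall; ret` gadget, entered past any user-mode hook)
    normal   : inside the stub that owns this SSN"""
    for name, (lo, hi) in modules.items():
        if lo <= ret_addr < hi:
            if name != "ntdll.dll":
                return "direct", name
            owner = max((s for s in ntdll_stubs if s <= ret_addr), default=None)
            if owner is not None and ntdll_stubs[owner] == ssn:
                return "normal", name
            return "indirect", name
    return "direct", "unbacked"


# Constructed bytes showing each pattern once; not taken from the sample.
SAMPLE_CODE = (
    b"\x90\x90\x90\x90\x55"                                      # 4x nop, push rbp
    b"\x48\x89\xe5"                                              # mov rbp, rsp
    b"\x4c\x8b\xd1\xb8\x50\x00\x00\x00\x0f\x05\xc3"              # direct stub, SSN 0x50
    b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\xff\x25\x10\x00\x00\x00"  # indirect, jmp [rip+0x10]
    b"\x48\x8d\x0d\x51\x10\x00\x00"                              # lea rcx, [rip+0x1051]
    b"\x57\xc3"                                                  # push rdi; ret
    b"\x49\xbb\x30\x12\x34\xf6\xfd\x7f\x00\x00"                  # mov r11, <ntdll gadget>
    b"\x4c\x8b\xd1\xb8\x36\x00\x00\x00\x41\xff\xe3"              # indirect, jmp r11
)
IMAGE_BASE = 0x140000000
MODULES = {"file.exe": (0x140000000, 0x140200000),              # image size assumed
           "ntdll.dll": (0x7FFDF6200000, 0x7FFDF6400000)}       # load range assumed
NTDLL_STUBS = {0x7FFDF6290000 + 0x20 * k: k for k in range(0x60)}  # toy: stub k loads SSN k

if __name__ == "__main__":
    for f in scan_code(SAMPLE_CODE, IMAGE_BASE):
        print(f"{f.addr:#x} {f.kind:17} {f.detail}")
    print(classify_syscall(0x14009F39D, 0x50, MODULES, NTDLL_STUBS))  # report's first direct hit
```

The static scanner is a byte match, not a disassembler: push/ret pairs and nop runs also occur in ordinary compiler output (compilers pad function entries with nops for alignment, and MinGW-built code, which the gcc.gnu.org string in this report points to, commonly shows exactly the "4x nop then push rbp" shape flagged above), so treat those hits as leads and the syscall stubs as the stronger signal. The runtime classifier is the check that user-mode hooks in ntdll cannot perform: a direct stub never enters ntdll at all, and an indirect stub enters it past the hook, at the syscall instruction of some other Nt function, which is why comparing the SSN in eax against the stub that owns the return address is what separates it from a normal call.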
No contacted IP infos