Windows Analysis Report
Image Quote 011698.exe

Overview

General Information

Sample name: Image Quote 011698.exe
Analysis ID: 1501083
MD5: 94c86f3cce220982807b72d29661c971
SHA1: 272c1496f143a9100bc98c92871cfd272f053b3b
SHA256: 131e90fc74d13419eca131909b92daab5a260bfbdbb8dfe1c31dafa16d224705
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Image Quote 011698.exe ReversingLabs: Detection: 55%
Source: Image Quote 011698.exe Virustotal: Detection: 33%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: Image Quote 011698.exe Joe Sandbox ML: detected
Source: Image Quote 011698.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

System Summary

Source: Image Quote 011698.exe, 00000000.00000002.2579153279.0000000001082000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_12755b49-8
Source: Image Quote 011698.exe, 00000000.00000002.2579153279.0000000001082000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_bb84c96a-b
Source: Image Quote 011698.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_848e5001-e
Source: Image Quote 011698.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_929d7af1-9
Source: initial sample Static PE information: Filename: Image Quote 011698.exe
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FC8060 0_2_00FC8060
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_01032046 0_2_01032046
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_01028298 0_2_01028298
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FFE4FF 0_2_00FFE4FF
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FF676B 0_2_00FF676B
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_01054873 0_2_01054873
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FCCAF0 0_2_00FCCAF0
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FECAA0 0_2_00FECAA0
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FF6DD9 0_2_00FF6DD9
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FDAFAC 0_2_00FDAFAC
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FC91C0 0_2_00FC91C0
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FE1394 0_2_00FE1394
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FDB731 0_2_00FDB731
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FE1706 0_2_00FE1706
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FE781B 0_2_00FE781B
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FE19B0 0_2_00FE19B0
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FD997D 0_2_00FD997D
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FC7920 0_2_00FC7920
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FE7A4A 0_2_00FE7A4A
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FE7CA7 0_2_00FE7CA7
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FE1C77 0_2_00FE1C77
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FF9EEE 0_2_00FF9EEE
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_0104BE44 0_2_0104BE44
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FCBF40 0_2_00FCBF40
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FE1F32 0_2_00FE1F32
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: String function: 00FCCFA0 appears 34 times
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: String function: 00FE0A30 appears 46 times
Source: Image Quote 011698.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal64.winEXE@1/0@0/0
Source: Image Quote 011698.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Image Quote 011698.exe ReversingLabs: Detection: 55%
Source: Image Quote 011698.exe Virustotal: Detection: 33%
Source: Image Quote 011698.exe Static file information: File size 1524736 > 1048576
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FE0A76 push ecx; ret 0_2_00FE0A89
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FD9339 LdrInitializeThunk, 0_2_00FD9339
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FE4CE8 mov eax, dword ptr fs:[00000030h] 0_2_00FE4CE8
Source: Image Quote 011698.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\Image Quote 011698.exe Code function: 0_2_00FE0698 cpuid 0_2_00FE0698
No contacted IP information