Windows Analysis Report d3r1KVj317.exe

Source: d3r1KVj317.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00695CBB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.8:49704 -> 112.74.185.5:8099

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 112.74.185.5 112.74.185.5

Source: unknown	TCP traffic detected without corresponding DNS query: 112.74.185.5
Source: unknown	TCP traffic detected without corresponding DNS query: 112.74.185.5
Source: unknown	TCP traffic detected without corresponding DNS query: 112.74.185.5
Source: unknown	TCP traffic detected without corresponding DNS query: 112.74.185.5

Source: d3r1KVj317.exe	String found in binary or memory: http://112.74.185.5/3R%E6%8A%80%E6%9C%AF.exe
Source: d3r1KVj317.exe	String found in binary or memory: http://api.ttshitu.com/predict
Source: d3r1KVj317.exe	String found in binary or memory: http://api.ttshitu.com/predictto16unfunction
Source: d3r1KVj317.exe	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_0069A5D9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_0069A5D9

Contains functionality to call native functions

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000D330
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10021370 GetPropA,NtdllDefWindowProc_A,IsWindowVisible,ShowWindow,NtdllDefWindowProc_A,NtdllDefWindowProc_A,SendMessageA,	0_2_10021370
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001D8E0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,	0_2_1001D8E0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10007A30 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10007A30
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect,	0_2_10006010
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006210 IsWindowEnabled,SendMessageA,SendMessageA,SendMessageA,IsZoomed,SendMessageA,NtdllDefWindowProc_A,	0_2_10006210
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100062B0 IsWindowEnabled,SendMessageA,NtdllDefWindowProc_A,	0_2_100062B0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10008310 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,	0_2_10008310
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1001D330
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10009340 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA,	0_2_10009340
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006350 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10006350
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000C3F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA,	0_2_1000C3F0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000E440 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000E440
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100214B0 GetPropA,NtdllDefWindowProc_A,	0_2_100214B0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10004510 NtdllDefWindowProc_A,	0_2_10004510
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006560 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10006560
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10011630 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,CallWindowProcA,	0_2_10011630
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10008710 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,GetParent,	0_2_10008710
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000F750 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000F750
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10014790 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10014790
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001E7F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1001E7F0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001C800 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1001C800
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100098B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer,	0_2_100098B0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100048E0 NtdllDefWindowProc_A,	0_2_100048E0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10005900 IsWindowEnabled,EnableWindow,NtdllDefWindowProc_A,	0_2_10005900
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10005940 GetCursorPos,GetWindowRect,PtInRect,PtInRect,PtInRect,PtInRect,PtInRect,KillTimer,NtdllDefWindowProc_A,	0_2_10005940
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000DA90 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000DA90
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10012AD0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10012AD0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10020B70 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10020B70
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000CBC0 GetPropA,NtdllDefWindowProc_A,	0_2_1000CBC0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10004BD0 NtdllDefWindowProc_A,	0_2_10004BD0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10012BF0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10012BF0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10008CB0 GetPropA,NtdllDefWindowProc_A,	0_2_10008CB0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10008D40 GetPropA,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A,	0_2_10008D40
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000FD50 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000FD50
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001FD50 GetPropA,GetPropA,NtdllDefWindowProc_A,FindWindowExA,GetPropA,GetWindowRect,	0_2_1001FD50
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10013DA0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10013DA0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10002E40 NtdllDefWindowProc_A,	0_2_10002E40
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10014EA0 GetPropA,NtdllDefWindowProc_A,	0_2_10014EA0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001FEA0 GetPropA,NtdllDefWindowProc_A,InvalidateRect,CallWindowProcA,	0_2_1001FEA0

Detected potential crypto function

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00697B51	0_2_00697B51
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005E0030	0_2_005E0030
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005EB300	0_2_005EB300
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005413CE	0_2_005413CE
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_006843A0	0_2_006843A0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005C1450	0_2_005C1450
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00609480	0_2_00609480
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_0068C536	0_2_0068C536
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00670510	0_2_00670510
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_006905EA	0_2_006905EA
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_006655A0	0_2_006655A0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005FE680	0_2_005FE680
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005C36B0	0_2_005C36B0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005E88A0	0_2_005E88A0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00539A7D	0_2_00539A7D
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10017540	0_2_10017540
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10003970	0_2_10003970
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10002250	0_2_10002250
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100293A1	0_2_100293A1
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000B6E0	0_2_1000B6E0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10028B99	0_2_10028B99
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10017BA0	0_2_10017BA0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000EDA0	0_2_1000EDA0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: String function: 004010F2 appears 138 times
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: String function: 00685E68 appears 73 times
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: String function: 100260E2 appears 34 times
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: String function: 00401156 appears 99 times

Sample file is different than original file name gathered from version info

Source: d3r1KVj317.exe, 00000000.00000000.1468315195.000000000078B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSkinH_EL.dll vs d3r1KVj317.exe
Source: d3r1KVj317.exe, 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameSkinH_EL.dll vs d3r1KVj317.exe
Source: d3r1KVj317.exe	Binary or memory string: OriginalFilenameSkinH_EL.dll vs d3r1KVj317.exe

Source: d3r1KVj317.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_006A3073 CoCreateInstance,CoCreateInstance,CoCreateInstance,OleRun,

0_2_006A3073

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00696385 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

0_2_00696385

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File created: C:\Users\user\Desktop\SkinH_EL.dll

Source: d3r1KVj317.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File read: C:\Users\user\Desktop\Config.ini

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: d3r1KVj317.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File read: C:\Users\user\Desktop\d3r1KVj317.exe

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File written: C:\Users\user\Desktop\Config.ini

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Window found: window name: SysTabControl32

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Window detected: Number of UI elements: 144

Source: d3r1KVj317.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: d3r1KVj317.exe

Static file information: File size 5066752 > 1048576

Source: d3r1KVj317.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2ad000
Source: d3r1KVj317.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1e5000

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_005DF2B0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00404291 push eax; retf 005Bh	0_2_00404292
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_004033A9 push eax; retf 005Bh	0_2_004033AA
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_0040344E push eax; retf 005Bh	0_2_0040344F
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00403487 push eax; retf 005Bh	0_2_00403488
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_006836F0 push eax; ret	0_2_0068371E
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00406756 push eax; retf 005Bh	0_2_00406757
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00404960 push eax; retf 005Bh	0_2_00404961
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00404927 push eax; retf 005Bh	0_2_00404928
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00404DD6 push ss; ret	0_2_00404DD9
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00685E68 push eax; ret	0_2_00685E86
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10026100 push eax; ret	0_2_1002612E
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100209F7 pushfd ; mov dword ptr [esp], edx	0_2_100209F9

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Drops PE files

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File created: C:\Users\user\Desktop\SkinH_EL.dll

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_0067D2A3 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_0067D2A3
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10004E30 IsWindowVisible,GetWindowRect,SelectObject,SelectObject,SetBkMode,SelectObject,SetTextColor,DrawIconEx,GetWindowTextA,DrawTextA,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,SelectObject,DeleteDC,SelectObject,DeleteObject,	0_2_10004E30
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect,	0_2_10006010
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10023070 IsWindowVisible,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,IsRectEmpty,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsZoomed,IsRectEmpty,	0_2_10023070
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10023070 IsWindowVisible,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,IsRectEmpty,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsZoomed,IsRectEmpty,	0_2_10023070
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10025780 IsIconic,IsZoomed,IsRectEmpty,IsWindowVisible,	0_2_10025780
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10021800 IsZoomed,SendMessageA,IsIconic,SendMessageA,SendMessageA,GetSystemMenu,GetMenuState,SendMessageA,SendMessageA,KillTimer,GetMenuItemID,SendMessageA,CallWindowProcA,	0_2_10021800
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100098B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer,	0_2_100098B0

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Process information set: NOOPENFILEERRORBOX

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\SkinH_EL.dll

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\d3r1KVj317.exe

API coverage: 8.5 %

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00695CBB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,

Source: d3r1KVj317.exe, 00000000.00000002.2729506189.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Process information queried: ProcessInformation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_005DF2B0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_005C4160 GetProcessHeap,RtlAllocateHeap,

0_2_005C4160

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00685820 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

0_2_00685820

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_0068F4DC GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_0068F4DC

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00697B51 __EH_prolog,GetVersion,

0_2_00697B51

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
112.74.185.5	unknown	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

AV Detection

Multi AV Scanner detection for submitted file

Source: d3r1KVj317.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.0% probability

Machine Learning detection for sample

Source: d3r1KVj317.exe

Joe Sandbox ML: detected

Source: d3r1KVj317.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00695CBB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.8:49704 -> 112.74.185.5:8099

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 112.74.185.5 112.74.185.5

Source: unknown	TCP traffic detected without corresponding DNS query: 112.74.185.5
Source: unknown	TCP traffic detected without corresponding DNS query: 112.74.185.5
Source: unknown	TCP traffic detected without corresponding DNS query: 112.74.185.5
Source: unknown	TCP traffic detected without corresponding DNS query: 112.74.185.5

Source: d3r1KVj317.exe	String found in binary or memory: http://112.74.185.5/3R%E6%8A%80%E6%9C%AF.exe
Source: d3r1KVj317.exe	String found in binary or memory: http://api.ttshitu.com/predict
Source: d3r1KVj317.exe	String found in binary or memory: http://api.ttshitu.com/predictto16unfunction
Source: d3r1KVj317.exe	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_0069A5D9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_0069A5D9

Contains functionality to call native functions

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000D330
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10021370 GetPropA,NtdllDefWindowProc_A,IsWindowVisible,ShowWindow,NtdllDefWindowProc_A,NtdllDefWindowProc_A,SendMessageA,	0_2_10021370
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001D8E0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,	0_2_1001D8E0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10007A30 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10007A30
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect,	0_2_10006010
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006210 IsWindowEnabled,SendMessageA,SendMessageA,SendMessageA,IsZoomed,SendMessageA,NtdllDefWindowProc_A,	0_2_10006210
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100062B0 IsWindowEnabled,SendMessageA,NtdllDefWindowProc_A,	0_2_100062B0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10008310 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,	0_2_10008310
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1001D330
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10009340 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA,	0_2_10009340
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006350 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10006350
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000C3F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA,	0_2_1000C3F0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000E440 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000E440
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100214B0 GetPropA,NtdllDefWindowProc_A,	0_2_100214B0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10004510 NtdllDefWindowProc_A,	0_2_10004510
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006560 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10006560
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10011630 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,CallWindowProcA,	0_2_10011630
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10008710 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,GetParent,	0_2_10008710
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000F750 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000F750
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10014790 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10014790
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001E7F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1001E7F0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001C800 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1001C800
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100098B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer,	0_2_100098B0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100048E0 NtdllDefWindowProc_A,	0_2_100048E0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10005900 IsWindowEnabled,EnableWindow,NtdllDefWindowProc_A,	0_2_10005900
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10005940 GetCursorPos,GetWindowRect,PtInRect,PtInRect,PtInRect,PtInRect,PtInRect,KillTimer,NtdllDefWindowProc_A,	0_2_10005940
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000DA90 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000DA90
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10012AD0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10012AD0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10020B70 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10020B70
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000CBC0 GetPropA,NtdllDefWindowProc_A,	0_2_1000CBC0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10004BD0 NtdllDefWindowProc_A,	0_2_10004BD0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10012BF0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10012BF0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10008CB0 GetPropA,NtdllDefWindowProc_A,	0_2_10008CB0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10008D40 GetPropA,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A,	0_2_10008D40
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000FD50 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000FD50
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001FD50 GetPropA,GetPropA,NtdllDefWindowProc_A,FindWindowExA,GetPropA,GetWindowRect,	0_2_1001FD50
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10013DA0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10013DA0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10002E40 NtdllDefWindowProc_A,	0_2_10002E40
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10014EA0 GetPropA,NtdllDefWindowProc_A,	0_2_10014EA0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001FEA0 GetPropA,NtdllDefWindowProc_A,InvalidateRect,CallWindowProcA,	0_2_1001FEA0

Detected potential crypto function

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00697B51	0_2_00697B51
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005E0030	0_2_005E0030
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005EB300	0_2_005EB300
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005413CE	0_2_005413CE
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_006843A0	0_2_006843A0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005C1450	0_2_005C1450
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00609480	0_2_00609480
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_0068C536	0_2_0068C536
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00670510	0_2_00670510
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_006905EA	0_2_006905EA
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_006655A0	0_2_006655A0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005FE680	0_2_005FE680
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005C36B0	0_2_005C36B0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005E88A0	0_2_005E88A0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00539A7D	0_2_00539A7D
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10017540	0_2_10017540
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10003970	0_2_10003970
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10002250	0_2_10002250
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100293A1	0_2_100293A1
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000B6E0	0_2_1000B6E0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10028B99	0_2_10028B99
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10017BA0	0_2_10017BA0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000EDA0	0_2_1000EDA0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: String function: 004010F2 appears 138 times
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: String function: 00685E68 appears 73 times
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: String function: 100260E2 appears 34 times
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: String function: 00401156 appears 99 times

Sample file is different than original file name gathered from version info

Source: d3r1KVj317.exe, 00000000.00000000.1468315195.000000000078B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSkinH_EL.dll vs d3r1KVj317.exe
Source: d3r1KVj317.exe, 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameSkinH_EL.dll vs d3r1KVj317.exe
Source: d3r1KVj317.exe	Binary or memory string: OriginalFilenameSkinH_EL.dll vs d3r1KVj317.exe

Source: d3r1KVj317.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_006A3073 CoCreateInstance,CoCreateInstance,CoCreateInstance,OleRun,

0_2_006A3073

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00696385 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

0_2_00696385

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File created: C:\Users\user\Desktop\SkinH_EL.dll

Source: d3r1KVj317.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File read: C:\Users\user\Desktop\Config.ini

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: d3r1KVj317.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File read: C:\Users\user\Desktop\d3r1KVj317.exe

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File written: C:\Users\user\Desktop\Config.ini

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Window found: window name: SysTabControl32

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Window detected: Number of UI elements: 144

Source: d3r1KVj317.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: d3r1KVj317.exe

Static file information: File size 5066752 > 1048576

Source: d3r1KVj317.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2ad000
Source: d3r1KVj317.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1e5000

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_005DF2B0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00404291 push eax; retf 005Bh	0_2_00404292
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_004033A9 push eax; retf 005Bh	0_2_004033AA
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_0040344E push eax; retf 005Bh	0_2_0040344F
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00403487 push eax; retf 005Bh	0_2_00403488
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_006836F0 push eax; ret	0_2_0068371E
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00406756 push eax; retf 005Bh	0_2_00406757
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00404960 push eax; retf 005Bh	0_2_00404961
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00404927 push eax; retf 005Bh	0_2_00404928
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00404DD6 push ss; ret	0_2_00404DD9
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00685E68 push eax; ret	0_2_00685E86
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10026100 push eax; ret	0_2_1002612E
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100209F7 pushfd ; mov dword ptr [esp], edx	0_2_100209F9

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Drops PE files

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File created: C:\Users\user\Desktop\SkinH_EL.dll

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_0067D2A3 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_0067D2A3
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10004E30 IsWindowVisible,GetWindowRect,SelectObject,SelectObject,SetBkMode,SelectObject,SetTextColor,DrawIconEx,GetWindowTextA,DrawTextA,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,SelectObject,DeleteDC,SelectObject,DeleteObject,	0_2_10004E30
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect,	0_2_10006010
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10023070 IsWindowVisible,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,IsRectEmpty,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsZoomed,IsRectEmpty,	0_2_10023070
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10023070 IsWindowVisible,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,IsRectEmpty,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsZoomed,IsRectEmpty,	0_2_10023070
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10025780 IsIconic,IsZoomed,IsRectEmpty,IsWindowVisible,	0_2_10025780
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10021800 IsZoomed,SendMessageA,IsIconic,SendMessageA,SendMessageA,GetSystemMenu,GetMenuState,SendMessageA,SendMessageA,KillTimer,GetMenuItemID,SendMessageA,CallWindowProcA,	0_2_10021800
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100098B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer,	0_2_100098B0

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Process information set: NOOPENFILEERRORBOX

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\SkinH_EL.dll

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\d3r1KVj317.exe

API coverage: 8.5 %

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00695CBB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,

Source: d3r1KVj317.exe, 00000000.00000002.2729506189.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Process information queried: ProcessInformation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_005DF2B0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,