Windows Analysis Report
9HwMaWcccx.exe

Overview

General Information

Sample name: 9HwMaWcccx.exe (renamed because the original name is a hash value)
Original sample name: 3f766be1002f79cef2a8b0656f18ecb9.exe
Analysis ID: 1520466
MD5: 3f766be1002f79cef2a8b0656f18ecb9
SHA1: f2dfd38d36c8d938b5b64da74755a2b91a2a4fe6
SHA256: 538657e0e69a3e37da94646672537f3c7764a81d0b0896c7305f06f799245d92
Tags: exeuser-abuse_ch

Detection

BlackMoon
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected BlackMoon Ransomware
Machine Learning detection for sample
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 9HwMaWcccx.exe ReversingLabs: Detection: 44%
Source: 9HwMaWcccx.exe Joe Sandbox ML: detected
Source: 9HwMaWcccx.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb@@ source: 9HwMaWcccx.exe
Source: Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb source: 9HwMaWcccx.exe
Source: Binary string: C:\Windows\Start.pdb source: 9HwMaWcccx.exe
Source: Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: 9HwMaWcccx.exe
Source: 9HwMaWcccx.exe String found in binary or memory: http://103.239.244.218:8898/
Source: 9HwMaWcccx.exe String found in binary or memory: http://103.239.244.218:8898/1c5b7aafca5f2cef32b8aea1ded2a1e9ed7a8f4b6d7cc93d3f1b914b61ea0731a?datamo
Source: 9HwMaWcccx.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 9HwMaWcccx.exe String found in binary or memory: http://ocsp.thawte.com0
Source: 9HwMaWcccx.exe String found in binary or memory: http://top6666.top/top/version.txt
Source: 9HwMaWcccx.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 9HwMaWcccx.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 9HwMaWcccx.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 9HwMaWcccx.exe String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2F6F90 _Init_thread_footer,free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_00007FF69C2F6F90
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2F7100 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, 0_2_00007FF69C2F7100

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 9HwMaWcccx.exe, type: SAMPLE
Source: Yara match File source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.9HwMaWcccx.exe.7ff69c32fc80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9HwMaWcccx.exe.7ff69c33b5c9.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.9HwMaWcccx.exe.7ff69c33b5c9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9HwMaWcccx.exe.7ff69c32fc80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1690163995.00007FF69C32E000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9HwMaWcccx.exe PID: 7404, type: MEMORYSTR

System Summary

Source: 9HwMaWcccx.exe, type: SAMPLE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.9HwMaWcccx.exe.7ff69c32fc80.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.9HwMaWcccx.exe.7ff69c33b5c9.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.9HwMaWcccx.exe.7ff69c33b5c9.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.9HwMaWcccx.exe.7ff69c32fc80.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C309FB0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree, 0_2_00007FF69C309FB0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C329FD0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn, 0_2_00007FF69C329FD0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C3097B0: DeviceIoControl, 0_2_00007FF69C3097B0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E696A 0_2_00007FF69C2E696A
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E6D5E 0_2_00007FF69C2E6D5E
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2F85B0 0_2_00007FF69C2F85B0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E61DE 0_2_00007FF69C2E61DE
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E65BC 0_2_00007FF69C2E65BC
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E8230 0_2_00007FF69C2E8230
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2FDE20 0_2_00007FF69C2FDE20
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C305E20 0_2_00007FF69C305E20
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E6E05 0_2_00007FF69C2E6E05
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C300A70 0_2_00007FF69C300A70
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E7245 0_2_00007FF69C2E7245
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E6A3F 0_2_00007FF69C2E6A3F
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C303E40 0_2_00007FF69C303E40
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E9AB0 0_2_00007FF69C2E9AB0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2FD2B0 0_2_00007FF69C2FD2B0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2FC690 0_2_00007FF69C2FC690
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E62F1 0_2_00007FF69C2E62F1
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E66E7 0_2_00007FF69C2E66E7
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2FE320 0_2_00007FF69C2FE320
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2FDB70 0_2_00007FF69C2FDB70
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2FAB50 0_2_00007FF69C2FAB50
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C309FB0 0_2_00007FF69C309FB0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E57A5 0_2_00007FF69C2E57A5
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2F2BA0 0_2_00007FF69C2F2BA0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2F139F 0_2_00007FF69C2F139F
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E5F95 0_2_00007FF69C2E5F95
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C303380 0_2_00007FF69C303380
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C31FC10 0_2_00007FF69C31FC10
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2FFBD0 0_2_00007FF69C2FFBD0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C3077C0 0_2_00007FF69C3077C0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C308BC0 0_2_00007FF69C308BC0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2F5070 0_2_00007FF69C2F5070
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E585C 0_2_00007FF69C2E585C
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E709B 0_2_00007FF69C2E709B
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E5CD7 0_2_00007FF69C2E5CD7
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C3050D0 0_2_00007FF69C3050D0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C3020C0 0_2_00007FF69C3020C0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2FCD30 0_2_00007FF69C2FCD30
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E6124 0_2_00007FF69C2E6124
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2F9910 0_2_00007FF69C2F9910
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E650B 0_2_00007FF69C2E650B
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: String function: 00007FF69C2E75E0 appears 47 times
Source: 9HwMaWcccx.exe, 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiQVW64.SYSH vs 9HwMaWcccx.exe
Source: 9HwMaWcccx.exe, 00000000.00000000.1690163995.00007FF69C32E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiQVW64.SYSH vs 9HwMaWcccx.exe
Source: 9HwMaWcccx.exe Binary or memory string: OriginalFilenameiQVW64.SYSH vs 9HwMaWcccx.exe
Source: 9HwMaWcccx.exe, type: SAMPLE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.9HwMaWcccx.exe.7ff69c32fc80.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.9HwMaWcccx.exe.7ff69c33b5c9.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.9HwMaWcccx.exe.7ff69c33b5c9.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.9HwMaWcccx.exe.7ff69c32fc80.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 9HwMaWcccx.exe Binary string: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZstring too longbad cast\\\.\Nal[-] \Device\Nal is already in use.[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver iqvw64e.sysntoskrnl.exe[-] Failed to get ntoskrnl.exe[-] Failed to ClearPiDDBCacheTable[-] Failed to ClearKernelHashBucketList[!] Failed to ClearMmUnloadedDrivers[<] Unloading vulnerable driver[!] Error dumping shit inside the disk[+] Vul driver data destroyed before unlink[-] Failed to translate virtual address 0x[-] Failed to map IO space of 0x[!] Failed to unmap IO space of physical address 0xExAllocatePoolWithTag[!] Failed to find ExAllocatePoolExFreePool[!] Failed to find device_object[!] Failed to find driver_object[!] Failed to find driver_section[!] Failed to find driver name[!] Failed to read driver name[!] Failed to write driver name length[+] MmUnloadedDrivers Cleaned: ExAcquireResourceExclusiveLite[!] Failed to find ExAcquireResourceExclusiveLiteExReleaseResourceLite[!] Failed to find ExReleaseResourceLiteRtlDeleteElementGenericTableAvl[!] Failed to find RtlDeleteElementGenericTableAvlRtlLookupElementGenericTableAvl[!] Failed to find RtlLookupElementGenericTableAvlxxxxxx????xxxxx????xxx????xxxxx????x????xx?x
Source: 9HwMaWcccx.exe Binary string: \Device\Nal
Source: classification engine Classification label: mal68.rans.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C31F770 _invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,FindResourceExW,LoadResource,LockResource,SizeofResource,FindResourceW,LoadResource,LockResource,SizeofResource,WideCharToMultiByte,WideCharToMultiByte, 0_2_00007FF69C31F770
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: 9HwMaWcccx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\9HwMaWcccx.exe "C:\Users\user\Desktop\9HwMaWcccx.exe"
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Section loaded: d3dcompiler_43.dll
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Section loaded: vcruntime140.dll
Source: 9HwMaWcccx.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 9HwMaWcccx.exe Static file information: File size 2647552 > 1048576
Source: 9HwMaWcccx.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x225c00
Source: 9HwMaWcccx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9HwMaWcccx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9HwMaWcccx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9HwMaWcccx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9HwMaWcccx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9HwMaWcccx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 9HwMaWcccx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9HwMaWcccx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9HwMaWcccx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9HwMaWcccx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9HwMaWcccx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C2E8140 InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort, 0_2_00007FF69C2E8140
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C3039B1 push 8B48D68Bh; retf 0_2_00007FF69C3039BC
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C32B410 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF69C32B410
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C3087A0 GetProcessHeap,_Init_thread_footer,_Init_thread_footer, 0_2_00007FF69C3087A0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C32A968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF69C32A968
Source: C:\Users\user\Desktop\9HwMaWcccx.exe Code function: 0_2_00007FF69C32B290 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF69C32B290
No contacted IP infos