Windows Analysis Report
V2-Office-C2R-Update-16.exe

Overview

General Information

Sample name: V2-Office-C2R-Update-16.exe
Analysis ID: 1520505
MD5: 2552e2bfaa2cee3699f2f291f7a369c5
SHA1: 9c7800d70eeba2a7b77e0a8093624f2952b966a3
SHA256: 60ea622fee92bb134018b84e719a064e1f163bd41c71017d791551ddc0f8ba8e

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Machine Learning detection for sample
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Uses 32bit PE files

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 94.5% probability
Source: V2-Office-C2R-Update-16.exe Joe Sandbox ML: detected
Source: V2-Office-C2R-Update-16.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Code function: 0_2_004054C6 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054C6
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Code function: 0_2_00405E9C FindFirstFileA,FindClose, 0_2_00405E9C
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: V2-Office-C2R-Update-16.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: V2-Office-C2R-Update-16.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Code function: 0_2_00404FCB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FCB
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Code function: 0_2_0040310D EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040310D
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Code function: 0_2_00406B01 0_2_00406B01
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Code function: 0_2_0040632A 0_2_0040632A
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Code function: 0_2_004047DC 0_2_004047DC
Source: classification engine Classification label: mal48.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Code function: 0_2_0040429B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040429B
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, 0_2_00402036
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe File created: C:\Users\user\AppData\Local\Temp\nstB5BF.tmp
Source: V2-Office-C2R-Update-16.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe File read: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe File created: C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\System.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\System.dll
Source: V2-Office-C2R-Update-16.exe, 00000000.00000002.1417244942.000000000047E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: I-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Fy;
Source: V2-Office-C2R-Update-16.exe, 00000000.00000002.1417244942.000000000047E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5HSCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe API call chain: ExitProcess graph end node
No contacted IP infos