Windows Analysis Report
FSJs1TlAyf.exe

Overview

General Information

Sample name: FSJs1TlAyf.exe
(renamed because the original name is a hash value)
Original sample name: ee9523e1c8dacfac2fa2414e6ff2bb3e.exe
Analysis ID: 1520605
MD5: ee9523e1c8dacfac2fa2414e6ff2bb3e
SHA1: 0134b858c8ad7445ea13f7fbd92705dc80dd726f
SHA256: d275d3443707fd0808aadf5e4697b4dc38f5c74034cec06af426142c4ea72bd0
Tags: exe, user-abuse_ch

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

Source: FSJs1TlAyf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF715206920 FindFirstFileExW,FindClose, 0_2_00007FF715206920
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF715220974 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF715220974
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF715216208 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF715216208
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: String function: 00007FF715201C40 appears 44 times
Source: classification engine Classification label: clean5.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF7152065C0 GetLastError,FormatMessageW,WideCharToMultiByte, 0_2_00007FF7152065C0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
Source: FSJs1TlAyf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe File read: C:\Users\user\Desktop\FSJs1TlAyf.exe
Source: unknown Process created: C:\Users\user\Desktop\FSJs1TlAyf.exe "C:\Users\user\Desktop\FSJs1TlAyf.exe"
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Section loaded: kernel.appcore.dll
Source: FSJs1TlAyf.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: FSJs1TlAyf.exe Static file information: File size 1908755 > 1048576
Source: FSJs1TlAyf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FSJs1TlAyf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FSJs1TlAyf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FSJs1TlAyf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FSJs1TlAyf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FSJs1TlAyf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: FSJs1TlAyf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FSJs1TlAyf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FSJs1TlAyf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FSJs1TlAyf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FSJs1TlAyf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: FSJs1TlAyf.exe Static PE information: real checksum: 0x6b0ea0 should be: 0x1e112c
Source: FSJs1TlAyf.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF715202EF0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF715202EF0
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe API coverage: 7.8 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF71520A79C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF71520A79C
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF715222540 GetProcessHeap, 0_2_00007FF715222540
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF71520A944 SetUnhandledExceptionFilter, 0_2_00007FF71520A944
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF71520A184 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF71520A184
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF715219B90 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF715219B90
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF715228560 cpuid 0_2_00007FF715228560
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF71520A680 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF71520A680
Source: C:\Users\user\Desktop\FSJs1TlAyf.exe Code function: 0_2_00007FF7152249D8 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF7152249D8
No contacted IP information.