Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1521609
MD5: 9d958b1b7187937c564f3a9e1c2f3541
SHA1: 93022628e0119f86c3571dc8e585b37bb46cfc0e
SHA256: 02773e1e5b99fb93addb1bb5278cf5e969127dd8b18a301dc5f556985f630193
Tags: exe, x64, user-jstrosch

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

PE file contains section with special chars
Creates a DirectInput object (often for capturing keystrokes)
Entry point lies outside standard sections
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Source: file.exe Static PE information: certificate valid
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe String found in binary or memory: http://www.cabal.com0/
Source: file.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe Binary or memory string: DirectInput8Create

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: Number of sections : 11 > 10
Source: file.exe, 00000000.00000002.2922449901.00000001412FF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSnake.exeD vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSnake.exeD vs file.exe
Source: classification engine Classification label: sus23.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dinput8.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3dx9_43.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: libogg.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: libvorbis.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fmod64.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: file.exe Static PE information: certificate valid
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 10156848 > 1048576
Source: file.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x47ca00
Source: file.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x415a00
Source: initial sample Static PE information: section where entry point is pointing to: .boot
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .themida
Source: file.exe Static PE information: section name: .boot
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127B103 push rdx; retf 0_2_000000014127B10E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127A54E push rdi; retf 0_2_000000014127A556
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000141279955 push FFFFFFE8h; retf 0_2_000000014127995A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127BD27 push rsp; retf 0_2_000000014127BD36
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127A92D push rdx; retf 0_2_000000014127A92E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000141278588 push rdi; ret 0_2_000000014127858E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127998B push rdi; retf 0_2_000000014127999A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000141279961 push rcx; retf 0_2_0000000141279962
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000141277D75 push rdi; retf 0_2_0000000141277D76
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127B571 push rdi; retf 0_2_000000014127B572
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00000001412771C3 push rdi; retf 0_2_00000001412771C6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127BDCF push FFFFFFA8h; ret 0_2_000000014127BDD6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127A1A3 pushfq ; ret 0_2_000000014127A1A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127BDB7 pushfq ; ret 0_2_000000014127BDBE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000141277DC0 push rdi; retf 0_2_0000000141277DC1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127A3E5 push rax; retf 0_2_000000014127A3E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127B7E9 push rdi; retf 0_2_000000014127B7EA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127B43B push D74EDD55h; retf 0_2_000000014127B441
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127886C pushfq ; ret 0_2_0000000141278886
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127907B push rax; retf 0_2_0000000141279082
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00000001412794CF push rcx; retf 0_2_00000001412794DE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127B0D7 push rdi; retf 0_2_000000014127B0E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00000001412770D3 push FFFFFF85h; retf 0_2_00000001412770E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127A712 push rcx; retf 0_2_000000014127A716
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00000001412776FF push rdi; retf 0_2_0000000141277702
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000141278F4E push rbp; ret 0_2_0000000141278F4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0000000141278F55 push rdx; retf 0_2_0000000141278F82
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127AB55 push rbx; ret 0_2_000000014127AB56
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127B35D push rdx; retf 0_2_000000014127B35E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127AB35 push rcx; retf 0_2_000000014127AB3A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014127BF39 push rdx; retf 0_2_000000014127BF42
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos