Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522708
MD5: 30b8e89d006911aedd4ddd9f199cea4b
SHA1: fdb6adf5fee95333a5f0811249ef35a9b0a6a5a4
SHA256: 2315b5fa9423d0538154c84333a95d3fcea5011f9fb3b1585608b3ffcd70d4ca
Tags: exe, user-jstrosch

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Enables debug privileges
Found evasive API chain (may stop execution after accessing registry keys)
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file.exe Avira: detected
Source: file.exe ReversingLabs: Detection: 73%
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: file.exe Static PE information: Resource name: IDR_BINARY type: PE32 executable (console) Intel 80386, for MS Windows
Source: classification engine Classification label: mal56.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401170 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_00401170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004014C0 GetModuleHandleA,FindResourceA,SizeofResource,LoadResource,LockResource,??2@YAPAXI@Z,memset,memcpy,FreeResource, 0_2_004014C0
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401F71 push ecx; ret 0_2_00401F84
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401740 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 0_2_00401740
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401CA3 SetUnhandledExceptionFilter, 0_2_00401CA3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401FD8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00401FD8
No contacted IP infos