Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522730
MD5: e7077a89901f62b2ef9559d7631d02c0
SHA1: 204fb5dc840946279b429199e075164ed59aecae
SHA256: 6e99f41ac17bbbcfbb0bcd6ea1f2b3a9c7b659981ff6da15ff24d44385d58f3b
Tags: exe, user-jstrosch

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Uses Windows timers to delay execution
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32-bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 81.2% probability
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009C449B GetFileAttributesW,FindFirstFileW,FindClose, 5_2_009C449B
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 5_2_009CC7E8
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CC75D FindFirstFileW,FindClose, 5_2_009CC75D
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_009CF021
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_009CF17E
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_009CF47F
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009C3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_009C3833
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009C3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_009C3B56
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_009CBD48
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009D2404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 5_2_009D2404
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009D407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 5_2_009D407C
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009D427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 5_2_009D427A
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009C003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 5_2_009C003A
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009ECB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 5_2_009ECB26

System Summary

Source: C:\Users\user\Desktop\file.exe Code function: This is a third-party compiled AutoIt script. 5_2_00963B4C
Source: file.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_180bf91c-4
Source: file.exe, 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_a27351e6-7
Source: file.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_81aa0bf0-6
Source: file.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_de2b9b68-f
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CA279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 5_2_009CA279
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009B88D9 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock, 5_2_009B88D9
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009C5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 5_2_009C5264
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00980C63 appears 70 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00988A80 appears 42 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00967F41 appears 35 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal52.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CA0F4 GetLastError,FormatMessageW, 5_2_009CA0F4
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009B84F3 AdjustTokenPrivileges,CloseHandle, 5_2_009B84F3
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009B8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 5_2_009B8AA3
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CB3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 5_2_009CB3BF
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009DEF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 5_2_009DEF21
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009D84D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 5_2_009D84D0
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00964FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 5_2_00964FE9
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009DC104 LoadLibraryA,GetProcAddress, 5_2_009DC104
Source: file.exe Static PE information: real checksum: 0xcdca7 should be: 0xcee16
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00988AC5 push ecx; ret 5_2_00988AD8
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00964A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_00964A35
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009E53DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 5_2_009E53DF
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00983307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_00983307
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe User Timer Set: Timeout: 750ms
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 7529
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe API coverage: 3.6 %
Source: C:\Users\user\Desktop\file.exe TID: 7724 Thread sleep time: -75290s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Thread sleep count: Count: 7529 delay: -10
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009C449B GetFileAttributesW,FindFirstFileW,FindClose, 5_2_009C449B
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 5_2_009CC7E8
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CC75D FindFirstFileW,FindClose, 5_2_009CC75D
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_009CF021
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_009CF17E
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_009CF47F
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009C3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_009C3833
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009C3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_009C3B56
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009CBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_009CBD48
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00964AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 5_2_00964AFE
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009D401F BlockInput, 5_2_009D401F
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00963B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 5_2_00963B4C
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00995BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 5_2_00995BFC
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009DC104 LoadLibraryA,GetProcAddress, 5_2_009DC104
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009B81D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 5_2_009B81D4
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_0098A2A4 SetUnhandledExceptionFilter, 5_2_0098A2A4
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_0098A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0098A2D5
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009B8A73 LogonUserW, 5_2_009B8A73
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00964A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_00964A35
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009C4CCE mouse_event, 5_2_009C4CCE
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009C4A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 5_2_009C4A08
Source: file.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009887AB cpuid 5_2_009887AB
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00995007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_00995007
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009A215F GetUserNameW, 5_2_009A215F
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009940BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 5_2_009940BA
Source: file.exe Binary or memory string: WIN_81
Source: file.exe Binary or memory string: WIN_XP
Source: file.exe Binary or memory string: WIN_XPe
Source: file.exe Binary or memory string: WIN_VISTA
Source: file.exe Binary or memory string: WIN_7
Source: file.exe Binary or memory string: WIN_8
Source: file.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009D6399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 5_2_009D6399
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_009D685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 5_2_009D685D
No contacted IP infos