Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522736
MD5: 7b793a4247b701bd24c86920b237acd0
SHA1: 2ae32267f8cfcc4b602b7de555d91ddd82eb4d09
SHA256: d4eb98701bc0c33b5f9c3e202bf55c1b2e2cb1c1e4b7c81ad6305d7938d0f959
Tags: exe, user-jstrosch

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file.exe Avira: detected
Source: file.exe ReversingLabs: Detection: 78%
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: z:
Source: C:\Users\user\Desktop\file.exe File opened: x:
Source: C:\Users\user\Desktop\file.exe File opened: v:
Source: C:\Users\user\Desktop\file.exe File opened: t:
Source: C:\Users\user\Desktop\file.exe File opened: r:
Source: C:\Users\user\Desktop\file.exe File opened: p:
Source: C:\Users\user\Desktop\file.exe File opened: n:
Source: C:\Users\user\Desktop\file.exe File opened: l:
Source: C:\Users\user\Desktop\file.exe File opened: j:
Source: C:\Users\user\Desktop\file.exe File opened: h:
Source: C:\Users\user\Desktop\file.exe File opened: f:
Source: C:\Users\user\Desktop\file.exe File opened: b:
Source: C:\Users\user\Desktop\file.exe File opened: y:
Source: C:\Users\user\Desktop\file.exe File opened: w:
Source: C:\Users\user\Desktop\file.exe File opened: u:
Source: C:\Users\user\Desktop\file.exe File opened: s:
Source: C:\Users\user\Desktop\file.exe File opened: q:
Source: C:\Users\user\Desktop\file.exe File opened: o:
Source: C:\Users\user\Desktop\file.exe File opened: m:
Source: C:\Users\user\Desktop\file.exe File opened: k:
Source: C:\Users\user\Desktop\file.exe File opened: i:
Source: C:\Users\user\Desktop\file.exe File opened: g:
Source: C:\Users\user\Desktop\file.exe File opened: e:
Source: C:\Users\user\Desktop\file.exe File opened: a:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF449B GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00BF449B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFC75D FindFirstFileW,FindClose, 0_2_00BFC75D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00BF3B56
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00BFBD48
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00BFC7E8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00BFF021
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00BFF17E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00BFF47F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00BF3833
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C02404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00C02404
Source: file.exe, 00000000.00000002.3817942430.000000000161E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3817750995.000000000150B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://rektware16.temp.swtest.ru/
Source: file.exe, 00000000.00000002.3817942430.000000000161E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://rektware16.temp.swtest.ru/A
Source: file.exe, 00000000.00000003.1375348438.00000000038A1000.00000004.00000020.00020000.00000000.sdmp, ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-authorization].php.0.dr String found in binary or memory: http://rektware16.temp.swtest.ru/ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_
Source: file.exe, 00000000.00000002.3817942430.000000000161E000.00000004.00000020.00020000.00000000.sdmp, ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-authorization].php.0.dr, ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-cabinet].php.0.dr String found in binary or memory: http://www.wysiwygwebbuilder.com
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00C0407C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00C0427A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00BF003A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C1CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00C1CB26

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\file.exe File deleted: C:\Users\user\Desktop\TQDGENUHWP\UMMBDNEQBN.png
Source: C:\Users\user\Desktop\file.exe File deleted: C:\Users\user\Desktop\AFWAAFRXKO\TQDGENUHWP.xlsx
Source: C:\Users\user\Desktop\file.exe File deleted: C:\Users\user\Desktop\HTAGVDFUIE.mp3
Source: C:\Users\user\Desktop\file.exe File deleted: C:\Users\user\Desktop\TQDGENUHWP.docx
Source: C:\Users\user\Desktop\file.exe File deleted: C:\Users\user\Desktop\TQDGENUHWP\NHPKIZUUSG.xlsx

System Summary

Source: C:\Users\user\Desktop\file.exe Code function: This is a third-party compiled AutoIt script. 0_2_00B93B4C
Source: file.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000003.1374231232.0000000003B71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ea2c1207-d
Source: file.exe, 00000000.00000003.1374231232.0000000003B71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_8fbf2c03-e
Source: file.exe, 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_6742bde8-0
Source: file.exe, 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_1ddca0a1-c
Source: file.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_7bd1baaf-a
Source: file.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_c756ca74-2
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFA279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00BFA279
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE8638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00BE8638
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00BF5264
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9E060 0_2_00B9E060
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9E800 0_2_00B9E800
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9FE40 0_2_00B9FE40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA4140 0_2_00BA4140
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB2345 0_2_00BB2345
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C10465 0_2_00C10465
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC6452 0_2_00BC6452
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC25AE 0_2_00BC25AE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB277A 0_2_00BB277A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C108E2 0_2_00C108E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA6841 0_2_00BA6841
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC69C4 0_2_00BC69C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF8932 0_2_00BF8932
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEE928 0_2_00BEE928
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC890F 0_2_00BC890F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA8968 0_2_00BA8968
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBCCA1 0_2_00BBCCA1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC6F36 0_2_00BC6F36
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA70FE 0_2_00BA70FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA3190 0_2_00BA3190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B91287 0_2_00B91287
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB3307 0_2_00BB3307
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBF359 0_2_00BBF359
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA5680 0_2_00BA5680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB1604 0_2_00BB1604
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA58C0 0_2_00BA58C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB7813 0_2_00BB7813
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB1AF8 0_2_00BB1AF8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBDAF5 0_2_00BBDAF5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC9C35 0_2_00BC9C35
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C17E0D 0_2_00C17E0D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBBF26 0_2_00BBBF26
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB1F10 0_2_00BB1F10
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00B97F41 appears 35 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00BB8A80 appears 42 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00BB0C63 appears 70 times
Source: file.exe, 00000000.00000002.3818015386.000000000349E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMEw vs file.exe
Source: file.exe, 00000000.00000002.3817592143.0000000001384000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMEa vs file.exe
Source: file.exe, 00000000.00000002.3817592143.0000000001384000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameV vs file.exe
Source: classification engine Classification label: mal68.rans.evad.winEXE@1/37@0/0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFA0F4 GetLastError,FormatMessageW, 0_2_00BFA0F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE84F3 AdjustTokenPrivileges,CloseHandle, 0_2_00BE84F3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00BE8AA3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFB3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00BFB3BF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00C0EF21
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C084D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 0_2_00C084D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B94FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00B94FE9
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Desktop\rabbit_396521084417386.decrypt
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0C104 LoadLibraryA,GetProcAddress, 0_2_00C0C104
Source: file.exe Static PE information: real checksum: 0x1027d4 should be: 0xfa552
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB8AC5 push ecx; ret 0_2_00BB8AD8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00B94A35
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C153DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00C153DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB3307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00BB3307
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe API coverage: 4.8 %
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B94AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00B94AFE
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0401F BlockInput, 0_2_00C0401F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B93B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00B93B4C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC5BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00BC5BFC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE81D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00BE81D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBA2A4 SetUnhandledExceptionFilter, 0_2_00BBA2A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BBA2D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE8A73 LogonUserW, 0_2_00BE8A73
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4CFA mouse_event, 0_2_00BF4CFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00BF4A08
Source: file.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB87AB cpuid 0_2_00BB87AB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC5007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00BC5007
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD215F GetUserNameW, 0_2_00BD215F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC40BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00BC40BA
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe Binary or memory string: WIN_81
Source: file.exe, 00000000.00000002.3817592143.0000000001384000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XP
Source: file.exe Binary or memory string: WIN_XPe
Source: file.exe Binary or memory string: WIN_VISTA
Source: file.exe Binary or memory string: WIN_7
Source: file.exe Binary or memory string: WIN_8
Source: file.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C06399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00C06399
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00C0685D
No contacted IP infos