Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522741
MD5: 4140300748e5cf4ebf35d94f2c8623a6
SHA1: 949bb17c71feaba800d5e4a0010b2985c3a06645
SHA256: a250695f8ca2289a78da279d21d400f3ee2fb0f44642469d44a1c63d5eeeedeb
Tags: exe, user-jstrosch

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Uses Windows timers to delay execution
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file.exe Avira: detected
Source: file.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 88.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000D60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 3_2_000D60DD
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000D63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 3_2_000D63F9
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000DEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_000DEB60
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000D6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 3_2_000D6CA9
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000DF56F FindFirstFileW,FindClose, 3_2_000DF56F
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000DF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_000DF5FA
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000E1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_000E1B2F
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000E1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_000E1C8A
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000E1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_000E1F94
Source: unknown TCP traffic detected without corresponding DNS query: 46.183.218.37
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000E4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 3_2_000E4EB5
Source: file.exe, 00000003.00000002.2537954444.0000000000E20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.183.218.37/
Source: file.exe, 00000003.00000003.1803668616.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2538244077.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.2403832167.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1483001479.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.2403629641.0000000000E8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2538171597.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.183.218.37/community/wiki-self-signed/name-signed.php
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000E6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 3_2_000E6B0C
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000E6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_000E6D07
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000D2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 3_2_000D2B37
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FF7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,6FCFCB00,6FCFC2F0,SetCapture,ClientToScreen,6FCFC530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_000FF7FF

System Summary

Source: C:\Users\user\Desktop\file.exe Code function: This is a third-party compiled AutoIt script. 3_2_00093D19
Source: file.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000003.00000000.1281622742.000000000013E000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_97758e61-2
Source: file.exe, 00000003.00000000.1281622742.000000000013E000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_5c844094-2
Source: file.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_17a53d1c-7
Source: file.exe String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a5c52a71-8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00093742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, 3_2_00093742
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_001000AF NtdllDialogWndProc_W, 3_2_001000AF
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00100133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W, 3_2_00100133
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0010044C NtdllDialogWndProc_W, 3_2_0010044C
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FE9AF NtdllDialogWndProc_W,CallWindowProcW, 3_2_000FE9AF
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AAAFC NtdllDialogWndProc_W, 3_2_000AAAFC
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AAB4F NtdllDialogWndProc_W, 3_2_000AAB4F
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FEC7C NtdllDialogWndProc_W, 3_2_000FEC7C
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FECD4 6FCFC580,6FCFC6F0,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 3_2_000FECD4
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FEEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 3_2_000FEEEB
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AB11F NtdllDialogWndProc_W,74D2C8D0,NtdllDialogWndProc_W, 3_2_000AB11F
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FF1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, 3_2_000FF1D7
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FF2D0 SendMessageW,NtdllDialogWndProc_W, 3_2_000FF2D0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FF351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 3_2_000FF351
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AB385 GetParent,NtdllDialogWndProc_W, 3_2_000AB385
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AB55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, 3_2_000AB55D
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FF5AB NtdllDialogWndProc_W, 3_2_000FF5AB
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FF5DA NtdllDialogWndProc_W, 3_2_000FF5DA
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FF609 NtdllDialogWndProc_W, 3_2_000FF609
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FF654 NtdllDialogWndProc_W, 3_2_000FF654
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FF689 ClientToScreen,6FCFC5D0,NtdllDialogWndProc_W, 3_2_000FF689
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AB715 NtdllDialogWndProc_W, 3_2_000AB715
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FF7C3 GetWindowLongW,NtdllDialogWndProc_W, 3_2_000FF7C3
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FF7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,6FCFCB00,6FCFC2F0,SetCapture,ClientToScreen,6FCFC530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_000FF7FF
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000D6606 CreateFileW,DeviceIoControl,CloseHandle, 3_2_000D6606
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000CAF64 GetCurrentProcess,OpenProcessToken,743B7ED0,CloseHandle,CreateProcessWithLogonW,743B7F30, 3_2_000CAF64
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000D79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 3_2_000D79D3
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000A3200 3_2_000A3200
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000A3B70 3_2_000A3B70
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000C410F 3_2_000C410F
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000B02A4 3_2_000B02A4
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000C038E 3_2_000C038E
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0009E3B0 3_2_0009E3B0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000C467F 3_2_000C467F
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000B06D9 3_2_000B06D9
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FAACE 3_2_000FAACE
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000C4BEF 3_2_000C4BEF
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000BCCC1 3_2_000BCCC1
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00096F07 3_2_00096F07
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0009AF50 3_2_0009AF50
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000BB043 3_2_000BB043
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AB11F 3_2_000AB11F
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000BD1B9 3_2_000BD1B9
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000F31BC 3_2_000F31BC
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000B123A 3_2_000B123A
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000C724D 3_2_000C724D
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000D13CA 3_2_000D13CA
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000993F0 3_2_000993F0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AF563 3_2_000AF563
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000DB6CC 3_2_000DB6CC
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000996C0 3_2_000996C0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000977B0 3_2_000977B0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000FF7FF 3_2_000FF7FF
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000C79C9 3_2_000C79C9
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AFA57 3_2_000AFA57
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00099B60 3_2_00099B60
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AFE6F 3_2_000AFE6F
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000B9ED0 3_2_000B9ED0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00097FA3 3_2_00097FA3
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000AEC2F appears 68 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000BF8A0 appears 35 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000B6AC0 appears 42 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal72.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000DCE7A GetLastError,FormatMessageW, 3_2_000DCE7A
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000CAB84 AdjustTokenPrivileges,CloseHandle, 3_2_000CAB84
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000CB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 3_2_000CB134
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000DE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 3_2_000DE1FD
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000D6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 3_2_000D6532
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000EC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 3_2_000EC18C
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0009406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 3_2_0009406B
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AE01E LoadLibraryA,GetProcAddress, 3_2_000AE01E
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000A288A push 66000A23h; retn 0010h 3_2_000A28E1
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000B6B05 push ecx; ret 3_2_000B6B18
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000BBDAA push edi; ret 3_2_000BBDAC
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000BBEC3 push esi; ret 3_2_000BBEC5
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000F8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 3_2_000F8111
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 3_2_000AEB42
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000B123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_000B123A
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe User Timer Set: Timeout: 750ms
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1201
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 4436
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe API coverage: 3.8 %
Source: C:\Users\user\Desktop\file.exe TID: 7960 Thread sleep time: -44360s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7188 Thread sleep time: -30000s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Thread sleep count: Count: 1201 delay: -10
Source: C:\Users\user\Desktop\file.exe Thread sleep count: Count: 4436 delay: -10
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000ADDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 3_2_000ADDC0
Source: file.exe, 00000003.00000002.2538200594.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.2403832167.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.2403920605.0000000000E25000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1803722667.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.2403681761.0000000000E97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000E6AAF BlockInput, 3_2_000E6AAF
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00093D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 3_2_00093D19
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000C3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 3_2_000C3920
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000AE01E LoadLibraryA,GetProcAddress, 3_2_000AE01E
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000CA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 3_2_000CA66C
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000B8189 SetUnhandledExceptionFilter, 3_2_000B8189
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000B81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_000B81AC
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000CB106 LogonUserW, 3_2_000CB106
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000D411C SendInput,keybd_event, 3_2_000D411C
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000D74BB mouse_event, 3_2_000D74BB
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000D71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 3_2_000D71FA
Source: file.exe Binary or memory string: Shell_TrayWnd
Source: file.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000B65C4 cpuid 3_2_000B65C4
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000E091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 3_2_000E091D
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0010B340 GetUserNameW, 3_2_0010B340
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000C1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 3_2_000C1E8E
Source: file.exe Binary or memory string: WIN_81
Source: file.exe Binary or memory string: WIN_XP
Source: file.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: file.exe Binary or memory string: WIN_XPe
Source: file.exe Binary or memory string: WIN_VISTA
Source: file.exe Binary or memory string: WIN_7
Source: file.exe Binary or memory string: WIN_8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000E8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 3_2_000E8C4F
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000E923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 3_2_000E923B
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_000C58C5 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset, 3_2_000C58C5