Windows Analysis Report
ROADToken.exe

Overview

General Information

Sample name: ROADToken.exe
Analysis ID: 1523555
MD5: ea187fb031f817208b3344cee20ab38b
SHA1: dfc3dc7bc0892634692d8febee175ab594b6a998
SHA256: bb43eba3a8e8792e36d93e2c62c8f15fb1cfebccc98a94b3c2b4a051c92f7a1c
Tags: exe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
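Two of the signatures above deserve a caveat before they are read as sandbox evasion. The "suspicious time stamp" is 0xFD6CACEB, which decodes to the year 2104; .NET compilers producing deterministic builds write a content hash into that field with the high bit set, so a stamp in the 2038-2106 range is the normal appearance of such a binary rather than evidence of tampering. The "long sleep" of 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds, an unbounded wait, which in a console tool that has just started a child process is consistent with blocking on that child rather than with a timed sleep meant to outlast the sandbox. The Python below is an added example, not part of this report or of the ROADtoken project: it decodes the static PE fields the report lists (time stamp, DllCharacteristics, CLR and debug data directories) and flags a deterministic-build stamp. The header bytes it builds are constructed to carry this sample's reported values; analyze() also accepts a real file given on the command line.

```python
"""Decode the static PE header fields a triage analyst reads first and flag
a deterministic-build time stamp.

Added example; not part of the sandbox report or the ROADtoken project.
The sample header below is constructed to carry the values the report lists.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DIR_DEBUG = 6            # IMAGE_DIRECTORY_ENTRY_DEBUG
DIR_COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header => managed code)


def analyze(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and return the fields of interest."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsec, stamp, _sym, _nsym, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        n_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+
        n_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    dirs = {}
    for i in range(min(n_dirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * i)
        if rva or size:
            dirs[i] = (rva, size)
    return {
        "machine": machine,
        "timestamp_raw": stamp,
        "timestamp_utc": (EPOCH + timedelta(seconds=stamp)).strftime("%a %b %d %H:%M:%S %Y UTC"),
        # Roslyn deterministic builds store a content hash here with the top bit set,
        # so a stamp decoding to 2038-2106 is expected for such binaries.
        "deterministic_stamp": bool(stamp & 0x80000000),
        "dll_characteristics": [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "is_dotnet": DIR_COM_DESCRIPTOR in dirs,
        "has_debug_directory": DIR_DEBUG in dirs,
    }


def build_sample_pe32(stamp: int, dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (no sections) carrying the given field values."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                         # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * DIR_DEBUG, 0x2000, 28)           # constructed RVA/size
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2100, 72)  # constructed RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Values the report lists for this sample: stamp 0xFD6CACEB and five DllCharacteristics flags.
SAMPLE_PE = build_sample_pe32(0xFD6CACEB, 0x0020 | 0x0040 | 0x0100 | 0x0400 | 0x8000)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for key, value in analyze(blob).items():
        print(f"{key}: {value}")
```

Run it against the real sample to confirm the report's values; a managed binary whose stamp lacks the high bit and still decodes to a far-future date would be worth a second look, whereas the combination shown here (CLR header present, high bit set) is what a deterministic .NET build looks like.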

Classification

AV Detection

Source: ROADToken.exe Avira: detected
Source: ROADToken.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\YanalA\Desktop\w\PT\tools\ROADtoken\obj\Debug\ROADToken.pdby/ source: ROADToken.exe
Source: Binary string: C:\Users\YanalA\Desktop\w\PT\tools\ROADtoken\obj\Debug\ROADToken.pdb source: ROADToken.exe
Source: BrowserCore.exe, 00000002.00000002.1647734504.000001A0D1A95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comr
Source: ROADToken.exe String found in binary or memory: https://login.microsoftonline.com
Source: ROADToken.exe String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize
Source: ROADToken.exe, 00000000.00000002.1648413134.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?sso_nonce=
Source: ROADToken.exe String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?sso_nonce=_
Source: C:\Users\user\Desktop\ROADToken.exe Code function: 0_2_00A80848 0_2_00A80848
Source: C:\Users\user\Desktop\ROADToken.exe Code function: 0_2_00A8057D 0_2_00A8057D
Source: ROADToken.exe, 00000000.00000002.1648063781.000000000086E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ROADToken.exe
Source: classification engine Classification label: mal48.winEXE@4/2@0/0
Source: C:\Users\user\Desktop\ROADToken.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ROADToken.exe.log
Source: C:\Users\user\Desktop\ROADToken.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:736:120:WilError_03
Source: ROADToken.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ROADToken.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\ROADToken.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ROADToken.exe "C:\Users\user\Desktop\ROADToken.exe"
Source: C:\Users\user\Desktop\ROADToken.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ROADToken.exe Process created: C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe "C:\Program Files\Windows Security\BrowserCore\browsercore.exe"
Source: C:\Users\user\Desktop\ROADToken.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ROADToken.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ROADToken.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ROADToken.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ROADToken.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ROADToken.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe Section loaded: microsoftaccounttokenprovider.dll
Source: C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A9927F85-A304-4390-8B23-A75F1C668600}\InprocServer32
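The process tree recorded above is the telemetry a defender has to work with, since nothing reaches the network from the sandbox: a console application launched from the user's Desktop spawns BrowserCore.exe, which in turn loads microsoftaccounttokenprovider.dll. BrowserCore.exe is Microsoft's native messaging host that hands a browser an SSO cookie derived from the device's Primary Refresh Token, so a browser is its expected parent, and the sso_nonce authorize URL found in the sample's memory is the input such a request needs. The Python below is an added example, not part of this report or of the ROADtoken project: it parses the "Process created" lines in this report's own format and flags any BrowserCore.exe whose parent is not an allow-listed browser. The first three sample lines are copied from this report; the chrome.exe line and the browser allowlist are constructed assumptions to be tuned per environment.

```python
"""Detect BrowserCore.exe started by a non-browser parent.

Added example; not part of this sandbox report or of the ROADtoken project.
Parses "Process created" lines in the format used by this report and applies
one rule. The same Image / ParentImage comparison maps onto Sysmon Event ID 1
or Windows Security event 4688 with parent process logging enabled.
"""
import ntpath
import re

# "Source: <parent> Process created: <child path>.exe <command line>[ Jump to behavior]"
PROCESS_LINE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<child>.+?\.exe)\s+"
    r"(?P<cmdline>.*?)(?:\s+Jump to behavior)?$",
    re.IGNORECASE,
)

TARGET = "browsercore.exe"
# Browsers that legitimately launch BrowserCore.exe as a native messaging host.
# Assumption: tune to the browsers deployed in your environment.
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# A parent image under the user profile (Desktop, Downloads, AppData) raises severity.
USER_WRITABLE_PREFIX = "c:\\users\\"

# The first three lines are copied from this report; the chrome.exe line is
# constructed to show a benign launch that the rule must not flag.
SAMPLE_REPORT = r"""
Source: unknown Process created: C:\Users\user\Desktop\ROADToken.exe "C:\Users\user\Desktop\ROADToken.exe"
Source: C:\Users\user\Desktop\ROADToken.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ROADToken.exe Process created: C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe "C:\Program Files\Windows Security\BrowserCore\browsercore.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe "C:\Program Files\Windows Security\BrowserCore\browsercore.exe"
"""


def parse_process_events(text: str) -> list:
    """Return one dict per 'Process created' line: parent image, child image, command line."""
    events = []
    for raw in text.splitlines():
        m = PROCESS_LINE.match(raw.strip())
        if m:
            events.append({"parent": m["parent"], "child": m["child"], "cmdline": m["cmdline"]})
    return events


def find_browsercore_abuse(events: list) -> list:
    """Flag BrowserCore.exe launches whose parent is not an allow-listed browser."""
    findings = []
    for ev in events:
        child = ntpath.basename(ev["child"]).lower()
        parent_name = ntpath.basename(ev["parent"])
        if child != TARGET or parent_name.lower() in BROWSER_PARENTS:
            continue
        findings.append({
            "parent": parent_name,
            "parent_path": ev["parent"],
            "child": ev["child"],
            "cmdline": ev["cmdline"],
            "severity": "high" if ev["parent"].lower().startswith(USER_WRITABLE_PREFIX) else "medium",
            "reason": "BrowserCore.exe (PRT SSO cookie broker) launched outside a browser",
        })
    return findings


if __name__ == "__main__":
    for f in find_browsercore_abuse(parse_process_events(SAMPLE_REPORT)):
        print(f"[{f['severity']}] {f['parent']} -> {ntpath.basename(f['child'])}: {f['reason']}")
```

In production telemetry the same rule is a parent/child image comparison on process creation events; the report-line parser exists only so the logic can be exercised against the text of this page. Expect legitimate exceptions (browser updaters, enterprise SSO agents) and add them to the allowlist deliberately rather than widening the rule.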
Source: ROADToken.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ROADToken.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ROADToken.exe Static PE information: 0xFD6CACEB [Thu Sep 25 03:50:03 2104 UTC]
Source: C:\Users\user\Desktop\ROADToken.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ROADToken.exe Memory allocated: A40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ROADToken.exe Memory allocated: 2580000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ROADToken.exe Memory allocated: 2380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ROADToken.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ROADToken.exe TID: 5772 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ROADToken.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ROADToken.exe Queries volume information: C:\Users\user\Desktop\ROADToken.exe VolumeInformation
No contacted IP infos