Windows Analysis Report
xin.exe

Overview

General Information

Sample name: xin.exe
Analysis ID: 1524235
MD5: 6cd2bc8e57214a9143084b8cad228c75
SHA1: b71d3c77d96604c904702b45904b72b889808125
SHA256: fd1da56c56e1143d0b08fe9e139075d8c2d9d5ba70117c9ef6a2f9e715198e37
Tags: exe user-aachum

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Reads the System eventlog
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables security privileges
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: xin.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: xin.exe Joe Sandbox ML: detected
Source: xin.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xin.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: xin.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: xin.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: xin.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: xin.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xin.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: xin.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: xin.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: xin.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: xin.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: xin.exe String found in binary or memory: http://ocsp.digicert.com0
Source: xin.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: xin.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: xin.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: xin.exe String found in binary or memory: http://www.digicert.com/CPS0

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Source: xin.exe, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 450048
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Strings.cs Large array initialization: Strings: array initializer size 6160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0515D608 3_2_0515D608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0515DF11 3_2_0515DF11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Security
Source: xin.exe Static PE information: invalid certificate
Source: xin.exe, 00000000.00000002.1439477835.0000000003E35000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHederal.exe" vs xin.exe
Source: xin.exe, 00000000.00000002.1437001628.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs xin.exe
Source: xin.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xin.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.xin.exe.3e35570.0.raw.unpack, PBE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, PBE.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, TripleDes.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Strings.cs Base64 encoded string: 'Gg0hLjoEMyo4eS8eAzEzEzwmGi0UCz8aLiolAC9GBSc6DD9CGiU+GCQuWCshIVgjO1ozGTgmDi8hNVlU'
Source: classification engine Classification label: mal84.evad.winEXE@4/2@0/0
Source: C:\Users\user\Desktop\xin.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xin.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: xin.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\xin.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xin.exe ReversingLabs: Detection: 55%
Source: unknown Process created: C:\Users\user\Desktop\xin.exe "C:\Users\user\Desktop\xin.exe"
Source: C:\Users\user\Desktop\xin.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\xin.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\xin.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\xin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xin.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\xin.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\xin.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textshaping.dll
Source: xin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: xin.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: xin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xin.exe Static PE information: real checksum: 0x78249 should be: 0x760f2
Source: C:\Users\user\Desktop\xin.exe Code function: 0_2_02E32C09 pushad ; retn 0071h 0_2_02E32C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0515BE49 push C00508E7h; iretd 3_2_0515BE55
Source: xin.exe Static PE information: section name: .text entropy: 7.996829369194556
Source: 0.2.xin.exe.3e35570.0.raw.unpack, AesFastEngine.cs High entropy of concatenated method names: 'Shift', 'FFmulX', 'Inv_Mcol', 'SubWord', 'GenerateWorkingKey', 'Init', 'GetBlockSize', 'ProcessBlock', 'Reset', 'UnPackBlock'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, UserExt.cs High entropy of concatenated method names: '_003CDomainExists_003Eb__2', 'GAInXb1qTgvQOvf8KJ4', 'LKEH8R1pMCS1a4IQ0dd', 'SZ2y2I1ZfeGKq7mXdOB', 'avIhFc1kGEBjtqdoevi', 'DomainExists', 'PreCheck', 'f1ZkOtF1Uy5DHm2EtRf', 'p7Ig5vF5JcTglN3OtHO', 'DrJymHFnAUFto8kDf38'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Tables8kGcmMultiplier.cs High entropy of concatenated method names: 'Init', 'MultiplyH', 'LpmMGPiUXOMjht9aASa', 'iw0rwDiaiaHjyQ9ZQ4Z', 'Y3BN5DiLo28roh6cXwo', 'do8s0SiZnxJK7WVjmhK', 'ahvks6ikhVTptv8Rexb', 'v0n1agiCGjEiyswvwuC', 'bLZCF7irKcG06cvTDCw', 'X5QcSiiqGxGThEJmNu4'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, StringDecrypt.cs High entropy of concatenated method names: 'Xor', 'FromBase64', 'BytesToStringConverted', 'Read', 'FHwCvVP4DxkintHJqdc', 'jEpDBlPRXXbQ59tSVh4', 'Wmp4ewPJ4SdFRPF9r9j', 'eNDMMoPSgrtheMynHN6', 'g6LDtRPEIy6t9hG9Usx', 'mW5XHrPOA6iqsYhCrGG'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Form1.cs High entropy of concatenated method names: '_003CReadLine_003Eb__2_0', 'TEy5og170yM3gmDDaXM', 'zBrNyX1orS97yY5fGW5', 'b2ca251JSMtOgW2sWLx', 'GcrWd31S29oktkDp7fL', 'Form1_Load', 'ReadLine', 'Dispose', 'InitializeComponent', 'UdEF99FtYYTbhTTheLB'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRoot13.cs High entropy of concatenated method names: '_003C_002Ecctor_003Eb__0', '_003C_002Ecctor_003Eb__1', 'ixF2do12oqmIg7jAddT', 'nEK3b51ckeHKSCYHf5f', 'whrBfI1vxQPCqg8x8gO', '_003CField23_003Eb__0', 'SrPOGf1P10iyfvNL3Jq', 'VeO4Rg1xHxheqhKdHsU', '_003CGetText_003Eb__0', 'oneMeR1K2QrZCsDY9JZ'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, AesGcm256.cs High entropy of concatenated method names: 'Decrypt', 'Decrypt', 'cum62dPtu91Y0FF2taj', 'SyIwA6PWTEGq89mnepj', 'TYxaZwPGtaou3lId2SK', 'MdBBThPlxa65Ng1RpqU', 'yJuTwhPCAkEMPVlDm8Q', 'vIaUJlPrq2B97QmoBBv', 'yKNZHIPUQiAJYK4IeHb', 'FQcN2HPaPD5kHcM6e4A'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, PBKDF2.cs High entropy of concatenated method names: 'GetBytes', 'Func', 'GetBytesFromInt', 'PAVIqwn0R7u5ClGPIj6', 'zYeEVfnHDgHkc2OaTWe', 'EQOiHVnwhCrt0O8Iy3l', 'adRXIinTyMXbKxUaoNB', 'GwEcTWny8rBW2ViwGOP', 's7FuGcnNGag66dj6t0J', 'I23sHNnYAffnE56Ms0r'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Asn1Der.cs High entropy of concatenated method names: 'Parse', 'rKQdSQnUcWUwfLyRpLt', 'fmtcTSnaET38j2W0UXY', 'NRWJtSnLonJWn3EBcyZ', 'nHwS4JnZBsL51bnXuSA', 'iaJ39qnkq9y2HYjsr1C', 'LDVPYenq21VeH9373Bs', 'dLo8CXnC5K8Zw3VSpju', 'iXNEBknryPsl0gmccG1'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRoot25.cs High entropy of concatenated method names: 'Field2', 'Field3', 'sPBGU3v0GHQxbPZbG6p', 'EbGcMbvHihImJQVNVkn', 'Qq9qSFvyP604TgYldu9', 'mJvwUqvNr6o3TR0R8oY', 'FJJc4LvYnQdCL88ZPP9', 'IZdvDQv9qjMTBOaYP2e', 'ToKrjovD4V3GhgIXOcE', 'yh31Tov3nqFVEfBCKL0'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRoot20.cs High entropy of concatenated method names: 'Field1', 'Field5', 'Field2', 'Field3', 'Field4', 'Key4Database', 'Key3Database', 'aRyZexcVQZI3JbYoBK3', 'y03y7ecWFKREB905SPO', 'mYuOjscGoBE9TWhPw5S'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs High entropy of concatenated method names: 'Dispose', 'Ot7kSbnFcl5ebkWV7OD', 'oR3ub1nhZwcoK97Sdrb', 'SRXiUGnilrDy1g5hMRG', 'm4MHqqnPDfkeMPgcqAv', 'uJ9JTrn2mQy08CKH1sA', 'zn8H3rnM3UHBDjFYPrU', 'd2ykmAnxgCYA9wo4QUu', 'a8A3SIndc80ZVGH7sYB'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRootReaderSql.cs High entropy of concatenated method names: '_003C_002Ector_003Eb__9_0', 'dMyv5O1arIGQRsu18mx', 'q2cbFd1r5AUWvLmMX5w', 'kKnHi61UZ5nW5Jgk9LE', 'GatherValue', 'ReadMasterOfContext', 'ReadContextTable', 'GetOffset', 'ReadContextValue', 'ConvertToULong'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Extembus.cs High entropy of concatenated method names: 'ExpandEnvironmentVariable', 'RF', 'RFAT', 't64agdMJweLt6NEKvTw', 'qUsqHlMS7whMl7n9e8P', 'mFSuRYM7N1BoHpEuET4', 't4jHngMoZx3pAHYKwTf', 'xnPBWMMu19OuGDuTdbs', 'QprdIwMm1irLO61gVIO', 'AUHwO4MskFeGERBK8xr'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, GcmBlockCipher.cs High entropy of concatenated method names: 'GetBlockSize', 'Init', 'GetMac', 'GetOutputSize', 'GetUpdateOutputSize', 'ProcessByte', 'ProcessBytes', 'Process', 'DoFinal', 'Reset'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Strings.cs High entropy of concatenated method names: 'Init', 'Decrypt', 'Get', 'jUiOmTdGb0DiEdHq2J8', 'A1c5lXdtZc3wYJmhX5R', 'iXxrn3dlc0ZRLVjZjX3', 'IHcZoFdVEqHS1ZtYBji', 'Si3OOudWk86RdLVhaV7', 'Qn8ayydC6R6itq10A4i', 'yIcnOSdr342yV4MPlpZ'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, ComInvoker.cs High entropy of concatenated method names: 'Failed', 'g3yWUc1mxK92aLsy0K8', 'VCjRhh1sVymJrS0V7AN', 'RunRecoveryCRXElevated', 'EncryptData', 'DecryptData', 'DecryptData', 'ByteArrayToBSTR', 'BSTRToByteArray', 'SysAllocStringByteLen'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, SystemInfoHelper.cs High entropy of concatenated method names: '_003CCloseBrowser_003Eb__1', 'JvPPjn59wLg68wJxUIl', 'P6ckLo5NNqfOI9gqmL3', 'gvCIKi5Yvafq7Nj9tjp', '_003CCloseBrowser_003Eb__1_0', '_003CFindProc_003Eb__9_0', '_003CListOfPrograms_003Eb__10_0', '_003CAvailableLanguages_003Eb__11_0', 'RlRtaO584BFatgNEbc3', 'egOQii5BgYehFDVI8C1'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRoot27.cs High entropy of concatenated method names: '_003CField4_003Eb__0', 'WNASsS6BKWnk0ElrakQ', 'U4QtWC6zyA0CJbE6gcs', 'LIJvaE6bdL39J80O3Tu', 'ns9VeG683qLiiBtSAeh', 'Field2', 'Field3', 'Field4', 'G5M06t229LsMWPZXrJY', 'YAZLU52MMHD89GQwyuc'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRoot23.cs High entropy of concatenated method names: 'Field2', 'Field3', 'IdY8AIvpUskxRW3xf8l', 'lSrghJvEMqIQ3BbYDo0', 'tdpZksvOiSOiB5QF2Xl', 'q891niv4WTkN6YldDF5', 'o5OGoKvR7Le93njGkS4', 'JsZJY4vkUt4ESh6KOWM', 'c4aCjRvqrmj8uGXS9Ja'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, DeviceMonitor.cs High entropy of concatenated method names: 'CaptureScreen', 'CaptureWindow', 'MonitorSize', 'GetImageBase', 'ConvertToBytes', 'dPL4rex2KOUa09N230h', 'OCGhmNxMPCmWsnFuBRX', 'AGh8VHxFFBZhHfGVpH6', 'JF6WGwxhMHC2J46Fej5', 'mAj84YxivgH6X2XpW4R'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Auhi.cs High entropy of concatenated method names: 'I\u04341', 'I\u04342', 'I\u04343', 'I\u04344', 'fu81OQc0OZNbGrjnpSD', 'CXxCWJcw2vwreErUldI', 'niP0NCcTejbSCxyQLTs', 'UtTfVBcH83pLiLPTqUW', 'aqXwiXcyal7J2LsIsJr', 'jA5NoCcNWbAhLNBlY3l'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, API.cs High entropy of concatenated method names: 'Func', 'm1', 'm2', 'm3', 'm4', 'm7', 'm8', 'm9', 'm10', 'm11'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, WinApiFile.cs High entropy of concatenated method names: 'Open', 'Open', 'Open', 'Close', 'MoveFilePointer', 'MoveFilePointer', 'Read', 'Dispose', 'Dispose', 'ThrowLastWin32Err'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FileHelper.cs High entropy of concatenated method names: 'Search', 'ChromeGetName', 'ChrRm', 'ChrLm', 'Y5wFwgdxvVxewA9i9UN', 'HDRIEFddsFCrMnxLMMm', 'JsygwidiPaagmIVwHhh', 'wpfux4dPfXiEPxuybYN', 'o8SYcTdQBHdFtCybK70', 'c5jKKqdnUyv2hAESfAF'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, ContextSwitcher.cs High entropy of concatenated method names: 'EnableAllTokenPrivileges', 'EnableAllTokenPrivileges', 'EnableTokenPrivileges', 'EnableTokenPrivileges', 'GetSystemProcessHandle', 'Lgp3M310uqcfcmQhlGQ', 'YSZC6Z1wE84x1mDL0Mx', 'GlZwYn1TG8k2Mdt6Vbn', 'CompareIgnoreCase', 'GetTokenPrivileges'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRootRoot.cs High entropy of concatenated method names: 'Field1', 'GR17OtvKdbtcEmLoCKr', 'FWL4NEvgXRcZHw7mkrU', 'WcPLyNvefxorrEpUU1D', 'hcLvsfvV1lEX2dkL3Ei', 'cYwVBlvW983O0vHRrIZ', 'HlaTlSvGcLrq0brJ03S', 'wVjCqOvtROeva0BLBnc', 'U43NwAv1W6L7eA1v9C7', 'SKg1VJv5u9SWpVkraBk'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRoot19.cs High entropy of concatenated method names: 'Field1', 'Field2', 'Field3', 'b1VMnpbjUuu288qkNK', 'cNpy0a8M8qjL7sGhVN', 'DwTZDKB0WwTa5wSgAZ', 'umFMDCzleup0Jxm0SV', 'x0V5VNcj3q9HcunemBu', 'NWYh75ccX5wlKPgwUv6', 'arTOYgcvm5IZFXK5IlF'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, CryptoHelper.cs High entropy of concatenated method names: 'GetDecoded', 'DecryptBlob', 'Encrypt', 'cryptUnprotectData', 'GetMd5Hash', 'GetHexString', 'kSkNVQhkNKIUdsZ6Ts6', 'wwW9PBhq1jxHJI9Mb92', 'dPDDINhpg5OLCEkUQKV', 'ksW4YXhEHHiBpl4nTTk'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, EnvCheck.cs High entropy of concatenated method names: 'IsTimeFastForwarded', 'IsFirstEventLogLessThanDayOld', 'H1u14txBnNG9n7ZcLUw', 'KQZ32gxzD2V2fGyQbkX', 'vr1njIdjA6JHlu1NImF', 'QUN3YqdcnQ5tG07WXey', 'X5VC4QdvXV7yN2xudWY', 'hxBXT7d2A61ba4TVCcp', 'W9UDhBdM3AbfCpy4UPO', 'ddEd7ldFXgK8H1nuNEs'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, BerkeleyDB.cs High entropy of concatenated method names: 'Extract', 'Hs6mhFh6JM0B0iMl9X5', 'hBEQ41h1NNCFrb3qddY', 'yuJ9Ieh5EZbSL1C33Zr', 'KUmGXRhKaELRUGJAF2i', 'ae3qTShgHxCY166nuNg', 'xCAIFbheCoSNxLLYxaL', 'JtwR3ihVFkCS5cYFIa1', 'FUqbFBhWWTsTT3le8xo', 'yqJV9hhGrKEpDD9GRuc'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, StringExt.cs High entropy of concatenated method names: 'ChangeType', 'StripQuotes', 'HexToBytes', 'hgEjetFiO4AqwDI0VZw', 'aIf5fTFFaIaB1wvM4y2', 'JhoZBEFhxKGNOaDYwnk', 'LTaxu9FPRJHIFdX0o98', 'oEUb0lFxa6cnao1y1bg', 'SBtsKEFdpuosxR6Xsii'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, TripleDes.cs High entropy of concatenated method names: 'ComputeVoid', 'Compute', 'DecryptStringDesCbc', 'DecryptByteDesCbc', 'becuyGPAKITmgVVvOYT', 'y4YMaxPfuZxhY94kcej', 'gjsuVePw3EYP0eAJE0U', 'LqAQ32PT67mYas8OyTN', 'sxX8AvP0QBWk07yQp8c', 'qwJivkPHuwmZum3mKo4'
Source: C:\Users\user\Desktop\xin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xin.exe Memory allocated: 1490000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\xin.exe Memory allocated: 2E30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\xin.exe Memory allocated: 4E30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: FD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2AD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4AD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\xin.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\xin.exe TID: 7708 Thread sleep count: 294 > 30
Source: C:\Users\user\Desktop\xin.exe TID: 7708 Thread sleep count: 197 > 30
Source: C:\Users\user\Desktop\xin.exe TID: 7656 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7748 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\xin.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: xin.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: xin.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: xin.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: 0.2.xin.exe.3e35570.0.raw.unpack, ContextSwitcher.cs Reference to suspicious API methods: NativeMethods.OpenProcess(processAccessMask, bInheritHandle: false, process.Id)
Source: C:\Users\user\Desktop\xin.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\xin.exe Code function: 0_2_02E32125 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_02E32125
Source: C:\Users\user\Desktop\xin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\xin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\xin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\xin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\Desktop\xin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 472000
Source: C:\Users\user\Desktop\xin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9D3008
Source: C:\Users\user\Desktop\xin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\xin.exe Queries volume information: C:\Users\user\Desktop\xin.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos