Windows Analysis Report
0urFbKxdvL.exe

Overview

General Information

Sample name: 0urFbKxdvL.exe
renamed because original name is a hash value
Original sample name: 328eea4110a4b59778225e2efef7b9cfd07adfb8d189d9fa2d2e450de274659c.exe
Analysis ID: 1527620
MD5: 0ae609594fbd4bb27287bd63bc9e9529
SHA1: a506ec04296bd6fe7450c59578bd55a94f17aa65
SHA256: 328eea4110a4b59778225e2efef7b9cfd07adfb8d189d9fa2d2e450de274659c
Tags: exe, SliverFox, user-bloated7731

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Queries device information via Setup API
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 0urFbKxdvL.exe Virustotal: Detection: 18%
Source: 0urFbKxdvL.exe ReversingLabs: Detection: 32%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 91.2% probability
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_00000001400043D0 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00000001400043D0
Source: 0urFbKxdvL.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: 0urFbKxdvL.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 0urFbKxdvL.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: 0urFbKxdvL.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 0urFbKxdvL.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: 0urFbKxdvL.exe String found in binary or memory: https://sectigo.com/CPS0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_0000000140004570: IIDFromString,CreateFileW,GetLastError,lstrlenW,wsprintfW,DeviceIoControl,CloseHandle, 0_2_0000000140004570
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_000000014000CA3C 0_2_000000014000CA3C
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_000000014000D684 0_2_000000014000D684
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_0000000140009CA0 0_2_0000000140009CA0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_00000001400126C4 0_2_00000001400126C4
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_0000000140007320 0_2_0000000140007320
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_000000014000CD28 0_2_000000014000CD28
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_0000000140003990 0_2_0000000140003990
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_00000001400049C0 0_2_00000001400049C0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_000000014000E9D4 0_2_000000014000E9D4
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_001E0000 0_2_001E0000
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_001E6947 0_2_001E6947
Source: 0urFbKxdvL.exe Binary or memory string: OriginalFilename vs 0urFbKxdvL.exe
Source: 0urFbKxdvL.exe, 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedeviceinstaller.exe vs 0urFbKxdvL.exe
Source: 0urFbKxdvL.exe Binary or memory string: OriginalFilenamedeviceinstaller.exe vs 0urFbKxdvL.exe
Source: classification engine Classification label: mal60.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_0000000140007EB0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,InitiateSystemShutdownExW, 0_2_0000000140007EB0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Mutant created: \Sessions\1\BaseNamedObjects\e3a596ac-25f6-43e4-910a-e6a0c89ca722
Source: 0urFbKxdvL.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0urFbKxdvL.exe Virustotal: Detection: 18%
Source: 0urFbKxdvL.exe ReversingLabs: Detection: 32%
Source: 0urFbKxdvL.exe String found in binary or memory: positioned on the newly-added filter. ! Deletes the next occurrence of the specified filter. When the subcommand
Source: 0urFbKxdvL.exe String found in binary or memory: ng of the list. When the subcommand completes, the cursor is positioned on the newly-added filter. + Add after
Source: 0urFbKxdvL.exe String found in binary or memory: cursor is positioned on the newly-added filter.
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Section loaded: amsi.dll
Source: 0urFbKxdvL.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 0urFbKxdvL.exe Static file information: File size 4338576 > 1048576
Source: 0urFbKxdvL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0urFbKxdvL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0urFbKxdvL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0urFbKxdvL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0urFbKxdvL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_0000000140004230 GetFullPathNameW,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,GetLastError,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_0000000140004230
Source: 0urFbKxdvL.exe Static PE information: real checksum: 0x4716e should be: 0x426362
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_001E8C37 push edi; ret 0_2_001E8C4B
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_001E8C5E push ecx; ret 0_2_001E8C63
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_001E8C7C push ecx; ret 0_2_001E8C82
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_001E8C70 push edi; ret 0_2_001E8C7A
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_000000014000CA3C EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_000000014000CA3C

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_000000014000112B 0_2_000000014000112B
Source: C:\Users\user\Desktop\0urFbKxdvL.exe RDTSC instruction interceptor: First address: 140001142 second address: 140001152 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov ecx, eax 0x0000000c fldpi 0x0000000e frndint 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0urFbKxdvL.exe RDTSC instruction interceptor: First address: 140001152 second address: 140001152 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a sub eax, ecx 0x0000000c dec ecx 0x0000000d cmp eax, ecx 0x0000000f jc 00007F9A810F7DADh 0x00000011 fldpi 0x00000013 frndint 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_000000014000112B rdtsc 0_2_000000014000112B
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_0000000140009CA0 SetupDiGetDeviceInstallParamsW,SetupDiSetDeviceInstallParamsW,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiOpenDevRegKey,RegCloseKey,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SetupDiGetDeviceRegistryPropertyW,SetupDiSetDeviceInstallParamsW,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiGetDriverInfoDetailW,GetLastError,SetupDiEnumDriverInfoW,SetupDiDestroyDriverInfoList,RegCloseKey, 0_2_0000000140009CA0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe API coverage: 2.1 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_00000001400043D0 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00000001400043D0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_001E2917 GetSystemInfo, 0_2_001E2917
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_000000014000B608 __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException, 0_2_000000014000B608
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_00000001400121B8 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00000001400121B8
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_0000000140004230 GetFullPathNameW,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,GetLastError,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_0000000140004230
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_000000014000C8BC GetProcessHeap, 0_2_000000014000C8BC
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_0000000140010850 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0000000140010850
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_000000014000F644 cpuid 0_2_000000014000F644
Source: C:\Users\user\Desktop\0urFbKxdvL.exe Code function: 0_2_0000000140010018 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0000000140010018
No contacted IP infos