Windows Analysis Report
Shiits.exe

Overview

General Information

Sample name: Shiits.exe
Analysis ID: 1527846
MD5: d2511e01ff27f951a58bc2e848d1f6e6
SHA1: 1cd2625285abcac930c0899aeafe2fe12a3b2207
SHA256: 6d0f9739a3fabe26232452cec79ec7706f811c6ea22f4eb7e63739e8bf6da926
Tags: exe, user-adrian__luca

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: Shiits.exe ReversingLabs: Detection: 31%
Source: Shiits.exe Virustotal: Detection: 43%
Source: Shiits.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Shiits.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Shiits.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: C:\Users\user\Desktop\Shiits.exe Code function: 0_2_004066F3 FindFirstFileW,FindClose, 0_2_004066F3
Source: C:\Users\user\Desktop\Shiits.exe Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405ABE
Source: Shiits.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\Shiits.exe Code function: 0_2_00405553 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405553
Source: C:\Users\user\Desktop\Shiits.exe Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403489
Source: C:\Users\user\Desktop\Shiits.exe Code function: 0_2_00404D90 0_2_00404D90
Source: C:\Users\user\Desktop\Shiits.exe Code function: 0_2_00406ABA 0_2_00406ABA
Source: Shiits.exe, 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameloyaliteters radierne.exeR vs Shiits.exe
Source: Shiits.exe Binary or memory string: OriginalFilenameloyaliteters radierne.exeR vs Shiits.exe
Source: classification engine Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Shiits.exe Code function: 0_2_00404814 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404814
Source: C:\Users\user\Desktop\Shiits.exe Code function: 0_2_004020FE CoCreateInstance, 0_2_004020FE
Source: C:\Users\user\Desktop\Shiits.exe File created: C:\Users\user\AppData\Local\Temp\nsiA846.tmp
Source: Shiits.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Shiits.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Shiits.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Shiits.exe File read: C:\Users\user\Desktop\Shiits.exe
Source: C:\Users\user\Desktop\Shiits.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Shiits.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Shiits.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Shiits.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Shiits.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Shiits.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Shiits.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Shiits.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Shiits.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Shiits.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Shiits.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Shiits.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Shiits.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Shiits.exe Static PE information: real checksum: 0x9103c should be: 0x7de48
Source: C:\Users\user\Desktop\Shiits.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shiits.exe API coverage: 8.1 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Shiits.exe API call chain: ExitProcess graph end node
No contacted IP information