Windows Analysis Report
Bzw4UJiXNj.exe

Overview

General Information

Sample name:	Bzw4UJiXNj.exe renamed because original name is a hash value
Original sample name:	4b61a3d79a892267bf6e76a54e188cc0.exe
Analysis ID:	1528625
MD5:	4b61a3d79a892267bf6e76a54e188cc0
SHA1:	e1dc7ad66e65bf5ca6701eb224d11761c56b1288
SHA256:	6bff92bd6fb84f1a453ead8ef017b6ae42a78b7fbbbd6414ec8a9cd669bf3b05
Tags:	64exetrojan
Infos:

Detection

Metasploit

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

File is packed with WinRar

Found dropped PE file which has not been started or loaded

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

Avira: detection malicious, Label: TR/Patched.Gen2

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	Virustotal: Detection: 81%			Perma Link

Multi AV Scanner detection for submitted file

Source: Bzw4UJiXNj.exe	ReversingLabs: Detection: 66%
Source: Bzw4UJiXNj.exe	Virustotal: Detection: 69%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Bzw4UJiXNj.exe

Joe Sandbox ML: detected

Source: Bzw4UJiXNj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp, Icon-https.exe.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Bzw4UJiXNj.exe

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DAB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,SetForegroundWindow,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,PostMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF646DAB190
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF646D940BC
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DBFCA0 FindFirstFileExA,	0_2_00007FF646DBFCA0

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\Videos\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\Music\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\OneDrive\desktop.ini	Jump to behavior

Source: Icon-https.exe.0.dr	String found in binary or memory: http://www.apache.org/
Source: Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp, Icon-https.exe.0.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Icon-https.exe.0.dr	String found in binary or memory: http://www.zeustech.net/

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe, type: DROPPED

Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646D8C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF646D8C2F0

Detected potential crypto function

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB0754	0_2_00007FF646DB0754
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D8F930	0_2_00007FF646D8F930
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D94928	0_2_00007FF646D94928
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9A4AC	0_2_00007FF646D9A4AC
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA3484	0_2_00007FF646DA3484
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DAB190	0_2_00007FF646DAB190
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D85E24	0_2_00007FF646D85E24
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA1F20	0_2_00007FF646DA1F20
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DACE88	0_2_00007FF646DACE88
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DBC838	0_2_00007FF646DBC838
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D84840	0_2_00007FF646D84840
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC2550	0_2_00007FF646DC2550
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D876C0	0_2_00007FF646D876C0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA53F0	0_2_00007FF646DA53F0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9B534	0_2_00007FF646D9B534
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA21D0	0_2_00007FF646DA21D0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9F180	0_2_00007FF646D9F180
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D8A310	0_2_00007FF646D8A310
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D8C2F0	0_2_00007FF646D8C2F0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D87288	0_2_00007FF646D87288
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9126C	0_2_00007FF646D9126C
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC2080	0_2_00007FF646DC2080
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA8DF4	0_2_00007FF646DA8DF4
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB0754	0_2_00007FF646DB0754
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA2D58	0_2_00007FF646DA2D58
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9AF18	0_2_00007FF646D9AF18
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB8C1C	0_2_00007FF646DB8C1C
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA4B98	0_2_00007FF646DA4B98
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9BB90	0_2_00007FF646D9BB90
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D95B60	0_2_00007FF646D95B60
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB89A0	0_2_00007FF646DB89A0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA3964	0_2_00007FF646DA3964
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9C96C	0_2_00007FF646D9C96C
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC5AF8	0_2_00007FF646DC5AF8
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D81AA4	0_2_00007FF646D81AA4
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA2AB0	0_2_00007FF646DA2AB0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DBFA94	0_2_00007FF646DBFA94
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D91A48	0_2_00007FF646D91A48

Sample file is different than original file name gathered from version info

Source: Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameab.exeF vs Bzw4UJiXNj.exe

Yara signature match

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe, type: DROPPED

Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23

Source: Icon-https.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal96.troj.winEXE@1/3@0/0

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646D8B6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF646D8B6D8

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DA8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF646DA8624

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: Bzw4UJiXNj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bzw4UJiXNj.exe	ReversingLabs: Detection: 66%
Source: Bzw4UJiXNj.exe	Virustotal: Detection: 69%

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File read: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: linkinfo.dll	Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Bzw4UJiXNj.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Bzw4UJiXNj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Bzw4UJiXNj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp, Icon-https.exe.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Bzw4UJiXNj.exe

Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

File is packed with WinRar

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6096718

Jump to behavior

PE file contains sections with non-standard names

Source: Bzw4UJiXNj.exe	Static PE information: section name: .didat
Source: Bzw4UJiXNj.exe	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC5156 push rsi; retf		0_2_00007FF646DC5157
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC5166 push rsi; retf		0_2_00007FF646DC5167

Source: Icon-https.exe.0.dr

Static PE information: section name: .text entropy: 7.021725181628894

Drops PE files

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

Jump to dropped file

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DAB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,SetForegroundWindow,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,PostMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF646DAB190
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF646D940BC
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DBFCA0 FindFirstFileExA,	0_2_00007FF646DBFCA0

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DB16A4 VirtualQuery,GetSystemInfo,

0_2_00007FF646DB16A4

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\Videos\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\Music\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\OneDrive\desktop.ini	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DB76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF646DB76D8

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DC0D20 GetProcessHeap,

0_2_00007FF646DC0D20

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF646DB76D8
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB3354 SetUnhandledExceptionFilter,	0_2_00007FF646DB3354
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF646DB2510
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF646DB3170

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DAB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,SetForegroundWindow,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,PostMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF646DAB190

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DC58E0 cpuid

0_2_00007FF646DC58E0

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF646DAA2CC

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DB0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF646DB0754

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646D951A4 GetVersionExW,

0_2_00007FF646D951A4

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

Avira: detection malicious, Label: TR/Patched.Gen2

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	Virustotal: Detection: 81%			Perma Link

Multi AV Scanner detection for submitted file

Source: Bzw4UJiXNj.exe	ReversingLabs: Detection: 66%
Source: Bzw4UJiXNj.exe	Virustotal: Detection: 69%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Bzw4UJiXNj.exe

Joe Sandbox ML: detected

Source: Bzw4UJiXNj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp, Icon-https.exe.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Bzw4UJiXNj.exe

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DAB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,SetForegroundWindow,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,PostMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF646DAB190
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF646D940BC
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DBFCA0 FindFirstFileExA,	0_2_00007FF646DBFCA0

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\Videos\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\Music\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\OneDrive\desktop.ini	Jump to behavior

Source: Icon-https.exe.0.dr	String found in binary or memory: http://www.apache.org/
Source: Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp, Icon-https.exe.0.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Icon-https.exe.0.dr	String found in binary or memory: http://www.zeustech.net/

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe, type: DROPPED

Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

0_2_00007FF646D8C2F0

Detected potential crypto function

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB0754	0_2_00007FF646DB0754
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D8F930	0_2_00007FF646D8F930
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D94928	0_2_00007FF646D94928
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9A4AC	0_2_00007FF646D9A4AC
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA3484	0_2_00007FF646DA3484
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DAB190	0_2_00007FF646DAB190
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D85E24	0_2_00007FF646D85E24
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA1F20	0_2_00007FF646DA1F20
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DACE88	0_2_00007FF646DACE88
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DBC838	0_2_00007FF646DBC838
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D84840	0_2_00007FF646D84840
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC2550	0_2_00007FF646DC2550
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D876C0	0_2_00007FF646D876C0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA53F0	0_2_00007FF646DA53F0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9B534	0_2_00007FF646D9B534
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA21D0	0_2_00007FF646DA21D0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9F180	0_2_00007FF646D9F180
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D8A310	0_2_00007FF646D8A310
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D8C2F0	0_2_00007FF646D8C2F0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D87288	0_2_00007FF646D87288
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9126C	0_2_00007FF646D9126C
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC2080	0_2_00007FF646DC2080
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA8DF4	0_2_00007FF646DA8DF4
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB0754	0_2_00007FF646DB0754
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA2D58	0_2_00007FF646DA2D58
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9AF18	0_2_00007FF646D9AF18
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB8C1C	0_2_00007FF646DB8C1C
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA4B98	0_2_00007FF646DA4B98
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9BB90	0_2_00007FF646D9BB90
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D95B60	0_2_00007FF646D95B60
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB89A0	0_2_00007FF646DB89A0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA3964	0_2_00007FF646DA3964
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9C96C	0_2_00007FF646D9C96C
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC5AF8	0_2_00007FF646DC5AF8
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D81AA4	0_2_00007FF646D81AA4
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA2AB0	0_2_00007FF646DA2AB0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DBFA94	0_2_00007FF646DBFA94
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D91A48	0_2_00007FF646D91A48

Sample file is different than original file name gathered from version info

Source: Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameab.exeF vs Bzw4UJiXNj.exe

Yara signature match

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe, type: DROPPED

Source: Icon-https.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal96.troj.winEXE@1/3@0/0

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646D8B6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF646D8B6D8

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DA8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF646DA8624

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: Bzw4UJiXNj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bzw4UJiXNj.exe	ReversingLabs: Detection: 66%
Source: Bzw4UJiXNj.exe	Virustotal: Detection: 69%

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File read: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: linkinfo.dll	Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Bzw4UJiXNj.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Bzw4UJiXNj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Bzw4UJiXNj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp, Icon-https.exe.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Bzw4UJiXNj.exe

Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

File is packed with WinRar

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6096718

Jump to behavior

PE file contains sections with non-standard names

Source: Bzw4UJiXNj.exe	Static PE information: section name: .didat
Source: Bzw4UJiXNj.exe	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC5156 push rsi; retf		0_2_00007FF646DC5157
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC5166 push rsi; retf		0_2_00007FF646DC5167

Source: Icon-https.exe.0.dr

Static PE information: section name: .text entropy: 7.021725181628894

Drops PE files

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

Jump to dropped file

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DAB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,SetForegroundWindow,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,PostMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF646DAB190
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF646D940BC
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DBFCA0 FindFirstFileExA,	0_2_00007FF646DBFCA0

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DB16A4 VirtualQuery,GetSystemInfo,

0_2_00007FF646DB16A4

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\Videos\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\Music\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\OneDrive\desktop.ini	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DB76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF646DB76D8

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DC0D20 GetProcessHeap,

0_2_00007FF646DC0D20

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF646DB76D8
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB3354 SetUnhandledExceptionFilter,	0_2_00007FF646DB3354
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF646DB2510
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF646DB3170

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

0_2_00007FF646DAB190

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DC58E0 cpuid

0_2_00007FF646DC58E0

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF646DAA2CC

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

0_2_00007FF646DB0754

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646D951A4 GetVersionExW,

0_2_00007FF646D951A4

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe, type: DROPPED

ID:	1528625
Product:	CloudBasic
Start time:	05:08:06
Start date:	08.10.2024
Sample:	Bzw4UJiXNj.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	4b61a3d79a892267bf6e76a54e188cc0
SHA1:	e1dc7ad66e65bf5ca6701eb224d11761c56b1288
SHA256:	6bff92bd6fb84f1a453ead8ef017b6ae42a78b7fbbbd6414ec8a9cd669bf3b05
Filetype:	Win64 Executable GUI (202006/5) 92.65%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	PE32 executable (GUI) Intel 80386, for MS Windows	07E1BC43F53A20F738039F5BD8D081EC	8F6C6DD58009C7E87BCBE565D2D1702D77E70BA2	62E57F61112880D6D11D3FD7E0FB6BEA47215A5041BD66B170BCE4EF4CE8BF60
C:\Users\user\AppData\Local\Temp\RarSFX0\microsoft_office_word_logo_icon_145724.ico	MS Windows icon resource - 1 icon, -128x-128, 32 bits/pixel	26C3AA5599218EB4B32C5A042F099320	5443FDA4FEC6F022B46DC54A73CAC835ECFD1B87	17C8F8D74D73C1106E25CE25AEDE9408BEA3766E9B05B333DC3EA3DBCEB03C5C
C:\Users\user\AppData\Local\Temp\RarSFX0\microsoft_office_word_logo_icon_145724.png	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	1304E793E5FFC4A9508DD9D334F45BE4	05ABC3179625C6863828A5CFA5AD2A19AAE372D2	E6C42A78E2A0A76DA607F8A3338A779670336B56100B92A618896D4209ED7DD8

Windows Analysis Report
Bzw4UJiXNj.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report Bzw4UJiXNj.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
Bzw4UJiXNj.exe