Windows Analysis Report
I4haBqkYuV.exe

Overview

General Information

Sample name: I4haBqkYuV.exe
renamed because original name is a hash value
Original sample name: a1eb01a712eb890b68aaff8a432268eff970d63e.exe
Analysis ID: 1528903
MD5: 7ab35907f4792e43dc3127eaa1b56da1
SHA1: a1eb01a712eb890b68aaff8a432268eff970d63e
SHA256: 5d02aa5429af6efc68bc78f9b47a570609c0d448265cca5c578e78e0e35dd3a4
Tags: exe, user-JinAgry

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Source: I4haBqkYuV.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \Program\01_Arrow-Symbol\APP-WIN\RoadMarking_ClassificationAIDatasetDivider\Bin\x64\Debug\RoadMarking_ClassificationAIDatasetDivider.pdb99 source: I4haBqkYuV.exe
Source: Binary string: \Program\01_Arrow-Symbol\APP-WIN\RoadMarking_ClassificationAIDatasetDivider\Bin\x64\Debug\RoadMarking_ClassificationAIDatasetDivider.pdb source: I4haBqkYuV.exe
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Code function: 0_2_00007FF601E9A409 __std_fs_directory_iterator_open,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_00007FF601E9A409
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Code function: 0_2_00007FF601E9AB70: __std_fs_read_reparse_data_buffer,DeviceIoControl,GetLastError, 0_2_00007FF601E9AB70
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Code function: 0_2_00007FF601E979A2 0_2_00007FF601E979A2
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Code function: 0_2_00007FF601E96A4D 0_2_00007FF601E96A4D
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Code function: 0_2_00007FF601E96377 0_2_00007FF601E96377
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Code function: String function: 00007FF602178C80 appears 195 times
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Code function: String function: 00007FF602178C90 appears 195 times
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Code function: String function: 00007FF602178D40 appears 44 times
Source: I4haBqkYuV.exe Static PE information: Number of sections : 11 > 10
Source: classification engine Classification label: clean4.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Code function: 0_2_00007FF601E97D21 GetDiskFreeSpaceExW,GetLastError,_malloc_dbg,GetFinalPathNameByHandleW,GetLastError,GetDiskFreeSpaceExW,GetLastError, 0_2_00007FF601E97D21
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\I4haBqkYuV.exe "C:\Users\user\Desktop\I4haBqkYuV.exe"
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Section loaded: roadmarkingdatasetaccesslib.dll
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Section loaded: msvcp140d.dll
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Section loaded: vcruntime140d.dll
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Section loaded: vcruntime140_1d.dll
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Section loaded: ucrtbased.dll
Source: I4haBqkYuV.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: I4haBqkYuV.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: I4haBqkYuV.exe Static file information: File size 3048448 > 1048576
Source: I4haBqkYuV.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x229200
Source: I4haBqkYuV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: I4haBqkYuV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: I4haBqkYuV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: I4haBqkYuV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: I4haBqkYuV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: I4haBqkYuV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: I4haBqkYuV.exe Static PE information: section name: .textbss
Source: I4haBqkYuV.exe Static PE information: section name: .msvcjmc
Source: I4haBqkYuV.exe Static PE information: section name: .00cfg
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Code function: 0_2_00007FF601E9B54D IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF601E9B54D
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Code function: 0_2_00007FF601E9937E SetUnhandledExceptionFilter, 0_2_00007FF601E9937E
Source: C:\Users\user\Desktop\I4haBqkYuV.exe Code function: 0_2_00007FF602097B20 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF602097B20
No contacted IP infos