Windows Analysis Report
4WRYCj0Ea4.exe

Overview

General Information

Sample name: 4WRYCj0Ea4.exe
renamed because original name is a hash value
Original sample name: 0621d37818c35e2557fdd8a729e50ea662ba518df8ca61a44cc3add5c6deb3cd.exe
Analysis ID: 1530951
MD5: ed60b3913e6694f4a0ed2fe25551bd1f
SHA1: 18a2ee2fcd433f0fe27e0b6fc13bdfc890fc637b
SHA256: 0621d37818c35e2557fdd8a729e50ea662ba518df8ca61a44cc3add5c6deb3cd
Tags: 185-235-241-208, exe, user-JAMESWT_MHT

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: 4WRYCj0Ea4.exe Avira: detected
Source: 4WRYCj0Ea4.exe ReversingLabs: Detection: 62%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 91.3% probability
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC54580 ?homePath@QDir@@SA?AVQString@@XZ,??YQString@@QEAAAEAV0@PEBD@Z,??0QString@@QEAA@$$QEAV0@@Z,?copy@QFile@@SA_NAEBVQString@@0@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??0QString@@QEAA@PEBD@Z,?addDatabase@QSqlDatabase@@SA?AV1@AEBVQString@@0@Z,??1QString@@QEAA@XZ,?homePath@QDir@@SA?AVQString@@XZ,??YQString@@QEAAAEAV0@PEBD@Z,??0QString@@QEAA@$$QEAV0@@Z,?setDatabaseName@QSqlDatabase@@QEAAXAEBVQString@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?open@QSqlDatabase@@QEAA_NXZ,??0QMessageLogger@@QEAA@PEBDH0@Z,?debug@QMessageLogger@@QEBA?AVQDebug@@XZ,??6QDebug@@QEAAAEAV0@PEBD@Z,??1QDebug@@QEAA@XZ,??0QMessageLogger@@QEAA@PEBDH0@Z,?debug@QMessageLogger@@QEBA?AVQDebug@@XZ,??6QDebug@@QEAAAEAV0@PEBD@Z,?lastError@QSqlDatabase@@QEBA?AVQSqlError@@XZ,?text@QSqlError@@QEBA?AVQString@@XZ,??1QString@@QEAA@XZ,??1QSqlError@@QEAA@XZ,??1QDebug@@QEAA@XZ,??1QSqlDatabase@@QEAA@XZ,??1QString@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??0QSqlQuery@@QEAA@AEBVQSqlDatabase@@@Z,??0QString@@QEAA@PEBD@Z,?prepare@QSqlQuery@@QEAA_NAEBVQString@@@Z,??1QString@@QEAA@XZ,?exec@QSqlQuery@@QEAA_NXZ,??0QMessageLogger@@QEAA@PEBDH0@Z,?debug@QMessageLogger@@QEBA?AVQDebug@@XZ,??6QDebug@@QEAAAEAV0@PEBD@Z,??1QDebug@@QEAA@XZ,??0QMessageLogger@@QEAA@PEBDH0@Z,?debug@QMessageLogger@@QEBA?AVQDebug@@XZ,??6QDebug@@QEAAAEAV0@PEBD@Z,?lastError@QSqlDatabase@@QEBA?AVQSqlError@@XZ,?text@QSqlError@@QEBA?AVQString@@XZ,??1QString@@QEAA@XZ,??1QSqlError@@QEAA@XZ,??1QDebug@@QEAA@XZ,??1QSqlQuery@@QEAA@XZ,?next@QSqlQuery@@QEAA_NXZ,?value@QSqlQuery@@QEBA?AVQVariant@@H@Z,?toByteArray@QVariant@@QEBA?AVQByteArray@@XZ,??1QVariant@@QEAA@XZ,?length@QByteArray@@QEBA_JXZ,?right@QByteArray@@QEGBA?AV1@_J@Z,?length@QByteArray@@QEBA_JXZ,?right@QByteArray@@QEGBA?AV1@_J@Z,?left@QByteArray@@QEHAA?AV1@_J@Z,??1QByteArray@@QEAA@XZ,?data@QByteArray@@QEAAPEADXZ,?data@QByteArray@@QEAAPEADXZ,?data@QByteArray@@QEAAPEADXZ,?length@QByteArray@@QEBA_JXZ,EVP_DecryptInit_ex,?fromRawData@QByteArray@@SA?AV1@PEBD_J@Z,?homePath@QDir@@SA?AVQString@@XZ,??YQString@@QEAAAEAV0@PEBD@Z,??0QString@@QEAA@$$QEAV0@@Z,??0QFile@@QEAA@AEBVQString@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?open@QFile@@UEAA_NV?$QFlags@W4OpenModeFlag@QIODeviceBase@@@@@Z,?value@QSqlQuery@@QEBA?AVQVariant@@H@Z,?toString@QVariant@@QEBA?AVQString@@XZ,?castHelper@QByteArrayView@@CAPEBDPEBD@Z,?fromUtf8@QString@@SA?AV1@VQByteArrayView@@@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??0QString@@QEAA@$$QEAV0@@Z,??0QString@@QEAA@$$QEAV0@@Z,??0QString@@QEAA@$$QEAV0@@Z,memmove,??0QString@@QEAA@$$QEAV0@@Z,memmove,??0QString@@QEAA@$$QEAV0@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??1QVariant@@QEAA@XZ,?value@QSqlQuery@@QEBA?AVQVariant@@H@Z,?toString@QVariant@@QEBA?AVQString@@XZ,?castHelper@QByteArrayView@@CAPEBDPEBD@Z,?fromUtf8@QString@@SA?AV1@VQByteArrayView@@@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??0QString@@QEAA@$$QEAV0@@Z,??0QString@@QEAA@$$QEAV0@@Z,??0QString@@QEAA@$$QEAV0@@Z,memmove,??0QString@@QEAA@$$QEAV0@@Z,memmove,??0QString@@QEAA@$$QEAV0@@Z,??1QString@@QEAA@XZ,??1QSt 0_2_00007FF67DC54580
Source: 4WRYCj0Ea4.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 4WRYCj0Ea4.exe String found in binary or memory: http://185.235.241.208:1224
Source: 4WRYCj0Ea4.exe String found in binary or memory: https://hello.freeconference.com/login/access-code
Source: 4WRYCj0Ea4.exe String found in binary or memory: https://hello.freeconference.com/login/access-code&HideSho&w&Close:/logo.icohttp://185.235.241.208:1
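The three "String found in binary or memory" lines above are the report's only network indicators: a bare IP:port (http://185.235.241.208:1224, matching the 185-235-241-208 tag) and the freeconference login URL. The third line shows why such hits need a second look: Qt packs string literals back to back, so a plain strings scan runs UI text ("&HideSho&w&Close:/logo.ico") straight into the URL. The following Python is an added editor example, not part of the report or the sample, that reproduces this extraction offline: it scans a buffer for URLs and IPv4:port pairs in both ASCII and UTF-16LE (QString literals are UTF-16, and wide strings are not always 2-byte aligned), drops an IP:port already covered by a URL, and defangs the result for a report. SAMPLE_IMAGE is a constructed byte string that embeds the two real strings from this report plus two made-up indicators (192.0.2.10:4444 and a wide-string http://10.0.0.5:8080/update, both from documentation/private ranges) so the alignment and de-duplication paths are exercised.

```python
"""Extract and defang URL / IP:port IOCs from a binary image (editor's added example)."""
import re
from typing import Dict, List

# URL and bare IPv4:port patterns, applied to text views of the raw bytes.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%/\-]*)?")
IPPORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b")

# Constructed test image. The first two strings are the ones this report found
# (packed with no separator, exactly as the report's third string line shows);
# 192.0.2.10:4444 and the UTF-16LE http://10.0.0.5:8080/update are made up.
SAMPLE_IMAGE = (
    b"\x00\x00&HideSho&w&Close:/logo.icohttp://185.235.241.208:1224\x00"
    + b"https://hello.freeconference.com/login/access-code\x00"
    + b"192.0.2.10:4444\x00"
    # the wide string starts at byte offset 123 (odd), so only the
    # blob[1:] view below decodes it correctly
    + "http://10.0.0.5:8080/update".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90\xcc\xcc"
)


def find_iocs(blob: bytes) -> Dict[str, List[str]]:
    """Return sorted URLs and bare IP:port pairs found in ASCII or UTF-16LE text."""
    views = [
        blob.decode("latin-1"),                               # ASCII, byte for byte
        blob.decode("utf-16-le", errors="replace"),           # wide, even offsets
        blob[1:].decode("utf-16-le", errors="replace"),       # wide, odd offsets
    ]
    urls, ipports = set(), set()
    for text in views:
        urls.update(m.group(0) for m in URL_RE.finditer(text))
        ipports.update(m.group(0) for m in IPPORT_RE.finditer(text))
    # An IP:port that is the host of a URL is reported once, under the URL.
    ipports = {ip for ip in ipports if not any(ip in u for u in urls)}
    return {"urls": sorted(urls), "ip_ports": sorted(ipports)}


def defang(ioc: str) -> str:
    """hxxp scheme and [.] in the host/IP, path left intact."""
    scheme, sep, rest = ioc.partition("://")
    if not sep:                                   # bare ip:port
        return ioc.replace(".", "[.]")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def defanged_iocs(blob: bytes = SAMPLE_IMAGE) -> List[str]:
    found = find_iocs(blob)
    return [defang(x) for x in found["urls"] + found["ip_ports"]]


if __name__ == "__main__":
    for line in defanged_iocs():
        print(line)
```

Run it against a real image with `find_iocs(open(path, "rb").read())`; the odd-offset view is what catches wide strings that a byte-aligned scan silently misses.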
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC52B30 0_2_00007FF67DC52B30
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC532A0 0_2_00007FF67DC532A0
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC525C0 0_2_00007FF67DC525C0
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC54580 0_2_00007FF67DC54580
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC56880 0_2_00007FF67DC56880
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC55460 0_2_00007FF67DC55460
Source: 4WRYCj0Ea4.exe Binary or memory string: OriginalFilename vs 4WRYCj0Ea4.exe
Source: 4WRYCj0Ea4.exe, 00000000.00000002.3379383849.00007FF67DC6E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFCCCall.exe0 vs 4WRYCj0Ea4.exe
Source: 4WRYCj0Ea4.exe Binary or memory string: OriginalFilenameFCCCall.exe0 vs 4WRYCj0Ea4.exe
Source: classification engine Classification label: mal60.winEXE@1/0@0/0
Source: 4WRYCj0Ea4.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Section loaded: libcrypto-1_1-x64.dll Jump to behavior
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Section loaded: qt6webuserwidgets.dll Jump to behavior
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Section loaded: qt6widgets.dll Jump to behavior
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Section loaded: qt6webusercore.dll Jump to behavior
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Section loaded: qt6gui.dll Jump to behavior
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Section loaded: qt6sql.dll Jump to behavior
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Section loaded: qt6network.dll Jump to behavior
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Section loaded: qt6core.dll Jump to behavior
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Section loaded: vcruntime140.dll Jump to behavior
Source: 4WRYCj0Ea4.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 4WRYCj0Ea4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4WRYCj0Ea4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4WRYCj0Ea4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4WRYCj0Ea4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4WRYCj0Ea4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4WRYCj0Ea4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 4WRYCj0Ea4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4WRYCj0Ea4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4WRYCj0Ea4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4WRYCj0Ea4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4WRYCj0Ea4.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC59438 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF67DC59438
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC5961C SetUnhandledExceptionFilter, 0_2_00007FF67DC5961C
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC58FD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF67DC58FD4
Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC59688 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF67DC59688
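The "Code function" lines above carry the call sequences behind the IsDebuggerPresent signature, and they deserve a caveat: the sequence in 0_2_00007FF67DC59438 (IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter) is the MSVC runtime's __scrt_fastfail handler, 0_2_00007FF67DC58FD4 (SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess) is __raise_securityfailure, and 0_2_00007FF67DC59688 (GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter) is __security_init_cookie. All three are linked into every /GS-enabled x64 build, so the anti-debug hit is compiler boilerplate, whereas the function at 0_2_00007FF67DC54580 (QFile::copy out of QDir::homePath, QSqlDatabase open, QSqlQuery exec, QByteArray right/left slicing, EVP_DecryptInit_ex) is the one worth reversing. The Python below is an added editor example, not part of the report: it parses the report's own "Code function" line format, checks each API list against the three CRT sequences (reference data written here, not taken from the report), flags crypto calls, and only reports IsDebuggerPresent as anti-debug when it is not inside a CRT stub. REPORT_LINES holds the three CRT lines verbatim and a constructed, shortened excerpt of the 0_2_00007FF67DC54580 line.

```python
"""Triage helper for sandbox 'Code function' lines (editor's added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Report line shape:  Source: <path> Code function: <id> <api>,<api>,... <id>
CODE_FUNC_RE = re.compile(
    r"Code function:\s+(?P<fid>\S+)(?:\s+(?P<apis>.*?))?\s+(?P=fid)\s*$"
)

# Ordered call sequences the MSVC x64 runtime links into every /GS build.
# Reference data written by the editor, not taken from the report.
CRT_STUBS: Dict[str, List[str]] = {
    "__scrt_fastfail": [
        "IsProcessorFeaturePresent", "RtlCaptureContext", "RtlLookupFunctionEntry",
        "RtlVirtualUnwind", "IsDebuggerPresent", "SetUnhandledExceptionFilter",
        "UnhandledExceptionFilter",
    ],
    "__raise_securityfailure": [
        "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
        "GetCurrentProcess", "TerminateProcess",
    ],
    "__security_init_cookie": [
        "GetSystemTimeAsFileTime", "GetCurrentThreadId",
        "GetCurrentProcessId", "QueryPerformanceCounter",
    ],
}
CRYPTO_PREFIXES = ("EVP_", "Crypt", "BCrypt", "NCrypt")

# Three lines copied from this report plus a shortened (constructed) excerpt of the
# 0_2_00007FF67DC54580 line that keeps only the calls that matter for triage.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC59438 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF67DC59438",
    r"Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC58FD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF67DC58FD4",
    r"Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC59688 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF67DC59688",
    r"Source: C:\Users\user\Desktop\4WRYCj0Ea4.exe Code function: 0_2_00007FF67DC54580 ?homePath@QDir@@SA?AVQString@@XZ,?copy@QFile@@SA_NAEBVQString@@0@Z,?open@QSqlDatabase@@QEAA_NXZ,?exec@QSqlQuery@@QEAA_NXZ,?right@QByteArray@@QEGBA?AV1@_J@Z,?left@QByteArray@@QEHAA?AV1@_J@Z,EVP_DecryptInit_ex 0_2_00007FF67DC54580",
]


def parse_code_function(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (function id, [api, ...]) or None if the line is not a Code function line."""
    m = CODE_FUNC_RE.search(line)
    if not m:
        return None
    apis = [a.strip() for a in (m.group("apis") or "").split(",") if a.strip()]
    return m.group("fid"), apis


def is_subsequence(needle: List[str], haystack: List[str]) -> bool:
    """True when every element of needle occurs in haystack in the same order
    (extra calls such as memset in between are allowed)."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def crt_stub(apis: List[str]) -> Optional[str]:
    for name, seq in CRT_STUBS.items():
        if is_subsequence(seq, apis):
            return name
    return None


def triage(line: str) -> Optional[dict]:
    parsed = parse_code_function(line)
    if parsed is None:
        return None
    fid, apis = parsed
    stub = crt_stub(apis)
    return {
        "function": fid,
        "api_count": len(apis),
        "crt_stub": stub,
        "crypto_apis": [a for a in apis if a.startswith(CRYPTO_PREFIXES)],
        # IsDebuggerPresent inside a CRT stub is compiler boilerplate, not anti-analysis
        "anti_debug": "IsDebuggerPresent" in apis and stub is None,
    }


def triage_all(lines: List[str] = REPORT_LINES) -> Dict[str, dict]:
    """Triage every Code function line, keyed by function id."""
    results = {}
    for line in lines:
        r = triage(line)
        if r is not None:
            results[r["function"]] = r
    return results


if __name__ == "__main__":
    for fid, r in triage_all().items():
        print(fid, r["crt_stub"] or "-", r["crypto_apis"], "anti_debug" if r["anti_debug"] else "")
```

Feed it the whole report (`triage_all(open(path).read().splitlines())`) and the functions left without a CRT label are the analyst's worklist.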
No contacted IP infos