Windows Analysis Report
MP_TLK4EE_M_01G_Rev_E.exe

Overview

General Information

Sample name: MP_TLK4EE_M_01G_Rev_E.exe
Analysis ID: 1530954
MD5: f1dd6bc64a726d4ecd808ce54c6dee6f
SHA1: 45248f50638d1419b227afa2596340a757d736a3
SHA256: 9637c20db05893ed94aef7fa8e5bbb6e55cee7b77c18e1c7fdca89171acef042

Detection

Score: 10
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Checks for kernel debuggers (COM1); a weak indicator on its own, since legitimate serial-port tools open COM1 as well
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Uses 32bit PE files

Classification

Source: MP_TLK4EE_M_01G_Rev_E.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: MP_TLK4EE_M_01G_Rev_E.exe String found in binary or memory: http://192.168.86.1/download.html
Source: MP_TLK4EE_M_01G_Rev_E.exe String found in binary or memory: http://192.168.86.1/download.htmlHost192.168.86.1Content-Typemultipart/form-data;
Source: MP_TLK4EE_M_01G_Rev_E.exe String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: MP_TLK4EE_M_01G_Rev_E.exe String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtdurn:oasis:names:tc:entity:xmlns:x
Source: MP_TLK4EE_M_01G_Rev_E.exe String found in binary or memory: http://www.xmlspy.com)
Source: classification engine Classification label: clean10.evad.winEXE@1/0@0/1
Source: Yara match File source: MP_TLK4EE_M_01G_Rev_E.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1320318006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: MP_TLK4EE_M_01G_Rev_E.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: wintypes.dll (3 times)
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Window found: window name: TComboBox
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Automated click: Continue (40 times)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: MP_TLK4EE_M_01G_Rev_E.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: MP_TLK4EE_M_01G_Rev_E.exe Static file information: File size 2429952 > 1048576
Source: MP_TLK4EE_M_01G_Rev_E.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106200
Source: MP_TLK4EE_M_01G_Rev_E.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x118600
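The static-PE lines in this report (the file characteristics, the .text section flags, and the "bigger than 0x100000" size checks) all come from the COFF file header and the section table. The Python below is an added example, not part of the Joe Sandbox report and not the sandbox's own code: it parses those headers with the standard library only and reproduces the report's checks, plus a writable-and-executable section check the report does not print. It runs on a constructed, header-only PE32 image that reuses the report's numbers (file size 2429952, .text raw size 0x106200, .rsrc raw size 0x118600); the two-section layout, RVAs and raw pointers of that image are assumptions, not facts about the real sample.

```python
import struct

# Flag tables transcribed from winnt.h (IMAGE_FILE_* and IMAGE_SCN_* constants).
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
BIG_SECTION = 0x100000  # 1 MiB, the threshold behind the report's "bigger than" lines
BIG_FILE = 1048576


def flag_names(value, table):
    """Expand a bitmask into flag names, lowest bit first (the order the report prints)."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Parse the DOS, COFF and section headers of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the 4-byte signature
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    (opt_magic,) = struct.unpack_from("<H", data, coff + 20)  # first field of the optional header
    sections = []
    for i in range(nsections):
        off = coff + 20 + opt_size + 40 * i  # section table starts right after the optional header
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_pointer": rawptr,
            "flags": flag_names(schars, SECTION_CHARACTERISTICS),
            "writable_and_executable": bool(schars & 0x80000000 and schars & 0x20000000),
        })
    return {
        "is_pe32": machine == IMAGE_FILE_MACHINE_I386 and opt_magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC,
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "sections": sections,
        "file_size": len(data),
    }


def static_findings(data):
    """Reproduce the report's static-PE lines, plus a W+X section check the report does not print."""
    pe = parse_pe(data)
    out = ["Static PE information: " + ", ".join(pe["characteristics"])]
    if pe["file_size"] > BIG_FILE:
        out.append(f"Static file information: File size {pe['file_size']} > {BIG_FILE}")
    for s in pe["sections"]:
        out.append(f"Section: {s['name']} " + ", ".join(s["flags"]))
        if s["virtual_size"] > BIG_SECTION:
            out.append(f"Virtual size of {s['name']} is bigger than: {BIG_SECTION:#x}")
        if s["raw_size"] > BIG_SECTION:
            out.append(f"Raw size of {s['name']} is bigger than: {BIG_SECTION:#x} < {s['raw_size']:#x}")
        if s["writable_and_executable"]:
            out.append(f"Section {s['name']} is writable and executable (self-modifying or unpacking code?)")
    return out


def build_sample_pe():
    """Constructed header-only PE32 image that mirrors the report's numbers; not the real sample."""
    sections = [
        # name, virtual size, RVA, raw size, raw pointer, characteristics (layout is assumed)
        (b".text", 0x106200, 0x1000, 0x106200, 0x400, 0x60000020),       # CODE | EXECUTE | READ
        (b".rsrc", 0x118600, 0x108000, 0x118600, 0x106600, 0x40000040),  # INITIALIZED_DATA | READ
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0, 0xE0, 0x010E)
    opt = struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC) + b"\0" * (0xE0 - 2)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, c)
                    for n, vs, va, rs, rp, c in sections)
    image = dos + b"PE\0\0" + coff + opt + hdrs
    return image + b"\0" * (2429952 - len(image))  # pad to the reported file size


if __name__ == "__main__":
    for line in static_findings(build_sample_pe()):
        print(line)
```

The size checks are heuristics, not verdicts: a 1 MiB code section and a 1 MiB resource section are ordinary for a statically linked Delphi GUI tool, which is exactly what the TComboBox window class and the Borland\Delphi\Locales registry key point to. The one static check worth acting on is the W+X one, and the report's .text flags show it is not the case here.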
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Window / User API: foregroundWindowGot 536
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Window / User API: foregroundWindowGot 496
Source: MP_TLK4EE_M_01G_Rev_E.exe, 00000000.00000002.2587860474.000000000092F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP-
Source: MP_TLK4EE_M_01G_Rev_E.exe, 00000000.00000002.2587860474.0000000000960000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW/g
Source: MP_TLK4EE_M_01G_Rev_E.exe, 00000000.00000002.2587860474.0000000000960000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe File opened: COM1
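Every evidence line in this report has the shape "Source: <origin> <kind>: <value>", and the useful triage facts (the 192.168.86.1 URL, the networking DLLs, the registry keys, the COM1 open and the foreground-window polling) are scattered across it. The script below is an added example, not part of the report and not Joe Sandbox code: it parses lines in that format into one summary. It runs on a constructed excerpt of the lines above. Two assumptions are built in: a URL that merely extends a shorter one (the fused adjacent strings such as the download.html/Host/Content-Type run) is treated as the same indicator, and the classification label is decoded on the assumed layout verdict+score.tags.filetype@processes/dropped-files@domains/ips, which the report itself does not spell out.

```python
import re

# One evidence line reads "Source: <origin> <kind>: <value>".  The origin may itself contain
# spaces ("Yara match", "Window Recorder", a memory-dump name), so the kind is matched against
# the fixed vocabulary these reports use instead of splitting on the first colon.
KINDS = [
    "String found in binary or memory", "Binary or memory string",
    "Static PE information", "Static file information", "Section loaded",
    "Key opened", "Key value queried", "File opened", "Window / User API",
    "Window found", "Window detected", "Automated click",
    "Process information queried", "Classification label", "File source",
]
LINE_RE = re.compile(r"^Source: (?P<origin>.+?) (?P<kind>"
                     + "|".join(re.escape(k) for k in KINDS) + r"): (?P<value>.*)$")
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
# Assumed label layout: <verdict><score>.<tags>.<filetype>@<processes>/<dropped>@<domains>/<ips>
LABEL_RE = re.compile(r"^(?P<verdict>[a-z]+)(?P<score>\d+)\.(?P<tags>.+?)\.(?P<ftype>[A-Za-z0-9]+)"
                      r"@(?P<procs>\d+)/(?P<dropped>\d+)@(?P<domains>\d+)/(?P<ips>\d+)$")
SERIAL_PORTS = {f"COM{i}" for i in range(1, 10)}


def parse_line(line):
    """Split one evidence line into (origin, kind, value); None if it is not an evidence line."""
    m = LINE_RE.match(line.strip())
    return (m["origin"], m["kind"], m["value"]) if m else None


def parse_label(label):
    """Decode a classification label such as clean10.evad.winEXE@1/0@0/1 (layout assumed)."""
    m = LABEL_RE.match(label)
    if not m:
        return None
    return {"verdict": m["verdict"], "score": int(m["score"]), "tags": m["tags"].split("."),
            "file_type": m["ftype"], "processes": int(m["procs"]), "dropped_files": int(m["dropped"]),
            "domains": int(m["domains"]), "ips": int(m["ips"])}


def dedupe_fused(urls):
    """Drop URLs that merely extend a shorter one: adjacent strings fused in memory dumps."""
    return {u for u in urls if not any(o != u and u.startswith(o) for o in urls)}


def triage(lines):
    """Bucket evidence lines into IOCs, loaded modules, registry access and anti-analysis hints."""
    s = {"urls": set(), "ips": set(), "dlls": [], "registry_keys": [], "files_opened": [],
         "anti_analysis": [], "label": None, "unparsed": []}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            s["unparsed"].append(line)
            continue
        _origin, kind, value = parsed
        if kind in ("String found in binary or memory", "Binary or memory string"):
            s["urls"].update(URL_RE.findall(value))
            s["ips"].update(IPV4_RE.findall(value))
        elif kind == "Section loaded":
            if value not in s["dlls"]:  # repeated loads of the same module collapse to one entry
                s["dlls"].append(value)
        elif kind in ("Key opened", "Key value queried"):
            s["registry_keys"].append(value)
        elif kind == "File opened":
            s["files_opened"].append(value)
            if value.upper() in SERIAL_PORTS:
                s["anti_analysis"].append(f"opens {value}: kernel-debugger/serial check; weak on its own, "
                                          "serial-port tools do this too")
        elif kind == "Window / User API":
            s["anti_analysis"].append(f"{value}: polls the foreground window, may wait for user activity")
        elif kind == "Classification label":
            s["label"] = parse_label(value)
    s["urls"] = dedupe_fused(s["urls"])
    return s


# Constructed excerpt of the report above (same line format, a subset of its evidence lines).
SAMPLE_REPORT = r"""
Source: classification engine Classification label: clean10.evad.winEXE@1/0@0/1
Source: MP_TLK4EE_M_01G_Rev_E.exe String found in binary or memory: http://192.168.86.1/download.html
Source: MP_TLK4EE_M_01G_Rev_E.exe String found in binary or memory: http://192.168.86.1/download.htmlHost192.168.86.1Content-Typemultipart/form-data;
Source: MP_TLK4EE_M_01G_Rev_E.exe String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: MP_TLK4EE_M_01G_Rev_E.exe String found in binary or memory: http://www.xmlspy.com)
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe Window / User API: foregroundWindowGot 536
Source: Yara match File source: MP_TLK4EE_M_01G_Rev_E.exe, type: SAMPLE
Source: C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe File opened: COM1
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT.strip().splitlines())
    for key in ("urls", "ips", "dlls", "registry_keys", "files_opened", "anti_analysis"):
        print(f"{key}: {sorted(summary[key])}")
    print("label:", summary["label"])
```

The summary is what you would hand to the network team: one private address (192.168.86.1, an RFC 1918 host, so it cannot be a public C2 and is consistent with a device-configuration tool posting a multipart form to a local appliance), the HTTP stack it loads (wininet, winhttp, wsock32, urlmon), and two anti-analysis hints that are both explained by an interactive serial/GUI utility.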