Windows Analysis Report
jZBSswQjhQ.exe

Overview

General Information

Sample name: jZBSswQjhQ.exe
renamed because original name is a hash value
Original sample name: 58a4b10369cd855f0427cf1139f0d64a.exe
Analysis ID: 1532972
MD5: 58a4b10369cd855f0427cf1139f0d64a
SHA1: f03481b84c1351881ba87531f93ce0bc12f7eaa9
SHA256: 6397988f8f46b82fd519b0a6bfdfeb35966158304369c5608a92adb75ef700fc
Tags: exeuser-abuse_ch

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Entry point lies outside standard sections
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: jZBSswQjhQ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: jZBSswQjhQ.exe Static PE information: certificate valid
Source: Binary string: C:\TenProtect\thunk\output\Release\tpsvc.pdb source: jZBSswQjhQ.exe
Source: unknown DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: jZBSswQjhQ.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: jZBSswQjhQ.exe String found in binary or memory: http://ocsp.thawte.com0
Source: jZBSswQjhQ.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: jZBSswQjhQ.exe String found in binary or memory: http://s.symcd.com06
Source: jZBSswQjhQ.exe String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: jZBSswQjhQ.exe String found in binary or memory: http://s2.symcb.com0
Source: jZBSswQjhQ.exe String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: jZBSswQjhQ.exe String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: jZBSswQjhQ.exe String found in binary or memory: http://sf.symcd.com0&
Source: jZBSswQjhQ.exe String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: jZBSswQjhQ.exe String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: jZBSswQjhQ.exe String found in binary or memory: http://sv.symcd.com0&
Source: jZBSswQjhQ.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: jZBSswQjhQ.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: jZBSswQjhQ.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: jZBSswQjhQ.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: jZBSswQjhQ.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: jZBSswQjhQ.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: jZBSswQjhQ.exe String found in binary or memory: http://www.symauth.com/cps0(
Source: jZBSswQjhQ.exe String found in binary or memory: http://www.symauth.com/rpa00
Source: jZBSswQjhQ.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: jZBSswQjhQ.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: jZBSswQjhQ.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: jZBSswQjhQ.exe Binary or memory string: OriginalFilename vs jZBSswQjhQ.exe
Source: jZBSswQjhQ.exe, 00000000.00000000.2110969864.000000000040C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTPSVC.EXE vs jZBSswQjhQ.exe
Source: jZBSswQjhQ.exe Binary or memory string: OriginalFilenameTPSVC.EXE vs jZBSswQjhQ.exe
Source: jZBSswQjhQ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: clean3.winEXE@1/0@1/0
Source: C:\Users\user\Desktop\jZBSswQjhQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\jZBSswQjhQ.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jZBSswQjhQ.exe Section loaded: tpsvcbase.dll
Source: jZBSswQjhQ.exe Static PE information: certificate valid
Source: jZBSswQjhQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\TenProtect\thunk\output\Release\tpsvc.pdb source: jZBSswQjhQ.exe
Source: initial sample Static PE information: section where entry point is pointing to: .tp3
Source: jZBSswQjhQ.exe Static PE information: section name: .tp3
Source: jZBSswQjhQ.exe Static PE information: section name: .tp3
Source: jZBSswQjhQ.exe Static PE information: section name: .tp3
Source: jZBSswQjhQ.exe Static PE information: section name: .tp3
Source: jZBSswQjhQ.exe Static PE information: section name: .tp3
Source: C:\Users\user\Desktop\jZBSswQjhQ.exe Code function: 0_2_0040ED17 push ss; retf 0_2_00410323
Source: jZBSswQjhQ.exe Static PE information: section name: .tp3 entropy: 7.869411093870724
Source: jZBSswQjhQ.exe Static PE information: section name: .tp3 entropy: 7.560376174712344
No contacted IP infos