Windows Analysis Report
antispam.exe

Overview

General Information

Sample name: antispam.exe
Analysis ID: 1533402
MD5: e5ad838952e63778a5708d2efc4cda86
SHA1: 1a3f14465460a61e012d11cccf301424f2c0f11d
SHA256: e3f10c90a0614e13074f69193a9bd3310332392d17c52fbe6596fd6596327811
Tags: exe, user-Racco42

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses ipconfig to lookup or modify the Windows network settings
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to execute programs as a different user
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Source: antispam.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\lfkmf\source\repos\AuthFormCpp\x64\Release\AuthFormCpp.pdb%% source: antispam.exe
Source: Binary string: C:\Users\lfkmf\source\repos\AuthFormCpp\x64\Release\AuthFormCpp.pdb source: antispam.exe
Source: C:\Users\user\Desktop\antispam.exe Code function: 0_2_00007FF6A1F715B0 0_2_00007FF6A1F715B0
Source: C:\Users\user\Desktop\antispam.exe Code function: 0_2_00007FF6A1F71FC0 0_2_00007FF6A1F71FC0
Source: C:\Users\user\Desktop\antispam.exe Code function: 0_2_00007FF6A1F71230 0_2_00007FF6A1F71230
Source: qwertyuio.txt.0.dr Binary string: Boot Device: \Device\HarddiskVolume1
Source: classification engine Classification label: mal48.evad.winEXE@18/2@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6780:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3844:120:WilError_03
Source: C:\Users\user\Desktop\antispam.exe File created: C:\Users\user\AppData\Local\Temp\qwertyuio.txt
Source: antispam.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\antispam.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\antispam.exe "C:\Users\user\Desktop\antispam.exe"
Source: C:\Users\user\Desktop\antispam.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\antispam.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\antispam.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c route print
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Users\user\Desktop\antispam.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Users\user\Desktop\antispam.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\antispam.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\System32\ROUTE.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ROUTE.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ROUTE.EXE Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ROUTE.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\systeminfo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\antispam.exe Automated click: OK (repeated 10 times)
Source: antispam.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: antispam.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: antispam.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: antispam.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: antispam.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: antispam.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: antispam.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: antispam.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: antispam.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: antispam.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: antispam.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: antispam.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: qwertyuio.txt.0.dr Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: ROUTE.EXE, 00000008.00000002.1859464175.0000022AFC069000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\antispam.exe Code function: 0_2_00007FF6A1F746E4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6A1F746E4
Source: C:\Users\user\Desktop\antispam.exe Code function: 0_2_00007FF6A1F748C4 SetUnhandledExceptionFilter, 0_2_00007FF6A1F748C4
Source: C:\Users\user\Desktop\antispam.exe Code function: 0_2_00007FF6A1F73DC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6A1F73DC0
Source: C:\Users\user\Desktop\antispam.exe Code function: 0_2_00007FF6A1F71FC0 CreatePipe,SetHandleInformation,memcpy,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,ReadFile,memcpy,ReadFile,CloseHandle,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,Concurrency::cancel_current_task,DefWindowProcW,PostQuitMessage,SendMessageW,GetWindowTextW,GetWindowTextLengthW,GetWindowTextW,wcschr,wcscpy_s,wcscpy_s,memset,GetComputerNameExW,lstrcmpiW,LogonUserW,FlushFileBuffers,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,memcpy,memcpy,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,FlushFileBuffers,MessageBoxW,PostQuitMessage,CloseHandle,memcpy,memcpy,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,FlushFileBuffers,MessageBoxW,Concurrency::cancel_current_task,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn, 0_2_00007FF6A1F71FC0
Source: C:\Users\user\Desktop\antispam.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo
Source: C:\Users\user\Desktop\antispam.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c route print
Source: C:\Users\user\Desktop\antispam.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Users\user\Desktop\antispam.exe Code function: 0_2_00007FF6A1F745C4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6A1F745C4
Source: C:\Users\user\Desktop\antispam.exe Code function: 0_2_00007FF6A1F715B0 InitCommonControlsEx,LoadIconW,LoadCursorW,LoadIconW,GetTempPathW,memcpy,_invalid_parameter_noinfo_noreturn,CreateFileW,AllocConsole,GetConsoleWindow,GetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,SetConsoleTitleW,__acrt_iob_func,freopen_s,__acrt_iob_func,freopen_s,__acrt_iob_func,freopen_s,GetStdHandle,SetStdHandle,GetStdHandle,SetStdHandle,GetStdHandle,SetStdHandle,printf,SleepEx,printf,RegisterClassExW,CreateWindowExW,GetWindowLongW,SetWindowLongW,CreateWindowExW,LoadBitmapW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,CreateFontW,SendMessageW,CreateWindowExW,SendMessageW,NetGetJoinInformation,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,GetUserNameExW,SendMessageW,SendMessageW,CreateWindowExW,SendMessageW,CreateWindowExW,CreateWindowExW,SendMessageW,CreateWindowExW,SendMessageW,ShowWindow,UpdateWindow,GetMessageW,TranslateMessage,DispatchMessageW,GetMessageW,_invalid_parameter_noinfo_noreturn, 0_2_00007FF6A1F715B0
No contacted IP infos