Windows Analysis Report
eVirFdGeXm.exe

Overview

General Information

Sample name: eVirFdGeXm.exe
(renamed because the original name is a hash value)
Original sample name: 11e3134472c0035f17a22bfbd2f66416.exe
Analysis ID: 1537103
MD5: 11e3134472c0035f17a22bfbd2f66416
SHA1: 073a4f5698987a9e1d36beadbec29570f9906d46
SHA256: ef2a8077afd8c42e52b49a2c4f7a1ca49f59f83ef9af4e508bf438b64bc36b11
Tags: 64exe

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Binary contains a suspicious time stamp
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Source: eVirFdGeXm.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: dccw.pdbGCTL source: eVirFdGeXm.exe
Source: Binary string: dccw.pdb source: eVirFdGeXm.exe
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC71EBC4 GetObjectW,GetLastError,GetWindowRect,GetLastError,GetDC,GetLastError,CreateCompatibleDC,GetLastError,SelectObject,CreateCompatibleDC,GetLastError,SetStretchBltMode,GetLastError,CreateCompatibleBitmap,GetLastError,SelectObject,StretchBlt,GetLastError,SendMessageW,DeleteObject,ReleaseDC,DeleteDC,DeleteDC,DeleteObject, 0_2_00007FF6BC71EBC4
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC711170 0_2_00007FF6BC711170
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC714120 0_2_00007FF6BC714120
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC71EBC4 0_2_00007FF6BC71EBC4
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC712518 0_2_00007FF6BC712518
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC71892C 0_2_00007FF6BC71892C
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC71388C 0_2_00007FF6BC71388C
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC712E8C 0_2_00007FF6BC712E8C
Source: eVirFdGeXm.exe Binary or memory string: OriginalFilename vs eVirFdGeXm.exe
Source: eVirFdGeXm.exe, 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedccw.exej% vs eVirFdGeXm.exe
Source: eVirFdGeXm.exe Binary or memory string: OriginalFilenamedccw.exej% vs eVirFdGeXm.exe
Source: classification engine Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC720478 FormatMessageW,LocalFree,GetLastError, 0_2_00007FF6BC720478
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC711780 CoCreateInstance, 0_2_00007FF6BC711780
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC71E884 FindResourceW,GetLastError,LoadResource,GetLastError,SizeofResource,LockResource,GlobalAlloc,GetLastError,GlobalLock,GetLastError,memcpy,CreateStreamOnHGlobal,GlobalUnlock,GlobalFree,GlobalUnlock,GetLastError,GdipAlloc,GdipCreateBitmapFromStream,GdipCreateHBITMAPFromBitmap,GetObjectW,GetLastError, 0_2_00007FF6BC71E884
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DCCW Startup Mutex
Source: eVirFdGeXm.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Section loaded: dxva2.dll
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Section loaded: mscms.dll
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Section loaded: textshaping.dll
Source: eVirFdGeXm.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: eVirFdGeXm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: eVirFdGeXm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: eVirFdGeXm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: eVirFdGeXm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: eVirFdGeXm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: eVirFdGeXm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: eVirFdGeXm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: eVirFdGeXm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: eVirFdGeXm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: eVirFdGeXm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: eVirFdGeXm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: eVirFdGeXm.exe Static PE information: 0x9AF322B1 [Sat May 18 06:09:53 2052 UTC]
Source: eVirFdGeXm.exe Static PE information: real checksum: 0x1f5dd should be: 0x90725
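The static findings above (the DllCharacteristics mitigation flags, the decoded TimeDateStamp, the CheckSum mismatch and the OriginalFilename vs. sample-name comparison) all come straight out of the PE headers and version resource. The following is an added example, not Joe Sandbox code and not code from the sample: it rebuilds those checks in Python and runs them on a hand-constructed, header-only PE32+ image that carries the report's values (TimeDateStamp 0x9AF322B1, DllCharacteristics 0xC160, stored CheckSum 0x1F5DD, OriginalFilename dccw.exe). The checksum routine follows the documented imagehlp CheckSumMappedFile algorithm; the OriginalFilename scrape is a string scan of the kind that produced the "OriginalFilenamedccw.exej%" hit above, not a resource-directory walk. Two caveats when reading these signatures: Windows verifies the CheckSum only for kernel drivers and boot-critical images, so a user-mode EXE with a wrong value still loads, and Microsoft builds Windows binaries reproducibly, which stores a hash rather than a build time in TimeDateStamp, so a nonsensical date on a binary linked against dccw.pdb is consistent with that and is not on its own evidence of tampering.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example (not Joe Sandbox code): static PE triage checks on a constructed PE32+ image.
# IMAGE_DLLCHARACTERISTICS_* bits, in the order the report lists them.
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSum as imagehlp's CheckSumMappedFile computes it: little-endian DWORD sum with
    end-around carry, skipping the CheckSum field, folded to 16 bits, plus the file length.
    Windows enforces it only for drivers and boot-critical images, so a wrong value still loads."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def decode_timestamp(ts: int) -> datetime:
    """COFF TimeDateStamp: seconds since the Unix epoch; arithmetic so dates past 2038 decode."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)

def original_filename(data: bytes) -> Optional[str]:
    """Scrape the VS_VERSION_INFO 'OriginalFilename' string (UTF-16LE key, terminator, DWORD
    padding, value) the way a strings pass does, without walking the resource directory."""
    key = "OriginalFilename".encode("utf-16-le")
    pos = data.find(key)
    if pos < 0:
        return None
    pos += len(key)
    while data[pos:pos + 2] == b"\x00\x00":      # key terminator and alignment padding
        pos += 2
    units = []
    while pos + 2 <= len(data) and data[pos:pos + 2] != b"\x00\x00":
        units.append(data[pos:pos + 2])
        pos += 2
    return b"".join(units).decode("utf-16-le", errors="replace")

def parse_headers(data: bytes) -> dict:
    """Pull TimeDateStamp, CheckSum and DllCharacteristics out of a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    return {"timestamp": struct.unpack_from("<I", data, e_lfanew + 8)[0],
            "checksum_offset": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "dll_characteristics": struct.unpack_from("<H", data, opt + 70)[0]}

def triage(data: bytes, sample_name: str, now: datetime) -> dict:
    """The report's static findings: checksum mismatch, future build time, mitigation
    flags, and OriginalFilename disagreeing with the name the sample was run under."""
    hdr = parse_headers(data)
    computed = pe_checksum(data, hdr["checksum_offset"])
    built = decode_timestamp(hdr["timestamp"])
    orig = original_filename(data)
    return {"stored_checksum": hdr["stored_checksum"], "computed_checksum": computed,
            # a stored 0 means the linker never wrote one; only a non-zero wrong value is notable
            "checksum_mismatch": hdr["stored_checksum"] not in (0, computed),
            "build_time": built, "timestamp_in_future": built > now,
            "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items())
                                    if hdr["dll_characteristics"] & bit],
            "original_filename": orig,
            "name_mismatch": orig is not None and orig.lower() != sample_name.lower()}

def build_sample_image(timestamp: int, dll_chars: int, stored_checksum: int, orig_name: str) -> bytes:
    """Constructed header-only PE32+ image for the demo; a stand-in, not the dccw.exe sample."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)            # ImageBase, as in the report
    struct.pack_into("<IHH", opt, 64, stored_checksum, 2, dll_chars)  # CheckSum, GUI subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    # bare VS_VERSION_INFO String entry: key, terminator, DWORD padding, value
    verinfo = ("OriginalFilename\0".encode("utf-16-le") + b"\x00\x00"
               + (orig_name + "\0").encode("utf-16-le"))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + verinfo

if __name__ == "__main__":
    # the report's own values: TimeDateStamp 0x9AF322B1, flags 0xC160, stored CheckSum 0x1F5DD
    image = build_sample_image(0x9AF322B1, 0xC160, 0x1F5DD, "dccw.exe")
    for key, value in triage(image, "eVirFdGeXm.exe", datetime.now(timezone.utc)).items():
        print(f"{key}: {value}")
```

Run against a real file by replacing the constructed image with the file's bytes; parse_headers deliberately rejects PE32 (0x10B) images so the hard-coded offsets are never applied to the wrong header layout.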
Source: C:\Users\user\Desktop\eVirFdGeXm.exe API coverage: 5.0 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC71F7DC GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_00007FF6BC71F7DC
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC721010 SetUnhandledExceptionFilter, 0_2_00007FF6BC721010
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC720CE8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6BC720CE8
Source: C:\Users\user\Desktop\eVirFdGeXm.exe Code function: 0_2_00007FF6BC7211E4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 0_2_00007FF6BC7211E4
No contacted IP infos