Windows Analysis Report
ZKNiiqoHKV.exe

Overview

General Information

Sample name: ZKNiiqoHKV.exe
renamed because original name is a hash value
Original sample name: 6bacbe921c817ef6fc3d2fa1b8cd100452d5f002bd76ce536632abc633f571ae.exe
Analysis ID: 1538056
MD5: 1169e07116b990459d7c3d52bc4f58fe
SHA1: f4d6680399237143f914902bf7c8be0475589625
SHA256: 6bacbe921c817ef6fc3d2fa1b8cd100452d5f002bd76ce536632abc633f571ae
Tags: exeuser-0xv
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
PE file contains section with special chars
Entry point lies outside standard sections
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: ZKNiiqoHKV.exe ReversingLabs: Detection: 34%
Source: ZKNiiqoHKV.exe Virustotal: Detection: 51%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 93.6% probability
Source: ZKNiiqoHKV.exe Joe Sandbox ML: detected

System Summary

Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: Number of sections : 13 > 10
Source: ZKNiiqoHKV.exe, 00000000.00000002.2911223832.0000000141E04000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameGunzLegacy.exe8 vs ZKNiiqoHKV.exe
Source: ZKNiiqoHKV.exe Binary or memory string: OriginalFilenameGunzLegacy.exe8 vs ZKNiiqoHKV.exe
Source: ZKNiiqoHKV.exe Static PE information: Section: ZLIB complexity 0.993994433008982
Source: ZKNiiqoHKV.exe Static PE information: Section: ZLIB complexity 0.9973697916666666
Source: ZKNiiqoHKV.exe Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine Classification label: mal60.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ZKNiiqoHKV.exe ReversingLabs: Detection: 34%
Source: ZKNiiqoHKV.exe Virustotal: Detection: 51%
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: d3dx9_43.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: fmod64.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe Section loaded: wldp.dll
Source: ZKNiiqoHKV.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: ZKNiiqoHKV.exe Static file information: File size 6152208 > 1048576
Source: ZKNiiqoHKV.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x1fe000
Source: ZKNiiqoHKV.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x2ff400
Source: initial sample Static PE information: section where entry point is pointing to: .boot
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name:
Source: ZKNiiqoHKV.exe Static PE information: section name: .themida
Source: ZKNiiqoHKV.exe Static PE information: section name: .boot
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos