Windows Analysis Report
z39UartAssist.exe

Overview

General Information

Sample name: z39UartAssist.exe
Analysis ID: 1541089
MD5: b117bdf393de8ff72d5a0b68731fcf54
SHA1: d8f63074a1ee7c0140d1316b985a3e4ae5017496
SHA256: ccc1e602d6a8ceeae8f1009170e8d46bc2cbc57d3583f483745c0d5e855ffd0a
Tags: exeuser-Porcupine
Infos:

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Sample is not signed and drops a device driver
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates driver files
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Uses 32bit PE files
Source: z39UartAssist.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Contains functionality to get notified if a device is plugged in / out
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004720C4 PostMessageA,RegisterDeviceNotificationA, 0_2_004720C4
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004D097C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_004D097C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004E4360 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_004E4360
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004D0B9C FindFirstFileA,GetLastError, 0_2_004D0B9C
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /assistcenter/uartassist_upgrade/?ver=50014&ident=SYWVSLRYMZWXKN5D&stamp=01729767727 HTTP/1.0Host: www.cmsoft.cnUser-Agent: Mozilla/4.0Accept: */*Accept-Language: zh-cnAccept-Encoding: identityConnection: closeCache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004712DC @TSyncUart@RecvData$qqrpvi,ClearCommError,ReadFile, 0_2_004712DC
Source: global traffic HTTP traffic detected: GET /assistcenter/uartassist_upgrade/?ver=50014&ident=SYWVSLRYMZWXKN5D&stamp=01729767727 HTTP/1.0Host: www.cmsoft.cnUser-Agent: Mozilla/4.0Accept: */*Accept-Language: zh-cnAccept-Encoding: identityConnection: closeCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: www.cmsoft.cn
Source: z39UartAssist.exe String found in binary or memory: http://crl.gdca.com.cn/crl/GDCA_TrustAUTH_R4_Generic_CA.crl0
Source: z39UartAssist.exe String found in binary or memory: http://crl.gdca.com.cn/crl/GDCA_TrustAUTH_R5_ROOT.crl0
Source: z39UartAssist.exe, z39UartAssist.exe, 00000000.00000002.2976743314.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://free.cmsoft.cn/assistcenter/
Source: z39UartAssist.exe, 00000000.00000002.2976743314.00000000005DF000.00000040.00000001.01000000.00000003.sdmp, z39UartAssist.exe, 00000000.00000003.1750748185.000000000420C000.00000004.00001000.00020000.00000000.sdmp, z39UartAssist.exe, 00000000.00000002.2977965266.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, z39UartAssist.exe, 00000000.00000002.2978007112.000000000420C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://free.cmsoft.cn/assistcenter/help/UartAssist
Source: z39UartAssist.exe, 00000000.00000002.2978007112.000000000420C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://free.cmsoft.cn/download/cmsoft/assistant/uartassist5.0.14.zip
Source: z39UartAssist.exe, z39UartAssist.exe, 00000000.00000002.2976743314.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://free.cmsoft.cn/tools/ntp/?handler=%d
Source: z39UartAssist.exe, 00000000.00000002.2976743314.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://free.cmsoft.cn/tools/ntp/?handler=%dtimestamp
Source: z39UartAssist.exe, z39UartAssist.exe, 00000000.00000002.2976743314.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://free.scomm.cn/assistcenter/
Source: z39UartAssist.exe String found in binary or memory: http://ocsp2.gdca.com.cn/ocsp0
Source: z39UartAssist.exe, z39UartAssist.exe, 00000000.00000002.2976743314.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.cmsoft.cn
Source: z39UartAssist.exe, z39UartAssist.exe, 00000000.00000002.2976743314.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.cmsoft.cn/assistcenter/
Source: z39UartAssist.exe, 00000000.00000003.1750748185.000000000420C000.00000004.00001000.00020000.00000000.sdmp, z39UartAssist.exe, 00000000.00000002.2977965266.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, z39UartAssist.exe, 00000000.00000002.2978007112.000000000420C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.cmsoft.cn/assistcenter/images/assist_dll3.raw
Source: z39UartAssist.exe, 00000000.00000003.1750748185.000000000420C000.00000004.00001000.00020000.00000000.sdmp, z39UartAssist.exe, 00000000.00000002.2977965266.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, z39UartAssist.exe, 00000000.00000002.2978007112.000000000420C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.cmsoft.cn/assistcenter/uartassist_upgrade/
Source: z39UartAssist.exe, 00000000.00000002.2977572678.0000000002453000.00000004.00001000.00020000.00000000.sdmp, z39UartAssist.exe, 00000000.00000003.1750748185.000000000420C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.cmsoft.cn/assistcenter/uartassist_upgrade/?ver=50014&ident=SYWVSLRYMZWXKN5D&stamp=0172976
Source: z39UartAssist.exe, 00000000.00000002.2976743314.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.cmsoft.cnhttp://www.cmsoft.cn/assistcenter/http://www.scomm.cn/assistcenter/http://free.c
Source: z39UartAssist.exe String found in binary or memory: http://www.gdca.com.cn/cert/GDCA_TrustAUTH_R5_ROOT.der0)
Source: z39UartAssist.exe String found in binary or memory: http://www.gdca.com.cn/cps/cps0F
Source: z39UartAssist.exe String found in binary or memory: http://www.gdca.com.cn/cps/cps0L
Source: z39UartAssist.exe, z39UartAssist.exe, 00000000.00000002.2976743314.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.scomm.cn/assistcenter/
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00554DA4 GlobalAlloc,GlobalLock,SetClipboardData,GlobalUnlock, 0_2_00554DA4
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00554E88 GetClipboardData,GlobalLock,GlobalUnlock, 0_2_00554E88
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0052EDE0 GetKeyboardState,KiUserCallbackDispatcher, 0_2_0052EDE0
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0046C9A4 @TcmTrayIcon@ShiftState$qv,GetKeyState,GetKeyState,GetKeyState, 0_2_0046C9A4
Contains functionality to call native functions
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00531CA0 NtdllDefWindowProc_A,GetCapture,KiUserCallbackDispatcher, 0_2_00531CA0
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00522408 NtdllDefWindowProc_A, 0_2_00522408
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0051D2B8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_0051D2B8
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0051D368 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_0051D368
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0040A5B4: CreateFileA,DeviceIoControl,CloseHandle, 0_2_0040A5B4
Creates driver files
Source: C:\Users\user\Desktop\z39UartAssist.exe File created: C:\Users\user\AppData\Roaming\Cmsoft\uartassist.sys Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0043E9B4 0_2_0043E9B4
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0043D04C 0_2_0043D04C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0046B150 0_2_0046B150
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0045E018 0_2_0045E018
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004121D4 0_2_004121D4
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0046E1DC 0_2_0046E1DC
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0049C298 0_2_0049C298
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00402304 0_2_00402304
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0048846C 0_2_0048846C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0048861C 0_2_0048861C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0045A6D0 0_2_0045A6D0
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0047C68C 0_2_0047C68C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00564A10 0_2_00564A10
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00490CCC 0_2_00490CCC
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00492CCC 0_2_00492CCC
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00456CB0 0_2_00456CB0
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00498D64 0_2_00498D64
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00448F50 0_2_00448F50
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0047D080 0_2_0047D080
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00443188 0_2_00443188
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0044F34C 0_2_0044F34C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00457338 0_2_00457338
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004593CC 0_2_004593CC
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0048D444 0_2_0048D444
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004AB454 0_2_004AB454
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00453568 0_2_00453568
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00495668 0_2_00495668
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00459688 0_2_00459688
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00487744 0_2_00487744
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0045D790 0_2_0045D790
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0046F80C 0_2_0046F80C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0043D808 0_2_0043D808
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0046D830 0_2_0046D830
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0048FA74 0_2_0048FA74
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0055DB54 0_2_0055DB54
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00465CC0 0_2_00465CC0
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0046FC98 0_2_0046FC98
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004ADE84 0_2_004ADE84
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00465EBC 0_2_00465EBC
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: String function: 00568B2C appears 372 times
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: String function: 004E23C4 appears 31 times
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: String function: 00568A48 appears 33 times
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: String function: 0055D764 appears 39 times
PE / OLE file has an invalid certificate
Source: z39UartAssist.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: z39UartAssist.exe, 00000000.00000000.1730503720.0000000000639000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUartAssist. vs z39UartAssist.exe
Source: z39UartAssist.exe, 00000000.00000002.2977124136.000000000063F000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUartAssist. vs z39UartAssist.exe
Source: z39UartAssist.exe Binary or memory string: OriginalFilenameUartAssist. vs z39UartAssist.exe
Uses 32bit PE files
Source: z39UartAssist.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: z39UartAssist.exe Static PE information: Section: UPX1 ZLIB complexity 0.9978593495728234
Source: classification engine Classification label: sus26.evad.winEXE@1/1@1/1
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0050B290 GetLastError,FormatMessageA, 0_2_0050B290
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004C0904 FindResourceA, 0_2_004C0904
Source: C:\Users\user\Desktop\z39UartAssist.exe File created: C:\Users\user\AppData\Roaming\Cmsoft Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Mutant created: NULL
Source: Yara match File source: 0.2.z39UartAssist.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2976743314.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\z39UartAssist.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: riched32.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: assist.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Window found: window name: TComboBox Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe Automated click: OK
Source: C:\Users\user\Desktop\z39UartAssist.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004A55DC FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_004A55DC
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004A4FC8 push ecx; mov dword ptr [esp], edx 0_2_004A4FC9
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004BA15C push 004BA494h; ret 0_2_004BA48C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0042A11C push ecx; mov dword ptr [esp], eax 0_2_0042A121
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00486200 push 0048622Ch; ret 0_2_00486224
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004BA538 push ecx; mov dword ptr [esp], eax 0_2_004BA539
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004265B8 push ecx; mov dword ptr [esp], ecx 0_2_004265BC
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00436664 push 004366BAh; ret 0_2_004366B2
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004BA15C push 004BA494h; ret 0_2_004BA48C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004E88EC push ecx; mov dword ptr [esp], edx 0_2_004E88F0
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00432A34 push ecx; mov dword ptr [esp], edx 0_2_00432A39
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00432DFC push ecx; mov dword ptr [esp], edx 0_2_00432E01
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00489114 push 00489140h; ret 0_2_00489138
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0042113C push 0042117Fh; ret 0_2_00421177
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0043B194 push 0043B1C0h; ret 0_2_0043B1B8
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0045B2D8 push ecx; mov dword ptr [esp], eax 0_2_0045B2DD
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004852B0 push ecx; mov dword ptr [esp], edx 0_2_004852B5
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0048D390 push ecx; mov dword ptr [esp], eax 0_2_0048D393
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0043B3A4 push 0043B3D0h; ret 0_2_0043B3C8
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004C9548 push ecx; mov dword ptr [esp], edx 0_2_004C954D
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00485510 push 0048553Ch; ret 0_2_00485534
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004BD69C push ecx; mov dword ptr [esp], edx 0_2_004BD6A1
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004C7748 push ecx; mov dword ptr [esp], edx 0_2_004C774A
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004CB79C push ecx; mov dword ptr [esp], ecx 0_2_004CB79D
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00401960 push 0040198Ch; ret 0_2_00401984
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004BFAF4 push ecx; mov dword ptr [esp], edx 0_2_004BFAF9
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00427AA8 push 00427ADBh; ret 0_2_00427AD3
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00433D78 push 00433DA4h; ret 0_2_00433D9C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004C3D98 push ecx; mov dword ptr [esp], edx 0_2_004C3D9A
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00421D9C push 00421DC8h; ret 0_2_00421DC0
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004BFE7C push ecx; mov dword ptr [esp], edx 0_2_004BFE81
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00489E10 push 00489E3Ch; ret 0_2_00489E34
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior
barindex
Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0 0_2_0040A5B4
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0 0_2_0040A298
Sample is not signed and drops a device driver
Source: C:\Users\user\Desktop\z39UartAssist.exe File created: C:\Users\user\AppData\Roaming\Cmsoft\uartassist.sys Jump to behavior

Boot Survival
barindex
Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0 0_2_0040A5B4
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0 0_2_0040A298
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00534500 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_00534500
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0046C9F0 @TcmTrayIcon@DoMessage$qqrr17Messages@TMessage,@TcmTrayIcon@ShiftState$qv,GetCursorPos,@TcmTrayIcon@ShiftState$qv,GetCursorPos,@TcmTrayIcon@ShiftState$qv,GetCursorPos,IsIconic,PostMessageA,@TcmTrayIcon@ShiftState$qv,GetCursorPos,@TcmTrayIcon@ShiftState$qv,GetCursorPos,@TcmTrayIcon@ShiftState$qv,GetCursorPos,@TcmTrayIcon@ShiftState$qv,GetCursorPos, 0_2_0046C9F0
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00446D9C IsIconic,_ChecksumView, 0_2_00446D9C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0046CE7C @TcmTrayIcon@Restore$qqrv,IsIconic,ShowWindow,SetForegroundWindow, 0_2_0046CE7C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0046CE24 @TcmTrayIcon@Minimize$qqrv,IsIconic,ShowWindow, 0_2_0046CE24
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0051D2B8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_0051D2B8
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0051D368 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_0051D368
Source: C:\Users\user\Desktop\z39UartAssist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0046A64C 0_2_0046A64C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00412750 0_2_00412750
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_0051C168
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00472254 SetupDiGetClassDevsA,SetupDiGetDeviceRegistryPropertyA,SetupDiEnumDeviceInfo,RegOpenKeyExA,RegEnumValueA,RegCloseKey,SetupDiDestroyDeviceInfoList, 0_2_00472254
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\z39UartAssist.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\z39UartAssist.exe Evasive API call chain: GetLocalTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\z39UartAssist.exe API coverage: 9.3 %
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00412750 0_2_00412750
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\Desktop\z39UartAssist.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004D097C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_004D097C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004E4360 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_004E4360
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004D0B9C FindFirstFileA,GetLastError, 0_2_004D0B9C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0050B820 GetSystemInfo, 0_2_0050B820
Source: z39UartAssist.exe, 00000000.00000002.2977239467.0000000000894000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllfP6,
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004A55DC FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_004A55DC
Source: z39UartAssist.exe, z39UartAssist.exe, 00000000.00000002.2976743314.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWnd
Source: z39UartAssist.exe, z39UartAssist.exe, 00000000.00000002.2976743314.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ProgMan
Source: z39UartAssist.exe, 00000000.00000002.2976743314.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SeShutdownPrivilegeShell_TrayWndShell_TrayWndButtonShell_TrayWndReBarWindow32Shell_TrayWndTrayNotifyWndProgManSOFTWARE\Microsoft\Windows\CurrentVersionSoftware\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersProgramFilesDirDesktopStart MenuFavoritesSendToPrograms...\\Iphlpapi.dllGetAdaptersInfoIphlpapi.dllSendARPSYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\IPAddressSubnetMaskDefaultGateway--------%ld--
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0046A6A4 cpuid 0_2_0046A6A4
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_004E4518
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_004E4624
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: GetLocaleInfoA, 0_2_00475224
Queries device information via Setup API
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00472254 SetupDiGetClassDevsA,SetupDiGetDeviceRegistryPropertyA,SetupDiEnumDeviceInfo,RegOpenKeyExA,RegEnumValueA,RegCloseKey,SetupDiDestroyDeviceInfoList, 0_2_00472254
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004D2760 GetLocalTime, 0_2_004D2760
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_004660F8 GetTimeZoneInformation, 0_2_004660F8
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00563464 GetVersion,GetCurrentThreadId, 0_2_00563464
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00464470 closesocket,WaitForSingleObject,socket,htons,bind,listen,htons,connect,getsockname,htons,CreateThread,closesocket, 0_2_00464470
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0047E908 @TcmSocket@Open$qqrv,IsWindow,SendMessageA,@TcmSocket@IsEmptyAddr$qqrp9TInetAddr,@TcmSocket@ShowError$qqrpci,CreateSemaphoreA,socket,@TcmSocket@ErrorCheck$qqripc,WSAAsyncSelect,@TcmSocket@ErrorCheck$qqripc,@TcmSocket@Bind$qqrp9TInetAddr,@TcmSocket@Listen$qqrp9TInetAddr,@TcmSocket@Connect$qqrv,SetTimer,@TcmSocket@IsEmptyAddr$qqrp9TInetAddr,@TcmSocket@Connect$qqrv,socket,@TcmSocket@Bind$qqrp9TInetAddr,@TcmSocket@Listen$qqrp9TInetAddr,WSAAsyncSelect,closesocket,@TcmSocket@DeclareConnect$qqro,WSAAsyncSelect,closesocket,SetTimer, 0_2_0047E908
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0047ED7C @TcmSocket@Close$qqrv,WSAAsyncSelect,@TcmSocket@CloseClientAll$qqrv,@TcmSocket@ClearMultiListenPorts$qqrv,@TcmSocket@ClearMultiListenPorts$qqrv,KillTimer,closesocket,@TcmSocket@ErrorCheck$qqripc,@TcmSocket@DeclareConnect$qqro, 0_2_0047ED7C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00480FA0 @TcmSocket@ClearMultiListenPorts$qqrv,WSAAsyncSelect,closesocket, 0_2_00480FA0
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_00481014 @TcmSocket@SetMultiListenPorts$qqrpxc,@TcmSocket@ClearMultiListenPorts$qqrv,@TcmSocket@AddMultiListenPort$qqri,@TcmSocket@AddMultiListenPort$qqri, 0_2_00481014
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0048118C @TcmSocket@AddMultiListenPort$qqri, 0_2_0048118C
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0047F400 @TcmSocket@Bind$qqrp9TInetAddr,htons,bind,@TcmSocket@ErrorCheck$qqripc,htons,bind,@TcmSocket@ErrorCheck$qqripc, 0_2_0047F400
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0047D6E0 @TcmSocket@ComboBox_BindServerClients$qqrp18Stdctrls@TComboBox, 0_2_0047D6E0
Source: C:\Users\user\Desktop\z39UartAssist.exe Code function: 0_2_0047F808 @TcmSocket@Listen$qqrp9TInetAddr,listen,@TcmSocket@ErrorCheck$qqripc, 0_2_0047F808
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1541089 Sample: z39UartAssist.exe Startdate: 24/10/2024 Architecture: WINDOWS Score: 26 12 www.cmsoft.cn 2->12 5 z39UartAssist.exe 2 2->5         started        process3 dnsIp4 14 www.cmsoft.cn 114.55.6.143, 49732, 80 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 5->14 10 C:\Users\user\AppData\...\uartassist.sys, ASCII 5->10 dropped 16 Contains functionality to infect the boot sector 5->16 18 Sample is not signed and drops a device driver 5->18 20 Contains functionality to detect sleep reduction / modifications 5->20 file5 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
114.55.6.143
 www.cmsoft.cn China
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd false

Contacted Domains

Name IP Active
www.cmsoft.cn 114.55.6.143 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.cmsoft.cn/assistcenter/uartassist_upgrade/?ver=50014&ident=SYWVSLRYMZWXKN5D&stamp=01729767727 false
    		unknown