Windows Analysis Report
gEP8SOoakR.exe

Overview

General Information

Sample name: gEP8SOoakR.exe
renamed because original name is a hash value
Original sample name: 1af918875c67d204941ec2c8a780e312.exe
Analysis ID: 1542677
MD5: 1af918875c67d204941ec2c8a780e312
SHA1: ce9e2ce0460d9536f863c4fc4042958207f0802a
SHA256: 3621c6a555e79fd6640b3073b245d4e3b225d7a73403e2529d13a82a2b228c7f
Tags: 64exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Hijacks the control flow in another process
Machine Learning detection for sample
Sets debug register (to hijack the execution of another thread)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: gEP8SOoakR.exe Avira: detected
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: gEP8SOoakR.exe Joe Sandbox ML: detected
Source: gEP8SOoakR.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\dev\nett\Source\Nett\obj\Release\net40\Nett.pdb source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591B3AC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591BBAC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136559465.0000025908B70000.00000004.08000000.00040000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /obj/Release/net45/CommandLineArgumentsParser.pdb source: gEP8SOoakR.exe, 00000003.00000002.2137807466.0000025909941000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591ABAC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136473689.0000025908AC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\dev\nett\Source\Nett\obj\Release\net40\Nett.pdbSHA256 source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591B3AC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591BBAC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136559465.0000025908B70000.00000004.08000000.00040000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: gEP8SOoakR.exe, 00000000.00000002.2148281849.0000023B7B8C0000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148438414.0000023B7BACC000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148595797.0000023B7BCC3000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148126231.0000023B7B6CD000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2147812964.0000023B7B2CD000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2147967283.0000023B7B4CE000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136609033.0000025908BBF000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136763598.0000025908DB1000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137405137.00000259095B2000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137074507.00000259091B0000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136922310.0000025908FB9000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137249390.00000259093B9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\snaffler\SnaffCore\obj\Release\SnaffCore.pdb source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136232211.0000025908870000.00000004.08000000.00040000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.0000025919941000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: gEP8SOoakR.exe, 00000000.00000002.2148281849.0000023B7B8C0000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148438414.0000023B7BACC000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148595797.0000023B7BCC3000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148126231.0000023B7B6CD000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2147812964.0000023B7B2CD000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2147967283.0000023B7B4CE000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136609033.0000025908BBF000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136763598.0000025908DB1000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137405137.00000259095B2000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137074507.00000259091B0000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136922310.0000025908FB9000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137249390.00000259093B9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256ySI source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://nlog-project.org/dummynamespace/
Source: gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/3
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/5
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/T
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: gEP8SOoakR.exe, 00000003.00000002.2137807466.0000025909941000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gEP8SOoakR.exe, 00000003.00000002.2137807466.0000025909941000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591ABAC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136473689.0000025908AC0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/j-maly/CommandLineParser
Source: gEP8SOoakR.exe, 00000003.00000003.2121654717.0000025909829000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hooks.slack.com/services/T
Source: gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://nlog-project.org/
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF61864C240 RtlGetVersion,memcpy,GetProcessHeap,GetProcessHeap,exit,exit,memcpy,GetTickCount,Sleep,SleepEx,exit,memcpy,memcpy,GetFileAttributesW,GetFileAttributesW,OpenProcess,GetModuleHandleA,GetProcAddress,memcpy,memcpy,GetFileAttributesW,memcpy,memcpy,HeapCreate,VirtualProtect,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,CreateProcessW,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,fwrite,fflush,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,memcpy,memcpy,fwrite,fflush,fwrite,fflush, 0_2_00007FF61864C240
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF61864D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,Thread32Next,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,NtTraceEvent,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk, 3_2_00007FF61864D570
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF61864BEE0 NtTraceEvent, 3_2_00007FF61864BEE0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF61864BF80 GetThreadContext,NtTraceEvent,SetThreadContext,BaseThreadInitThunk,BaseThreadInitThunk, 3_2_00007FF61864BF80
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF6186FCED8 OpenThread,Thread32Next,RtlAddVectoredExceptionHandler,BaseThreadInitThunk,SetThreadContext,NtTraceEvent, 3_2_00007FF6186FCED8
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_0000025906CB1B10 NtProtectVirtualMemory,NtCreateSection, 3_2_0000025906CB1B10
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_0000025906CB1BA8 NtCreateSection, 3_2_0000025906CB1BA8
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF61864C240 0_2_00007FF61864C240
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF61864F6D0 0_2_00007FF61864F6D0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF61865A58A 0_2_00007FF61865A58A
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF618646970 0_2_00007FF618646970
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF618644A80 0_2_00007FF618644A80
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF618646760 0_2_00007FF618646760
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF61864B420 0_2_00007FF61864B420
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF61864E7F0 0_2_00007FF61864E7F0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF618652CA0 0_2_00007FF618652CA0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF618650460 0_2_00007FF618650460
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF61864C240 3_2_00007FF61864C240
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF61864F6D0 3_2_00007FF61864F6D0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF618652CA0 3_2_00007FF618652CA0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF618650460 3_2_00007FF618650460
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF61865A58A 3_2_00007FF61865A58A
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF618646970 3_2_00007FF618646970
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF618644A80 3_2_00007FF618644A80
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF618646760 3_2_00007FF618646760
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF61864B420 3_2_00007FF61864B420
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF61864E7F0 3_2_00007FF61864E7F0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_0000025906CB0999 3_2_0000025906CB0999
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_0000025906CB0B36 3_2_0000025906CB0B36
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_0000025906CB0730 3_2_0000025906CB0730
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_0000025906CB0AB3 3_2_0000025906CB0AB3
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_0000025906CB0BAD 3_2_0000025906CB0BAD
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF848E61930 3_2_00007FF848E61930
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF848E6C6DE 3_2_00007FF848E6C6DE
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF848E690F2 3_2_00007FF848E690F2
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF848E619E0 3_2_00007FF848E619E0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF848E696BC 3_2_00007FF848E696BC
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF848E60680 3_2_00007FF848E60680
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF848E618D3 3_2_00007FF848E618D3
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF848E618B0 3_2_00007FF848E618B0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: String function: 00007FF6186420F0 appears 78 times
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: String function: 00007FF61864E170 appears 48 times
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: String function: 00007FF6186461C0 appears 86 times
Source: gEP8SOoakR.exe Static PE information: Number of sections : 12 > 10
Source: gEP8SOoakR.exe, 00000000.00000002.2147967283.0000023B7B646000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2136922310.0000025909131000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591B3AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNett.dll* vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: _originalFileName vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNLog.dll: vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSnaffCore.dll4 vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2137807466.0000025909941000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCommandLineArgumentsParser.dllV vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591BBAC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNett.dll* vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000003.2121654717.0000025909829000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSnaffler.exe2 vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591ABAC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCommandLineArgumentsParser.dllV vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2136232211.0000025908870000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSnaffCore.dll4 vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2136559465.0000025908B70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNett.dll* vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNett.dll* vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSnaffler.exe2 vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: _originalFileName vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNLog.dll: vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.0000025919941000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSnaffCore.dll4 vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: _originalFileName vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNLog.dll: vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2136473689.0000025908AC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCommandLineArgumentsParser.dllV vs gEP8SOoakR.exe
Source: classification engine Classification label: mal72.evad.winEXE@4/3@0/0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF61864D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk, 0_2_00007FF61864D570
Source: C:\Users\user\Desktop\gEP8SOoakR.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\gep8sooakr.exe.log
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: gEP8SOoakR.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\gEP8SOoakR.exe "C:\Users\user\Desktop\gEP8SOoakR.exe"
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Process created: C:\Users\user\Desktop\gEP8SOoakR.exe C:\Users\user\Desktop\gep8sooakr.exe 1028
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\gEP8SOoakR.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: gEP8SOoakR.exe Static PE information: More than 235 > 100 exports found
Source: gEP8SOoakR.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: gEP8SOoakR.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: 3.2.gEP8SOoakR.exe.25908af0000.2.raw.unpack, ModuleLoader.cs .Net Code: ReadAssemblyFromResource System.Reflection.Assembly.Load(byte[])
Source: gEP8SOoakR.exe Static PE information: section name: .eh_fram
Source: gEP8SOoakR.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF848E68167 push ebx; ret 3_2_00007FF848E6816A
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF848E600BD pushad ; iretd 3_2_00007FF848E600C1
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Memory allocated: 25907000000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Memory allocated: 25921940000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF61864D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk, 0_2_00007FF61864D570
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\gEP8SOoakR.exe TID: 1120 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Thread delayed: delay time: 922337203685477
Source: gEP8SOoakR.exe, 00000003.00000002.2137602174.00000259097B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXP0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF61864D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk, 0_2_00007FF61864D570
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF61864C240 RtlGetVersion,memcpy,GetProcessHeap,GetProcessHeap,exit,exit,memcpy,GetTickCount,Sleep,SleepEx,exit,memcpy,memcpy,GetFileAttributesW,GetFileAttributesW,OpenProcess,GetModuleHandleA,GetProcAddress,memcpy,memcpy,GetFileAttributesW,memcpy,memcpy,HeapCreate,VirtualProtect,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,CreateProcessW,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,fwrite,fflush,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,memcpy,memcpy,fwrite,fflush,fwrite,fflush, 0_2_00007FF61864C240
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF618641154 GetStartupInfoA,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit, 0_2_00007FF618641154
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF61864D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk, 0_2_00007FF61864D570
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF6186FCEE8 CloseHandle,Thread32Next,RtlAddVectoredExceptionHandler, 0_2_00007FF6186FCEE8
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF6186FCED8 OpenThread,Thread32Next,RtlAddVectoredExceptionHandler, 0_2_00007FF6186FCED8
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF61864D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,Thread32Next,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,NtTraceEvent,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk, 3_2_00007FF61864D570
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF618641154 GetStartupInfoA,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit, 3_2_00007FF618641154
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF6186FCEE8 CloseHandle,Thread32Next,RtlAddVectoredExceptionHandler,BaseThreadInitThunk, 3_2_00007FF6186FCEE8
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 3_2_00007FF6186FCED8 OpenThread,Thread32Next,RtlAddVectoredExceptionHandler,BaseThreadInitThunk,SetThreadContext,NtTraceEvent, 3_2_00007FF6186FCED8
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\gEP8SOoakR.exe NtProtectVirtualMemory: Indirect: 0x7FF618654F98
Source: C:\Users\user\Desktop\gEP8SOoakR.exe NtWriteVirtualMemory: Indirect: 0x7FF618654CAB
Source: C:\Users\user\Desktop\gEP8SOoakR.exe NtProtectVirtualMemory: Indirect: 0x7FF618654D00
Source: C:\Users\user\Desktop\gEP8SOoakR.exe NtAllocateVirtualMemory: Indirect: 0x7FF618654B51
Source: C:\Users\user\Desktop\gEP8SOoakR.exe NtProtectVirtualMemory: Indirect: 0x7FF618654C80
Source: C:\Users\user\Desktop\gEP8SOoakR.exe NtWriteVirtualMemory: Indirect: 0x7FF618654F5F
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Memory written: PID: 6192 base: 25906CB0000 value: E9
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Thread register set: 6192 4
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Process created: C:\Users\user\Desktop\gEP8SOoakR.exe C:\Users\user\Desktop\gep8sooakr.exe 1028
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Code function: 0_2_00007FF61864C240 RtlGetVersion,memcpy,GetProcessHeap,GetProcessHeap,exit,exit,memcpy,GetTickCount,Sleep,SleepEx,exit,memcpy,memcpy,GetFileAttributesW,GetFileAttributesW,OpenProcess,GetModuleHandleA,GetProcAddress,memcpy,memcpy,GetFileAttributesW,memcpy,memcpy,HeapCreate,VirtualProtect,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,CreateProcessW,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,fwrite,fflush,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,memcpy,memcpy,fwrite,fflush,fwrite,fflush, 0_2_00007FF61864C240
Source: C:\Users\user\Desktop\gEP8SOoakR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos