Windows Analysis Report
PH5N7O0v0i.exe

Overview

General Information

Sample name: PH5N7O0v0i.exe
renamed because original name is a hash value
Original sample name: d6b848fa155783904192cd7a36ae0388217edbf6.exe
Analysis ID: 1542937
MD5: ae42e4ddb7c36c1ea3e5a997add11009
SHA1: d6b848fa155783904192cd7a36ae0388217edbf6
SHA256: b1733e0795d0eb508e3c7619b84ff3122455e5350f3d0e566f551e64b31c3efc
Tags: dll, exe, JohnWalkerTexasLoader, JWTL, JWTLoader, ReversingLabs, user-NDA0E
Detection

JohnWalkerTexasLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected JohnWalkerTexasLoader
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Uses Windows timers to delay execution
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
PE file does not import any functions
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: PH5N7O0v0i.exe ReversingLabs: Detection: 23%
Source: PH5N7O0v0i.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\Pictures\DiffPatchWpf-main\obj\x64\Release\DiffPatchWpf.pdb source: PH5N7O0v0i.exe
Source: PH5N7O0v0i.exe String found in binary or memory: https://github.com/reproteq/DiffPatchWpf3Copyright
Source: PH5N7O0v0i.exe String found in binary or memory: https://ipinfo.io/country
Source: PH5N7O0v0i.exe String found in binary or memory: https://ipinfo.io/ip
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA16B82 0_2_00007FFB4AA16B82
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA15DD6 0_2_00007FFB4AA15DD6
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA112D3 0_2_00007FFB4AA112D3
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA112FB 0_2_00007FFB4AA112FB
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA1BAFB 0_2_00007FFB4AA1BAFB
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA11300 0_2_00007FFB4AA11300
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA112F8 0_2_00007FFB4AA112F8
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA110AD 0_2_00007FFB4AA110AD
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA111FA 0_2_00007FFB4AA111FA
Source: PH5N7O0v0i.exe Static PE information: No import functions for PE file found
Source: PH5N7O0v0i.exe, 00000000.00000000.1495108184.00000202E4EF4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDiffPatchWpf.exe2 vs PH5N7O0v0i.exe
Source: PH5N7O0v0i.exe Binary or memory string: OriginalFilenameDiffPatchWpf.exe2 vs PH5N7O0v0i.exe
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Mutant created: NULL
Source: PH5N7O0v0i.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PH5N7O0v0i.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PH5N7O0v0i.exe ReversingLabs: Detection: 23%
Source: PH5N7O0v0i.exe String found in binary or memory: EHH-ADD!IJJoEHH5JKK
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: msctfui.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: PH5N7O0v0i.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PH5N7O0v0i.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: PH5N7O0v0i.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PH5N7O0v0i.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Pictures\DiffPatchWpf-main\obj\x64\Release\DiffPatchWpf.pdb source: PH5N7O0v0i.exe
Source: PH5N7O0v0i.exe Static PE information: 0xFC4F2E5B [Thu Feb 21 14:34:03 2104 UTC]
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4A8FD2A5 pushad ; iretd 0_2_00007FFB4A8FD2A6
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA173D5 push ecx; retf 0_2_00007FFB4AA173DC
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA1815A push ebx; ret 0_2_00007FFB4AA1816A
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA100BD pushad ; iretd 0_2_00007FFB4AA100C1
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Code function: 0_2_00007FFB4AA17A09 push cs; ret 0_2_00007FFB4AA17A0F
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe User Timer Set: Timeout: 1ms
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe User Timer Set: Timeout: 125ms
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe User Timer Set: Timeout: 1ms
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe User Timer Set: Timeout: 1ms
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Memory allocated: 202E5230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Memory allocated: 202FEC90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: PH5N7O0v0i.exe, 00000000.00000002.2760709874.00000202E52EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MB9
Source: PH5N7O0v0i.exe, 00000000.00000002.2760709874.00000202E52EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM
Source: PH5N7O0v0i.exe, 00000000.00000002.2760709874.00000202E52EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MBS
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Queries volume information: C:\Users\user\Desktop\PH5N7O0v0i.exe VolumeInformation
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: PH5N7O0v0i.exe, 00000000.00000002.2760709874.00000202E532F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: //%ProgramFilews Defender\MsMpeng.exe
Source: PH5N7O0v0i.exe, 00000000.00000002.2760586493.00000202E52BF000.00000004.00000020.00020000.00000000.sdmp, PH5N7O0v0i.exe, 00000000.00000002.2763950096.00000202FF8D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: PH5N7O0v0i.exe, 00000000.00000002.2760709874.00000202E532F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ws Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: PH5N7O0v0i.exe PID: 5652, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: PH5N7O0v0i.exe PID: 5652, type: MEMORYSTR
No contacted IP infos