Windows Analysis Report
52B9Zcz8vg.exe

Overview

General Information

Sample name: 52B9Zcz8vg.exe
Analysis ID: 1542943
MD5: 9d80eed9593bb17dd2b0a75a39d5a40f
SHA1: 7095f632db75b4417f9766e8f1adb1aef15e0dc3
SHA256: 2fc0fb4f71399f85680dd803fb017a00696e6e4261f90ce98dea61e49cbec0c2

Detection

JohnWalkerTexasLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected JohnWalkerTexasLoader
Queries memory information (via WMI, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Uses Windows timers to delay execution
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected potential crypto function
PE file does not import any functions
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 52B9Zcz8vg.exe Avira: detected
Source: 52B9Zcz8vg.exe ReversingLabs: Detection: 44%
Source: 52B9Zcz8vg.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\Pictures\DiffPatchWpf-main\obj\x64\Release\DiffPatchWpf.pdb source: 52B9Zcz8vg.exe
Source: 52B9Zcz8vg.exe, 00000000.00000002.2134986003.000002392EE61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/MainWindow.xaml
Source: 52B9Zcz8vg.exe, 00000000.00000002.2134986003.000002392EE61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/MainWindow.xaml
Source: 52B9Zcz8vg.exe, 00000000.00000002.2134986003.000002392EE61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/mainwindow.baml
Source: 52B9Zcz8vg.exe, 00000000.00000002.2134986003.000002392EF52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xilloolli.com/api-debug.php
Source: 52B9Zcz8vg.exe, 00000000.00000002.2134986003.000002392EF52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xilloolli.com/api.php
Source: 52B9Zcz8vg.exe String found in binary or memory: http://xilloolli.com/api.phpEhttp://xilloolli.com/api-debug.php
Source: 52B9Zcz8vg.exe String found in binary or memory: https://github.com/reproteq/DiffPatchWpf3Copyright
Source: 52B9Zcz8vg.exe String found in binary or memory: https://ipinfo.io/country
Source: 52B9Zcz8vg.exe String found in binary or memory: https://ipinfo.io/ip
Source: 52B9Zcz8vg.exe String found in binary or memory: https://oklibed.com
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Code function: 0_2_00007FFB67986B82 0_2_00007FFB67986B82
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Code function: 0_2_00007FFB67985DD6 0_2_00007FFB67985DD6
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Code function: 0_2_00007FFB67980ED2 0_2_00007FFB67980ED2
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Code function: 0_2_00007FFB67980DD2 0_2_00007FFB67980DD2
Source: 52B9Zcz8vg.exe Static PE information: No import functions for PE file found
Source: 52B9Zcz8vg.exe, 00000000.00000000.878594498.000002392D164000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDiffPatchWpf.exe2 vs 52B9Zcz8vg.exe
Source: 52B9Zcz8vg.exe Binary or memory string: OriginalFilenameDiffPatchWpf.exe2 vs 52B9Zcz8vg.exe
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Mutant created: NULL
Source: 52B9Zcz8vg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 52B9Zcz8vg.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 52B9Zcz8vg.exe String found in binary or memory: EHH-ADD!IJJoEHH5JKK
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: wintypes.dll (3 occurrences)
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: msctfui.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 52B9Zcz8vg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 52B9Zcz8vg.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 52B9Zcz8vg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 52B9Zcz8vg.exe Static PE information: 0xFD7F9319 [Thu Oct 9 11:52:57 2104 UTC]
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Code function: 0_2_00007FFB6786D2A5 pushad ; iretd 0_2_00007FFB6786D2A6
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Code function: 0_2_00007FFB6798C218 pushad ; retn 67A1h 0_2_00007FFB6798E071
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Code function: 0_2_00007FFB67988135 push ebx; ret 0_2_00007FFB6798814A
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Process information set: NOOPENFILEERRORBOX (73 occurrences)
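The URL strings listed above mix four different things: placeholder base URIs that the WPF markup compiler embeds for pack URIs (http://foo/..., http://defaultcontainer/...), a GitHub link carried over from the DiffPatchWpf project whose version info this binary still wears, public IP and country lookups (ipinfo.io), and the endpoints that matter, xilloolli.com and oklibed.com. One row also shows two URLs glued together by a stray "E". That character is the one-byte length prefix of the next blob in the .NET #US (user string) heap: "http://xilloolli.com/api-debug.php" is 34 UTF-16 characters, 68 bytes plus a terminal byte is 69 = 0x45 = "E", which the string extractor kept when it dropped the interleaved null bytes. The script below is an added example, not part of the Joe Sandbox report or of the sample: it buckets the report's own strings (embedded here as constructed input) and undoes the glue only when the stray character equals that length byte, so a genuine trailing character is never cut off. The host-to-bucket tables are assumptions chosen for this report.

```python
import re
from urllib.parse import urlparse

# Constructed input: the "String found in binary or memory" URL values from
# this report, including the entry where two URLs arrived glued together.
SAMPLE_STRINGS = [
    "http://defaultcontainer/MainWindow.xaml",
    "http://foo/MainWindow.xaml",
    "http://foo/bar/mainwindow.baml",
    "http://xilloolli.com/api-debug.php",
    "http://xilloolli.com/api.php",
    "http://xilloolli.com/api.phpEhttp://xilloolli.com/api-debug.php",
    "https://github.com/reproteq/DiffPatchWpf3Copyright",
    "https://ipinfo.io/country",
    "https://ipinfo.io/ip",
    "https://oklibed.com",
]

SCHEME = re.compile(r"https?://")

# Placeholder base URIs the WPF markup compiler embeds for pack URIs;
# they never touch the network and only add noise to an IOC list.
FRAMEWORK_HOSTS = {"foo", "defaultcontainer"}
# Public "my IP / my country" services: environment reconnaissance.
RECON_HOSTS = {"ipinfo.io"}
# Code-hosting links carried over from the original project's version info.
SOURCE_HOSTS = {"github.com"}


def split_glued_urls(s):
    """Return the URLs in s, undoing .NET #US heap glue.

    The #US heap stores each string as [compressed length][UTF-16 chars]
    [terminal byte].  An extractor that drops null bytes turns the length
    prefix of string N+1 into a stray character appended to string N.  For
    blobs under 0x80 bytes that prefix is a single byte equal to
    2 * chars + 1, so the stray character is removed only when it equals
    exactly that value for the string that follows it.
    """
    starts = [m.start() for m in SCHEME.finditer(s)]
    if not starts:
        return []
    bounds = starts + [len(s)]
    frags = [s[bounds[i]:bounds[i + 1]] for i in range(len(starts))]
    cleaned = [frags[-1]]            # the last fragment has nothing after it
    for frag in reversed(frags[:-1]):
        blob_len = 2 * len(cleaned[0]) + 1   # UTF-16 bytes + terminal byte
        if blob_len < 0x80 and frag.endswith(chr(blob_len)):
            frag = frag[:-1]
        cleaned.insert(0, frag)
    return cleaned


def triage(strings):
    """Bucket unique URLs by what they mean for a defender."""
    buckets = {"framework_noise": [], "source_reference": [],
               "recon": [], "candidate_c2": []}
    seen = set()
    for raw in strings:
        for url in split_glued_urls(raw):
            if url in seen:
                continue
            seen.add(url)
            host = (urlparse(url).hostname or "").lower()
            if host in FRAMEWORK_HOSTS:
                buckets["framework_noise"].append(url)
            elif host in RECON_HOSTS:
                buckets["recon"].append(url)
            elif host in SOURCE_HOSTS:
                buckets["source_reference"].append(url)
            else:
                buckets["candidate_c2"].append(url)
    return buckets


def c2_hosts(buckets):
    """Sorted unique hostnames to block or hunt for, from the C2 bucket."""
    return sorted({urlparse(u).hostname for u in buckets["candidate_c2"]})


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    for name, urls in result.items():
        print(name)
        for u in urls:
            print("   ", u)
    print("block:", ", ".join(c2_hosts(result)))
```

Run against the report's strings this leaves two hosts in the C2 bucket, xilloolli.com and oklibed.com, which together with the ipinfo.io lookups is the full network profile of a sample that the sandbox itself saw make no DNS query.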
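Several rows above are normal for a 64-bit .NET/WPF executable rather than evidence on their own: a PE32+ managed image has no import table (the CLR header, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, takes its place), the pushad/iretd sequences are what a disassembler emits when it walks non-code bytes (pushad does not exist in 64-bit mode), the MEM_WRITE_WATCH reservations in the evasion section are consistent with the .NET Framework garbage collector, which reserves its heap that way for concurrent collection, and a timestamp in the year 2104 is what a deterministic (reproducible) build writes, because that toolchain stores a content hash in the TimeDateStamp field instead of a time. What survives that filtering is the Yara match, the C2 URL set and the Win32_PhysicalMemory probe. The script below is an added example, not part of the report: it decodes 0xFD7F9319 with plain date arithmetic (so post-2038 values decode on any platform) and classifies the value against an analysis date, using whether the image is managed to choose the explanation. The analysis date is an assumption; the report does not state one.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Nothing linked as a PE predates Windows NT 3.1 (1993).
EARLIEST_PE = datetime(1993, 1, 1, tzinfo=timezone.utc)


def decode_pe_timestamp(ts):
    """Decode the 32-bit IMAGE_FILE_HEADER.TimeDateStamp as a UTC datetime.

    Uses timedelta arithmetic instead of datetime.fromtimestamp() so that
    values beyond the 32-bit time_t range (the 2104 value in this report)
    decode identically on every platform.
    """
    return EPOCH + timedelta(seconds=ts & 0xFFFFFFFF)


def classify_pe_timestamp(ts, analysis_time, is_managed):
    """Return (utc datetime, verdict, reason) for a PE timestamp.

    is_managed: True when the image carries a CLR header
    (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), as this sample does.
    """
    stamp = decode_pe_timestamp(ts)
    if stamp > analysis_time:
        if is_managed:
            reason = ("after the analysis date; for a managed image this is "
                      "the footprint of a deterministic build, which stores a "
                      "content hash in the field rather than a link time")
        else:
            reason = ("after the analysis date and not a managed image; "
                      "treat the field as tampered or random")
        return stamp, "not_a_build_time", reason
    if stamp < EARLIEST_PE:
        return stamp, "not_a_build_time", "predates the PE format"
    return stamp, "plausible", "within the range a real linker would write"


if __name__ == "__main__":
    # Assumed analysis date for the demo; the report does not state one.
    analysed = datetime(2024, 10, 25, tzinfo=timezone.utc)
    for ts in (0xFD7F9319, 1700000000):
        stamp, verdict, why = classify_pe_timestamp(ts, analysed, True)
        print(f"0x{ts:08X} -> {stamp:%a %b %d %H:%M:%S %Y} UTC [{verdict}] {why}")
```

The first line of output reproduces the report's "Thu Oct 9 11:52:57 2104 UTC"; the second, a real 2023 link time, comes back as plausible. A future timestamp is therefore a reason to look at the PDB path and the CLR header, not a finding by itself.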

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\52B9Zcz8vg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory (2 occurrences)
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe User Timer Set: Timeout: 1ms (5 occurrences)
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe User Timer Set: Timeout: 125ms
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Memory allocated: 2392ED50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Memory allocated: 23946E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Queries volume information: C:\Users\user\Desktop\52B9Zcz8vg.exe VolumeInformation
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation (8 occurrences)
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation (3 occurrences)
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\52B9Zcz8vg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 52B9Zcz8vg.exe, type: SAMPLE
Source: Yara match File source: 0.0.52B9Zcz8vg.exe.2392d140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.878519821.000002392D142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 52B9Zcz8vg.exe PID: 7304, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 52B9Zcz8vg.exe, type: SAMPLE
Source: Yara match File source: 0.0.52B9Zcz8vg.exe.2392d140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.878519821.000002392D142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 52B9Zcz8vg.exe PID: 7304, type: MEMORYSTR
No contacted IP infos