Windows Analysis Report
IdleScheduleEventAction.exe

Overview

General Information

Sample name: IdleScheduleEventAction.exe
Analysis ID: 1543855
MD5: 1ed391e2331503d76e6ea51b3f51c2c8
SHA1: 057ff605c6e668a8d3c6cfcfe6de55a34803df2c
SHA256: 8ebf6900fc6c59e517e52f49a2fa803e9197164dca32c957f7210795f3a0f99c

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains long sleeps (>= 3 min)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Source: IdleScheduleEventAction.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\home\jenkins\agent\workspace\d_Addins_VantageCoreAddin_master\build\x64\Release\IdleScheduleEventAction.pdb source: IdleScheduleEventAction.exe
Source: Binary string: C:\home\jenkins\agent\workspace\d_Addins_VantageCoreAddin_master\build\x64\Release\IdleScheduleEventAction.pdb(( source: IdleScheduleEventAction.exe
Source: classification engine Classification label: clean2.winEXE@1/0@0/0
Source: IdleScheduleEventAction.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IdleScheduleEventAction.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\IdleScheduleEventAction.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\IdleScheduleEventAction.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\IdleScheduleEventAction.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\IdleScheduleEventAction.exe Section loaded: vcruntime140.dll
Source: IdleScheduleEventAction.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: IdleScheduleEventAction.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: IdleScheduleEventAction.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: IdleScheduleEventAction.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: IdleScheduleEventAction.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IdleScheduleEventAction.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: IdleScheduleEventAction.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: IdleScheduleEventAction.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: IdleScheduleEventAction.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: IdleScheduleEventAction.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: IdleScheduleEventAction.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: IdleScheduleEventAction.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\IdleScheduleEventAction.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\IdleScheduleEventAction.exe TID: 1052 Thread sleep time: -922337203685477s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\IdleScheduleEventAction.exe Last function: Thread delayed
No contacted IP infos