Windows Analysis Report
_cdrecord.exe

Overview

General Information

Sample name: _cdrecord.exe
Analysis ID: 1543858
MD5: af7468dd406bd65837e1bf8fdb2e2e90
SHA1: 1ecf40e9d93f046ca2462556f13f260f143212db
SHA256: 07fcf0f808b802c8c4b568069f31f4b007cc64fec5af385325150709788ed34b

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to communicate with device drivers
Detected potential crypto function
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: _cdrecord.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\_cdrecord.exe Code function: 0_2_0042FC80: memset,DeviceIoControl,CloseHandle,DeviceIoControl,GetLastError,CloseHandle,CloseHandle, 0_2_0042FC80
Source: C:\Users\user\Desktop\_cdrecord.exe Code function: 0_2_004329A0 0_2_004329A0
Source: C:\Users\user\Desktop\_cdrecord.exe Code function: 0_2_00431B00 0_2_00431B00
Source: C:\Users\user\Desktop\_cdrecord.exe Code function: 0_2_00432C5C 0_2_00432C5C
Source: C:\Users\user\Desktop\_cdrecord.exe Code function: 0_2_00432470 0_2_00432470
Source: C:\Users\user\Desktop\_cdrecord.exe Code function: 0_2_00414D51 0_2_00414D51
Source: C:\Users\user\Desktop\_cdrecord.exe Code function: 0_2_004325C0 0_2_004325C0
Source: C:\Users\user\Desktop\_cdrecord.exe Code function: 0_2_00431DF0 0_2_00431DF0
Source: C:\Users\user\Desktop\_cdrecord.exe Code function: 0_2_00431E80 0_2_00431E80
Source: C:\Users\user\Desktop\_cdrecord.exe Code function: 0_2_0041477B 0_2_0041477B
Source: classification engine Classification label: clean3.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: _cdrecord.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\_cdrecord.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: _cdrecord.exe String found in binary or memory: Use%s -help
Source: _cdrecord.exe String found in binary or memory: start/stop unit
Source: _cdrecord.exe String found in binary or memory: ?medium load/unloadprevent/allow medium removalstart/stop unitset cd speedqic 02write_g0write_g1write_g5seek_g0seek_g1flush cacheread bufferwrite_bufferread subchannelread tocread headerread disk inforead track inforeserve_track_rzoneread dvd structuresend dvd structuresend opcclose track/sessionread master cuesend_cue_sheetread buffer capBFree: %ld K BSize: %ld K
Source: _cdrecord.exe String found in binary or memory: support ejection of CD via START/STOP command
Source: _cdrecord.exe String found in binary or memory: Loading mechanism typesupport ejection of CD via START/STOP commandlock media on power up via prevent jumperallow media to be locked in the drive via PREVENT/ALLOW commandcurrently in a media-locked state Is %s%s
Source: _cdrecord.exe String found in binary or memory: start/stop
Source: unknown Process created: C:\Users\user\Desktop\_cdrecord.exe "C:\Users\user\Desktop\_cdrecord.exe"
Source: C:\Users\user\Desktop\_cdrecord.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\_cdrecord.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\_cdrecord.exe Section loaded: cygwin1.dll
Source: C:\Users\user\Desktop\_cdrecord.exe Code function: 0_2_004085B5 push E800440Eh; rep ret 0_2_004085BE
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\_cdrecord.exe Code function: 0_2_0042FA68 memset,GetVersionExA, 0_2_0042FA68
No contacted IP infos
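Two of the static findings above can be recomputed from the file itself: the IMAGE_FILE_HEADER flags (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED), the .text section flags (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ), and the `push E800440Eh; rep ret` hit behind the "code obfuscation (call, push, ret)" signature. The script below is an added example, not code from the Joe Sandbox report or from cdrecord: it decodes both Characteristics bitmasks from the headers and then scans each code section for `push imm32` followed by `ret` or `rep ret`, reporting whether the pushed value even falls inside the image. It runs on a constructed minimal PE32 image, not on _cdrecord.exe; the image base, section layout and the first pushed immediate are assumptions, while the second immediate is the one the report shows.

```python
"""Added static-triage example (not from the Joe Sandbox report or from cdrecord):
decode PE Characteristics bitmasks and find push/ret gadgets in code sections.
Runs on a constructed PE32 image from build_sample(), not on _cdrecord.exe."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), named as the report prints them
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}

def decode_flags(value, table):
    """Names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def find_push_ret(code, va, image_base, image_size):
    """Linear scan for `push imm32` (68 xx xx xx xx) followed by `ret` (C3) or
    `rep ret` (F3 C3): the pair is an obfuscated jump to the pushed value, which is
    what the "call, push, ret" signature keys on. A byte scan ignores instruction
    boundaries, so in_image records whether the pushed value could even be a code
    address in this module; hits outside it need confirming with a disassembler."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] != 0x68:
            continue
        imm = struct.unpack_from("<I", code, i + 1)[0]
        tail = code[i + 5:i + 7]
        form = "ret" if tail[:1] == b"\xC3" else "rep ret" if tail == b"\xF3\xC3" else None
        if form:
            hits.append({"va": image_base + va + i, "target": imm, "form": form,
                         "in_image": image_base <= imm < image_base + image_size})
    return hits

def triage(data):
    """Parse the headers the report's static signatures are derived from."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                        # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unexpected optional header magic 0x%X" % magic)
    image_size = struct.unpack_from("<I", data, opt + 56)[0]
    sections, gadgets = [], []
    for n in range(nsec):
        name, _, va, raw_size, raw_ptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * n)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "flags": decode_flags(schars, SECTION_CHARACTERISTICS)})
        if schars & 0x20:                                # only scan code sections
            gadgets += find_push_ret(data[raw_ptr:raw_ptr + raw_size], va, image_base, image_size)
    return {"machine": machine, "file_flags": decode_flags(chars, FILE_CHARACTERISTICS),
            "sections": sections, "gadgets": gadgets}

def build_sample():
    """Constructed PE32 image (an assumption, not _cdrecord.exe): one .text section with
    the report's flags and two push/ret pairs; the second immediate is the report's."""
    code = bytes([
        0x55,                          # push ebp
        0x89, 0xE5,                    # mov ebp, esp
        0x68, 0x34, 0x12, 0x40, 0x00,  # push 0x00401234   (made-up, inside the image)
        0xC3,                          # ret  -> effectively jmp 0x00401234
        0x90,                          # nop
        0x68, 0x0E, 0x44, 0x00, 0xE8,  # push 0xE800440E   (the report's value, outside the image)
        0xF3, 0xC3,                    # rep ret
        0x5D, 0xC3,                    # pop ebp; ret (no push before it: not a hit)
    ])
    img = bytearray(0x100 + len(code))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 96, 0x0307)  # i386, 1 section, report's flags
    struct.pack_into("<H", img, 0x58, 0x10B)                  # PE32 optional header, 96 bytes
    struct.pack_into("<I", img, 0x58 + 28, 0x400000)          # ImageBase (assumed)
    struct.pack_into("<I", img, 0x58 + 56, 0x40000)           # SizeOfImage (assumed)
    struct.pack_into("<8sIIIIIIHHI", img, 0xB8, b".text", len(code), 0x1000,
                     len(code), 0x100, 0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
    img[0x100:] = code
    return bytes(img)

if __name__ == "__main__":
    r = triage(build_sample())
    print("file flags:", ", ".join(r["file_flags"]))
    for s in r["sections"]:
        print("section %s: %s" % (s["name"], ", ".join(s["flags"])))
    for g in r["gadgets"]:
        print("push/ret at 0x%08X -> 0x%08X (%s, in image: %s)"
              % (g["va"], g["target"], g["form"], g["in_image"]))
```

The in_image check is the caveat worth keeping in mind when reading the signature: every code function the report lists sits at 0x0040xxxx, and the pushed immediate E800440Eh is nowhere near that range, so before treating the hit as deliberate obfuscation it should be confirmed in a disassembler that the 68 byte really starts an instruction rather than sitting inside the operand of a preceding one.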