Windows Analysis Report
jeIXtJsk2r.exe

Overview

General Information

Sample name: jeIXtJsk2r.exe
renamed because original name is a hash value
Original sample name: 17725_235193913_c3ca3f043643f5cc2c60d2c5a652a3cb567031cd25d19455e91058fd10c8dc55_wbcore.exe
Analysis ID: 1545669
MD5: b9d8166f79d114394b66df653c504a7d
SHA1: 336dde02524e671f35fd7e002f92019eef7d00c9
SHA256: c3ca3f043643f5cc2c60d2c5a652a3cb567031cd25d19455e91058fd10c8dc55

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Source: jeIXtJsk2r.exe Static PE information: certificate valid
Source: jeIXtJsk2r.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\code\2009\Development\VistaBlinds\WBInstall\WBInstall\x64\Release\WBInstall.pdb source: jeIXtJsk2r.exe
Source: jeIXtJsk2r.exe String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: jeIXtJsk2r.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: jeIXtJsk2r.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: jeIXtJsk2r.exe String found in binary or memory: http://ocsp.thawte.com0
Source: jeIXtJsk2r.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: jeIXtJsk2r.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: jeIXtJsk2r.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: C:\Users\user\Desktop\jeIXtJsk2r.exe Code function: 0_2_00007FF7C69E2E70 0_2_00007FF7C69E2E70
Source: jeIXtJsk2r.exe Binary or memory string: OriginalFilename vs jeIXtJsk2r.exe
Source: jeIXtJsk2r.exe, 00000000.00000002.1654993619.00007FF7C69ED000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWBCore.exeP vs jeIXtJsk2r.exe
Source: jeIXtJsk2r.exe Binary or memory string: OriginalFilenameWBCore.exeP vs jeIXtJsk2r.exe
Source: classification engine Classification label: clean3.winEXE@1/0@0/0
Source: jeIXtJsk2r.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jeIXtJsk2r.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jeIXtJsk2r.exe String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: C:\Users\user\Desktop\jeIXtJsk2r.exe Section loaded: apphelp.dll
Source: jeIXtJsk2r.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: jeIXtJsk2r.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\jeIXtJsk2r.exe Code function: 0_2_00007FF7C69E4FF4 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00007FF7C69E4FF4
Source: C:\Users\user\Desktop\jeIXtJsk2r.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\jeIXtJsk2r.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\jeIXtJsk2r.exe Code function: 0_2_00007FF7C69E1490 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7C69E1490
Source: C:\Users\user\Desktop\jeIXtJsk2r.exe Code function: 0_2_00007FF7C69E3158 SetUnhandledExceptionFilter, 0_2_00007FF7C69E3158
Source: C:\Users\user\Desktop\jeIXtJsk2r.exe Code function: 0_2_00007FF7C69E2370 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7C69E2370
Source: C:\Users\user\Desktop\jeIXtJsk2r.exe Code function: 0_2_00007FF7C69E3BD4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00007FF7C69E3BD4
Source: C:\Users\user\Desktop\jeIXtJsk2r.exe Code function: 0_2_00007FF7C69E3B7C HeapCreate,GetVersion,HeapSetInformation, 0_2_00007FF7C69E3B7C
No contacted IP infos