Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561503
MD5:	00737bada48d092c96d1d6a8829f680f
SHA1:	55dfedce4c520fe53ca2180f848e2089924365fb
SHA256:	d550c57c2b194b654d639537aa23827b98e2f03f0bd58957c7ae1bef570253e9
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000005.00000003.1284730596.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C950FB	5_2_00C950FB
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00D3203F	5_2_00D3203F
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C27184	5_2_00C27184
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C27159	5_2_00C27159
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00D2C459	5_2_00D2C459
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C2F727	5_2_00C2F727
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00AADF02	5_2_00AADF02

Sample file is different than original file name gathered from version info

Source: file.exe, 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000005.00000002.1425596261.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Source: file.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe	String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNe

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00AAE631 push ecx; mov dword ptr [esp], 2EDFEAB8h	5_2_00AAF4E6
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C2691C push eax; mov dword ptr [esp], edx	5_2_00C2696C
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C2691C push edi; mov dword ptr [esp], 15D9BB73h	5_2_00C269B8
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C2691C push eax; mov dword ptr [esp], 776FA7D7h	5_2_00C269E1
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C2691C push eax; mov dword ptr [esp], edx	5_2_00C26A53
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C2691C push edx; mov dword ptr [esp], esp	5_2_00C26A6D
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C26A8D push ecx; mov dword ptr [esp], 1F9A5B00h	5_2_00C26A9D
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C26A8D push eax; mov dword ptr [esp], 7A7B13FBh	5_2_00C26AD7
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C26A8D push 3DDD64CCh; mov dword ptr [esp], ebx	5_2_00C26B43
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C26A8D push 353378F6h; mov dword ptr [esp], eax	5_2_00C26B92
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00AAEBE8 push ecx; mov dword ptr [esp], 3A7030C6h	5_2_00AAEEAF
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C33ED5 push 7E89483Ch; mov dword ptr [esp], esi	5_2_00C34323
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C3B0C0 push 698F884Dh; mov dword ptr [esp], ebx	5_2_00C3B735
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00D160C2 push ecx; mov dword ptr [esp], edi	5_2_00D161B8
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00AAF0B3 push 2E982ECAh; mov dword ptr [esp], esi	5_2_00AAF78E
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00AAD087 push esi; mov dword ptr [esp], 72EF4426h	5_2_00AAD2B5
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C300ED push 3867E794h; mov dword ptr [esp], edi	5_2_00C300F9
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C300ED push edi; mov dword ptr [esp], 2E662B80h	5_2_00C30253
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C300ED push 0612B6FEh; mov dword ptr [esp], eax	5_2_00C302B9
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C300ED push 07E9DF3Bh; mov dword ptr [esp], edx	5_2_00C30403
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C300ED push 68901B99h; mov dword ptr [esp], edi	5_2_00C304B3
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C950FB push 52E70452h; mov dword ptr [esp], ebx	5_2_00C95103
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C950FB push eax; mov dword ptr [esp], 55FB5BECh	5_2_00C951EB
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C950FB push 34AE4773h; mov dword ptr [esp], esp	5_2_00C951FA
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C950FB push 078B0E8Bh; mov dword ptr [esp], edx	5_2_00C95240
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C270FA push ebp; mov dword ptr [esp], 09600DC2h	5_2_00C27119
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C270FA push 56CAA343h; mov dword ptr [esp], ebp	5_2_00C27140
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00AB10EA push 32AC7660h; mov dword ptr [esp], ecx	5_2_00AB2C22
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C3108C push eax; mov dword ptr [esp], eax	5_2_00C31434
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C3108C push eax; mov dword ptr [esp], eax	5_2_00C314A8
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C3108C push eax; mov dword ptr [esp], esp	5_2_00C32612

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: AADDA6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: AADE85 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: AAB27A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: C5F8A3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: CE6B52 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: C4B337 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: file.exe, file.exe, 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAE532 second address: AADE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 nop 0x00000008 jl 00007FE7A8F64FACh 0x0000000e push dword ptr [ebp+122D0E85h] 0x00000014 mov dword ptr [ebp+122D1CC3h], eax 0x0000001a pushad 0x0000001b mov si, DC3Eh 0x0000001f mov ecx, dword ptr [ebp+122D3B17h] 0x00000025 popad 0x00000026 call dword ptr [ebp+122D1F5Dh] 0x0000002c pushad 0x0000002d mov dword ptr [ebp+122D1D1Fh], ebx 0x00000033 xor eax, eax 0x00000035 add dword ptr [ebp+122D22D5h], ebx 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f jmp 00007FE7A8F64FABh 0x00000044 mov dword ptr [ebp+122D39ABh], eax 0x0000004a cmc 0x0000004b pushad 0x0000004c call 00007FE7A8F64FB0h 0x00000051 mov edi, ecx 0x00000053 pop ebx 0x00000054 mov edi, dword ptr [ebp+122D3D27h] 0x0000005a popad 0x0000005b mov esi, 0000003Ch 0x00000060 or dword ptr [ebp+122D2259h], ebx 0x00000066 add esi, dword ptr [esp+24h] 0x0000006a jl 00007FE7A8F64FA7h 0x00000070 stc 0x00000071 cmc 0x00000072 lodsw 0x00000074 jmp 00007FE7A8F64FAEh 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d jmp 00007FE7A8F64FB2h 0x00000082 mov ebx, dword ptr [esp+24h] 0x00000086 jbe 00007FE7A8F64FA7h 0x0000008c clc 0x0000008d nop 0x0000008e push ecx 0x0000008f push eax 0x00000090 push edx 0x00000091 jo 00007FE7A8F64FA6h 0x00000097 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C26796 second address: C2679C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2679C second address: C267C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE7A8F64FADh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FE7A8F64FB4h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C267C8 second address: C267CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2692B second address: C2692F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2692F second address: C26939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C26D3A second address: C26D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2896B second address: C289F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 mov edx, dword ptr [ebp+122D3CCFh] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FE7A8C37278h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a push EC9EC341h 0x0000002f pushad 0x00000030 jmp 00007FE7A8C3727Dh 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b popad 0x0000003c add dword ptr [esp], 13613D3Fh 0x00000043 mov edx, edi 0x00000045 push 00000003h 0x00000047 push esi 0x00000048 sub dword ptr [ebp+122D221Ch], edx 0x0000004e pop edx 0x0000004f push 00000000h 0x00000051 jo 00007FE7A8C3727Ch 0x00000057 push 00000003h 0x00000059 mov edi, dword ptr [ebp+122D3B83h] 0x0000005f call 00007FE7A8C37279h 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 je 00007FE7A8C37276h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C289F2 second address: C28A16 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE7A8F64FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE7A8F64FB8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28A16 second address: C28A47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C37288h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE7A8C37281h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28A47 second address: C28B03 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FE7A8F64FB5h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jnc 00007FE7A8F64FBBh 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007FE7A8F64FAEh 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 jmp 00007FE7A8F64FAEh 0x00000025 pop eax 0x00000026 jmp 00007FE7A8F64FAFh 0x0000002b lea ebx, dword ptr [ebp+1244E7E8h] 0x00000031 clc 0x00000032 xchg eax, ebx 0x00000033 jnc 00007FE7A8F64FC6h 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d jmp 00007FE7A8F64FB7h 0x00000042 jg 00007FE7A8F64FA6h 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28B03 second address: C28B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FE7A8C37276h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28BC8 second address: C28BCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28C80 second address: C28C84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28C84 second address: C28CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push ebx 0x00000009 jmp 00007FE7A8F64FB8h 0x0000000e pop ebx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 jmp 00007FE7A8F64FABh 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28CB9 second address: C28CDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE7A8C3727Dh 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007FE7A8C3727Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28CDE second address: C28CE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28CE4 second address: C28D33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jc 00007FE7A8C37284h 0x00000012 pushad 0x00000013 jnc 00007FE7A8C37276h 0x00000019 jc 00007FE7A8C37276h 0x0000001f popad 0x00000020 pop eax 0x00000021 mov dword ptr [ebp+122D1D13h], edx 0x00000027 lea ebx, dword ptr [ebp+1244E7F1h] 0x0000002d sbb si, 2296h 0x00000032 jmp 00007FE7A8C37288h 0x00000037 xchg eax, ebx 0x00000038 push eax 0x00000039 push ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28D33 second address: C28D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28D42 second address: C28D52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE7A8C3727Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28D9C second address: C28E31 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FE7A8F64FB1h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FE7A8F64FAEh 0x00000011 nop 0x00000012 jmp 00007FE7A8F64FADh 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a mov di, F58Dh 0x0000001e pop ecx 0x0000001f push 1DF4CA9Ah 0x00000024 push esi 0x00000025 jmp 00007FE7A8F64FB7h 0x0000002a pop esi 0x0000002b xor dword ptr [esp], 1DF4CA1Ah 0x00000032 jne 00007FE7A8F64FABh 0x00000038 push 00000003h 0x0000003a jno 00007FE7A8F64FA7h 0x00000040 mov dword ptr [ebp+122D21C0h], edi 0x00000046 push 00000000h 0x00000048 mov dword ptr [ebp+122D1CADh], edi 0x0000004e push 00000003h 0x00000050 adc dh, 00000043h 0x00000053 call 00007FE7A8F64FA9h 0x00000058 pushad 0x00000059 push edi 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28E31 second address: C28E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FE7A8C3727Ah 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007FE7A8C37283h 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28E59 second address: C28E88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007FE7A8F64FA6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jns 00007FE7A8F64FB8h 0x00000016 mov eax, dword ptr [eax] 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28E88 second address: C28EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007FE7A8C37282h 0x00000010 pop eax 0x00000011 lea ebx, dword ptr [ebp+1244E7FCh] 0x00000017 pushad 0x00000018 mov dword ptr [ebp+122D20A6h], ecx 0x0000001e popad 0x0000001f push eax 0x00000020 push ebx 0x00000021 jl 00007FE7A8C3727Ch 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3BC5F second address: C3BC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47EA9 second address: C47EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47EAD second address: C47EBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47EBB second address: C47EBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47EBF second address: C47EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4804D second address: C48051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C48051 second address: C4805D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE7A8F64FA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4805D second address: C48078 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE7A8C37281h 0x00000009 jnl 00007FE7A8C37276h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4861E second address: C48643 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8F64FB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FE7A8F64FABh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C48643 second address: C48649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C48649 second address: C4864D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4864D second address: C48674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FE7A8C37276h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007FE7A8C37285h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C48674 second address: C486A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE7A8F64FB3h 0x00000009 jmp 00007FE7A8F64FB3h 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C486A4 second address: C486AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3F222 second address: C3F227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C10A76 second address: C10A7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

ID:	1561503
Product:	CloudBasic
Start time:	15:37:10
Start date:	23.11.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	00737bada48d092c96d1d6a8829f680f
SHA1:	55dfedce4c520fe53ca2180f848e2089924365fb
SHA256:	d550c57c2b194b654d639537aa23827b98e2f03f0bd58957c7ae1bef570253e9
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
file.exe