Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561634
MD5: 2699448f43fe2a97c2cf07bf56fe92f3
SHA1: 672e4bdd08082c99ed7adba3799288c22f50338e
SHA256: a4ac352fe49d6162961007d64b2ac23413cc5575ea17b61a91f6d808795e994b
Tags: exe, user-Bitsight

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Machine Learning detection for sample
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h] 0_2_00CBE0D8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then push eax 0_2_00CEF8D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, eax 0_2_00CEF8D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h 0_2_00CEBCE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, eax 0_2_00CEB8E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, ecx 0_2_00CEB8E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h] 0_2_00CB98F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, ecx 0_2_00CBBC9D
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, ebp 0_2_00CB5C90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [esi], cl 0_2_00CD8CB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh 0_2_00CEC040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh 0_2_00CEC040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h 0_2_00CEC040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then push eax 0_2_00CEB860
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_00CD0870
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, eax 0_2_00CBC02B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h] 0_2_00CBE970
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [eax+ecx] 0_2_00CBAD00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [edi] 0_2_00CD5E90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [esi], cx 0_2_00CBEA38
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h] 0_2_00CB77D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax 0_2_00CB77D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h] 0_2_00CBE35B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch] 0_2_00CF0F60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], bl 0_2_00CBCF05
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE4470 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_00CE4470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB89A0 0_2_00CB89A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB6CC0 0_2_00CB6CC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CBE0D8 0_2_00CBE0D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB94D0 0_2_00CB94D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEF8D0 0_2_00CEF8D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE24E0 0_2_00CE24E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEB8E0 0_2_00CEB8E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB98F0 0_2_00CB98F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF0C80 0_2_00CF0C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB5C90 0_2_00CB5C90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD8CB0 0_2_00CD8CB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB6840 0_2_00CB6840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB4040 0_2_00CB4040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEC040 0_2_00CEC040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD0870 0_2_00CD0870
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB542C 0_2_00CB542C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE9030 0_2_00CE9030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE41D0 0_2_00CE41D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB3580 0_2_00CB3580
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF1580 0_2_00CF1580
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB61A0 0_2_00CB61A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CBE970 0_2_00CBE970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD3D70 0_2_00CD3D70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CBAD00 0_2_00CBAD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CC9530 0_2_00CC9530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB5AC9 0_2_00CB5AC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB4AC0 0_2_00CB4AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD5E90 0_2_00CD5E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD0650 0_2_00CD0650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB9210 0_2_00CB9210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CBB210 0_2_00CBB210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD7E20 0_2_00CD7E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB77D0 0_2_00CB77D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB27D0 0_2_00CB27D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CB2B80 0_2_00CB2B80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEC780 0_2_00CEC780
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD1790 0_2_00CD1790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE87B0 0_2_00CE87B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CCFB60 0_2_00CCFB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF0F60 0_2_00CF0F60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD8770 0_2_00CD8770
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CBCF05 0_2_00CBCF05
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CCDB30 0_2_00CCDB30
Source: classification engine Classification label: sus24.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE9030 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 0_2_00CE9030
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CC5057 push eax; iretd 0_2_00CC5058
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CC8028 push esp; ret 0_2_00CC802B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CC642B push esp; ret 0_2_00CC6438
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CC81DA push eax; iretd 0_2_00CC81DB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CC8100 push esp; iretd 0_2_00CC8102
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CC811F push esp; iretd 0_2_00CC8135
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CC4BB8 push esp; iretd 0_2_00CC4BD4
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEDF70 LdrInitializeThunk, 0_2_00CEDF70
No contacted IP infos