Windows Analysis Report
Vh5fpQFekQ.exe

Overview

General Information

Sample name: Vh5fpQFekQ.exe (renamed because the original name is a hash value)
Original sample name: c004f036648d61fccb863fa52daee51eab9767654d38e2a44b9ef72fc2b70c68.exe
Analysis ID: 1562122
MD5: 600942b31377727cac9ca8f41b9d74c1
SHA1: 7116295c1f08155da6db552a94c3f355050546e9
SHA256: c004f036648d61fccb863fa52daee51eab9767654d38e2a44b9ef72fc2b70c68
Tags: exe, TRADETRUSTLLC, user-JAMESWT_MHT

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Source: Vh5fpQFekQ.exe String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.cer0
Source: Vh5fpQFekQ.exe String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.crl0
Source: Vh5fpQFekQ.exe String found in binary or memory: http://crls.ssl.com/ssl.com-EVecc-RootCA.crl0
Source: Vh5fpQFekQ.exe String found in binary or memory: http://ocsps.ssl.com0
Source: Vh5fpQFekQ.exe String found in binary or memory: http://ocsps.ssl.com0P
Source: Vh5fpQFekQ.exe String found in binary or memory: http://www.indyproject.org/
Source: Vh5fpQFekQ.exe String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-ECC-384-R1.crt0
Source: Vh5fpQFekQ.exe String found in binary or memory: https://www.ssl.com/repository0
Source: Vh5fpQFekQ.exe Static PE information: invalid certificate
Source: Vh5fpQFekQ.exe Static PE information: Number of sections : 11 > 10
Source: Vh5fpQFekQ.exe, 00000000.00000000.1247097503.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCRProcessMonitor .exe. vs Vh5fpQFekQ.exe
Source: Vh5fpQFekQ.exe, 00000000.00000002.1252067099.0000000002AC6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs Vh5fpQFekQ.exe
Source: Vh5fpQFekQ.exe, 00000000.00000000.1246176284.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs Vh5fpQFekQ.exe
Source: Vh5fpQFekQ.exe, 00000000.00000002.1252067099.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCRProcessMonitor .exe. vs Vh5fpQFekQ.exe
Source: Vh5fpQFekQ.exe Binary or memory string: OriginalFileName vs Vh5fpQFekQ.exe
Source: Vh5fpQFekQ.exe Binary or memory string: OriginalFilenameCRProcessMonitor .exe. vs Vh5fpQFekQ.exe
Source: classification engine Classification label: clean3.winEXE@1/0@0/0
Source: Vh5fpQFekQ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Vh5fpQFekQ.exe String found in binary or memory: pbe-help.chm
Source: Vh5fpQFekQ.exe String found in binary or memory: NATS-SEFI-ADD
Source: Vh5fpQFekQ.exe String found in binary or memory: NATS-DANO-ADD
Source: Vh5fpQFekQ.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: Vh5fpQFekQ.exe String found in binary or memory: jp-ocr-b-add
Source: Vh5fpQFekQ.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: Vh5fpQFekQ.exe String found in binary or memory: jp-ocr-hand-add
Source: Vh5fpQFekQ.exe String found in binary or memory: ISO_6937-2-add
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Window found: window name: TMainForm
Source: Vh5fpQFekQ.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Vh5fpQFekQ.exe Static file information: File size 23192776 > 1048576
Source: Vh5fpQFekQ.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5a6a00
Source: Vh5fpQFekQ.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x222c00
Source: Vh5fpQFekQ.exe Static PE information: More than 200 imports for user32.dll
Source: Vh5fpQFekQ.exe Static PE information: section name: .didata
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe Code function: 0_2_00416170 GetSystemInfo, 0_2_00416170
Source: Vh5fpQFekQ.exe, 00000000.00000002.1251546012.0000000000D9C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
No contacted IP infos