Windows Analysis Report
HkppfZO2WW.exe

Overview

General Information

Sample name: HkppfZO2WW.exe (renamed because the original name is a hash value)
Original sample name: c23e31e962885184e343d7f402561853515a44256a20e78f74e5e597090b4f41.exe
Analysis ID: 1562123
MD5: e8c247a498e6c947ac8fe25cb0374140
SHA1: 2d40b90c9f9920e7890acbbadbc9fea85ce508c6
SHA256: c23e31e962885184e343d7f402561853515a44256a20e78f74e5e597090b4f41
Tags: exe, TRADETRUSTLLC, user-JAMESWT_MHT

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
Potential time zone aware malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Source: HkppfZO2WW.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: HkppfZO2WW.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.cer0
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.crl0
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe String found in binary or memory: http://crls.ssl.com/ssl.com-EVecc-RootCA.crl0
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe String found in binary or memory: http://ocsps.ssl.com0
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe String found in binary or memory: http://ocsps.ssl.com0P
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-ECC-384-R1.crt0
Source: javaw.exe, 00000005.00000003.2191270030.0000000001145000.00000004.00000020.00020000.00000000.sdmp, HkppfZO2WW.exe String found in binary or memory: https://www.ssl.com/repository0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 0_2_004030C0 0_2_004030C0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 0_2_004013B0 0_2_004013B0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 0_2_004013E9 0_2_004013E9
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 4_2_004030C0 4_2_004030C0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 4_2_004013B0 4_2_004013B0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 4_2_004013E9 4_2_004013E9
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 6_2_004030C0 6_2_004030C0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 6_2_004013B0 6_2_004013B0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 6_2_004013E9 6_2_004013E9
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: String function: 00404DF0 appears 36 times
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: String function: 00404D40 appears 45 times
Source: HkppfZO2WW.exe Static PE information: invalid certificate
Source: HkppfZO2WW.exe, 00000000.00000000.2163550546.0000000000410000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe, 00000000.00000002.2166217491.0000000000411000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe, 00000004.00000002.2191385256.0000000000411000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe, 00000004.00000000.2188658719.0000000000410000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe, 00000006.00000000.2210752213.0000000000410000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe, 00000006.00000002.2212399628.0000000000411000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe Binary or memory string: OriginalFilenameEXP Soundboard_05.exe> vs HkppfZO2WW.exe
Source: HkppfZO2WW.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine Classification label: clean4.winEXE@9/0@0/0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 0_2_00401BF0 GetLastError,MessageBoxA,ShellExecuteA,printf,fclose,FormatMessageA,strcat,printf,LocalFree,fprintf,fprintf,MessageBoxA, 0_2_00401BF0
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 0_2_00401E10 FindResourceExA,LoadResource,LockResource,SetLastError, 0_2_00401E10
Source: HkppfZO2WW.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HkppfZO2WW.exe String found in binary or memory: exp/soundboard/loader.mp3
Source: HkppfZO2WW.exe String found in binary or memory: exp/soundboard/loader.mp3PK
Source: unknown Process created: C:\Users\user\Desktop\HkppfZO2WW.exe "C:\Users\user\Desktop\HkppfZO2WW.exe" -install
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" -install
Source: unknown Process created: C:\Users\user\Desktop\HkppfZO2WW.exe "C:\Users\user\Desktop\HkppfZO2WW.exe" /install
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /install
Source: unknown Process created: C:\Users\user\Desktop\HkppfZO2WW.exe "C:\Users\user\Desktop\HkppfZO2WW.exe" /load
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /load
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" -install
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /install
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /load
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Development Kit
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Automated click: OK
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Automated click: OK
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Automated click: OK
Source: HkppfZO2WW.exe Static file information: File size 9142400 > 1048576
Source: HkppfZO2WW.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: C:\Users\user\Desktop\HkppfZO2WW.exe System information queried: CurrentTimeZoneInformation
Source: C:\Users\user\Desktop\HkppfZO2WW.exe System information queried: CurrentTimeZoneInformation
Source: C:\Users\user\Desktop\HkppfZO2WW.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 0_2_00401150 SetUnhandledExceptionFilter,__getmainargs,_iob,_iob,_setmode,_iob,_iob,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess, 0_2_00401150
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 4_2_00401150 SetUnhandledExceptionFilter,__getmainargs,_iob,_iob,_setmode,_iob,_iob,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess, 4_2_00401150
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Code function: 6_2_00401150 SetUnhandledExceptionFilter,__getmainargs,_iob,_iob,_setmode,_iob,_iob,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess, 6_2_00401150
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" -install
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /install
Source: C:\Users\user\Desktop\HkppfZO2WW.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\HkppfZO2WW.exe" /load
No contacted IP infos