Windows Analysis Report
hwPMkWBZ6O.exe

Overview

General Information

Sample name: hwPMkWBZ6O.exe
renamed because original name is a hash value
Original sample name: 2024-06-08_4f7c96df26709451ade16a8703b546df_avoslocker.exe
Analysis ID: 1562216
MD5: 4f7c96df26709451ade16a8703b546df
SHA1: 4cccded38fbfe2bc528be05389a0e7ab1bb18bb7
SHA256: 1e4053448fa8dbcee9851ea62a6399bda2d8188b6ac3a0093b5a0049fa9be3e4
Tags: exemalwareRansomwareuser-Joker
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Detected potential crypto function
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: hwPMkWBZ6O.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: hwPMkWBZ6O.exe ReversingLabs: Detection: 84%
Machine Learning detection for sample
Source: hwPMkWBZ6O.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: hwPMkWBZ6O.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: MidlRT.pdb source: hwPMkWBZ6O.exe
Source: Binary string: MidlRT.pdbGCTL source: hwPMkWBZ6O.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe Code function: 0_2_00407D6C 0_2_00407D6C
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe Code function: 0_2_00403EA0 0_2_00403EA0
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe Code function: 0_2_00405BB5 0_2_00405BB5
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe Code function: 0_2_004014B6 0_2_004014B6
Sample file is different than original file name gathered from version info
Source: hwPMkWBZ6O.exe Binary or memory string: OriginalFilename vs hwPMkWBZ6O.exe
Source: hwPMkWBZ6O.exe, 00000000.00000000.2111814165.0000000000551000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemidlrt.exej% vs hwPMkWBZ6O.exe
Source: hwPMkWBZ6O.exe, 00000000.00000002.3349290604.0000000000552000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemidlrt.exej% vs hwPMkWBZ6O.exe
Source: hwPMkWBZ6O.exe Binary or memory string: OriginalFilenamemidlrt.exej% vs hwPMkWBZ6O.exe
Uses 32bit PE files
Source: hwPMkWBZ6O.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: hwPMkWBZ6O.exe Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: hwPMkWBZ6O.exe Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal60.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_03
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: hwPMkWBZ6O.exe ReversingLabs: Detection: 84%
Source: unknown Process created: C:\Users\user\Desktop\hwPMkWBZ6O.exe "C:\Users\user\Desktop\hwPMkWBZ6O.exe"
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe Section loaded: midlrtmd.dll Jump to behavior
Source: hwPMkWBZ6O.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: hwPMkWBZ6O.exe Static file information: File size 2082816 > 1048576
Source: hwPMkWBZ6O.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x145200
Source: hwPMkWBZ6O.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: MidlRT.pdb source: hwPMkWBZ6O.exe
Source: Binary string: MidlRT.pdbGCTL source: hwPMkWBZ6O.exe
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe Code function: 0_2_0040BF5A push eax; iretd 0_2_0040BF65
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe Code function: 0_2_00413164 pushfd ; ret 0_2_00413165
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe Code function: 0_2_0040BF66 pushad ; iretd 0_2_0040BF71
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe Code function: 0_2_004112F9 pushad ; iretd 0_2_004113F9
Source: C:\Users\user\Desktop\hwPMkWBZ6O.exe Code function: 0_2_0041119F push eax; ret 0_2_004111AD
Source: hwPMkWBZ6O.exe Static PE information: section name: .reloc entropy: 7.901129109347179
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1562216 Sample: hwPMkWBZ6O.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 60 10 Antivirus / Scanner detection for submitted sample 2->10 12 Multi AV Scanner detection for submitted file 2->12 14 Machine Learning detection for sample 2->14 6 hwPMkWBZ6O.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
No contacted IP infos