Windows Analysis Report
y83WAR4vQc.exe

Overview

General Information

Sample name: y83WAR4vQc.exe
renamed because original name is a hash value
Original sample name: f9401786d00286b50c0d2228fa06d6777d0a5c32294470c297db161a8625ac5b.exe
Analysis ID: 1562314
MD5: 4effe13b0f91976bd70825f2eff1077a
SHA1: 65990fc883bdd4c6c59cf039e5979c43d3d3d0d2
SHA256: f9401786d00286b50c0d2228fa06d6777d0a5c32294470c297db161a8625ac5b
Tags: exe, user-adrian__luca

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Uses 32bit PE files

Classification

AV Detection

Source: y83WAR4vQc.exe Avira: detected
Source: y83WAR4vQc.exe ReversingLabs: Detection: 23%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 92.7% probability
Source: y83WAR4vQc.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_00405629 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405629
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_004060E4 FindFirstFileW,FindClose, 0_2_004060E4
Source: y83WAR4vQc.exe, 00000000.00000002.1362400372.000000000062E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: y83WAR4vQc.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_0040518A GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040518A
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_00403229 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403229
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_00406547 0_2_00406547
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_00406D1E 0_2_00406D1E
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_004049C7 0_2_004049C7
Source: y83WAR4vQc.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal60.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_00404481 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404481
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_0040206A CoCreateInstance, 0_2_0040206A
Source: C:\Users\user\Desktop\y83WAR4vQc.exe File created: C:\Users\user~1\AppData\Local\Temp\nsmADFC.tmp Jump to behavior
Source: y83WAR4vQc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\y83WAR4vQc.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: y83WAR4vQc.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\y83WAR4vQc.exe File read: C:\Users\user\Desktop\y83WAR4vQc.exe Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_0040610B GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_0040610B
Source: y83WAR4vQc.exe Static PE information: real checksum: 0xce445 should be: 0xa98e
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y83WAR4vQc.exe API coverage: 7.8 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_00405629 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405629
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_004060E4 FindFirstFileW,FindClose, 0_2_004060E4
Source: C:\Users\user\Desktop\y83WAR4vQc.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_0040610B GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_0040610B
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\y83WAR4vQc.exe Code function: 0_2_00405DC3 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405DC3
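The "PE file contains an invalid checksum" signature above (real checksum: 0xce445 should be: 0xa98e) is the kind of finding worth re-checking by hand before weighting it. The following is an added example, not part of this sandbox report or of the sample: it reimplements the algorithm behind Windows' CheckSumMappedFile in plain Python (sum every 32-bit word of the file with end-around carry, skip the dword holding the CheckSum field, fold to 16 bits, add the file length), verifies a file against its stored value, and can patch the correct value back in. Because the analysed sample is not available here, the sample input is a constructed 312-byte header-only PE32 skeleton whose Characteristics mirror the report (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE) and whose CheckSum field is deliberately wrong; the function names are this example's own.

```python
import struct
import sys


def pe_checksum_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    The field sits 0x40 bytes into the optional header for both PE32 and
    PE32+; the optional header follows the 4-byte "PE\\0\\0" signature and
    the 20-byte IMAGE_FILE_HEADER located at e_lfanew (DOS header, 0x3C).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    offset = e_lfanew + 4 + 20 + 0x40
    if offset % 4:
        raise ValueError("unaligned PE header; CheckSum field straddles dwords")
    return offset


def stored_checksum(data: bytes) -> int:
    """The value the linker (or whoever last patched the stub) wrote into the header."""
    return struct.unpack_from("<I", data, pe_checksum_offset(data))[0]


def compute_checksum(data: bytes) -> int:
    """Recompute what CheckSumMappedFile would return for this file.

    Every 32-bit word is summed with end-around carry, the dword holding the
    CheckSum field itself is skipped, the sum is folded to 16 bits and the
    file length is added. A trailing partial word is zero-padded.
    """
    skip = pe_checksum_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def verify_checksum(data: bytes) -> tuple:
    """Return (stored, computed, matches). A stored value of 0 means 'never set'."""
    stored, computed = stored_checksum(data), compute_checksum(data)
    return stored, computed, stored == computed


def fix_checksum(data: bytes) -> bytes:
    """Return a copy of the file with the CheckSum field set to the computed value."""
    patched = bytearray(data)
    struct.pack_into("<I", patched, pe_checksum_offset(data), compute_checksum(data))
    return bytes(patched)


def build_minimal_pe(checksum_field: int = 0xDEADBEEF) -> bytes:
    """Constructed sample input (not the analysed sample): a 312-byte PE32
    skeleton with DOS header, COFF header and an otherwise empty optional
    header, no sections, and a deliberately wrong CheckSum field."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0, Characteristics=0x010F
    # (RELOCS_STRIPPED|EXECUTABLE_IMAGE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 0x40, checksum_field)  # CheckSum field
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    stored, computed, ok = verify_checksum(blob)
    # Same wording as the sandbox's static PE signature line
    print(f"real checksum: {stored:#x} should be: {computed:#x} ({'ok' if ok else 'MISMATCH'})")
```

Two practical notes. First, the loader only enforces this field for kernel drivers and a few early-loaded system DLLs; an ordinary user-mode EXE with a wrong checksum runs fine, so on its own the signature is weak evidence, and installers and packers that append data to a prebuilt stub routinely leave it stale. Second, because the expected value is a 16-bit sum plus the file length, the report's "should be: 0xa98e" also tells you the submitted file is at most 0xa98e (43,406) bytes, which is consistent with a small NSIS stub. If `pefile` is available, `pe.generate_checksum()` and `pe.verify_checksum()` give the same result without the hand-rolled loop.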
No contacted IP infos