Windows Analysis Report
Roahhi.exe

Overview

General Information

Sample name: Roahhi.exe
Analysis ID: 1592538
MD5: 395402b9823f71c7eb5dd07ed8f520d6
SHA1: 7fbe726d1b013c8343017cec30eb6900e3194f0c
SHA256: e5ddb80cb8eb3db1d9bc15026bb7c469e4d7898ae857ee7dfc166aa1244086e4
Tags: exeuser-lowmal3

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\IsClosed.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Virustotal: Detection: 38%
Source: Roahhi.exe Virustotal: Detection: 38%
Source: Roahhi.exe ReversingLabs: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Joe Sandbox ML: detected
Source: Roahhi.exe Joe Sandbox ML: detected
Source: Roahhi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Roahhi.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbQ\ source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb)| source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbnS source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Roahhi.exe, 00000000.00000002.2107417614.0000000006432000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106840572.00000000062C0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdbod source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Roahhi.exe, 00000000.00000002.2107417614.0000000006432000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106840572.00000000062C0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb@= source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n8C:\Windows\InstallUtil.pdb$ source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_06089740
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 4x nop then jmp 06083ABEh 0_2_060838F0
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_06089738
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 4x nop then jmp 06083ABEh 0_2_060838E1
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_060AD840
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 4x nop then jmp 06353C10h 0_2_06353B50
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 4x nop then jmp 06353C10h 0_2_06353B58
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06355490 NtProtectVirtualMemory, 0_2_06355490
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06358D08 NtResumeThread, 0_2_06358D08
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06355488 NtProtectVirtualMemory, 0_2_06355488
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06358D03 NtResumeThread, 0_2_06358D03
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_00C0D070 0_2_00C0D070
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05824D28 0_2_05824D28
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0582AC70 0_2_0582AC70
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0582668B 0_2_0582668B
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05824D1B 0_2_05824D1B
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0582AC5F 0_2_0582AC5F
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05820007 0_2_05820007
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05820040 0_2_05820040
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05823A41 0_2_05823A41
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05823A50 0_2_05823A50
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05FAE148 0_2_05FAE148
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05FAAE68 0_2_05FAAE68
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05FA8CE0 0_2_05FA8CE0
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05FA8CD0 0_2_05FA8CD0
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05FA7850 0_2_05FA7850
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05FA0040 0_2_05FA0040
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05FA7840 0_2_05FA7840
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05FA0006 0_2_05FA0006
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05FA6BCB 0_2_05FA6BCB
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_05FAAE58 0_2_05FAAE58
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0608DEB8 0_2_0608DEB8
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06086B58 0_2_06086B58
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0608D088 0_2_0608D088
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06088EB8 0_2_06088EB8
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06088EC8 0_2_06088EC8
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0608CB38 0_2_0608CB38
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06080040 0_2_06080040
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_060AF3E0 0_2_060AF3E0
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_060A0006 0_2_060A0006
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_060A0040 0_2_060A0040
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06110040 0_2_06110040
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06111248 0_2_06111248
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06110367 0_2_06110367
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0628AAE0 0_2_0628AAE0
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06287570 0_2_06287570
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06287545 0_2_06287545
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0628AAD1 0_2_0628AAD1
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0634FAB0 0_2_0634FAB0
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0634F788 0_2_0634F788
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0634E730 0_2_0634E730
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0633001E 0_2_0633001E
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06330040 0_2_06330040
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0634E190 0_2_0634E190
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06352038 0_2_06352038
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_063536A9 0_2_063536A9
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06352028 0_2_06352028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_02724F90 2_2_02724F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_02725AD8 2_2_02725AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_02725AC8 2_2_02725AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_027222B0 2_2_027222B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_027222A0 2_2_027222A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_02724F90 2_2_02724F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1144
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2098685640.0000000005100000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameHykzini.dll" vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2067024816.0000000002B06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNuzfblcfzx.exe" vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2065169030.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2107417614.0000000006432000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2106840572.00000000062C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Roahhi.exe
Source: Roahhi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Roahhi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IsClosed.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.expl.evad.winEXE@4/3@0/0
Source: C:\Users\user\Desktop\Roahhi.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3eadd90e-8281-47ef-8936-5aea80d618f3
Source: Roahhi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Roahhi.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Roahhi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Roahhi.exe Virustotal: Detection: 38%
Source: Roahhi.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\Roahhi.exe File read: C:\Users\user\Desktop\Roahhi.exe
Source: unknown Process created: C:\Users\user\Desktop\Roahhi.exe "C:\Users\user\Desktop\Roahhi.exe"
Source: C:\Users\user\Desktop\Roahhi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1144
Source: C:\Users\user\Desktop\Roahhi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Roahhi.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Roahhi.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Roahhi.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Roahhi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Roahhi.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Roahhi.exe Static file information: File size 1647616 > 1048576
Source: Roahhi.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x191a00
Source: Roahhi.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 0.2.Roahhi.exe.43392bb.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Roahhi.exe.42f929b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Roahhi.exe.44b8ad0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Roahhi.exe.5fb0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Roahhi.exe.44b8ad0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Roahhi.exe.5fb0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Roahhi.exe.42d927b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2088150675.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2105474906.0000000005FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Roahhi.exe PID: 5604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5168, type: MEMORYSTR
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06083B63 push eax; iretd 0_2_06083B69
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06083BA8 pushfd ; iretd 0_2_06083BA9
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0611EEC0 push 5D00BC01h; ret 0_2_0611EEDD
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_062892A3 push es; retf 0_2_062892A4
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_062861D9 push es; iretd 0_2_062861F4
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_0635771A push es; iretd 0_2_06357720
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06354C28 push es; retf 0_2_06354C58
Source: Roahhi.exe Static PE information: section name: .text entropy: 7.893702508411447
Source: IsClosed.exe.0.dr Static PE information: section name: .text entropy: 7.893702508411447
Source: C:\Users\user\Desktop\Roahhi.exe File created: C:\Users\user\AppData\Roaming\IsClosed.exe

Boot Survival

Source: C:\Users\user\Desktop\Roahhi.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs
Source: C:\Users\user\Desktop\Roahhi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Roahhi.exe PID: 5604, type: MEMORYSTR
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Roahhi.exe Memory allocated: C00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Roahhi.exe Memory allocated: 28B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Roahhi.exe Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Roahhi.exe Memory allocated: 6390000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 26E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06282D97 rdtsc 0_2_06282D97
Source: C:\Users\user\Desktop\Roahhi.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\Desktop\Roahhi.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q 1:en-CH:Microsoft|VMWare|Virtual
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: C:\Users\user\Desktop\Roahhi.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06089740 CheckRemoteDebuggerPresent, 0_2_06089740
Source: C:\Users\user\Desktop\Roahhi.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Roahhi.exe Code function: 0_2_06282D97 rdtsc 0_2_06282D97
Source: C:\Users\user\Desktop\Roahhi.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Roahhi.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Roahhi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Roahhi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\Roahhi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\Roahhi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 46E000
Source: C:\Users\user\Desktop\Roahhi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 470000
Source: C:\Users\user\Desktop\Roahhi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 611008
Source: C:\Users\user\Desktop\Roahhi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Roahhi.exe Queries volume information: C:\Users\user\Desktop\Roahhi.exe VolumeInformation
Source: C:\Users\user\Desktop\Roahhi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Roahhi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Users\user\Desktop\Roahhi.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos