Windows Analysis Report
MbYnGuRGnm.exe

ID:	1410994
Product:	CloudBasic
Start time:	14:37:55
Start date:	18.03.2024
Sample:	MbYnGuRGnm.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	f671843cfde5c734ce07aa5a35e32934
SHA1:	717d3b853415bd2f1645f7edcd0944b438e3d01a
SHA256:	e57ce68c59b39ce145bbeec16942a48068fcaa26f6ff7d7a2c16b0d947d17873
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: MbYnGuRGnm.exe

Avira: detected

Source: MbYnGuRGnm.exe

ReversingLabs: Detection: 28%

Compliance

Source: MbYnGuRGnm.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: MbYnGuRGnm.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405841
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Code function: 0_2_004027FB FindFirstFileW,		0_2_004027FB
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Code function: 0_2_00406393 FindFirstFileW,FindClose,		0_2_00406393

Networking

Source: MbYnGuRGnm.exe, 00000000.00000002.1282798108.0000000000618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: MbYnGuRGnm.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

Code function: 0_2_004052EE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052EE

System Summary

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004032A0

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Code function: 0_2_00407040		0_2_00407040
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Code function: 0_2_00406869		0_2_00406869
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Code function: 0_2_00404B2B		0_2_00404B2B

Source: MbYnGuRGnm.exe, 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameavoke besully.exe: vs MbYnGuRGnm.exe
Source: MbYnGuRGnm.exe	Binary or memory string: OriginalFilenameavoke besully.exe: vs MbYnGuRGnm.exe

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: oleacc.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: shfolder.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Section loaded: wintypes.dll			Jump to behavior

Source: MbYnGuRGnm.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004032A0

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

Code function: 0_2_004045AF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045AF

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

File created: C:\Users\user\AppData\Local\Temp\nsxB483.tmp

Jump to behavior

Source: MbYnGuRGnm.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MbYnGuRGnm.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

File read: C:\Users\user\Desktop\MbYnGuRGnm.exe

Jump to behavior

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: MbYnGuRGnm.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

API coverage: 8.9 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405841
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Code function: 0_2_004027FB FindFirstFileW,		0_2_004027FB
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe	Code function: 0_2_00406393 FindFirstFileW,FindClose,		0_2_00406393

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

API call chain: ExitProcess graph end node

Anti Debugging

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\MbYnGuRGnm.exe

Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004032A0