Windows Analysis Report
22w5dN070c.exe

Overview

General Information

Sample name: 22w5dN070c.exe
Renamed because the original name is a hash value.
Original sample name: b2584406da7f9c66b50a4e57070b15286c92022cb337bc25392697a5a3a32043.exe
Analysis ID: 1411002
MD5: 8a0e29ab0781dfa6726efdd250f07b84
SHA1: b6f362a8ac82388e17ba0cee4a0a75d1cfbbdc23
SHA256: b2584406da7f9c66b50a4e57070b15286c92022cb337bc25392697a5a3a32043
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected PE file pumping (to bypass AV & sandboxing)
Machine Learning detection for sample
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file does not import any functions
Program does not show much activity (idle)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 22w5dN070c.exe Avira: detected
Source: 22w5dN070c.exe ReversingLabs: Detection: 52%
Source: 22w5dN070c.exe Joe Sandbox ML: detected
Source: 22w5dN070c.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00411800 0_2_00411800
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_004108D0 0_2_004108D0
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0040C8E0 0_2_0040C8E0
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0040F0E9 0_2_0040F0E9
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00410907 0_2_00410907
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00404110 0_2_00404110
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00409119 0_2_00409119
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0040F1C7 0_2_0040F1C7
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0040C1D0 0_2_0040C1D0
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00404990 0_2_00404990
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_004091A7 0_2_004091A7
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0040E246 0_2_0040E246
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00428A08 0_2_00428A08
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00425214 0_2_00425214
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00405310 0_2_00405310
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00408BC0 0_2_00408BC0
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00415BD0 0_2_00415BD0
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0041B3D0 0_2_0041B3D0
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0040DBF0 0_2_0040DBF0
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0041E3A0 0_2_0041E3A0
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00409436 0_2_00409436
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00409CF7 0_2_00409CF7
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0041BD00 0_2_0041BD00
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0040EDE0 0_2_0040EDE0
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0040DE56 0_2_0040DE56
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00410670 0_2_00410670
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0040E676 0_2_0040E676
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00409F47 0_2_00409F47
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0040EF78 0_2_0040EF78
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00405F30 0_2_00405F30
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0040FF30 0_2_0040FF30
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: String function: 0042664C appears 45 times
Source: 22w5dN070c.exe Static PE information: Resource name: RT_ICON type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: 22w5dN070c.exe Static PE information: Resource name: RT_ICON type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: 22w5dN070c.exe Static PE information: Resource name: RT_ICON type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: 22w5dN070c.exe Static PE information: Resource name: RT_ICON type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: 22w5dN070c.exe Static PE information: Resource name: RT_ICON type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: 22w5dN070c.exe Static PE information: No import functions for PE file found
Source: C:\Users\user\Desktop\22w5dN070c.exe Section loaded: apphelp.dll
Source: classification engine Classification label: mal64.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\22w5dN070c.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0042647C push eax; ret 0_2_0042649A
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_004254B0 push eax; ret 0_2_004254C4
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_004254B0 push eax; ret 0_2_004254EC
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_00426687 push ecx; ret 0_2_00426697
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Malware Analysis System Evasion

Source: 22w5dN070c.exe Static PE information: Resource name: RT_ICON size: 0xffffff28
Source: C:\Users\user\Desktop\22w5dN070c.exe Code function: 0_2_0040C1D0 rdtsc 0_2_0040C1D0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP information