Windows Analysis Report
INSIGNON.EXE

Overview

General Information

Sample name: INSIGNON.EXE
Analysis ID: 1417006
MD5: 4eb9ce3332c6d41fc80ed09cfc939c38
SHA1: 3f129474c227f5b21595a11934401759065b29db
SHA256: 9fdc124fcf1a99c7af2bf8b8f799aaa310906c8940805b6149158355c5127459

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: INSIGNON.EXE Virustotal: Detection: 13%
Source: INSIGNON.EXE Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\INSIGNON.EXE Code function: 4x nop then push ebp 0_2_00537C30
Source: C:\Users\user\Desktop\INSIGNON.EXE Code function: 4x nop then push ebp 0_2_00522670
Source: C:\Users\user\Desktop\INSIGNON.EXE Code function: 4x nop then push ebp 0_2_00547B90
Source: INSIGNON.EXE String found in binary or memory: http://Icons.Tritech.com/customericons
Source: INSIGNON.EXE String found in binary or memory: http://maps.google.com/mapfiles/kml
Source: INSIGNON.EXE String found in binary or memory: http://maps.google.com/mapfiles/ms/micons
Source: C:\Users\user\Desktop\INSIGNON.EXE Code function: 0_3_02AE0000 0_3_02AE0000
Source: C:\Users\user\Desktop\INSIGNON.EXE Code function: 0_3_02AE005C 0_3_02AE005C
Source: C:\Users\user\Desktop\INSIGNON.EXE Code function: 0_2_00545930 0_2_00545930
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: sxs.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: version.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\INSIGNON.EXE Section loaded: wbtrv32.dll
Source: classification engine Classification label: sus36.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\INSIGNON.EXE File created: C:\Users\user\Desktop\ImcSys.log
Source: C:\Users\user\Desktop\INSIGNON.EXE Mutant created: NULL
Source: INSIGNON.EXE Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INSIGNON.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: INSIGNON.EXE String found in binary or memory: rly re-started.
Source: INSIGNON.EXE String found in binary or memory: ted or Pervasive Server ('Microkernel') may need to be shut down and re-started.
Source: INSIGNON.EXE String found in binary or memory: If all other workstations get this same error, check the server. Pervasive on the server or the server itself may need to be properly re-started.
Source: INSIGNON.EXE String found in binary or memory: If rebooting every single workstation including pollers doesn't clear this error, the server may need to be properly downed re-started or Pervasive Server ('Microkernel') may need to be shut down and re-started.
Source: C:\Users\user\Desktop\INSIGNON.EXE Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: INSIGNON.EXE Static PE information: Virtual size of .text is bigger than: 0x100000
Source: INSIGNON.EXE Static file information: File size 1429504 > 1048576
Source: INSIGNON.EXE Static PE information: Raw size of .text is bigger than: 0x100000 < 0x150000
Source: C:\Users\user\Desktop\INSIGNON.EXE Code function: 0_2_00403058 push ebx; ret 0_2_00403069
Source: C:\Users\user\Desktop\INSIGNON.EXE Code function: 0_2_00401739 push cs; ret 0_2_00401871
Source: C:\Users\user\Desktop\INSIGNON.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INSIGNON.EXE API coverage: 7.1 %
Source: C:\Users\user\Desktop\INSIGNON.EXE Code function: 0_2_00524430 __vbaChkstk,__vbaStrMove,__vbaOnError,__vbaGenerateBoundsError,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStr,__vbaStrCat,__vbaStrMove,#576,__vbaFreeStr,__vbaStrCat,__vbaStrMove,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStr,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStr,#576,LdrInitializeThunk,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStr,__vbaGenerateBoundsError,__vbaStrCat,__vbaStrMove,#576,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaErrorOverflow,__vbaChkstk,__vbaStrMove,__vbaOnError,__vbaGenerateBoundsError,__vbaStrCat,__vbaStrMove,__vbaFreeStr,__vbaGenerateBoundsError,__vbaStrCat,__vbaStrMove,#578,__vbaFreeStr,__vbaStrCat,__vbaStrMove,__vbaFreeStr,#648,__vbaFreeVar,__vbaStrCat,__vbaStrMove,__vbaFileOpen,__vbaFreeStr,__vbaStrMove,__vbaStrMove,__vbaPrintFile,__vbaFreeStrList,__vbaFileClose, 0_2_00524430
No contacted IP infos