Windows Analysis Report
Start.exe

Overview

General Information

Sample name: Start.exe
Analysis ID: 1417120
MD5: 27b6dfb711cd360ef2d2ddd84b2cc311
SHA1: 5f496753903465593309b16ee48366824aaad255
SHA256: 5e1d9d83870ff1c80a059f9feadf01426f4ad4d500c7f850f2d98ddc093ec32d

Detection

Score: 19
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to register a low level keyboard hook
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: Start.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Start.exe Static PE information: certificate valid
Source: Start.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Z:\Development\Applications\FluxPlayer\build_win\Themes\FluxPlayer\FPStart\Release\Start.pdb source: Start.exe
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B09050 GetLongPathNameW,GetLongPathNameW,FindFirstFileW,FindClose, 0_2_00B09050
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B0E410 FindFirstFileW, 0_2_00B0E410
Source: Start.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Start.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Start.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Start.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Start.exe String found in binary or memory: http://jimmac.musichall.cz
Source: Start.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: Start.exe String found in binary or memory: http://www.gimp.orgg
Source: Start.exe String found in binary or memory: https://sectigo.com/CPS0
Source: Start.exe String found in binary or memory: https://sectigo.com/CPS0D

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009DA120 SetWindowsHookExW 00000002,Function_00039F30,00000000,00000000 0_2_009DA120
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009D9410 GetKeyState,GetSystemMetrics,GetAsyncKeyState, 0_2_009D9410
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009D4120 GetKeyState,GetKeyState,GetKeyState,GetMessageTime, 0_2_009D4120
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009D4A60 GetWindowLongW,GetWindowLongW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,GetWindowLongW,SendMessageW,GetWindowLongW,GetWindowLongW,SendMessageW,SendMessageW,GetFocus,GetWindowLongW,GetWindowLongW,IsWindowEnabled,IsWindowVisible,IsWindowEnabled,IsWindowVisible,GetWindowLongW,GetParent,IsDialogMessageW, 0_2_009D4A60
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009CCB20 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetCursorPos,GetMessagePos, 0_2_009CCB20
Source: C:\Users\user\Desktop\Start.exe Code function: 0_3_011A6541 0_3_011A6541
Source: C:\Users\user\Desktop\Start.exe Code function: 0_3_0119C860 0_3_0119C860
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B32250 0_2_00B32250
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BCF01A 0_2_00BCF01A
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B09050 0_2_00B09050
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B6A180 0_2_00B6A180
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B102E0 0_2_00B102E0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009B82E0 0_2_009B82E0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A1B210 0_2_00A1B210
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B393F0 0_2_00B393F0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B25340 0_2_00B25340
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009F8360 0_2_009F8360
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B0C480 0_2_00B0C480
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A15470 0_2_00A15470
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009E3590 0_2_009E3590
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009D15C0 0_2_009D15C0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A04540 0_2_00A04540
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A0F6A0 0_2_00A0F6A0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B386F0 0_2_00B386F0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009BE610 0_2_009BE610
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A01600 0_2_00A01600
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A0C8B0 0_2_00A0C8B0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009EC8E0 0_2_009EC8E0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009CE800 0_2_009CE800
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009FC800 0_2_009FC800
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A059A0 0_2_00A059A0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BA4AB1 0_2_00BA4AB1
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B0EA90 0_2_00B0EA90
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A96AF0 0_2_00A96AF0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B23A60 0_2_00B23A60
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009D7C00 0_2_009D7C00
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A87C40 0_2_00A87C40
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BACDC6 0_2_00BACDC6
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009F6D40 0_2_009F6D40
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BCEEF6 0_2_00BCEEF6
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BAEE00 0_2_00BAEE00
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A75E60 0_2_00A75E60
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A02F10 0_2_00A02F10
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009F4F40 0_2_009F4F40
Source: C:\Users\user\Desktop\Start.exe Code function: String function: 009B3450 appears 617 times
Source: C:\Users\user\Desktop\Start.exe Code function: String function: 009AFB30 appears 57 times
Source: C:\Users\user\Desktop\Start.exe Code function: String function: 009ACE30 appears 110 times
Source: C:\Users\user\Desktop\Start.exe Code function: String function: 00BA28F0 appears 37 times
Source: C:\Users\user\Desktop\Start.exe Code function: String function: 00AF0760 appears 33 times
Source: C:\Users\user\Desktop\Start.exe Code function: String function: 00AEEB90 appears 351 times
Source: C:\Users\user\Desktop\Start.exe Code function: String function: 009AE210 appears 119 times
Source: C:\Users\user\Desktop\Start.exe Code function: String function: 009DF8D0 appears 160 times
Source: C:\Users\user\Desktop\Start.exe Code function: String function: 00AEEA00 appears 412 times
Source: Start.exe, 00000000.00000002.1285021562.0000000000D3E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFluxPlayer.exe6 vs Start.exe
Source: Start.exe Binary or memory string: OriginalFilenameFluxPlayer.exe6 vs Start.exe
Source: C:\Users\user\Desktop\Start.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Start.exe Section loaded: wintypes.dll
Source: classification engine Classification label: clean19.spyw.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B09DB0 CoCreateInstance,MultiByteToWideChar,OleUninitialize, 0_2_00B09DB0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B2C250 FindResourceW,LoadResource,GetCurrentThreadId,GetCurrentThreadId,GetLastError,LockResource,GetLastError,SizeofResource, 0_2_00B2C250
Source: C:\Users\user\Desktop\Start.exe Mutant created: \Sessions\1\BaseNamedObjects\Start-user
Source: Start.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Start.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Start.exe String found in binary or memory: alnumalphaasciiblankcntrldigitgraphlowerprintpunctupperxdigitNULSOHSTXETXEOTENQACKBELalertBSbackspaceHTtabLFnewlineVTvertical-tabFFform-feedCRcarriage-returnSOSIDLEDC1DC2DC3DC4NAKSYNETBCANEMSUBESCIS4FSIS3GSIS2RSIS1USspaceexclamation-markquotation-marknumber-signdollar-signpercent-signampersandapostropheleft-parenthesisright-parenthesisasteriskplus-signcommahyphenhyphen-minusperiodfull-stopslashsoliduszeroonetwothreefourfivesixseveneightninecolonsemicolonless-than-signequals-signgreater-than-signquestion-markcommercial-atleft-square-bracketbackslashreverse-solidusright-square-bracketcircumflexcircumflex-accentunderscorelow-linegrave-accentleft-braceleft-curly-bracketvertical-lineright-braceright-curly-brackettildeDEL
Source: Start.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Start.exe Static file information: File size 4012936 > 1048576
Source: Start.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x263200
Source: Start.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Start.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Start.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Start.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Start.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Start.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Start.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Start.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Start.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Start.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Start.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Start.exe Code function: 0_3_0119CA58 pushad ; iretd 0_3_0119CAAD
Source: C:\Users\user\Desktop\Start.exe Code function: 0_3_0119C860 pushad ; iretd 0_3_0119CAAD
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009B3050 push ecx; mov dword ptr [esp], ecx 0_2_009B3171
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A11580 push ecx; mov dword ptr [esp], ecx 0_2_00A11581
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A29690 push ecx; mov dword ptr [esp], ecx 0_2_00A29691
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A60690 push ecx; mov dword ptr [esp], ecx 0_2_00A60691
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BA27F5 push ecx; ret 0_2_00BA2808
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B498C0 push ecx; mov dword ptr [esp], ecx 0_2_00B498C1
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BA2936 push ecx; ret 0_2_00BA2949
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B49900 push ecx; mov dword ptr [esp], ecx 0_2_00B49901
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B48BB0 push ecx; mov dword ptr [esp], ecx 0_2_00B48BB1
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A0DB30 push ecx; mov dword ptr [esp], ecx 0_2_00A0DB31
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A17DE0 push ecx; mov dword ptr [esp], ecx 0_2_00A17DE1
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00A10D40 push ecx; mov dword ptr [esp], ecx 0_2_00A10D41
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009E7910 IsIconic, 0_2_009E7910
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_009E9D60 IsIconic,IsZoomed,IsIconic,BringWindowToTop,ShowWindow, 0_2_009E9D60
Source: C:\Users\user\Desktop\Start.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BA7043 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BA7043
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BA91C3 mov eax, dword ptr fs:[00000030h] 0_2_00BA91C3
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BC5CB8 mov eax, dword ptr fs:[00000030h] 0_2_00BC5CB8
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BA2137 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BA2137
Source: C:\Users\user\Desktop\Start.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00B061D0
Source: C:\Users\user\Desktop\Start.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00BCB627
Source: C:\Users\user\Desktop\Start.exe Code function: EnumSystemLocalesW, 0_2_00BCB8CD
Source: C:\Users\user\Desktop\Start.exe Code function: EnumSystemLocalesW, 0_2_00BCB9B3
Source: C:\Users\user\Desktop\Start.exe Code function: EnumSystemLocalesW, 0_2_00BCB918
Source: C:\Users\user\Desktop\Start.exe Code function: EnumSystemLocalesW, 0_2_00BC4956
Source: C:\Users\user\Desktop\Start.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00BCBDBB
Source: C:\Users\user\Desktop\Start.exe Code function: GetLocaleInfoW, 0_2_00BC4EC9
Source: C:\Users\user\Desktop\Start.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00BCBF96
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BA2B8F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00BA2B8F
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00B2BDC0 GetUserNameW,GetEnvironmentVariableW, 0_2_00B2BDC0
Source: C:\Users\user\Desktop\Start.exe Code function: 0_2_00BBF0CB _free,GetTimeZoneInformation,_free, 0_2_00BBF0CB
No contacted IP infos