Windows Analysis Report
osk[1].exe

Overview

General Information

Sample name: osk[1].exe
Analysis ID: 1417356
MD5: cb6cd09f6a25744a8fa6e4b3e4d260c5
SHA1: e9be2f86e3a3bff02d1953aeccf0ed22284596d4
SHA256: 265b69033cea7a9f8214a34cd9b17912909af46c7a47395dd7bb893a24507e59

Detection

Score: 7
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs

Classification

Source: osk[1].exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: cmd.pdbUGP source: osk[1].exe
Source: Binary string: cmd.pdb source: osk[1].exe
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6022978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 0_2_00007FF6F6022978
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6037B4C FindFirstFileW,FindNextFileW,FindClose, 0_2_00007FF6F6037B4C
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6011560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 0_2_00007FF6F6011560
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F60135B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 0_2_00007FF6F60135B8
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F602823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 0_2_00007FF6F602823C
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F60288C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 0_2_00007FF6F60288C0
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F602898C NtQueryInformationToken, 0_2_00007FF6F602898C
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F60289E4 NtQueryInformationToken,NtQueryInformationToken, 0_2_00007FF6F60289E4
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6027FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 0_2_00007FF6F6027FF8
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F603BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 0_2_00007FF6F603BCF0
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6028114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 0_2_00007FF6F6028114
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6041538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 0_2_00007FF6F6041538
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6013D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 0_2_00007FF6F6013D94
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6015240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 0_2_00007FF6F6015240
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6024224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList, 0_2_00007FF6F6024224
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F60237D8 0_2_00007FF6F60237D8
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6013410 0_2_00007FF6F6013410
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6025554 0_2_00007FF6F6025554
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F601AA54 0_2_00007FF6F601AA54
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6037F00 0_2_00007FF6F6037F00
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6019B50 0_2_00007FF6F6019B50
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6015B70 0_2_00007FF6F6015B70
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6013F90 0_2_00007FF6F6013F90
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F603AFBC 0_2_00007FF6F603AFBC
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6016BE0 0_2_00007FF6F6016BE0
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6012C48 0_2_00007FF6F6012C48
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F603AC4C 0_2_00007FF6F603AC4C
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6027854 0_2_00007FF6F6027854
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6011884 0_2_00007FF6F6011884
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F60218D4 0_2_00007FF6F60218D4
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F601B0D8 0_2_00007FF6F601B0D8
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6018510 0_2_00007FF6F6018510
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6017D30 0_2_00007FF6F6017D30
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6041538 0_2_00007FF6F6041538
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F603D9D0 0_2_00007FF6F603D9D0
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F60181D4 0_2_00007FF6F60181D4
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F601CE10 0_2_00007FF6F601CE10
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6018DF8 0_2_00007FF6F6018DF8
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F603AA30 0_2_00007FF6F603AA30
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6014A30 0_2_00007FF6F6014A30
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6012220 0_2_00007FF6F6012220
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6024224 0_2_00007FF6F6024224
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6017650 0_2_00007FF6F6017650
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F601D250 0_2_00007FF6F601D250
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6019E50 0_2_00007FF6F6019E50
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6015240 0_2_00007FF6F6015240
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6020A6C 0_2_00007FF6F6020A6C
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F603EE88 0_2_00007FF6F603EE88
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F601E680 0_2_00007FF6F601E680
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6016EE4 0_2_00007FF6F6016EE4
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F601372C 0_2_00007FF6F601372C
Source: osk[1].exe, 00000000.00000002.2831027086.00007FF6F606D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs osk[1].exe
Source: osk[1].exe Binary or memory string: OriginalFilenameCmd.Exej% vs osk[1].exe
Source: C:\Users\user\Desktop\osk[1].exe Section loaded: winbrand.dll
Source: C:\Users\user\Desktop\osk[1].exe Section loaded: wldp.dll
Source: classification engine Classification label: clean7.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F60132B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError, 0_2_00007FF6F60132B0
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F603FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z, 0_2_00007FF6F603FB54
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: osk[1].exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\osk[1].exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\osk[1].exe "C:\Users\user\Desktop\osk[1].exe"
Source: C:\Users\user\Desktop\osk[1].exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: osk[1].exe Static PE information: Image base 0x140000000 > 0x60000000
Source: osk[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: osk[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: osk[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: osk[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: osk[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: osk[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: osk[1].exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: osk[1].exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: osk[1].exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: osk[1].exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: osk[1].exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: osk[1].exe Static PE information: 0xD7EE190D [Wed Oct 18 11:03:41 2084 UTC]
Source: osk[1].exe Static PE information: section name: .didat
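Editor's note (added here; not part of the Joe Sandbox report). Read together, the evidence lines point to a benign explanation for the clean7 verdict: the PDB path cmd.pdb, the version-info OriginalFilename Cmd.Exe (the trailing "j%" in that string is residue of the sandbox's string extraction, not part of the name), the conhost.exe child that any console program gets, the _getch/FlushConsoleInputBuffer console loop that leaves the process idle at a prompt, and the read of HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, the Software Restriction Policy rule store, are what a copy of the Windows command interpreter looks like. The on-disk name osk[1].exe follows the WinINet cache naming pattern for a download saved as osk.exe, the name of the On-Screen Keyboard, so the "Sample file is different than original file name gathered from version info" hit is a masquerade indicator (MITRE ATT&CK T1036.005, Match Legitimate Name or Location) and the one finding worth acting on. Two other static hits need a caveat: the link timestamp 0xD7EE190D (year 2084) is the content hash that Microsoft's reproducible builds write into TimeDateStamp rather than a build time, and .didat is the MSVC linker's delay-load import data section, corroborated by the DelayLoadFailureHook/LdrResolveDelayLoadedAPI hit.

The Python script below is an added example written for this page, not code from the report or from Joe Sandbox. Using only the standard library it reproduces those static checks: it walks the PE headers by hand, decodes DllCharacteristics, lists section names, recovers OriginalFilename with a string-scan heuristic (not a full VS_VERSIONINFO parser) and compares it with the on-disk name. build_sample_pe() is a constructed header-only PE32+ blob carrying the values reported for this sample so the script runs offline; it is not the analysed file. triage(data, on_disk_name) returns the parsed fields and a list of findings; its now_ts parameter only exists to make the future-timestamp check deterministic.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# IMAGE_DLLCHARACTERISTICS_* bits (winnt.h), ascending so the output matches the report's order.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND", 0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# Section names the MSVC toolchain emits. .didat (delay-load import data) is listed on purpose: the report
# calls it non-standard, but the linker creates it for every delay-loaded import (see the LdrResolveDelayLoadedAPI hit).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata", ".edata", ".tls", ".bss", ".didat"}

def find_original_filename(data: bytes):
    """Heuristic string scan, not a VS_VERSIONINFO parser: find the UTF-16LE key 'OriginalFilename',
    skip its terminator and alignment padding, and read the UTF-16LE value that follows."""
    key = "OriginalFilename".encode("utf-16-le")
    pos = data.find(key)
    if pos < 0:
        return None
    pos += len(key)
    while data[pos:pos + 2] == b"\0\0":
        pos += 2
    end = pos
    while end < len(data) and data[end:end + 2] != b"\0\0":
        end += 2
    return data[pos:end].decode("utf-16-le", "replace") or None

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:        # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:      # PE32: BaseOfData at +24, 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):                                      # 40-byte IMAGE_SECTION_HEADER entries
        off = opt + opt_size + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, struct.unpack_from("<I", data, off + 36)[0]))   # (name, Characteristics)
    return {
        "pe32plus": magic == 0x20B, "timestamp_raw": ts, "timestamp": EPOCH + timedelta(seconds=ts),
        "image_base": image_base, "sections": sections, "original_filename": find_original_filename(data),
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
    }

def triage(data: bytes, on_disk_name: str, now_ts: int = None):
    """Apply the report's static checks; returns (parsed info, list of findings)."""
    info = parse_pe(data)
    now = EPOCH + timedelta(seconds=now_ts) if now_ts is not None else datetime.now(timezone.utc)
    findings = []
    # A future TimeDateStamp is a classic tampering hint, but Microsoft's reproducible builds store a
    # content hash here, so on a validly signed Windows binary a year like 2084 is expected.
    if info["timestamp"] > now:
        findings.append("link timestamp in the future: " + info["timestamp"].strftime("%Y-%m-%d %H:%M:%S UTC"))
    for flag in ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"):
        if flag not in info["dll_characteristics"]:
            findings.append("mitigation not opted in: " + flag)
    for name, _ in info["sections"]:
        if name not in STANDARD_SECTIONS:
            findings.append("non-standard section name: " + name)
    orig = info["original_filename"]
    if orig and orig.lower() != on_disk_name.lower():
        findings.append(f"on-disk name '{on_disk_name}' differs from version-info OriginalFilename '{orig}'")
    return info, findings

def build_sample_pe(section_names=(".text", ".didat"), original_filename="Cmd.Exe") -> bytes:
    """Constructed header-only PE32+ blob with the static values the report lists for this sample
    (timestamp 0xD7EE190D, image base 0x140000000, five DllCharacteristics flags). Not the analysed file."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0xD7EE190D, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                                     # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x140000000)
    struct.pack_into("<H", opt, 70, 0xC160)  # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|GUARD_CF|TERMINAL_SERVER_AWARE
    table = b""
    for name in section_names:
        hdr, enc = bytearray(40), name.encode("ascii")[:8]
        hdr[:len(enc)] = enc
        struct.pack_into("<I", hdr, 36, 0x60000020)                          # CNT_CODE|MEM_EXECUTE|MEM_READ
        table += bytes(hdr)
    verinfo = ("OriginalFilename".encode("utf-16-le") + b"\0\0\0\0"          # key, terminator, padding
               + original_filename.encode("utf-16-le") + b"\0\0")           # value, terminator
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + verinfo
```

Against a real file, call triage(open(path, "rb").read(), os.path.basename(path)). The name mismatch is the only one of these findings that should drive a response, and it still needs the Authenticode check the script does not perform: on Windows, Get-AuthenticodeSignature on the file, or signtool verify /pa, separates a renamed but validly signed cmd.exe (a living-off-the-land concern, addressed by application control or by SRP rules like the one the sample queried) from a tampered binary.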
Source: C:\Users\user\Desktop\osk[1].exe API coverage: 9.2 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6028B00 DelayLoadFailureHook,LdrResolveDelayLoadedAPI, 0_2_00007FF6F6028B00
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F60363FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF6F60363FC
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F601DF60 GetProcessHeap,RtlFreeHeap,_setjmp,longjmp,VirtualFree, 0_2_00007FF6F601DF60
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F60293B0 SetUnhandledExceptionFilter, 0_2_00007FF6F60293B0
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6028FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6F6028FA4
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F60251EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 0_2_00007FF6F60251EC
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6023140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 0_2_00007FF6F6023140
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F6016EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 0_2_00007FF6F6016EE4
Source: C:\Users\user\Desktop\osk[1].exe Code function: 0_2_00007FF6F601586C GetVersion, 0_2_00007FF6F601586C
No contacted IP infos