Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1427025
MD5: 4abca4ce3b4f93811359c9bfa0069878
SHA1: d4574fbd9741d1945c6d02cbb33fb398e9bc1d27
SHA256: 8523f06f8b50885c4b4895a09eae4acf06b4852966c7acd8ce0e2d1d9727f568
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
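Three of the signatures above are static section checks on the dropped file (section name with special characters, non-standard section names, and the ZLIB-complexity score of 0.998 on the H|s1ii4Y section listed further down). They can be reproduced offline without the sandbox. The following is an added example written for this report, not code from the sandbox vendor, from WinRAR or from the sample; it uses only the Python standard library, assumes "ZLIB complexity" means compressed size divided by raw size (the exact formula is not given on the page), and runs on a constructed look-alike PE image rather than the real YYF2G.a.

```python
"""Static PE section triage: list sections, flag non-standard / special-character
names, and score how incompressible (packed or encrypted) each section's bytes are.

Added example for this report; not code from the sandbox vendor, WinRAR or the sample.
"zlib complexity" is assumed to be compressed size / raw size (1.0 = incompressible).
"""
import random
import re
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names the common toolchains emit (assumed allow-list; extend it for your own estate).
STANDARD_SECTIONS = {
    b".text", b".rdata", b".data", b".idata", b".edata", b".pdata", b".rsrc", b".reloc",
    b".bss", b".tls", b".CRT", b".didat", b".gfids", b".00cfg", b".xdata", b".debug",
    b".textbss", b"INIT", b"PAGE",
}
ORDINARY_NAME = re.compile(rb"^\.?[A-Za-z0-9_]+$")  # optional dot, then word characters only


@dataclass
class Section:
    name: str
    raw_size: int
    executable: bool
    zlib_complexity: float
    non_standard: bool
    special_chars: bool


def zlib_complexity(data: bytes) -> float:
    """Deflate-compressed size over raw size: code and tables sit well below 1.0,
    already-compressed or encrypted payloads sit at about 1.0."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def parse_sections(pe: bytes) -> List[Section]:
    """Walk the COFF section table of a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsec):
        raw_name, _vsize, _va, raw_size, raw_ptr, *_rest, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        name = raw_name.split(b"\0", 1)[0]
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(
            name=name.decode("latin-1"),
            raw_size=raw_size,
            executable=bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)),
            zlib_complexity=zlib_complexity(data),
            non_standard=name not in STANDARD_SECTIONS,
            special_chars=ORDINARY_NAME.match(name) is None,
        ))
    return sections


def suspicious_sections(sections: List[Section], threshold: float = 0.9) -> Dict[str, List[str]]:
    """Section name -> reasons, mirroring the report's three section signatures."""
    findings: Dict[str, List[str]] = {}
    for s in sections:
        reasons = []
        if s.special_chars:
            reasons.append("special-chars")
        if s.non_standard:
            reasons.append("non-standard-name")
        if s.zlib_complexity >= threshold:
            reasons.append("high-zlib-complexity")
        if reasons:
            findings[s.name] = reasons
    return findings


def build_sample_pe(sections: List[Tuple[bytes, bytes, int]]) -> bytes:
    """Assemble a minimal, non-runnable PE32 image (constructed test input)."""
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table, body, va = b"", b"", 0x1000
    for name, data, chars in sections:
        size = (len(data) + file_align - 1) // file_align * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va, size,
                             raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data.ljust(size, b"\0")
        va += max(size, 0x1000)
    image = dos + b"PE\0\0" + coff + optional + table
    return image.ljust(raw_ptr, b"\0") + body


def sample_image() -> bytes:
    """Constructed look-alike of the dropped file: a normal .text plus the PACK and
    H|s1ii4Y section names from the report (section contents are made up)."""
    rng = random.Random(0xF2)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for packed code
    code_rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    data_rw = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return build_sample_pe([
        (b".text", b"\x55\x8b\xec" * 300, code_rx),
        (b"PACK", b"\0" * 0x300, data_rw),
        (b"H|s1ii4Y", payload, code_rx | IMAGE_SCN_MEM_WRITE),
    ])


if __name__ == "__main__":
    secs = parse_sections(sample_image())
    for s in secs:
        print(f"{s.name:10} size={s.raw_size:#07x} exec={s.executable!s:5} zlib={s.zlib_complexity:.3f}")
    print(suspicious_sections(secs))
```

To run it against the real dropped file, pass the file's bytes to parse_sections. A ratio close to 1.0 on a section that is also executable is what a packed or encrypted code section looks like before it is unpacked at run time.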

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\YYF2G.a Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected

System Summary

Source: YYF2G.a.0.dr Static PE information: section name: H|s1ii4Y
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051DBDC0 NtCreateThreadEx, 1_2_051DBDC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F6720F 0_2_00F6720F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F6E3FB 0_2_00F6E3FB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F6FBD3 0_2_00F6FBD3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F6837D 0_2_00F6837D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F7E430 0_2_00F7E430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F82578 0_2_00F82578
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F62606 0_2_00F62606
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F827A7 0_2_00F827A7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F70870 0_2_00F70870
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F68934 0_2_00F68934
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F8AA50 0_2_00F8AA50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F68D89 0_2_00F68D89
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F8AEFE 0_2_00F8AEFE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F8EE32 0_2_00F8EE32
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_050B1634 1_2_050B1634
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_050B310C 1_2_050B310C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_050B1000 1_2_050B1000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_050B5620 1_2_050B5620
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_050B2078 1_2_050B2078
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_050B2D58 1_2_050B2D58
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_050B5258 1_2_050B5258
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051D4300 1_2_051D4300
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051DC150 1_2_051DC150
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051DB370 1_2_051DB370
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051DCF70 1_2_051DCF70
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051DB79D 1_2_051DB79D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051D1290 1_2_051D1290
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051D39C0 1_2_051D39C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051DBDC0 1_2_051DBDC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051DAD40 1_2_051DAD40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051D3C60 1_2_051D3C60
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051DCA80 1_2_051DCA80
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051D36C0 1_2_051D36C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_051DB0E0 1_2_051DB0E0
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00F7C468 appears 54 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: YYF2G.a.0.dr Static PE information: Section: H|s1ii4Y ZLIB complexity 0.9982600954403035
Source: classification engine Classification label: mal52.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F62E6F GetLastError,FormatMessageW,_wcslen,LocalFree, 0_2_00F62E6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F75C5C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00F75C5C
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5752750
Source: C:\Users\user\Desktop\file.exe Command line argument: sfxname 0_2_00F7B2FE
Source: C:\Users\user\Desktop\file.exe Command line argument: sfxstime 0_2_00F7B2FE
Source: C:\Users\user\Desktop\file.exe Command line argument: STARTDLG 0_2_00F7B2FE
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" -S .\YYF2G.A
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: file.exe Static file information: File size 2237084 > 1048576
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: i:\IrQiF\cqyBw\whQMM.pdb source: YYF2G.a
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: file.exe
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: file.exe Static PE information: section name: .didat
Source: YYF2G.a.0.dr Static PE information: section name: PACK
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F7D4B0 push ecx; ret 0_2_00F7D4C3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F7C403 push ecx; ret 0_2_00F7C416
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\YYF2G.a
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\YYF2G.a
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F64D8A __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00F64D8A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F78590 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW, 0_2_00F78590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F7BC1D VirtualQuery,GetSystemInfo, 0_2_00F7BC1D
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F812B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F812B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F853C2 mov eax, dword ptr fs:[00000030h] 0_2_00F853C2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F893D0 GetProcessHeap, 0_2_00F893D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F7D242 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F7D242
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F7D3E5 SetUnhandledExceptionFilter, 0_2_00F7D3E5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F7C69D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F7C69D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F7D05E cpuid 0_2_00F7D05E
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00F76CF5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F7B2FE GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00F7B2FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F65032 GetVersionExW, 0_2_00F65032
No contacted IP infos
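The behaviour chain that matters for detection is file.exe (a WinRAR SFX stub, per the sfxzip.pdb path) dropping YYF2G.a into %TEMP% and launching regsvr32 with -S against it. The "Dropped PE file which has not been started" line should not be read as the module never running: regsvr32 was spawned with that file as its argument, and the report lists code functions analysed inside the regsvr32 process (the 1_2_050B… and 1_2_051D… entries, one of them calling NtCreateThreadEx), which is what loading the DLL and calling its DllRegisterServer export looks like. The following is an added example written for this report, not code from the sandbox vendor or any EDR product; it runs a process-creation detection for this pattern over constructed events. The event fields are a stand-in for Sysmon Event ID 1 style records, and the installer-parent allow-list and the alert threshold are assumptions to tune per environment.

```python
"""Detect regsvr32 proxy execution of a dropped module with a non-DLL extension.

Added example for this report; not code from the sandbox vendor or any EDR.
ProcessEvent is a constructed stand-in for Sysmon Event ID 1 / EDR process-creation
records (assumed schema).
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DLL_EXTENSIONS = {".dll", ".ocx", ".ax"}           # what regsvr32 is normally handed
SILENT_FLAGS = {"/s", "-s"}                         # suppress regsvr32's message boxes
SKIP_FLAGS = {"/s", "-s", "/u", "-u", "/n", "-n"}   # switches that do not take a path
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\",
                 "\\public\\", "\\programdata\\")
# Parents that legitimately register COM servers (assumed allow-list; tune per estate).
INSTALLER_PARENTS = {"msiexec.exe", "setup.exe", "svchost.exe", "services.exe"}
ALERT_THRESHOLD = 2  # a lone silent flag is ordinary installer behaviour (assumed)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    current_directory: str


def split_cmdline(cmd: str) -> List[str]:
    """Minimal Windows-style tokenizer: quoted strings or whitespace-delimited words."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def regsvr32_target(cmd: str, cwd: str) -> Optional[str]:
    """Module regsvr32 was asked to load, with a relative path resolved against cwd."""
    for arg in split_cmdline(cmd)[1:]:
        low = arg.lower()
        if low in SKIP_FLAGS or low.startswith(("/i", "-i")):  # /i:cmdline carries its value inline
            continue
        return arg if ntpath.isabs(arg) else ntpath.normpath(ntpath.join(cwd, arg))
    return None


def assess(ev: ProcessEvent) -> List[str]:
    """Indicators present on one regsvr32 launch; empty for any other image."""
    reasons: List[str] = []
    if ntpath.basename(ev.image).lower() != "regsvr32.exe":
        return reasons
    # A 32-bit parent asking for System32\regsvr32.exe is redirected to SysWOW64, so the
    # image path and the command line differ; that alone is not an indicator.
    args = [a.lower() for a in split_cmdline(ev.command_line)[1:]]
    if any(a in SILENT_FLAGS for a in args):
        reasons.append("silent-flag")
    target = regsvr32_target(ev.command_line, ev.current_directory)
    if target is not None:
        if ntpath.splitext(target)[1].lower() not in DLL_EXTENSIONS:
            reasons.append("non-dll-extension")
        if any(marker in target.lower() for marker in USER_WRITABLE):
            reasons.append("user-writable-target")
    parent = ev.parent_image.lower()
    if (ntpath.basename(parent) not in INSTALLER_PARENTS
            and any(marker in parent for marker in USER_WRITABLE)):
        reasons.append("parent-in-user-dir")
    return reasons


def detect(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Event index -> reasons for every event whose stacked indicators reach the threshold."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        reasons = assess(ev)
        if len(reasons) >= ALERT_THRESHOLD:
            hits[i] = reasons
    return hits


SAMPLE_EVENTS = [  # constructed records; the first mirrors the process tree in this report
    ProcessEvent(
        parent_image=r"C:\Users\user\Desktop\file.exe",
        image=r"C:\Windows\SysWOW64\regsvr32.exe",
        command_line=r'"C:\Windows\System32\regsvr32.exe" -S .\YYF2G.A',
        current_directory=r"C:\Users\user\AppData\Local\Temp",
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\System32\msiexec.exe",
        image=r"C:\Windows\System32\regsvr32.exe",
        command_line=r'regsvr32.exe /s "C:\Program Files\Vendor\vendorctl.dll"',
        current_directory=r"C:\Windows\System32",
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\System32\cmd.exe",
        image=r"C:\Windows\System32\regsvr32.exe",
        command_line=r"regsvr32 C:\Windows\System32\shell32.dll",
        current_directory=r"C:\Users\admin",
    ),
]

if __name__ == "__main__":
    for i, reasons in detect(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev.parent_image} -> {ev.command_line} [{', '.join(reasons)}]")
```

Only the first event fires, on four stacked indicators: the silent flag, a target whose extension is not a DLL extension, a target resolved into the user's Temp directory, and a parent executable launched from the Desktop. The msiexec-driven registration trips only the silent flag and stays below the threshold, which is the point of stacking rather than alerting on regsvr32 /s alone.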