Windows Analysis Report
install_numarkidjliveii+(1).exe

Overview

General Information

Sample name: install_numarkidjliveii+(1).exe
Analysis ID: 1427202
MD5: 049a333248120d695c0b344f9698de4e
SHA1: 422f821ddbb9c70edd991f8f9d40f3b1e31b49db
SHA256: 92cd9486c31b528a0dd4a3b83aa165454143bf8439ecfc65191a99ed2a4e34f7

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: install_numarkidjliveii+(1).exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: install_numarkidjliveii+(1).exe Static PE information: certificate valid
Source: install_numarkidjliveii+(1).exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://ocsp.thawte.com0
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://s2.symcb.com0
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://sv.symcd.com0&
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://www.symauth.com/cps0(
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://www.symauth.com/rpa00
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://www.virtualdj.com/0/
Source: install_numarkidjliveii+(1).exe String found in binary or memory: http://www.winimage.com/zLibDll
Source: install_numarkidjliveii+(1).exe String found in binary or memory: https://d.symcb.com/cps0%
Source: install_numarkidjliveii+(1).exe String found in binary or memory: https://d.symcb.com/rpa0
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008D7080 0_2_008D7080
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008E541E 0_2_008E541E
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008D5C29 0_2_008D5C29
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008DB02A 0_2_008DB02A
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008D7C70 0_2_008D7C70
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008D6D90 0_2_008D6D90
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008D5160 0_2_008D5160
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008E8A9F 0_2_008E8A9F
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008D2A43 0_2_008D2A43
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008E4F70 0_2_008E4F70
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: String function: 008D40B0 appears 34 times
Source: install_numarkidjliveii+(1).exe, 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameinstalladdon.exeB vs install_numarkidjliveii+(1).exe
Source: install_numarkidjliveii+(1).exe Binary or memory string: OriginalFilenameinstalladdon.exeB vs install_numarkidjliveii+(1).exe
Source: classification engine Classification label: clean5.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Command line argument: %s\%s 0_2_008D321A
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Command line argument: %s\%s%s 0_2_008D321A
Source: install_numarkidjliveii+(1).exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe File read: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Section loaded: wintypes.dll
Source: install_numarkidjliveii+(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: install_numarkidjliveii+(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: install_numarkidjliveii+(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: install_numarkidjliveii+(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: install_numarkidjliveii+(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: install_numarkidjliveii+(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: install_numarkidjliveii+(1).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: install_numarkidjliveii+(1).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: install_numarkidjliveii+(1).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: install_numarkidjliveii+(1).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: install_numarkidjliveii+(1).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008D40F6 push ecx; ret 0_2_008D4109
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe API coverage: 9.7 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008DD428 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008DD428
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008DC6A6 mov eax, dword ptr fs:[00000030h] 0_2_008DC6A6
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008E33B1 GetProcessHeap, 0_2_008E33B1
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008D38C3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_008D38C3
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008D3E66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008D3E66
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008D3FF9 SetUnhandledExceptionFilter, 0_2_008D3FF9
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008D410B cpuid 0_2_008D410B
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe Code function: 0_2_008D3D58 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_008D3D58
No contacted IP infos