Windows Analysis Report
WinUI.exe

Overview

General Information

Sample name: WinUI.exe
Analysis ID: 1427802
MD5: cbda0e120fd089cb6f31c81dcc3ad065
SHA1: 4f3e30004357b7f570a1719ecd99df25fd9b41c4
SHA256: 76b9211c8ccc28b01827089f4eda07f39a12f603b0e26726cdb0deec2c9a2893

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains sections with non-standard names
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Source: WinUI.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: WinUI.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: WinUI.exe
Source: C:\Users\user\Desktop\WinUI.exe Code function: 0_2_00007FF62E5DFB00 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,Concurrency::cancel_current_task, 0_2_00007FF62E5DFB00
Source: WinUI.exe String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: WinUI.exe String found in binary or memory: https://aka.ms/dotnet-core-applaunch?You
Source: WinUI.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: WinUI.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed&gui=trueShowing
Source: C:\Users\user\Desktop\WinUI.exe Code function: 0_2_00007FF62E5E1AF0 0_2_00007FF62E5E1AF0
Source: C:\Users\user\Desktop\WinUI.exe Code function: 0_2_00007FF62E5D2BA0 0_2_00007FF62E5D2BA0
Source: C:\Users\user\Desktop\WinUI.exe Code function: 0_2_00007FF62E5D6750 0_2_00007FF62E5D6750
Source: C:\Users\user\Desktop\WinUI.exe Code function: 0_2_00007FF62E5D9C20 0_2_00007FF62E5D9C20
Source: C:\Users\user\Desktop\WinUI.exe Code function: 0_2_00007FF62E5DEFF0 0_2_00007FF62E5DEFF0
Source: WinUI.exe Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: WinUI.exe Binary or memory string: OriginalFilename vs WinUI.exe
Source: WinUI.exe, 00000000.00000000.1629017320.00007FF62E5F6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWinUI.dll: vs WinUI.exe
Source: WinUI.exe Binary or memory string: OriginalFilenameWinUI.dll: vs WinUI.exe
Source: classification engine Classification label: clean4.winEXE@1/0@0/0
Source: WinUI.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WinUI.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WinUI.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed&gui=trueShowing error dialog for application: '%s' - error code: 0x%x - url: '%s' - dialog message: %sopenRedirecting errors to custom writer.invalid string position
Source: C:\Users\user\Desktop\WinUI.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\WinUI.exe Section loaded: kernel.appcore.dll
Source: WinUI.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: WinUI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WinUI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WinUI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WinUI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WinUI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WinUI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: WinUI.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WinUI.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WinUI.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WinUI.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WinUI.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\WinUI.exe Code function: 0_2_00007FF62E5DF400 LoadLibraryA,GetProcAddress,_invalid_parameter_noinfo_noreturn, 0_2_00007FF62E5DF400
Source: WinUI.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\WinUI.exe API coverage: 8.0 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\WinUI.exe Code function: 0_2_00007FF62E5E4120 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF62E5E4120
Source: C:\Users\user\Desktop\WinUI.exe Code function: 0_2_00007FF62E5E3DD0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF62E5E3DD0
Source: C:\Users\user\Desktop\WinUI.exe Code function: 0_2_00007FF62E5E42C8 SetUnhandledExceptionFilter, 0_2_00007FF62E5E42C8
Source: C:\Users\user\Desktop\WinUI.exe Code function: 0_2_00007FF62E5E433C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF62E5E433C
No contacted IP infos