Windows Analysis Report
file.bin.exe

Overview

General Information

Sample name: file.bin.exe
Analysis ID: 1428250
MD5: 3fd97c8116999264c370a1b7fab80ba6
SHA1: 24e252b05b0d1aeec39329784bbfc41a8038ad02
SHA256: 00e18b6dd077d1653a31266e11465e1a9c66362f35eff47c4403850de9370824
Tags: exe

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00D88050 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,CreateNamedPipeW,GetLastError,BCryptGenRandom,CloseHandle,BCryptGenRandom, 0_2_00D88050
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00000001400665F0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GlobalMemoryStatusEx,GetDiskFreeSpaceExW,GetSystemTimes,QueryPerformanceCounter,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 0_2_00000001400665F0
Source: Binary string: C:\BUILD\work\e0dd96435fde7cb0\BUILDS\Release\x64\aswAvBootTimeScanShMin.pdbp source: file.bin.exe
Source: Binary string: C:\BUILD\work\e0dd96435fde7cb0\BUILDS\Release\x64\aswAvBootTimeScanShMin.pdb source: file.bin.exe
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00DA7508 FindFirstFileExW, 0_2_00DA7508
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00D86720 CloseHandle,FindFirstFileW,FindClose, 0_2_00D86720
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00000001400643B0 FindFirstFileExW,GetLastError,PathMatchSpecW,FindNextFileW,GetLastError,FindClose, 0_2_00000001400643B0
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 92.118.112.89:1612
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.89
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00D7F1C0 recv,WSAGetLastError, 0_2_00D7F1C0
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00D87080 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 0_2_00D87080
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00D871E0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 0_2_00D871E0
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00DB1438 NtWriteFile, 0_2_00DB1438
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_000000014004A2A0 NtSetInformationThread,NtSetInformationThread,NtSetInformationThread,EnterCriticalSection,LeaveCriticalSection, 0_2_000000014004A2A0
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_000000014006B700 NtQueryKey, 0_2_000000014006B700
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_000000014006B960 RegCloseKey,SetLastError,RegSetValueExW,RegCloseKey,SetLastError,NtClose, 0_2_000000014006B960
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_0000000140043E70 GetThreadPriority,SetThreadPriority,NtSetInformationThread,NtSetInformationThread, 0_2_0000000140043E70
Source: C:\Users\user\Desktop\file.bin.exe Code function: String function: 0000000140018B50 appears 47 times
Source: C:\Users\user\Desktop\file.bin.exe Code function: String function: 00D75B00 appears 46 times
Source: C:\Users\user\Desktop\file.bin.exe Code function: String function: 00D9E1D0 appears 69 times
Source: file.bin.exe Binary string: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersUnable to retrieve a path of the known folder ({})!Unable to store the path of the module!Unable to retrieve the path of the module!Unable to get the path of the module!ProgramFilesDir%LOCALAPPDATA%ProgramFilesCommon AppData%APPDATA%CommonFilesDirCommonProgramFilesSOFTWARE\Microsoft\Windows\CurrentVersionwUnable to retrieve volume mount point from volume path '{}'!Unable to retrieve volume path from directory '{}'!\Device\LanmanRedirector\\Device\Mup\Unable to convert NT path '{}' to a volume GUID path!Unable to retrieve volume paths for volume '{}'!Unable to enumerate volumes!WSL ProcessMicrosoft Base Cryptographic Provider v1.0P
Source: classification engine Classification label: clean8.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00D87430 GetModuleHandleW,FormatMessageW,GetLastError, 0_2_00D87430
Source: C:\Users\user\Desktop\file.bin.exe Code function: OpenSCManagerW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,GetLastError,GetLastError, 0_2_0000000140053F80
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_0000000140054120 OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,GetLastError,GetLastError,GetLastError, 0_2_0000000140054120
Source: file.bin.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.bin.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.bin.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\file.bin.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\file.bin.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.bin.exe Section loaded: mswsock.dll
Source: file.bin.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.bin.exe Static file information: File size 1658368 > 1048576
Source: file.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.bin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.bin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.bin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.bin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.bin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00D923E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,ReleaseMutex, 0_2_00D923E0
Source: file.bin.exe Static PE information: real checksum: 0x13c37f should be: 0x19d266
Source: file.bin.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00DB1720 push rax; iretd 0_2_00DB1721
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_000000014000C684 push E8000E67h; ret 0_2_000000014000C689
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_0000000140053620 OpenSCManagerW,OpenServiceW,QueryServiceStatus,RegCloseKey,SetLastError,RegCloseKey,SetLastError,RegCloseKey,SetLastError,RegCloseKey,SetLastError,StartServiceW,GetLastError,Sleep,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError, 0_2_0000000140053620
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00000001400683F0 rdtsc 0_2_00000001400683F0
Source: C:\Users\user\Desktop\file.bin.exe API coverage: 1.6 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: file.bin.exe, 00000000.00000002.2876371967.00000000005BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll''
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00DA1494 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DA1494
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_0000000140081DF0 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_0000000140081DF0
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00DA9058 GetProcessHeap, 0_2_00DA9058
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00DB13A8 SetUnhandledExceptionFilter, 0_2_00DB13A8
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00DA6ACC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DA6ACC
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00000001400912F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00000001400912F0
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_0000000140081F98 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0000000140081F98
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00DADBF0 cpuid 0_2_00DADBF0
Source: C:\Users\user\Desktop\file.bin.exe Code function: EnumSystemLocalesW, 0_2_00000001400A3FF4
Source: C:\Users\user\Desktop\file.bin.exe Code function: EnumSystemLocalesW, 0_2_00000001400AD238
Source: C:\Users\user\Desktop\file.bin.exe Code function: EnumSystemLocalesW, 0_2_00000001400AD308
Source: C:\Users\user\Desktop\file.bin.exe Code function: GetLocaleInfoW, 0_2_00000001400A43A0
Source: C:\Users\user\Desktop\file.bin.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_00000001400816D0
Source: C:\Users\user\Desktop\file.bin.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00000001400AD748
Source: C:\Users\user\Desktop\file.bin.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00000001400AD924
Source: C:\Users\user\Desktop\file.bin.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00000001400ACEE8
Source: C:\Users\user\Desktop\file.bin.exe Code function: 0_2_00DA106C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00DA106C