Windows Analysis Report
stage2.exe

Overview

General Information

Sample name: stage2.exe
Analysis ID: 1428251
MD5: f4f731777157f1bc59369be4b286b5cd
SHA1: ebce4a1a3b15bce601671867d36965b15ef4108b
SHA256: fe6328938db1b9c8e3e8b1a92f0cc5ac28a6fd5e0c7e40c521f7b0f408e63c3f
Tags: exe
Infos:

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Binary contains a suspicious time stamp
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Uses 32bit PE files
Source: stage2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: stage2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: BthUdTask.pdbGCTL source: stage2.exe
Source: Binary string: BthUdTask.pdb source: stage2.exe
Sample file is different than original file name gathered from version info
Source: stage2.exe, 00000000.00000002.1641867251.0000000000786000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBthUdTask.exej% vs stage2.exe
Source: stage2.exe Binary or memory string: OriginalFilenameBthUdTask.exej% vs stage2.exe
Uses 32bit PE files
Source: stage2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: clean4.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: stage2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\stage2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\stage2.exe "C:\Users\user\Desktop\stage2.exe"
Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\stage2.exe Section loaded: newdev.dll Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Section loaded: devrtl.dll Jump to behavior
Source: stage2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: stage2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: stage2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: stage2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: stage2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: stage2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: stage2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: stage2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: BthUdTask.pdbGCTL source: stage2.exe
Source: Binary string: BthUdTask.pdb source: stage2.exe
Binary contains a suspicious time stamp
Source: stage2.exe Static PE information: 0xF898BAFC [Thu Mar 2 16:08:28 2102 UTC]
PE file contains an invalid checksum
Source: stage2.exe Static PE information: real checksum: 0x15f44 should be: 0x32e44
PE file contains sections with non-standard names
Source: stage2.exe Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\stage2.exe Code function: 0_2_00782115 push ecx; ret 0_2_00782128
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\stage2.exe API coverage: 9.2 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\stage2.exe Code function: 0_2_0078212F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0078212F
Source: C:\Users\user\Desktop\stage2.exe Code function: 0_2_0078200B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0078200B

No Screenshots

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1428251 Sample: stage2.exe Startdate: 18/04/2024 Architecture: WINDOWS Score: 4 5 stage2.exe 1 2->5         started        process3 7 conhost.exe 5->7         started       
No contacted IP infos