Windows Analysis Report
kL1iGwj1Iu.exe

Overview

General Information

Sample name: kL1iGwj1Iu.exe
(renamed because the original name is a hash value)
Original sample name: 7bb53203df909b0a4e2eb51d3ab8ea3245af998a74e42c663079c8ce9588a0f1.exe
Analysis ID: 1428550
MD5: 33366b21fa290d88a4c4e695959fe48f
SHA1: 40daec9ff6beb43a2fa4e40d349dcefb718ed6ff
SHA256: 7bb53203df909b0a4e2eb51d3ab8ea3245af998a74e42c663079c8ce9588a0f1
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: kL1iGwj1Iu.exe Avira: detected
Source: kL1iGwj1Iu.exe ReversingLabs: Detection: 82%
Source: kL1iGwj1Iu.exe Virustotal: Detection: 67%
Source: kL1iGwj1Iu.exe Joe Sandbox ML: detected
Source: kL1iGwj1Iu.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: kL1iGwj1Iu.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: kL1iGwj1Iu.exe, 00000000.00000000.1654186321.00000000004C4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameA vs kL1iGwj1Iu.exe
Source: kL1iGwj1Iu.exe, 00000000.00000002.1656056615.000000000092E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs kL1iGwj1Iu.exe
Source: kL1iGwj1Iu.exe Binary or memory string: OriginalFilenameA vs kL1iGwj1Iu.exe
Source: classification engine Classification label: mal60.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\kL1iGwj1Iu.exe.log
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Mutant created: NULL
Source: kL1iGwj1Iu.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: kL1iGwj1Iu.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: kL1iGwj1Iu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Memory allocated: E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Memory allocated: 4B30000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe TID: 6744 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\kL1iGwj1Iu.exe Memory allocated: page read and write | page guard
No contacted IP infos