Windows Analysis Report
Q7Ct3eA5NE.exe

Overview

General Information

Sample name: Q7Ct3eA5NE.exe
(file extension renamed from tmp to exe; the file was renamed because the original name is a hash value)
Original sample name: 180d57b6af9e76cb88320bd6754ca571e054b2f9f193d2700e724c1fd584b235.tmp
Analysis ID: 1428859
MD5: 59fa1a478f284afac139920f0d64bdcc
SHA1: a42e353a3718f1eb56174ff68e77db2c3c841ac5
SHA256: 180d57b6af9e76cb88320bd6754ca571e054b2f9f193d2700e724c1fd584b235

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Queries keyboard layouts
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Source: Q7Ct3eA5NE.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Q7Ct3eA5NE.exe String found in binary or memory: http://restools.hanzify.org/
Source: Q7Ct3eA5NE.exe String found in binary or memory: http://www.innosetup.com/
Source: Q7Ct3eA5NE.exe String found in binary or memory: http://www.remobjects.com/ps
Source: Q7Ct3eA5NE.exe Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Q7Ct3eA5NE.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Q7Ct3eA5NE.exe, 00000000.00000000.2052230073.0000000000569000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs Q7Ct3eA5NE.exe
Source: Q7Ct3eA5NE.exe Binary or memory string: OriginalFilenameshfolder.dll~/ vs Q7Ct3eA5NE.exe
Source: classification engine Classification label: clean2.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Q7Ct3eA5NE.exe String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: Q7Ct3eA5NE.exe String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: Q7Ct3eA5NE.exe String found in binary or memory: /LoadInf=
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe File read: C:\Users\user\Desktop\Q7Ct3eA5NE.exe
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Section loaded: textshaping.dll
Source: Q7Ct3eA5NE.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Q7Ct3eA5NE.exe Static file information: File size 1486848 > 1048576
Source: Q7Ct3eA5NE.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x148200
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
No contacted IP information