Windows Analysis Report
wr.exe

Overview

General Information

Sample name: wr.exe
Analysis ID: 1428863
MD5: e2a072228078e6f3cf5073f4af029913
SHA1: 16ed4faf2239de52acdc439e88047984b8510547
SHA256: a742c71ce1ae3316e82d2b8c788b9c6ffd723d8d6da4f94ba5639b84070bb639

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names

Classification

AV Detection

Source: wr.exe Avira: detected
Source: wr.exe ReversingLabs: Detection: 87%
Source: wr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\wr.exe Code function: 4x nop then mov rsi, r9 0_2_005DB2A0
Source: C:\Users\user\Desktop\wr.exe Code function: 4x nop then mov rdi, 0000800000000000h 0_2_005D9DE0
Source: unknown DNS traffic detected: queries for: www.dblikes.top
Source: wr.exe, wr.exe, 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.dblikes.top/winconsistent
Source: wr.exe String found in binary or memory: https://www.sysinternals.com0
Source: C:\Users\user\Desktop\wr.exe Code function: 0_2_00617300 SetWaitableTimer,SetWaitableTimer,NtWaitForSingleObject, 0_2_00617300
Source: C:\Users\user\Desktop\wr.exe Code function: 0_2_006172C0 NtWaitForSingleObject, 0_2_006172C0
Source: C:\Users\user\Desktop\wr.exe Code function: String function: 005FE620 appears 37 times
Source: C:\Users\user\Desktop\wr.exe Code function: String function: 005E8320 appears 54 times
Source: C:\Users\user\Desktop\wr.exe Code function: String function: 005E6A60 appears 31 times
Source: C:\Users\user\Desktop\wr.exe Code function: String function: 005E6960 appears 564 times
Source: C:\Users\user\Desktop\wr.exe Code function: String function: 005E8BA0 appears 563 times
Source: wr.exe Static PE information: invalid certificate
Source: classification engine Classification label: mal60.evad.winEXE@1/0@2/0
Source: C:\Users\user\Desktop\wr.exe Mutant created: \Sessions\1\BaseNamedObjects\abc20259991
Source: C:\Users\user\Desktop\wr.exe File opened: C:\Windows\system32\
Source: C:\Users\user\Desktop\wr.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wr.exe String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: wr.exe String found in binary or memory: C:/Users/Sroc/go/pkg/mod/golang.org/x/sys@v0.17.0/windows/svc/eventlog/install.go
Source: C:\Users\user\Desktop\wr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\wr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\wr.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\wr.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\wr.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\wr.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\wr.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\wr.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\wr.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\wr.exe Section loaded: mswsock.dll
Source: wr.exe Static file information: File size 4445584 > 1048576
Source: wr.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x43aa00
Source: C:\Users\user\Desktop\wr.exe Code function: 0_2_00D9A7C0 LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,ExitProcess, 0_2_00D9A7C0
Source: wr.exe Static PE information: section name: UPX2
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\wr.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\wr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wr.exe Code function: 0_2_006153E0 rdtscp 0_2_006153E0
Source: C:\Users\user\Desktop\wr.exe Code function: 0_2_005E19C0 GetProcessAffinityMask,GetSystemInfo, 0_2_005E19C0
Source: wr.exe, 00000000.00000002.2039272794.000002685E15C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\wr.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\wr.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\wr.exe Code function: 0_2_006153E0 Start: 006153E9 End: 006153FF 0_2_006153E0
Source: C:\Users\user\Desktop\wr.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\wr.exe Code function: 0_2_005F9980 RtlAddVectoredExceptionHandler,RtlAddVectoredContinueHandler,RtlAddVectoredContinueHandler,SetUnhandledExceptionFilter, 0_2_005F9980
No contacted IP infos