Windows Analysis Report
werkernel.exe

Overview

General Information

Sample name: werkernel.exe
Analysis ID: 1428900
MD5: c4dd780560091c8d2da429c7c689f84b
SHA1: a2e36c89eb4cddccc4d73bf0525a0da46258d8a0
SHA256: 8b61cadaeda4c14d7bd9e7990c6620e111809cd57ea0ea222063b0cff1f6c316
Tags: exe
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: werkernel.exe ReversingLabs: Detection: 60%
Machine Learning detection for dropped file
Source: C:\Users\Public\Documents\s1.dll Joe Sandbox ML: detected
Machine Learning detection for sample
Source: werkernel.exe Joe Sandbox ML: detected
Source: werkernel.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCB21E0 FindFirstFileExW, 0_2_00007FF74DCB21E0
Detected potential crypto function
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA2650 0_2_00007FF74DCA2650
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA1800 0_2_00007FF74DCA1800
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCB02D8 0_2_00007FF74DCB02D8
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCAB298 0_2_00007FF74DCAB298
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCABA68 0_2_00007FF74DCABA68
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCB5E90 0_2_00007FF74DCB5E90
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCAAE90 0_2_00007FF74DCAAE90
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCB0DEC 0_2_00007FF74DCB0DEC
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCB21E0 0_2_00007FF74DCB21E0
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCABE00 0_2_00007FF74DCABE00
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCAE14C 0_2_00007FF74DCAE14C
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA2D40 0_2_00007FF74DCA2D40
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCAC8C8 0_2_00007FF74DCAC8C8
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCAC490 0_2_00007FF74DCAC490
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCAB094 0_2_00007FF74DCAB094
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCBAC18 0_2_00007FF74DCBAC18
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCB076C 0_2_00007FF74DCB076C
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCB632C 0_2_00007FF74DCB632C
Source: classification engine Classification label: mal56.winEXE@19/1@0/0
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA36B0 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,Thread32Next,GetLastError,HeapFree,FindCloseChangeNotification, 0_2_00007FF74DCA36B0
Source: C:\Users\user\Desktop\werkernel.exe File created: C:\Users\Public\Documents\s1.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: werkernel.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\werkernel.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: werkernel.exe ReversingLabs: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\werkernel.exe "C:\Users\user\Desktop\werkernel.exe"
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Users\user\Desktop\werkernel.exe C:\Users\user\Desktop\werkernel.exe
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Users\user\Desktop\werkernel.exe C:\Users\user\Desktop\werkernel.exe Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: werkernel.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: werkernel.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: werkernel.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: werkernel.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: werkernel.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: werkernel.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: werkernel.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: werkernel.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: werkernel.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: werkernel.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: werkernel.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: werkernel.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: werkernel.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: werkernel.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA2650 GetModuleHandleW,Sleep,HeapCreate,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,PathFileExistsA,PathFileExistsA,SleepEx,PathFileExistsA,CreateProcessA,PathFileExistsA,Sleep,ShellExecuteA,Sleep,PathFileExistsA, 0_2_00007FF74DCA2650
PE file contains sections with non-standard names
Source: werkernel.exe Static PE information: section name: _RDATA
Source: s1.dll.0.dr Static PE information: section name: _RDATA
Drops PE files
Source: C:\Users\user\Desktop\werkernel.exe File created: C:\Users\Public\Documents\s1.dll Jump to dropped file
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA2650 GetModuleHandleW,Sleep,HeapCreate,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,PathFileExistsA,PathFileExistsA,SleepEx,PathFileExistsA,CreateProcessA,PathFileExistsA,Sleep,ShellExecuteA,Sleep,PathFileExistsA, 0_2_00007FF74DCA2650
Source: C:\Users\user\Desktop\werkernel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA36B0 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,Thread32Next,GetLastError,HeapFree,FindCloseChangeNotification, 0_2_00007FF74DCA36B0
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\werkernel.exe Dropped PE file which has not been started: C:\Users\Public\Documents\s1.dll Jump to dropped file
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\werkernel.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCB21E0 FindFirstFileExW, 0_2_00007FF74DCB21E0
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA10A0 GetSystemInfo,VirtualQuery,VirtualQuery,VirtualAlloc,VirtualAlloc, 0_2_00007FF74DCA10A0
Source: C:\Users\user\Desktop\werkernel.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCAEA30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF74DCAEA30
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA5140 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF74DCA5140
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA36B0 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,Thread32Next,GetLastError,HeapFree,FindCloseChangeNotification, 0_2_00007FF74DCA36B0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA2650 GetModuleHandleW,Sleep,HeapCreate,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,PathFileExistsA,PathFileExistsA,SleepEx,PathFileExistsA,CreateProcessA,PathFileExistsA,Sleep,ShellExecuteA,Sleep,PathFileExistsA, 0_2_00007FF74DCA2650
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCB3C1C GetProcessHeap, 0_2_00007FF74DCB3C1C
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCAEA30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF74DCAEA30
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA4D9C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF74DCA4D9C
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA4938 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF74DCA4938
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA4F48 SetUnhandledExceptionFilter, 0_2_00007FF74DCA4F48
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA2650 GetModuleHandleW,Sleep,HeapCreate,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,PathFileExistsA,PathFileExistsA,SleepEx,PathFileExistsA,CreateProcessA,PathFileExistsA,Sleep,ShellExecuteA,Sleep,PathFileExistsA, 0_2_00007FF74DCA2650
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" Jump to behavior
Source: C:\Users\user\Desktop\werkernel.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCBAA60 cpuid 0_2_00007FF74DCBAA60
Source: C:\Users\user\Desktop\werkernel.exe Code function: 0_2_00007FF74DCA4FC0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF74DCA4FC0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1428900 Sample: werkernel.exe Startdate: 19/04/2024 Architecture: WINDOWS Score: 56 35 Multi AV Scanner detection for submitted file 2->35 37 Machine Learning detection for sample 2->37 39 Machine Learning detection for dropped file 2->39 8 werkernel.exe 2 2->8         started        process3 file4 33 C:\Users\Public\Documents\s1.dll, PE32+ 8->33 dropped 11 werkernel.exe 2 8->11         started        13 conhost.exe 8->13         started        process5 process6 15 cmd.exe 1 11->15         started        17 cmd.exe 1 11->17         started        19 cmd.exe 1 11->19         started        21 2 other processes 11->21 process7 23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 21->31         started       
No contacted IP infos