Windows Analysis Report
init_DB.exe

ID:	1430160
Product:	CloudBasic
Start time:	08:21:25
Start date:	23.04.2024
Sample:	init_DB.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	f2663571882c3baa5633db216443cc0a
SHA1:	85a1283578cef91b29c155c8179733332d48b7c9
SHA256:	de3dfcb68228e7f64f30e64980ad8da6629da73b10d5172762aba76721372b7c
Filetype:	Win32 Executable (generic) a (10002005/4) 99.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.bat	ASCII text, with CRLF line terminators	9F4583205CE0445E8C1C1825A610C67E	4D7D01983E56BC441649C85619AE85C6AB76FEEE	523A531AC2645B757AFAD7FE4A60F85F21B369B070DEBC794B64EF7A8D4D8606

AV Detection

Source: init_DB.exe	ReversingLabs: Detection: 50%
Source: init_DB.exe	Virustotal: Detection: 39%			Perma Link

Source: init_DB.exe

Joe Sandbox ML: detected

Compliance

Source: init_DB.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Spreading

Source: C:\Users\user\Desktop\init_DB.exe	File opened: C:\Users\user\AppData\			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	File opened: C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	File opened: C:\Users\user\			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	File opened: C:\Users\user\AppData\Local\			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	File opened: C:\Users\user\AppData\Local\Temp\1413.tmp			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	File opened: C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.tmp			Jump to behavior

System Summary

Source: C:\Users\user\Desktop\init_DB.exe	Code function: 0_2_00411079		0_2_00411079
Source: C:\Users\user\Desktop\init_DB.exe	Code function: 0_2_00411C20		0_2_00411C20
Source: C:\Users\user\Desktop\init_DB.exe	Code function: 0_2_00411033		0_2_00411033
Source: C:\Users\user\Desktop\init_DB.exe	Code function: 0_2_00410C80		0_2_00410C80
Source: C:\Users\user\Desktop\init_DB.exe	Code function: 0_2_00410CA0		0_2_00410CA0
Source: C:\Users\user\Desktop\init_DB.exe	Code function: 0_2_0040B9C7		0_2_0040B9C7
Source: C:\Users\user\Desktop\init_DB.exe	Code function: 0_2_0040FA68		0_2_0040FA68
Source: C:\Users\user\Desktop\init_DB.exe	Code function: 0_2_0040CF18		0_2_0040CF18
Source: C:\Users\user\Desktop\init_DB.exe	Code function: 0_2_0040EFF0		0_2_0040EFF0
Source: C:\Users\user\Desktop\init_DB.exe	Code function: 0_2_00410FB0		0_2_00410FB0

Source: init_DB.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.troj.winEXE@4/1@0/0

Source: C:\Users\user\Desktop\init_DB.exe

Code function: 0_2_00402664 LoadResource,SizeofResource,FreeResource,

0_2_00402664

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03

Source: C:\Users\user\Desktop\init_DB.exe

File created: C:\Users\user\AppData\Local\Temp\1413.tmp

Jump to behavior

Source: C:\Users\user\Desktop\init_DB.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.bat C:\Users\user\Desktop\init_DB.exe"

Source: C:\Users\user\Desktop\init_DB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: init_DB.exe	ReversingLabs: Detection: 50%
Source: init_DB.exe	Virustotal: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\init_DB.exe "C:\Users\user\Desktop\init_DB.exe"
Source: C:\Users\user\Desktop\init_DB.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\init_DB.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.bat C:\Users\user\Desktop\init_DB.exe"
Source: C:\Users\user\Desktop\init_DB.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.bat C:\Users\user\Desktop\init_DB.exe"			Jump to behavior

Source: C:\Users\user\Desktop\init_DB.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	Section loaded: winmm.dll			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior

Data Obfuscation

Source: Yara match	File source: init_DB.exe, type: SAMPLE
Source: Yara match	File source: 0.0.init_DB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.init_DB.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\init_DB.exe

Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0040ADD6

Source: init_DB.exe

Static PE information: section name: .code

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\init_DB.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\init_DB.exe	File opened: C:\Users\user\AppData\			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	File opened: C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	File opened: C:\Users\user\			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	File opened: C:\Users\user\AppData\Local\			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	File opened: C:\Users\user\AppData\Local\Temp\1413.tmp			Jump to behavior
Source: C:\Users\user\Desktop\init_DB.exe	File opened: C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.tmp			Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\init_DB.exe

Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0040ADD6

Source: C:\Users\user\Desktop\init_DB.exe	Code function: 0_2_00409FD0 SetUnhandledExceptionFilter,		0_2_00409FD0
Source: C:\Users\user\Desktop\init_DB.exe	Code function: 0_2_00409FB0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,		0_2_00409FB0

Language, Device and Operating System Detection

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\init_DB.exe

Code function: 0_2_00405573 GetVersionExW,GetVersionExW,

0_2_00405573