Windows Analysis Report
adminpriv.exe

Overview

General Information

Sample name: adminpriv.exe
Analysis ID: 1430490
MD5: 5cae01aea8ed390ce9bec17b6c1237e4
SHA1: 3a80a49efaac5d839400e4fb8f803243fb39a513
SHA256: 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: adminpriv.exe ReversingLabs: Detection: 54%
Source: adminpriv.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\Projects\NSudo\Output\Release\x64\NSudo.pdbSS source: adminpriv.exe
Source: Binary string: E:\Projects\NSudo\Output\Release\x64\NSudo.pdb source: adminpriv.exe
Source: adminpriv.exe String found in binary or memory: https://forums.mydigitallife.net/threads/59268/
Source: adminpriv.exe String found in binary or memory: https://github.com/M2Team/NSudo
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C204AC memset,GetCurrentProcess,OpenProcessToken,CreateProcessAsUserW,SetPriorityClass,ResumeThread,WaitForSingleObjectEx,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle, 5_2_00007FF746C204AC
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C1F0D8 5_2_00007FF746C1F0D8
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C21DCC 5_2_00007FF746C21DCC
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C20B88 5_2_00007FF746C20B88
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C19A08 5_2_00007FF746C19A08
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C20104 5_2_00007FF746C20104
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C26088 5_2_00007FF746C26088
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C15E0C 5_2_00007FF746C15E0C
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C2CE91 5_2_00007FF746C2CE91
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C1F680 5_2_00007FF746C1F680
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C13508 5_2_00007FF746C13508
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C2C294 5_2_00007FF746C2C294
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C16224 5_2_00007FF746C16224
Source: adminpriv.exe Binary or memory string: OriginalFilename vs adminpriv.exe
Source: adminpriv.exe, 00000005.00000000.52386766550.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameNSudo.exe, vs adminpriv.exe
Source: adminpriv.exe Binary or memory string: OriginalFilenameNSudo.exe, vs adminpriv.exe
Source: classification engine Classification label: sus36.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C21348 AdjustTokenPrivileges,GetLastError, 5_2_00007FF746C21348
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C21168 GetTokenInformation,GetLastError,malloc,GetTokenInformation,AdjustTokenPrivileges,GetLastError,SetLastError,free, 5_2_00007FF746C21168
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C13450 SetLastError,FindResourceExW,SizeofResource,LoadResource,LockResource,GetLastError,GetLastError,GetLastError, 5_2_00007FF746C13450
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C13508 OpenSCManagerW,OpenServiceW,QueryServiceStatusEx,StartServiceW,GetTickCount64,SleepEx,CloseServiceHandle,CloseServiceHandle, 5_2_00007FF746C13508
Source: adminpriv.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\adminpriv.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: adminpriv.exe String found in binary or memory: t console window. PS: If you want to create a process with the new console window, please do not include the "-UseCurrentConsole" parameter. -Version Show version information of NSudo. -? Show this content. -H Show this content. -Help Show this cont
Source: adminpriv.exe String found in binary or memory: nt. Context Menu: -Install Copy NSudo to the Windows directory and add the context menu. -Uninstall Remove NSudo in the Windows directory and the context menu. PS: 1. All NSudo command arguments is case-insensitive. 2. You can use the
Source: adminpriv.exe String found in binary or memory: -? -H -Help -Install NSudoWindows
Source: adminpriv.exe String found in binary or memory: -Help
Source: adminpriv.exe String found in binary or memory: -Install
Source: adminpriv.exe String found in binary or memory: -Help Show this content.
Source: adminpriv.exe String found in binary or memory: -Install Copy NSudo to the Windows directory and add the context menu.
Source: adminpriv.exe String found in binary or memory: -Help Affiche l'aide.
Source: adminpriv.exe String found in binary or memory: -Install Copie NSudo dans le r
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: msvcp60.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Automated click: Run (repeated 22 times)
Source: C:\Users\user\Desktop\adminpriv.exe Automated click: OK (repeated 22 times)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: adminpriv.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: adminpriv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: adminpriv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: adminpriv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: adminpriv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: adminpriv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: adminpriv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: adminpriv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: adminpriv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: adminpriv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: adminpriv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: adminpriv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
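The static PE facts above (DllCharacteristics, image base, data directories and the section each one lives in, section flags) can be reproduced without the sandbox. The following is an added triage helper written for this page; it is not part of the Joe Sandbox report and not NSudo code. It parses the DOS/NT headers with the standard library only. The image it analyses, built by build_sample_pe64(), is a constructed minimal PE32+ that mirrors the layout the report describes (same DllCharacteristics, same directory-to-section mapping); it is not the analysed sample, and the values it returns come from that constructed image.

```python
"""Added triage helper; it is not part of the sandbox report or of NSudo.
Parses PE headers with the standard library only and reports the static facts
the report lists: image base, DllCharacteristics, data directories, the section
each directory lives in, and section flags. build_sample_pe64() constructs a
minimal PE32+ image inline so the code runs offline; it is NOT the real sample."""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
DATA_DIRS = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
             "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Parse DOS/NT headers of a PE32 or PE32+ image; raises ValueError if malformed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                      # IMAGE_FILE_HEADER
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                     # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        n_dirs_off, dd_off = opt + 108, opt + 112
    elif magic == 0x10B:                   # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        n_dirs_off, dd_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    dirs = {}
    for i in range(min(n_dirs, 16)):
        rva, size = struct.unpack_from("<II", data, dd_off + 8 * i)
        if rva or size:
            dirs[DATA_DIRS[i]] = (rva, size)
    sections, off = {}, opt + opt_size     # section table follows the optional header
    for _ in range(nsections):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "va": va, "vsize": vsize, "flags": _flags(chars, SECTION_FLAGS)}
        off += 40
    return {"machine": machine, "image_base": image_base,
            "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
            "data_directories": dirs, "sections": sections}


def section_for_rva(parsed, rva):
    """Name of the section containing rva (the report's 'is in: .rdata')."""
    for name, s in parsed["sections"].items():
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return name
    return None


def static_findings(parsed):
    """Static facts in the report's own wording, plus a missing-ASLR/DEP warning."""
    out = ["DllCharacteristics: " + ", ".join(parsed["dll_characteristics"])]
    if parsed["image_base"] > 0x60000000:
        out.append("Image base 0x%x > 0x60000000" % parsed["image_base"])
    for flag in ("DYNAMIC_BASE", "NX_COMPAT"):
        if flag not in parsed["dll_characteristics"]:
            out.append("WARNING: built without %s" % flag)
    for name, (rva, _) in parsed["data_directories"].items():
        out.append("IMAGE_DIRECTORY_ENTRY_%s is in: %s" % (name, section_for_rva(parsed, rva)))
    for name, s in parsed["sections"].items():
        out.append("Section: %s %s" % (name, ", ".join(s["flags"])))
    return out


def build_sample_pe64():
    """Constructed PE32+ test image (not the real sample) with the report's layout."""
    dll_chars = 0x0020 | 0x0040 | 0x0100 | 0x8000
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0x2000, 0x100), (0x4000, 0x200), (0x5000, 0x40)
    dirs[6], dirs[10], dirs[12] = (0x2200, 0x1C), (0x2300, 0x100), (0x2400, 0x80)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0x1000, 0x3000, 0, 0x1000, 0x1000, 0x140000000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x6000, 0x400, 0, 3, dll_chars,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)

    def sec(name, va, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x1000, 0, 0, 0, 0, 0, chars)
    secs = (sec(b".text", 0x1000, 0x60000020) + sec(b".rdata", 0x2000, 0x40000040)
            + sec(b".rsrc", 0x4000, 0x40000040) + sec(b".reloc", 0x5000, 0x42000040))
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 4, 0, 0, 0, len(opt), 0x22)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + file_hdr + opt + secs
```

On a real file, call static_findings(parse_pe(open(path, "rb").read())). Note that the report's "Image base 0x140000000 > 0x60000000" line is the default x64 image base and not suspicious on its own; the flags that matter for triage are DYNAMIC_BASE and NX_COMPAT, which the helper warns about when absent.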
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C1E1E0 LoadLibraryW,GetProcAddress,FreeLibrary, 5_2_00007FF746C1E1E0
Source: C:\Users\user\Desktop\adminpriv.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\adminpriv.exe API coverage: 9.6 %
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C2B808 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 5_2_00007FF746C2B808
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C2BB3C GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 5_2_00007FF746C2BB3C
Source: C:\Users\user\Desktop\adminpriv.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C2C850 IsProcessorFeaturePresent,memset,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FF746C2C850
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C2C5D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FF746C2C5D0
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C2B280 SetUnhandledExceptionFilter, 5_2_00007FF746C2B280
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C2B470 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF746C2B470
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C20104 CreateRestrictedToken,GetTokenInformation,GetLastError,malloc,SetLastError,GetTokenInformation,SetTokenInformation,GetTokenInformation,GetLastError,malloc,GetTokenInformation,AllocateAndInitializeSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,EqualSid,AddAce,GetAce,SetTokenInformation,SetTokenInformation,free,FreeSid,free,free,CloseHandle, 5_2_00007FF746C20104
Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C2B6D0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,GetTickCount64,GetTickCount64,QueryPerformanceCounter, 5_2_00007FF746C2B6D0
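The "Code function" lines above are the evidence behind the signatures "Enables debug privileges", "Contains functionality to launch a process as a different user" and the restricted-token chain at 5_2_00007FF746C20104: the API order inside each function tells the analyst what it does (GetCurrentProcess then OpenProcessToken then CreateProcessAsUserW is a child launched under a copy of the tool's own token; CreateRestrictedToken followed by InitializeAcl, AddAccessAllowedAce and SetTokenInformation is a token being rebuilt with a new DACL). The following is an added triage helper written for this page, not part of the Joe Sandbox report and not NSudo code. It recovers each function's API chain from the report text and matches it against ordered API subsequences. The pattern names are my own labels, not Joe Sandbox signature names; the "duplicate_foreign_token" pattern (OpenProcess, OpenProcessToken, DuplicateTokenEx, the shape of token theft from another process) is a generalisation that this report does not show and is included only to illustrate how such a pattern differs from what was observed. The input lines are copied from the report above.

```python
"""Added triage helper; it is not part of the sandbox report or of NSudo.
Recovers the API chain from the report's "Code function" lines and matches each
chain against ordered API patterns. Pattern names are my own labels, not
Joe Sandbox signature names; "duplicate_foreign_token" is a generalisation
(token theft via OpenProcess/DuplicateTokenEx) that this report does NOT show."""
import re

# Constructed input: "Code function" lines copied from the report above.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C204AC memset,GetCurrentProcess,OpenProcessToken,CreateProcessAsUserW,SetPriorityClass,ResumeThread,WaitForSingleObjectEx,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle, 5_2_00007FF746C204AC",
    r"Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C1F0D8 5_2_00007FF746C1F0D8",
    r"Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C21348 AdjustTokenPrivileges,GetLastError, 5_2_00007FF746C21348",
    r"Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C21168 GetTokenInformation,GetLastError,malloc,GetTokenInformation,AdjustTokenPrivileges,GetLastError,SetLastError,free, 5_2_00007FF746C21168",
    r"Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C13508 OpenSCManagerW,OpenServiceW,QueryServiceStatusEx,StartServiceW,GetTickCount64,SleepEx,CloseServiceHandle,CloseServiceHandle, 5_2_00007FF746C13508",
    r"Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C1E1E0 LoadLibraryW,GetProcAddress,FreeLibrary, 5_2_00007FF746C1E1E0",
    r"Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C2B808 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 5_2_00007FF746C2B808",
    r"Source: C:\Users\user\Desktop\adminpriv.exe Code function: 5_2_00007FF746C20104 CreateRestrictedToken,GetTokenInformation,GetLastError,malloc,SetLastError,GetTokenInformation,SetTokenInformation,GetTokenInformation,GetLastError,malloc,GetTokenInformation,AllocateAndInitializeSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,EqualSid,AddAce,GetAce,SetTokenInformation,SetTokenInformation,free,FreeSid,free,free,CloseHandle, 5_2_00007FF746C20104",
]

# Ordered API subsequences (gaps allowed). Order matters: OpenProcessToken
# before CreateProcessAsUserW means "launch a child under a token".
PATTERNS = {
    "enable_token_privilege": ["AdjustTokenPrivileges"],
    "launch_with_own_token": ["GetCurrentProcess", "OpenProcessToken", "CreateProcessAsUserW"],
    "restricted_token_build": ["CreateRestrictedToken", "SetTokenInformation"],
    "acl_edit_on_token": ["InitializeAcl", "AddAccessAllowedAce", "SetTokenInformation"],
    "start_service": ["OpenSCManagerW", "OpenServiceW", "StartServiceW"],
    "dynamic_api_resolution": ["LoadLibraryW", "GetProcAddress"],
    "debugger_check": ["IsDebuggerPresent"],
    # Generalisation, not observed in this report: stealing another process's token.
    "duplicate_foreign_token": ["OpenProcess", "OpenProcessToken", "DuplicateTokenEx"],
}

# "<id> <api>,<api>,...,<api>, <id>" or, with no chain recorded, "<id> <id>".
CODE_FN = re.compile(
    r"Code function: (?P<id>\S+)\s+(?:(?P<apis>[A-Za-z0-9_,]+),\s+)?(?P=id)\s*$")


def parse_code_function(line):
    """Return (function_id, [api, ...]) or None if the line is not a Code function entry."""
    m = CODE_FN.search(line)
    if not m:
        return None
    apis = m.group("apis").split(",") if m.group("apis") else []
    return m.group("id"), apis


def is_subsequence(needle, haystack):
    """True if every API in needle appears in haystack in that order (gaps allowed)."""
    it = iter(haystack)
    return all(api in it for api in needle)


def match_patterns(apis):
    return [name for name, seq in PATTERNS.items() if is_subsequence(seq, apis)]


def triage(lines):
    """Map function id -> matched pattern names, for functions that hit anything."""
    hits = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        fid, apis = parsed
        names = match_patterns(apis)
        if names:
            hits[fid] = names
    return hits


def summarize(hits):
    """Distinct behaviours seen across all functions, sorted for stable output."""
    return sorted({name for names in hits.values() for name in names})
```

Running triage(REPORT_LINES) maps each function to the behaviours its chain shows; summarize() gives the page-level picture. The absence of "duplicate_foreign_token" in the output is the practitioner's caveat: every token the report shows being adjusted or rebuilt is the tool's own, which matches a privilege-elevation utility such as NSudo rather than credential theft, and is why the detection remains "sus" rather than malicious.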
No contacted IP infos