Windows Analysis Report
grade.exe

Overview

General Information

Sample name: grade.exe
Analysis ID: 1430592
MD5: 6e57c402199ce6e7bbf5ede13d4a838e
SHA1: 69fb871bdb2d0fa0af25107215b5187e1f420ada
SHA256: e3eb252b1b009440c097ba7a40d8b2ccc4e233847dec9e1d6c08c5a4439dcc12
Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Source: grade.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6841040D4 FindFirstFileExW, 0_2_00007FF6841040D4
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF68410DD48 0_2_00007FF68410DD48
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840F8588 0_2_00007FF6840F8588
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6841021BC 0_2_00007FF6841021BC
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840F69F0 0_2_00007FF6840F69F0
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840FAA04 0_2_00007FF6840FAA04
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF68410266C 0_2_00007FF68410266C
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840F96A4 0_2_00007FF6840F96A4
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840FCF10 0_2_00007FF6840FCF10
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF684108B64 0_2_00007FF684108B64
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840F733C 0_2_00007FF6840F733C
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF684107F58 0_2_00007FF684107F58
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840F6BD8 0_2_00007FF6840F6BD8
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840F6808 0_2_00007FF6840F6808
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840F784C 0_2_00007FF6840F784C
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF68410C08C 0_2_00007FF68410C08C
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6841040D4 0_2_00007FF6841040D4
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF684102CEC 0_2_00007FF684102CEC
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840FA50C 0_2_00007FF6840FA50C
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840FF4FC 0_2_00007FF6840FF4FC
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840FC920 0_2_00007FF6840FC920
Source: C:\Users\user\Desktop\grade.exe Code function: String function: 00007FF6840F1D30 appears 36 times
Source: classification engine Classification label: clean4.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3004:120:WilError_03
Source: grade.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\grade.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\grade.exe "C:\Users\user\Desktop\grade.exe"
Source: C:\Users\user\Desktop\grade.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\grade.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\grade.exe Section loaded: kernel.appcore.dll
Source: grade.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: grade.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: grade.exe Static PE information: section name: _RDATA
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840FFD94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6840FFD94
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF684106848 GetProcessHeap, 0_2_00007FF684106848
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840F2708 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6840F2708
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840F28B0 SetUnhandledExceptionFilter, 0_2_00007FF6840F28B0
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840F2104 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6840F2104
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF68410DB90 cpuid 0_2_00007FF68410DB90
Source: C:\Users\user\Desktop\grade.exe Code function: 0_2_00007FF6840F25F0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6840F25F0
No contacted IP infos