Windows Analysis Report
Uqt8tDIQYk.exe

Overview

General Information

Sample name: Uqt8tDIQYk.exe
renamed because original name is a hash value
Original sample name: 26422abceca3d5ce14d064e290678221.exe
Analysis ID: 1430596
MD5: 26422abceca3d5ce14d064e290678221
SHA1: 9bde1cf1e554872705cc38c9591b77b59c3aa597
SHA256: 495a744f783348c8a6ef1c048ea3e62d3903b00c66e9be21bb374d59d18b682e
Tags: exe, LummaStealer

Detection

LummaC Stealer
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Machine Learning detection for sample
PE file contains section with special chars
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Uqt8tDIQYk.exe Avira: detected
Source: blockbeerman.fun Avira URL Cloud: Label: malware
Source: Uqt8tDIQYk.exe Malware Configuration Extractor: LummaC {"C2 url": ["blockbeerman.fun"], "Build Id": "GRAKRA--SHELL"}
Source: Uqt8tDIQYk.exe ReversingLabs: Detection: 84%
Source: Uqt8tDIQYk.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00439948 _strlen,CryptStringToBinaryA,CryptStringToBinaryA, 0_2_00439948
Source: Uqt8tDIQYk.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: storagewmi_passthru.pdbGCTL source: Uqt8tDIQYk.exe
Source: Binary string: storagewmi_passthru.pdb source: Uqt8tDIQYk.exe
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00457BCC FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00457BCC

Networking

Source: Malware configuration extractor URLs: blockbeerman.fun
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_0043A3A3 GetProcAddress,InternetQueryDataAvailable,GetProcAddress,GetProcAddress,InternetReadFile,GetModuleHandleW,GetProcAddress,GetProcAddress,_strlen,InternetQueryDataAvailable,GetProcAddress,GetProcAddress, 0_2_0043A3A3

System Summary

Source: Uqt8tDIQYk.exe Static PE information: section name: .'w(
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_0040B3D2 LoadLibraryA,GetProcAddress,NtRaiseHardError,ExitProcess, 0_2_0040B3D2
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: String function: 00440310 appears 50 times
Source: Uqt8tDIQYk.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal96.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Command line argument: ~&E 0_2_004525D0
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Uqt8tDIQYk.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe File read: C:\Users\user\Desktop\Uqt8tDIQYk.exe
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Section loaded: wininet.dll
Source: Binary string: storagewmi_passthru.pdbGCTL source: Uqt8tDIQYk.exe
Source: Binary string: storagewmi_passthru.pdb source: Uqt8tDIQYk.exe
Source: Uqt8tDIQYk.exe Static PE information: section name: ucnttp
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_0040192C push eax; mov dword ptr [esp], 00000000h 0_2_00401931
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00458378 push ecx; ret 0_2_0045838B
Source: Uqt8tDIQYk.exe Static PE information: section name: .text entropy: 6.8318134628828755
Source: Uqt8tDIQYk.exe Static PE information: section name: .'w( entropy: 7.197097448912549

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: Sleep,Sleep,GetCursorPos,Sleep,GetCursorPos,GetCursorPos,GetCursorPos, 0_2_004258A1
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 0_2_004226F8
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe API coverage: 2.7 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00457BCC FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00457BCC
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00440135 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00440135
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_0040B3D2 LoadLibraryA,GetProcAddress,NtRaiseHardError,ExitProcess, 0_2_0040B3D2
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_0043EB69 mov eax, dword ptr fs:[00000030h] 0_2_0043EB69
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00449B9A mov ecx, dword ptr fs:[00000030h] 0_2_00449B9A
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00455725 mov eax, dword ptr fs:[00000030h] 0_2_00455725
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00431A18 GetProcessHeap,GetDIBits,ReleaseDC,GetProcessHeap,GetObjectW,GetProcessHeap,HeapAlloc,GetDC,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapFree,HeapFree,GetProcessHeap,HeapFree, 0_2_00431A18
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00440129 SetUnhandledExceptionFilter, 0_2_00440129
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00440640 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00440640
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00453F4B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00453F4B
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00440358 cpuid 0_2_00440358
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_0044C351 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0044C351
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe Code function: 0_2_00459824 GetTimeZoneInformation, 0_2_00459824

Stealing of Sensitive Information

Source: Yara match File source: Uqt8tDIQYk.exe, type: SAMPLE
Source: Yara match File source: 0.2.Uqt8tDIQYk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Uqt8tDIQYk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2877797183.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: Uqt8tDIQYk.exe, type: SAMPLE
Source: Yara match File source: 0.2.Uqt8tDIQYk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Uqt8tDIQYk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2877797183.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

No contacted IP infos