Windows Analysis Report
gjswzjReaderper-3.0.20.0830-setup.exe

Overview

General Information

Sample name: gjswzjReaderper-3.0.20.0830-setup.exe
Analysis ID: 1430812
MD5: a7c299857bd7e06b39e75c3fdd1cd79a
SHA1: 8943f80e37b700af13b85671b02c4a263010f3e0
SHA256: 64c208865c75b600548e0eeb11164f4ff3803a9af25f20a692ef4dca5db9e229
Infos:

Detection

Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses taskkill to terminate processes

Classification

Uses 32bit PE files
Source: gjswzjReaderper-3.0.20.0830-setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406559
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_00405B98 FindFirstFileW,FindClose, 0_2_00405B98
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_004029F1 FindFirstFileW, 0_2_004029F1
Source: gjswzjReaderper-3.0.20.0830-setup.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_00404BB4 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404BB4
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_00403415 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_00403415
Detected potential crypto function
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_0040447D 0_2_0040447D
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_0040680A 0_2_0040680A
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_00406E34 0_2_00406E34
Sample file is different than original file name gathered from version info
Source: gjswzjReaderper-3.0.20.0830-setup.exe, 00000000.00000000.1311391250.00000000005D1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamegjswzjreaderper.exe< vs gjswzjReaderper-3.0.20.0830-setup.exe
Source: gjswzjReaderper-3.0.20.0830-setup.exe Binary or memory string: OriginalFilenamegjswzjreaderper.exe< vs gjswzjReaderper-3.0.20.0830-setup.exe
Uses 32bit PE files
Source: gjswzjReaderper-3.0.20.0830-setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: clean6.winEXE@4/6@0/0
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_0040400B GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040400B
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_00402218 CoCreateInstance, 0_2_00402218
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Mutant created: \Sessions\1\BaseNamedObjects\C
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe File created: C:\Users\user~1\AppData\Local\Temp\nse9E4C.tmp Jump to behavior
Source: gjswzjReaderper-3.0.20.0830-setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe File read: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe "C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe"
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /t /im gjswzjReader.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /t /im gjswzjReader.exe Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: gjswzjReaderper-3.0.20.0830-setup.exe Static file information: File size 43905970 > 1048576
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405BBF
Drops PE files
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe File created: C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\FindProcDLL.dll Jump to dropped file
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe File created: C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\nsDialogs.dll Jump to dropped file
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe File created: C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\nsExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe File created: C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\FindProcDLL.dll Jump to dropped file
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\nsDialogs.dll Jump to dropped file
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\nsExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\System.dll Jump to dropped file
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406559
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_00405B98 FindFirstFileW,FindClose, 0_2_00405B98
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_004029F1 FindFirstFileW, 0_2_004029F1
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405BBF
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_02A5188E CreateControl,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,GetProcessHeap,HeapReAlloc,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,CreateWindowExW,SetPropW,SendMessageW,SendMessageW,SendMessageW,SetWindowLongW,GetProcessHeap,RtlFreeHeap, 0_2_02A5188E
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /t /im gjswzjReader.exe Jump to behavior
Uses taskkill to terminate processes
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /t /im gjswzjReader.exe Jump to behavior
Source: C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe Code function: 0_2_004060CA GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_004060CA
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1430812 Sample: gjswzjReaderper-3.0.20.0830... Startdate: 24/04/2024 Architecture: WINDOWS Score: 6 6 gjswzjReaderper-3.0.20.0830-setup.exe 19 2->6         started        file3 13 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 6->13 dropped 15 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 6->15 dropped 17 C:\Users\user\AppData\Local\...\System.dll, PE32 6->17 dropped 19 C:\Users\user\AppData\...\FindProcDLL.dll, PE32 6->19 dropped 9 taskkill.exe 1 6->9         started        process4 process5 11 conhost.exe 9->11         started       
No contacted IP infos