Windows Analysis Report
Clangen.exe

Overview

General Information

Sample name: Clangen.exe
Analysis ID: 1430907
MD5: 30712264600cb5dbac0cf9436afb8057
SHA1: 87d07b89f5f94a705f4c8c3017887fe204c8582e
SHA256: 4cca30c7f69113632bcbc829ffab14614599624752d021bc00d232bcea54c596
Tags: exe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Clangen.exe Virustotal: Detection: 11%
Source: Clangen.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F396714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF67F396714
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F387820 FindFirstFileExW,FindClose, 0_2_00007FF67F387820
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3A09B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF67F3A09B4
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3A5D6C 0_2_00007FF67F3A5D6C
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F39D098 0_2_00007FF67F39D098
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3880A0 0_2_00007FF67F3880A0
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3A509C 0_2_00007FF67F3A509C
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F396714 0_2_00007FF67F396714
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F386780 0_2_00007FF67F386780
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F396F98 0_2_00007FF67F396F98
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F390FB4 0_2_00007FF67F390FB4
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F394F50 0_2_00007FF67F394F50
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F392800 0_2_00007FF67F392800
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3A5820 0_2_00007FF67F3A5820
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F391E70 0_2_00007FF67F391E70
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F39D718 0_2_00007FF67F39D718
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F390DB0 0_2_00007FF67F390DB0
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F396560 0_2_00007FF67F396560
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F39FA08 0_2_00007FF67F39FA08
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3A4E20 0_2_00007FF67F3A4E20
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3A2D30 0_2_00007FF67F3A2D30
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F381B90 0_2_00007FF67F381B90
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F398BA0 0_2_00007FF67F398BA0
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F390BA4 0_2_00007FF67F390BA4
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3A8B68 0_2_00007FF67F3A8B68
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F392C04 0_2_00007FF67F392C04
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F39CC04 0_2_00007FF67F39CC04
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3913C4 0_2_00007FF67F3913C4
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3909A0 0_2_00007FF67F3909A0
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3A09B4 0_2_00007FF67F3A09B4
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3911C0 0_2_00007FF67F3911C0
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3A31CC 0_2_00007FF67F3A31CC
Source: C:\Users\user\Desktop\Clangen.exe Code function: String function: 00007FF67F382770 appears 41 times
Source: classification engine Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3874B0 GetLastError,FormatMessageW,WideCharToMultiByte, 0_2_00007FF67F3874B0
Source: Clangen.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Clangen.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Clangen.exe File read: C:\Users\user\Desktop\Clangen.exe
Source: C:\Users\user\Desktop\Clangen.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Clangen.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Clangen.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Clangen.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Clangen.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Clangen.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Clangen.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Clangen.exe Section loaded: wintypes.dll
Source: Clangen.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Clangen.exe Static file information: File size 5303823 > 1048576
Source: Clangen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Clangen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Clangen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Clangen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Clangen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Clangen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Clangen.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Clangen.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Clangen.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Clangen.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Clangen.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: Clangen.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3D10CC push rbp; retn 0000h 0_2_00007FF67F3D10CD
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3D10E4 push rcx; retn 0000h 0_2_00007FF67F3D10ED
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3855D0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF67F3855D0
Source: C:\Users\user\Desktop\Clangen.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Clangen.exe API coverage: 7.1 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F38B69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF67F38B69C
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3A25A0 GetProcessHeap, 0_2_00007FF67F3A25A0
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F38B880 SetUnhandledExceptionFilter, 0_2_00007FF67F38B880
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F38AE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF67F38AE00
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F399AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF67F399AE4
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3A89B0 cpuid 0_2_00007FF67F3A89B0
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F38B580 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF67F38B580
Source: C:\Users\user\Desktop\Clangen.exe Code function: 0_2_00007FF67F3A509C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF67F3A509C
No contacted IP infos