Windows Analysis Report
xm393ns0.exe

Overview

General Information

Sample name: xm393ns0.exe
Analysis ID: 1431276
MD5: 83f90ab89da59ab13fc97fb404e75a8e
SHA1: d28c10ad2223c31ed6151cdbca75c2917f7863a4
SHA256: 224974155c0a18c9c01f1f6b8f66187c2f030df5cc1c68bf537a77ec8181fdd0
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Performs DNS queries to domains with low reputation
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes or reads registry keys via WMI
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Uses 32bit PE files
Source: xm393ns0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xm393ns0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking
barindex
Performs DNS queries to domains with low reputation
Source: C:\Users\user\Desktop\xm393ns0.exe DNS query: LjZQsnIZIOXO7P.db0.xyz
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: LjZQsnIZIOXO7P.db0.xyzUser-Agent: If you would like to opt out, please fill out this form: https://forms.office.com/r/i1h9pFXbKAHistory: LjZQsnIZIOXO7PAccept-Encoding: gzip
Source: global traffic DNS traffic detected: DNS query: LjZQsnIZIOXO7P.db0.xyz
Source: xm393ns0.exe, 00000000.00000002.604617157.000000000AC9E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://LjZQsnIZIOXO7P.db0.xyz
Source: xm393ns0.exe, 00000000.00000002.604617157.000000000AC9E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://LjZQsnIZIOXO7P.db0.xyzLjZQsnIZIOXO7P.db0.xyz:80REQUEST_METHODtcpLjZQsnIZIOXO7P.db0.xyziphlpap
Source: xm393ns0.exe, jZQs-eo6N153d.exe.0.dr String found in binary or memory: http://historycmd.exefloat32float64UpgradeReferer
Source: xm393ns0.exe, jZQs-eo6N153d.exe.0.dr String found in binary or memory: https://forms.office.com/r/i1h9pFXbKA

System Summary
barindex
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\xm393ns0.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Sample file is different than original file name gathered from version info
Source: xm393ns0.exe, 00000000.00000002.603623309.00000000002FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs xm393ns0.exe
Source: xm393ns0.exe, 00000000.00000003.335755561.0000000000300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesysinfo.exej% vs xm393ns0.exe
Source: xm393ns0.exe, 00000000.00000003.340319298.00000000002F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs xm393ns0.exe
Source: xm393ns0.exe, 00000000.00000003.335719938.00000000002FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesysinfo.exej% vs xm393ns0.exe
Uses 32bit PE files
Source: xm393ns0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal52.troj.evad.winEXE@6/2@1/1
Source: C:\Users\user\Desktop\xm393ns0.exe File created: C:\Users\user\Desktop\jZQs-eo6N153d.exe Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Console Write: ........................................(.P.....`.......8...............................#....................................................... Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Console Write: ................@....`..........L.j.Z.Q.s.n.I.Z.I.O.X.O.7.P...d.b.0...x.y.z........s............................h...............#p.s............ Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Console Write: ................@....`..........S.t.a.r.t.i.n.g. .k.e.y.l.o.g.g.e.r.............................P.DJ............X.H+....&....................... Jump to behavior
Source: xm393ns0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\xm393ns0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: xm393ns0.exe String found in binary or memory: /usr/local/go/src/net/addrselect.go
Source: C:\Users\user\Desktop\xm393ns0.exe File read: C:\Users\user\Desktop\xm393ns0.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\xm393ns0.exe "C:\Users\user\Desktop\xm393ns0.exe"
Source: C:\Users\user\Desktop\xm393ns0.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv
Source: C:\Windows\SysWOW64\systeminfo.exe Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\xm393ns0.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "del C:\Users\user\Desktop\xm393ns0.exe"
Source: C:\Users\user\Desktop\xm393ns0.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "del C:\Users\user\Desktop\xm393ns0.exe" Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: wbemcomn2.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: wbemcomn2.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: esscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv
Source: xm393ns0.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: xm393ns0.exe Static file information: File size 5152256 > 1048576
Source: xm393ns0.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x274c00
Source: xm393ns0.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x21c800
Source: xm393ns0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
PE file contains sections with non-standard names
Source: xm393ns0.exe Static PE information: section name: .symtab
Source: jZQs-eo6N153d.exe.0.dr Static PE information: section name: .symtab
Drops PE files
Source: C:\Users\user\Desktop\xm393ns0.exe File created: C:\Users\user\Desktop\jZQs-eo6N153d.exe Jump to dropped file
Source: C:\Users\user\Desktop\xm393ns0.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\xm393ns0.exe Dropped PE file which has not been started: C:\Users\user\Desktop\jZQs-eo6N153d.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 2588 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 2588 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe TID: 1148 Thread sleep time: -240000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Process information queried: ProcessInformation Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\xm393ns0.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv Jump to behavior
Source: C:\Users\user\Desktop\xm393ns0.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "del C:\Users\user\Desktop\xm393ns0.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\xm393ns0.exe Queries volume information: C:\Users\user\Desktop\jZQs-eo6N153d.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1431276 Sample: xm393ns0.exe Startdate: 24/04/2024 Architecture: WINDOWS Score: 52 6 xm393ns0.exe 1 2->6         started        dnsIp3 20 LjZQsnIZIOXO7P.db0.xyz 6->20 22 LjZQsnIZIOXO7P.db0.xyz 64.225.4.76, 49163, 80 DIGITALOCEAN-ASNUS United States 6->22 18 C:\Users\user\Desktop\jZQs-eo6N153d.exe, PE32 6->18 dropped 24 Performs DNS queries to domains with low reputation 6->24 11 systeminfo.exe 1 6->11         started        14 cmd.exe 6->14         started        file4 signatures5 process6 signatures7 26 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->26 28 Writes or reads registry keys via WMI 11->28 16 WmiPrvSE.exe 11->16         started        process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
64.225.4.76
 LjZQsnIZIOXO7P.db0.xyz United States
14061 DIGITALOCEAN-ASNUS true

Contacted Domains

Name IP Active
LjZQsnIZIOXO7P.db0.xyz 64.225.4.76 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://LjZQsnIZIOXO7P.db0.xyz/ false
  • Avira URL Cloud: safe
 unknown