Windows Analysis Report
doc-1.exe

Overview

General Information

Sample name: doc-1.exe
Analysis ID: 1431427
MD5: cb0453ea959b40b3a0500dac08b0a309
SHA1: 574ee3b44cf4e11ea8a2b19554e2b9c709c5177a
SHA256: 9f3034de7f891cbccf1e97f2ce5a806907149a573258ed1c094301b5919d3bba
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found API chain indicative of debugger detection
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: doc-1.exe Virustotal: Detection: 7%
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00479B50 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom, 0_2_00479B50
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0042FF42 BCryptGenRandom,SystemFunction036, 0_2_0042FF42
Source: doc-1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: doc-1.exe String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportyfqBCUuiHMkgJBsjVLIZXuZmbxVFvbUFzjnbhVPhCE
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00406F46 memcpy,memcpy,memcpy,memset,AcquireSRWLockExclusive,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,ReleaseSRWLockExclusive,ReleaseSRWLockExclusive,GlobalMemoryStatusEx,K32GetPerformanceInfo,PdhOpenQueryA,PdhCollectQueryData,NtQuerySystemInformation,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,GetUserNameW,GetUserNameW,GetNativeSystemInfo,GetCurrentProcessId,memcpy,memset, 0_2_00406F46
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0047CF27 NtQueryInformationProcess,NtQueryInformationProcess, 0_2_0047CF27
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0047BFDF NtQueryInformationProcess,NtQueryInformationProcess, 0_2_0047BFDF
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00471040 0_2_00471040
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00441000 0_2_00441000
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0040B011 0_2_0040B011
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004320CC 0_2_004320CC
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0044C090 0_2_0044C090
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0041B160 0_2_0041B160
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00415130 0_2_00415130
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004711E0 0_2_004711E0
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0041E1E8 0_2_0041E1E8
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0048327F 0_2_0048327F
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004242F5 0_2_004242F5
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00417280 0_2_00417280
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0046B300 0_2_0046B300
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0043132E 0_2_0043132E
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0041C330 0_2_0041C330
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00426473 0_2_00426473
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0041141C 0_2_0041141C
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00416430 0_2_00416430
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004354CA 0_2_004354CA
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004084D4 0_2_004084D4
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004084D9 0_2_004084D9
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004084DE 0_2_004084DE
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0042F4F7 0_2_0042F4F7
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004334BF 0_2_004334BF
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00408543 0_2_00408543
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00408545 0_2_00408545
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0040852D 0_2_0040852D
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0040852F 0_2_0040852F
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00408531 0_2_00408531
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004735D0 0_2_004735D0
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00405648 0_2_00405648
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0047A670 0_2_0047A670
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00427712 0_2_00427712
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00401731 0_2_00401731
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0043E7A0 0_2_0043E7A0
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004397A4 0_2_004397A4
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00422850 0_2_00422850
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0041B810 0_2_0041B810
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0043F830 0_2_0043F830
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0043383B 0_2_0043383B
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0043883F 0_2_0043883F
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0048794D 0_2_0048794D
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00445932 0_2_00445932
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00423938 0_2_00423938
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0047CA4A 0_2_0047CA4A
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0041FA00 0_2_0041FA00
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00405A2B 0_2_00405A2B
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00411ACC 0_2_00411ACC
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00417AE0 0_2_00417AE0
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0042BAEE 0_2_0042BAEE
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00411A8C 0_2_00411A8C
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0047BAA8 0_2_0047BAA8
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00479B50 0_2_00479B50
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00465BD0 0_2_00465BD0
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00441BF0 0_2_00441BF0
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00437BA5 0_2_00437BA5
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00434C66 0_2_00434C66
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0047EC69 0_2_0047EC69
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00467C10 0_2_00467C10
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00479CA0 0_2_00479CA0
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00471D50 0_2_00471D50
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0047BD62 0_2_0047BD62
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00424D7E 0_2_00424D7E
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0042CD25 0_2_0042CD25
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0042CE47 0_2_0042CE47
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0043CE50 0_2_0043CE50
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00413E20 0_2_00413E20
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00402E36 0_2_00402E36
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00414EF0 0_2_00414EF0
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00406F46 0_2_00406F46
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00410F6F 0_2_00410F6F
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00484F78 0_2_00484F78
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0046AFC0 0_2_0046AFC0
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0047BFDF 0_2_0047BFDF
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00430FB4 0_2_00430FB4
Source: C:\Users\user\Desktop\doc-1.exe Code function: String function: 00414310 appears 76 times
Source: C:\Users\user\Desktop\doc-1.exe Code function: String function: 00414630 appears 129 times
Source: classification engine Classification label: mal52.evad.winEXE@1/0@0/0
Source: doc-1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\doc-1.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\doc-1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\doc-1.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\doc-1.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\doc-1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\doc-1.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0048F830 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_0048F830
Source: doc-1.exe Static PE information: real checksum: 0xc2eec should be: 0xb6eb6
Source: doc-1.exe Static PE information: section name: .xdata
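Two of the static findings above deserve a check rather than a verdict. The checksum line says the header field (0xc2eec) does not match what the bytes on disk produce (0xb6eb6); Windows only enforces this field for drivers and boot-time system images, so a mismatch is a weak signal on its own, but it does mean the file was altered after the linker wrote the header, or was linked by a tool that never computed it. The section-name line flags .xdata, which is the unwind/exception-data section emitted by the GNU (MinGW-w64) toolchain; it is "non-standard" only against the MSVC defaults. The script below is an added example, not part of the sandbox report: it recomputes the checksum with the same algorithm imagehlp's CheckSumMappedFile uses, reads the section table, and classifies names against two baselines. It runs on a constructed, PE-shaped buffer (build_sample), so it does not reproduce the report's numbers; point pe_checksum at the real file bytes for that. The section baselines are this example's assumption and should be tuned to the toolchains seen in your environment.

```python
"""Added example (not sandbox output): recompute the PE CheckSum, compare it with
the stored header field, and classify section names against toolchain baselines.
build_sample() produces a constructed PE32-shaped buffer, not doc-1.exe."""
import struct

# Section-name baselines (assumption of this example; extend for your toolchains).
MSVC_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                 ".rsrc", ".reloc", ".tls", ".bss", ".debug"}
# Names the GNU (MinGW-w64) toolchain adds; .xdata carries unwind/exception data.
GNU_SECTIONS = {".xdata", ".CRT", ".eh_frame", ".ctors", ".dtors"}


def _e_lfanew(data: bytes) -> int:
    return struct.unpack_from("<I", data, 0x3C)[0]


def _checksum_offset(data: bytes) -> int:
    # "PE\0\0" (4) + COFF header (20) precede the optional header; CheckSum is at
    # offset 64 of the optional header for both PE32 and PE32+.
    return _e_lfanew(data) + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Algorithm of imagehlp!CheckSumMappedFile: sum every 32-bit word except the
    CheckSum field itself with end-around carry, fold to 16 bits, add file length."""
    skip = _checksum_offset(data)
    if skip % 4:
        raise ValueError("e_lfanew is not 4-byte aligned; header is malformed")
    total = 0
    for off in range(0, len(data), 4):
        if off == skip:
            continue                                    # the field under test is excluded
        word = data[off:off + 4].ljust(4, b"\0")        # zero-pad a trailing partial word
        total += struct.unpack("<I", word)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)   # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def fix_checksum(data: bytes) -> bytes:
    """Return a copy with the header CheckSum rewritten to the computed value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_offset(data), pe_checksum(data))
    return bytes(buf)


def section_names(data: bytes) -> list:
    pe = _e_lfanew(data)
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]     # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]      # COFF SizeOfOptionalHeader
    table = pe + 24 + opt_size                                 # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]         # IMAGE_SECTION_HEADER: 40 bytes, Name first
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def nonstandard_sections(names, baseline) -> list:
    return [n for n in names if n not in baseline]


def triage(data: bytes) -> dict:
    computed, stored, names = pe_checksum(data), stored_checksum(data), section_names(data)
    return {
        "stored": stored,
        "computed": computed,
        "checksum_ok": stored == computed,
        "sections": names,
        "nonstandard_vs_msvc": nonstandard_sections(names, MSVC_SECTIONS),
        "nonstandard_vs_msvc_or_gnu": nonstandard_sections(names, MSVC_SECTIONS | GNU_SECTIONS),
    }


def build_sample(stored: int, names, trailing: bytes = b"") -> bytes:
    """Constructed minimal PE32-shaped buffer (not a loadable image): MZ stub,
    PE signature, COFF header, zeroed optional header with the given CheckSum,
    and a section table holding the requested names."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)             # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x46, len(names))       # NumberOfSections
    struct.pack_into("<H", buf, 0x54, 0xE0)             # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", buf, 0x58, 0x10B)            # Magic = PE32
    struct.pack_into("<I", buf, 0x58 + 64, stored)      # CheckSum field
    table = 0x40 + 24 + 0xE0
    for i, name in enumerate(names):
        buf[table + 40 * i: table + 40 * i + 8] = name.encode().ljust(8, b"\0")
    return bytes(buf) + trailing


if __name__ == "__main__":
    names = [".text", ".data", ".xdata"]
    tampered = build_sample(0xDEADBEEF, names)          # header value that cannot match the bytes
    print("tampered:", triage(tampered))
    print("repaired:", triage(fix_checksum(tampered)))
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `triage`; the report's "real checksum" corresponds to `stored` and "should be" to `computed`. Note that fix_checksum is the operation an attacker (or any post-link tool) would run to make the field consistent again, which is why a matching checksum proves nothing either.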
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00419540 push 75058D48h; retf 0_2_00419608
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004195A0 push 75058D48h; retf 0_2_00419608
Source: C:\Users\user\Desktop\doc-1.exe API coverage: 0.9 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004320CC GetSystemInfo,memcpy,memcpy,memcpy,memcpy,CloseHandle, 0_2_004320CC

Anti Debugging

Source: C:\Users\user\Desktop\doc-1.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00406F46 memcpy,memcpy,memcpy,memset,AcquireSRWLockExclusive,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,ReleaseSRWLockExclusive,ReleaseSRWLockExclusive,GlobalMemoryStatusEx,K32GetPerformanceInfo,PdhOpenQueryA,PdhCollectQueryData,NtQuerySystemInformation,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,GetUserNameW,GetUserNameW,GetNativeSystemInfo,GetCurrentProcessId,memcpy,memset, 0_2_00406F46
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0048F830 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_0048F830
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0047D854 GetProcessHeap, 0_2_0047D854
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,exit, 0_2_00401180
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004023D4 RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError, 0_2_004023D4
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004B8A18 SetUnhandledExceptionFilter, 0_2_004B8A18
Source: C:\Users\user\Desktop\doc-1.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0042B09E CreateNamedPipeW,memcpy,CreateIoCompletionPort, 0_2_0042B09E
Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0048E400 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0048E400
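The evidence lines in this section and the one above are raw output of the sandbox's static API-chain matcher, and several of the chains are compiler or runtime boilerplate rather than behaviour of this sample. GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter (0_2_0048E400) is the C runtime's stack-cookie seeding routine (__security_init_cookie), a likely origin of the QueryPerformanceCounter reference in the "Debugger detection routine" line. RtlAddVectoredExceptionHandler followed by SetThreadStackGuarantee (0_2_004023D4) is how Rust's standard library installs its stack-overflow handler, which fits the getrandom docs.rs string found in the binary and the BCryptGenRandom/SystemFunction036 (RtlGenRandom) fallback pair, the random source used by Rust's std and the getrandom crate. The _initterm, _cexit, GetStartupInfoA, SetUnhandledExceptionFilter chain (0_2_00401180) is C runtime startup. What remains worth an analyst's time is the chain the report re-flags under several signatures, 0_2_00406F46 (host inventory through GlobalMemoryStatusEx, K32GetPerformanceInfo, Pdh, NtQuerySystemInformation and GetUserNameW), and the NtQueryInformationProcess pairs, which is the call behind the parent-PID check (ProcessBasicInformation returns InheritedFromUniqueProcessId) but also what ordinary process-inventory code uses, so the caller decides which it is. The script below is an added example, not part of the report or the sandbox: it parses the "Code function:" lines, labels chains that match an allowlist of runtime patterns, and ranks the rest by how often the same function was flagged. The allowlist contents are this example's own assumptions, and the sample input is copied from the report above.

```python
"""Added example (not sandbox output): parse the report's 'Code function:' evidence
lines, label compiler/runtime boilerplate chains, and rank what is left by how
many times the sandbox re-flagged the same function."""
import re
from collections import Counter

# Evidence lines copied from the report above (constructed input for this example).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0048E400 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0048E400",
    r"Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_004023D4 RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError, 0_2_004023D4",
    r"Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,exit, 0_2_00401180",
    r"Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0047CF27 NtQueryInformationProcess,NtQueryInformationProcess, 0_2_0047CF27",
    r"Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0047D854 GetProcessHeap, 0_2_0047D854",
    r"Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_0048F830 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_0048F830",
    r"Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00419540 push 75058D48h; retf 0_2_00419608",
    r"Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00471040 0_2_00471040",
    r"Source: C:\Users\user\Desktop\doc-1.exe Code function: 0_2_00406F46 memcpy,memcpy,memcpy,memset,AcquireSRWLockExclusive,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,ReleaseSRWLockExclusive,ReleaseSRWLockExclusive,GlobalMemoryStatusEx,K32GetPerformanceInfo,PdhOpenQueryA,PdhCollectQueryData,NtQuerySystemInformation,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,GetUserNameW,GetUserNameW,GetNativeSystemInfo,GetCurrentProcessId,memcpy,memset, 0_2_00406F46",
]
# The report lists the 0_2_00406F46 line under more than one signature.
SAMPLE_LINES += [SAMPLE_LINES[-1]]

ADDR = r"\d+_\d+_[0-9A-Fa-f]{8}"
LINE_RE = re.compile(rf"Code function: (?P<addr>{ADDR}) (?P<body>.*?) ?(?P<end>{ADDR})$")

# API sets that identify compiler/runtime boilerplate (assumed baseline of this example).
RUNTIME_PATTERNS = [
    ("CRT stack-cookie seeding (__security_init_cookie)",
     {"GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
      "GetTickCount", "QueryPerformanceCounter"}),
    ("Rust std stack-overflow handler setup",
     {"RtlAddVectoredExceptionHandler", "SetThreadStackGuarantee"}),
    ("C runtime startup (mainCRTStartup)",
     {"_initterm", "_cexit", "GetStartupInfoA", "SetUnhandledExceptionFilter"}),
]


def parse_line(line: str):
    """One evidence line -> {'addr', 'apis', 'asm'}; None if it is not a Code function line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    rec = {"addr": m.group("addr"), "apis": [], "asm": None}
    if body.endswith(","):                      # API chain form: "A,B,C,"
        rec["apis"] = [a for a in body.split(",") if a]
    elif body:                                  # disassembly form: "push ...; retf"
        rec["asm"] = body
    return rec


def label_chain(apis) -> str:
    """Return the runtime label whose required APIs are all present, else None."""
    present = set(apis)
    for label, needed in RUNTIME_PATTERNS:
        if needed <= present:
            return label
    return None


def triage(lines) -> dict:
    hits = Counter()
    funcs = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits[rec["addr"]] += 1                  # same function flagged by several signatures
        rec["label"] = label_chain(rec["apis"])
        funcs[rec["addr"]] = rec
    for addr, rec in funcs.items():
        rec["hits"] = hits[addr]
    return funcs


def noteworthy(funcs) -> list:
    """Addresses with an API chain that is not runtime boilerplate, most re-flagged first."""
    keep = [r for r in funcs.values() if r["apis"] and r["label"] is None]
    return [r["addr"] for r in sorted(keep, key=lambda r: (-r["hits"], r["addr"]))]


if __name__ == "__main__":
    funcs = triage(SAMPLE_LINES)
    for addr, rec in funcs.items():
        print(addr, rec["hits"], rec["label"] or rec["asm"] or ",".join(rec["apis"]))
    print("look at first:", noteworthy(funcs))
```

Feed the whole report (or just the "Code function:" lines) into `triage` instead of SAMPLE_LINES to get the same ranking for a new analysis; bare address lines such as 0_2_00471040 parse but never rank, since the report gives no APIs for them, and the push/retf lines are kept as disassembly text rather than mistaken for an API named "push".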
No contacted IP infos