Windows Analysis Report
kGZyUV1upG.exe

Overview

General Information

Sample name: kGZyUV1upG.exe
Renamed because the original name is a hash value
Original sample name: 6c93fc68e2f01c20fb81af24470b790c.exe
Analysis ID: 1431451
MD5: 6c93fc68e2f01c20fb81af24470b790c
SHA1: d5927b38a32e30afcf5a658612a8266476fc4ad8
SHA256: 64a71b664d76641b35dac312161cb356b3b3b5f0b45c9d88c8afa547b4902580
Tags: 32exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found evasive API chain (may stop execution after checking mutex)
Found potential dummy code loops (likely to delay analysis)
Found stalling execution ending in API Sleep call
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: kGZyUV1upG.exe Virustotal: Detection: 33%
Source: kGZyUV1upG.exe ReversingLabs: Detection: 26%
Source: kGZyUV1upG.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: kGZyUV1upG.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: kGZyUV1upG.exe
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_008B2590 CreateMutexA,GetLastError,ExitProcess,OpenClipboard,GetClipboardData,GlobalFix,EmptyClipboard,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,GlobalFree,CloseClipboard,Sleep, 0_2_008B2590
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_00907830 0_2_00907830
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_00909063 0_2_00909063
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_0090A988 0_2_0090A988
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_0090B29C 0_2_0090B29C
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_008B1A40 0_2_008B1A40
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_00912BD5 0_2_00912BD5
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_0090BB06 0_2_0090BB06
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_00905C20 0_2_00905C20
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_008B5500 0_2_008B5500
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_0090AE84 0_2_0090AE84
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_0090B6D1 0_2_0090B6D1
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_00913759 0_2_00913759
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: String function: 00909E8D appears 31 times
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: String function: 00908810 appears 32 times
Source: classification engine Classification label: mal60.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Mutant created: \Sessions\1\BaseNamedObjects\8dddf1vvvv
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Command line argument: 8dddf1vvvv 0_2_008B2590
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Command line argument: f1vvvv 0_2_008B2590
Source: kGZyUV1upG.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Section loaded: apphelp.dll
Source: kGZyUV1upG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kGZyUV1upG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kGZyUV1upG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kGZyUV1upG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kGZyUV1upG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kGZyUV1upG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: kGZyUV1upG.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kGZyUV1upG.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kGZyUV1upG.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kGZyUV1upG.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kGZyUV1upG.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_008B89F0 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_008B89F0
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_00908856 push ecx; ret 0_2_00908869
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_0090834B push ecx; ret 0_2_0090835E

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\kGZyUV1upG.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Window / User API: threadDelayed 875
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Window / User API: threadDelayed 9124
Source: C:\Users\user\Desktop\kGZyUV1upG.exe API coverage: 5.6 %
Source: C:\Users\user\Desktop\kGZyUV1upG.exe TID: 6924 Thread sleep count: 875 > 30
Source: C:\Users\user\Desktop\kGZyUV1upG.exe TID: 6924 Thread sleep time: -622125s >= -30000s
Source: C:\Users\user\Desktop\kGZyUV1upG.exe TID: 6924 Thread sleep count: 9124 > 30
Source: C:\Users\user\Desktop\kGZyUV1upG.exe TID: 6924 Thread sleep time: -6487164s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\kGZyUV1upG.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\kGZyUV1upG.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_0090CC07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0090CC07
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_0090E8F6 mov eax, dword ptr fs:[00000030h] 0_2_0090E8F6
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_00912404 GetProcessHeap, 0_2_00912404
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_00907C28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00907C28
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_00908609 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00908609
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_00908757 SetUnhandledExceptionFilter, 0_2_00908757
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_0090886B cpuid 0_2_0090886B
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: GetLocaleInfoW, 0_2_00917A1C
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: GetLocaleInfoW, 0_2_00911A67
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_009173E1
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00917B45
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: GetLocaleInfoW, 0_2_00917C4C
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00917D19
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: EnumSystemLocalesW, 0_2_009176A4
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: EnumSystemLocalesW, 0_2_009116C2
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: EnumSystemLocalesW, 0_2_00917659
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_009177CC
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: EnumSystemLocalesW, 0_2_0091773F
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_009084F8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_009084F8
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_008B1390 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_008B1390
Source: C:\Users\user\Desktop\kGZyUV1upG.exe Code function: 0_2_008B2D60 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_008B2D60
No contacted IP infos