Windows Analysis Report
win32_remote.exe

Overview

General Information

Sample name: win32_remote.exe
Analysis ID: 1431482
MD5: 2783a76f46f07b45dcc4514bd67daeb4
SHA1: a2ec57d564f9b29cc9798ddad730ecda0af4fcc0
SHA256: 9ca85bbfed42b252002390fe9c5dbbfbe2e76c6e69f681204dd1d403b8f1ce2d
Tags: APT44, ARGUEPATCH, exe

Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to load drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C193A0 DecryptMessage, 0_2_00C193A0
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C18AE0 EncryptMessage, 0_2_00C18AE0
Source: win32_remote.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: win32_remote.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: win32_remote.pdb source: win32_remote.exe
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C494A4 FindFirstFileExW,_free, 0_2_00C494A4
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C3B5D6 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 0_2_00C3B5D6
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BE25E0 GetMappedFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,GetModuleFileNameExW,GetSystemDirectoryA,GetCurrentDirectoryA, 0_2_00BE25E0
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C172F0 recvfrom,WSAGetLastError, 0_2_00C172F0
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BE64D0 FreeLibrary,CloseHandle,NtUnloadDriver, 0_2_00BE64D0
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BE64D1 FreeLibrary,CloseHandle,NtUnloadDriver, 0_2_00BE64D1
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BE5500 NtSystemDebugControl, 0_2_00BE5500
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BE3C60 RtlAdjustPrivilege,RtlAdjustPrivilege,NtLoadDriver,NtCreateFile,NtDeviceIoControlFile, 0_2_00BE3C60
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BE6E20 NtSystemDebugControl, 0_2_00BE6E20
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C4712E 0_2_00C4712E
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2D2A5 0_2_00C2D2A5
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C3E465 0_2_00C3E465
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C295E0 0_2_00C295E0
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C315B2 0_2_00C315B2
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C317DB 0_2_00C317DB
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2C707 0_2_00C2C707
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2D8F0 0_2_00C2D8F0
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C359CD 0_2_00C359CD
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C379D0 0_2_00C379D0
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C4891A 0_2_00C4891A
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BFBA90 0_2_00BFBA90
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C48A46 0_2_00C48A46
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2CA79 0_2_00C2CA79
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C1CD50 0_2_00C1CD50
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2CD23 0_2_00C2CD23
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2CFEA 0_2_00C2CFEA
Source: C:\Users\user\Desktop\win32_remote.exe Code function: String function: 00C2ADD0 appears 54 times
Source: C:\Users\user\Desktop\win32_remote.exe Code function: String function: 00BD37C0 appears 92 times
Source: C:\Users\user\Desktop\win32_remote.exe Code function: String function: 00BD39E0 appears 37 times
Source: win32_remote.exe Binary string: JNtSystemDebugControlNtLoadDriverNtUnloadDriverRtlAdjustPrivilegeNtCreateFileNtDeviceIoControlFile\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\kldbgdrv\Device\kldbgdrv
Source: classification engine Classification label: clean9.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BE0E90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,FindCloseChangeNotification,GetLastError,FreeLibrary,SetLastError, 0_2_00BE0E90
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BD5600 CoCreateInstance,SearchPathA,LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_00BD5600
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: win32_remote.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\win32_remote.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: win32_remote.exe String found in binary or memory: on-stop-kill-process
Source: win32_remote.exe String found in binary or memory: 'Don-broken-connection-keep-sessionKeep debugger session alive when connection breakson-stop-kill-processKill debuggee when closing sessionCould not initialize subsystem!IDA_DBGSRV_PASSWDIDA Windows 32-bit remote debug server(MT) v%d.%d.%d. Hex-Rays (c) 2004-2020
Source: win32_remote.exe String found in binary or memory: ip-address
Source: win32_remote.exe String found in binary or memory: v8aH@aHpeDport-numberPort numberip-addressIP address to bind to (default to any)use-tlsUse TLScertchain-fileTLS certificate chain fileprivkey-fileTLS private key fileverboseVerbose mode0.0.0.0%s:%u: %s
Source: unknown Process created: C:\Users\user\Desktop\win32_remote.exe "C:\Users\user\Desktop\win32_remote.exe"
Source: C:\Users\user\Desktop\win32_remote.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\win32_remote.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\win32_remote.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\win32_remote.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\win32_remote.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\win32_remote.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\win32_remote.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\win32_remote.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\win32_remote.exe Section loaded: rasadhlp.dll
Source: win32_remote.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: win32_remote.exe Static PE information: 0xF41F5250 [Wed Oct 14 20:36:32 2099 UTC]
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BE3AA0 GetLastError,GetModuleHandleA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,GetModuleHandleA,GetProcAddress,GetProcAddress, 0_2_00BE3AA0
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BD70D8 push ebp; iretd 0_2_00BD70D9
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BD71CE push ebp; iretd 0_2_00BD71CF
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BD712B push ebp; iretd 0_2_00BD712C
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BD717B push ebp; iretd 0_2_00BD717C
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BD72E8 push ebp; iretd 0_2_00BD72E9
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BD7228 push ebp; iretd 0_2_00BD7229
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BD727B push ebp; iretd 0_2_00BD727C
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BD7348 push ebp; iretd 0_2_00BD7349
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2D66B pushfd ; retf 0_2_00C2D66C
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C01979 push 840FC085h; ret 0_2_00C0197F
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2AE16 push ecx; ret 0_2_00C2AE29
Source: C:\Users\user\Desktop\win32_remote.exe API coverage: 8.4 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BE2E80 GetSystemInfo,VirtualQueryEx,VirtualQueryEx, 0_2_00BE2E80
Source: win32_remote.exe, 00000000.00000002.2870212866.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2F0D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C2F0D3
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C327C0 mov eax, dword ptr fs:[00000030h] 0_2_00C327C0
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C40F50 mov eax, dword ptr fs:[00000030h] 0_2_00C40F50
Source: C:\Users\user\Desktop\win32_remote.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2A147 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00C2A147
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2AC15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C2AC15
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2AD77 SetUnhandledExceptionFilter, 0_2_00C2AD77
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C2AA6E cpuid 0_2_00C2AA6E
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C3F7F3 GetSystemTimeAsFileTime, 0_2_00C3F7F3
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00BD1045 GetVersionExA,GetCurrentProcess, 0_2_00BD1045
Source: C:\Users\user\Desktop\win32_remote.exe Code function: 0_2_00C17985 WSAStartup,bind,WSAGetLastError,listen, 0_2_00C17985
No contacted IP infos