Windows Analysis Report
xm393ns4.exe

Overview

General Information

Sample name: xm393ns4.exe
Analysis ID: 1431558
MD5: bf30f725d867f62d2020d4ea18a9140b
SHA1: 82b3b4539774511032e473b3956b31f015a25a0d
SHA256: 39a55044a8919be58ee0d1580a1573e23cc56d48a7cba9f29b5a578a5a089582
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes or reads registry keys via WMI
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Uses 32bit PE files
Source: xm393ns4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xm393ns4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: Z4uofnIZILkJsb.q91.latUser-Agent: If you would like to opt out, please fill out this form: https://forms.office.com/r/i1h9pFXbKAHistory: Z4uofnIZILkJsbAccept-Encoding: gzip
Source: global traffic DNS traffic detected: DNS query: Z4uofnIZILkJsb.q91.lat
Source: xm393ns4.exe, 00000000.00000002.601512879.000000000AE12000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://Z4uofnIZILkJsb.q91.lat
Source: xm393ns4.exe, 00000000.00000002.601512879.000000000AE12000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://Z4uofnIZILkJsb.q91.latZ4uofnIZILkJsb.q91.lat:80REQUEST_METHODtcpZ4uofnIZILkJsb.q91.latiphlpap
Source: xm393ns4.exe, 4uof-MjWrlY2P.exe.0.dr String found in binary or memory: http://historycmd.exefloat32float64UpgradeReferer
Source: xm393ns4.exe, 4uof-MjWrlY2P.exe.0.dr String found in binary or memory: https://forms.office.com/r/i1h9pFXbKA

System Summary
barindex
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\xm393ns4.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Sample file is different than original file name gathered from version info
Source: xm393ns4.exe, 00000000.00000003.332644889.0000000000320000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesysinfo.exej% vs xm393ns4.exe
Source: xm393ns4.exe, 00000000.00000002.601178412.000000000031A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs xm393ns4.exe
Source: xm393ns4.exe, 00000000.00000003.338631987.0000000000317000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs xm393ns4.exe
Source: xm393ns4.exe, 00000000.00000003.332626974.000000000031D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesysinfo.exej% vs xm393ns4.exe
Uses 32bit PE files
Source: xm393ns4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal48.evad.winEXE@6/2@1/1
Source: C:\Users\user\Desktop\xm393ns4.exe File created: C:\Users\user\Desktop\4uof-MjWrlY2P.exe Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Console Write: ........................................(.P..... ...............$.......-...............#....................................................... Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Console Write: ................@....`..........Z.4.u.o.f.n.I.Z.I.L.k.J.s.b...q.9.1...l.a.t........s............................h...............#p.s............ Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Console Write: ................@....`..........S.t.a.r.t.i.n.g. .k.e.y.l.o.g.g.e.r.............................P..J............X.$.....&....................... Jump to behavior
Source: xm393ns4.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\xm393ns4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: xm393ns4.exe String found in binary or memory: /usr/local/go/src/net/addrselect.go
Source: C:\Users\user\Desktop\xm393ns4.exe File read: C:\Users\user\Desktop\xm393ns4.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\xm393ns4.exe "C:\Users\user\Desktop\xm393ns4.exe"
Source: C:\Users\user\Desktop\xm393ns4.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv
Source: C:\Windows\SysWOW64\systeminfo.exe Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\xm393ns4.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "del C:\Users\user\Desktop\xm393ns4.exe"
Source: C:\Users\user\Desktop\xm393ns4.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "del C:\Users\user\Desktop\xm393ns4.exe" Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: wbemcomn2.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: wbemcomn2.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: esscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv
Source: xm393ns4.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: xm393ns4.exe Static file information: File size 5152256 > 1048576
Source: xm393ns4.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x274c00
Source: xm393ns4.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x21c800
Source: xm393ns4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
PE file contains sections with non-standard names
Source: xm393ns4.exe Static PE information: section name: .symtab
Source: 4uof-MjWrlY2P.exe.0.dr Static PE information: section name: .symtab
Drops PE files
Source: C:\Users\user\Desktop\xm393ns4.exe File created: C:\Users\user\Desktop\4uof-MjWrlY2P.exe Jump to dropped file
Source: C:\Users\user\Desktop\xm393ns4.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\xm393ns4.exe Dropped PE file which has not been started: C:\Users\user\Desktop\4uof-MjWrlY2P.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 892 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 892 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe TID: 3096 Thread sleep time: -180000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\xm393ns4.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv Jump to behavior
Source: C:\Users\user\Desktop\xm393ns4.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "del C:\Users\user\Desktop\xm393ns4.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\xm393ns4.exe Queries volume information: C:\Users\user\Desktop\4uof-MjWrlY2P.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1431558 Sample: xm393ns4.exe Startdate: 25/04/2024 Architecture: WINDOWS Score: 48 6 xm393ns4.exe 1 2->6         started        dnsIp3 19 Z4uofnIZILkJsb.q91.lat 139.59.65.89, 49161, 80 DIGITALOCEAN-ASNUS Singapore 6->19 17 C:\Users\user\Desktop\4uof-MjWrlY2P.exe, PE32 6->17 dropped 10 systeminfo.exe 1 6->10         started        13 cmd.exe 6->13         started        file4 process5 signatures6 21 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->21 23 Writes or reads registry keys via WMI 10->23 15 WmiPrvSE.exe 10->15         started        process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
139.59.65.89
 Z4uofnIZILkJsb.q91.lat Singapore
14061 DIGITALOCEAN-ASNUS false

Contacted Domains

Name IP Active
Z4uofnIZILkJsb.q91.lat 139.59.65.89 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://Z4uofnIZILkJsb.q91.lat/ false
  • Avira URL Cloud: safe
 unknown