Windows Analysis Report
shootthemessenger.exe

Overview

General Information

Sample name: shootthemessenger.exe
Analysis ID: 1431785
MD5: 35c422bdf2a2f35cec6235c751cfe466
SHA1: e8a5cb5c798c3caf754d75711b25d6c39c36609b
SHA256: 3c8d01d842fc4969a74ff0fcfbc29e5f2fc572bb1ef5f00f5b3dbc3082efa65a
Infos:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to call native functions
Contains functionality to shutdown / reboot the system
Uses 32bit PE files

Classification

Source: shootthemessenger.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: shootthemessenger.exe, shootthemessenger.exe, 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://grc.com
Source: shootthemessenger.exe, 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://grc.com/mail.htm
Source: shootthemessenger.exe, 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://grc.com/mail.htmhttp://grc.com/stm/ShootTheMessenger.htmYou
Source: shootthemessenger.exe, shootthemessenger.exe, 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://grc.com/stm/ShootTheMessenger.htm
Source: shootthemessenger.exe String found in binary or memory: http://grc.comD
Source: C:\Users\user\Desktop\shootthemessenger.exe Code function: 0_2_00401931 KiUserCallbackDispatcher,GetSystemMenu,DeleteMenu,DeleteMenu,BeginPaint,SetTextColor,SetBkMode,SelectObject,lstrlen,TextOutA,lstrlen,TextOutA,lstrlen,TextOutA,SelectObject,MoveToEx,LineTo,LineTo,SelectObject,LineTo,LineTo,LineTo,SelectObject,MoveToEx,LineTo,LineTo,LineTo,SelectObject,LineTo,LineTo,SelectObject,MoveToEx,LineTo,LineTo,LineTo,SelectObject,LineTo,LineTo,SelectObject,MoveToEx,LineTo,LineTo,LineTo,SelectObject,LineTo,LineTo,DrawEdge,SelectObject,MoveToEx,LineTo,SelectObject,LineTo,LineTo,SelectObject,SetTextColor,lstrlen,TextOutA,GetTextExtentPointA,lstrlen,TextOutA,SelectObject,GetTextExtentPointA,SetTextColor,SetBkMode,SelectObject,lstrlen,TextOutA,lstrlen,TextOutA,EndPaint,GetCursor,SetFocus,SetCursor,GetWindowLongA,GetCursorPos,ScreenToClient,SendMessageA,SendMessageA,RtlFillMemory,SendMessageA,SendMessageA,SetCursor,PtInRect,SetCursor,GetCursor,PostQuitMessage,PostQuitMessage,SetCursor,LoadCursorA,SetCursor,NtdllDefWindowProc_A, 0_2_00401931
Source: C:\Users\user\Desktop\shootthemessenger.exe Code function: 0_2_00402073 BeginPaint,GetClientRect,GetWindowLongA,DrawEdge,MoveToEx,SelectObject,LineTo,LineTo,SelectObject,LineTo,LineTo,EndPaint,NtdllDefWindowProc_A, 0_2_00402073
Source: C:\Users\user\Desktop\shootthemessenger.exe Code function: 0_2_004023DE ExitWindowsEx, 0_2_004023DE
Source: classification engine Classification label: clean1.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\shootthemessenger.exe Code function: 0_2_004012D5 GetStockObject,GetStockObject,GetStockObject,CreatePen,CreatePen,GetStockObject,GetStockObject,GetStockObject,GetStockObject,GetStockObject,LoadLibraryA,LoadLibraryA,FindResourceA,LoadResource,LockResource,LoadCursorA,LoadCursorA,LoadBitmapA,LoadAcceleratorsA,LoadCursorA, 0_2_004012D5
Source: C:\Users\user\Desktop\shootthemessenger.exe Code function: 0_2_00402532 OpenSCManagerA,OpenServiceA,ChangeServiceConfigA,StartServiceA,ControlService,Sleep,CloseServiceHandle,CloseServiceHandle, 0_2_00402532
Source: C:\Users\user\Desktop\shootthemessenger.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\shootthemessenger.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\shootthemessenger.exe File read: C:\Users\user\Desktop\shootthemessenger.exe
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: riched32.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: ksuser.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: avrt.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: audioses.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Section loaded: midimap.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
Source: C:\Users\user\Desktop\shootthemessenger.exe Window found: window name: RICHEDIT
Source: C:\Users\user\Desktop\shootthemessenger.exe File opened: C:\Windows\SysWOW64\riched32.Dll
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\shootthemessenger.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\shootthemessenger.exe Code function: 0_2_00401000 GetModuleHandleA,GetVersion,ShowWindow,UpdateWindow,KiUserCallbackDispatcher,GetMessageA,KiUserCallbackDispatcher,TranslateAccelerator,TranslateMessage,DispatchMessageA,ExitProcess,GetModuleFileNameA,CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CloseHandle,FindCloseChangeNotification,GlobalFree,MessageBoxA,ExitProcess, 0_2_00401000
No contacted IP infos