Windows Analysis Report
openurl.exe

Overview

General Information

Sample name: openurl.exe
Analysis ID: 1431823
MD5: c907c48492d52f2de4c9b9e22c256742
SHA1: 4767e3c8a4f31628ef6e759def710e5dad46c1ee
SHA256: 1e69e00f0361e9a4d21b0386015c7b8d8186bec53ad325ea2c079441fcb37f62

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: openurl.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: openurl.exe Static PE information: certificate valid
Source: openurl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: openurl.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: openurl.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: openurl.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: openurl.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: openurl.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: openurl.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: openurl.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: openurl.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: openurl.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: openurl.exe String found in binary or memory: http://ocsp.digicert.com0
Source: openurl.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: openurl.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: openurl.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: openurl.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: classification engine Classification label: clean2.winEXE@1/0@0/0
Source: openurl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\openurl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\openurl.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\openurl.exe Section loaded: qt5widgets.dll
Source: C:\Users\user\Desktop\openurl.exe Section loaded: qt5gui.dll
Source: C:\Users\user\Desktop\openurl.exe Section loaded: qt5core.dll
Source: C:\Users\user\Desktop\openurl.exe Section loaded: vcruntime140.dll
Source: openurl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: openurl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: openurl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: openurl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: openurl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: openurl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: openurl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: openurl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: openurl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: openurl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: openurl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\openurl.exe Code function: 0_2_00771EC6 push ecx; ret 0_2_00771ED9
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\openurl.exe Code function: 0_2_00771C37 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00771C37
Source: C:\Users\user\Desktop\openurl.exe Code function: 0_2_0077177E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0077177E
Source: C:\Users\user\Desktop\openurl.exe Code function: 0_2_00771DCA SetUnhandledExceptionFilter, 0_2_00771DCA
Source: C:\Users\user\Desktop\openurl.exe Code function: 0_2_00771EFE cpuid 0_2_00771EFE
Source: C:\Users\user\Desktop\openurl.exe Code function: 0_2_00771B21 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00771B21
No contacted IP information