Windows Analysis Report
Mol2sxTjLw.exe

Overview

General Information

Sample name: Mol2sxTjLw.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 2ac6056ec233651a6d250a79e90067501fcb160d575451484da5e96f7c930030
Analysis ID: 1431956
MD5: f1f1e44ce2d94e04b8bcfd71e77f3e08
SHA1: 878526629858534871c263cde4b97da4a9c5eb9a
SHA256: 2ac6056ec233651a6d250a79e90067501fcb160d575451484da5e96f7c930030

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
Contains functionality to dynamically determine API calls
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (might use process or thread times for sandbox detection)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider

AV Detection

Source: Mol2sxTjLw.exe Virustotal: Detection: 7%
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Code function: 0_2_00007FF726AB6270 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,_Init_thread_header,GetSystemTimeAsFileTime,GetCurrentProcessId, 0_2_00007FF726AB6270
Source: Mol2sxTjLw.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: .d?.v {.xqTM.}W.G\p.DIim.pM].VF.jM.u m C[.k.vg KqvC&] y f.y?n9 gP.tW.sd er Q.WeP.XScA }.H?O.TJUtQN@x b.}S.q.oP.gh U+ D.h.{m) q.{TEI?GGF.pDbkr%. source: Mol2sxTjLw.exe, 00000000.00000000.1639430585.00007FF726D93000.00000002.00000001.01000000.00000003.sdmp, Mol2sxTjLw.exe, 00000000.00000002.1677251869.00007FF726DBD000.00000002.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Code function: 0_2_00007FF7269D9000 FindFirstFileExW,FindNextFileW,FindNextFileW,GetLastError,GetLastError,FindClose,_Init_thread_header, 0_2_00007FF7269D9000
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Code function: 0_2_00007FF726AB5120 GetCommandLineW,FindFirstFileW,FindNextFileW,FindClose,_Init_thread_header,GetModuleFileNameW,GetLongPathNameW,GetLastError,_Init_thread_header,_Init_thread_header,_Init_thread_header,_Init_thread_header, 0_2_00007FF726AB5120
Source: Mol2sxTjLw.exe String found in binary or memory: http://llvm.org/):
Source: Mol2sxTjLw.exe String found in binary or memory: https://github.com/llvm/llvm-project/issues/
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Code function: String function: 00007FF7269CFF40 appears 48 times
Source: Mol2sxTjLw.exe Binary or memory string: llvm.ppc.altivec.vbpermd
Source: Mol2sxTjLw.exe Binary or memory string: llvm.s390.vbperm
Source: Mol2sxTjLw.exe, 00000000.00000000.1639430585.00007FF726D93000.00000002.00000001.01000000.00000003.sdmp, Mol2sxTjLw.exe, 00000000.00000002.1677251869.00007FF726DBD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: P iiL-.M.r|.y.h.M.O1 OBui;V.VbP iVXniWGu.OREE q Cuup.y.R mfd u.B ty.D1
Source: Mol2sxTjLw.exe Binary or memory string: llvm.ppc.altivec.vbpermq
Source: classification engine Classification label: mal52.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Code function: 0_2_00007FF726AC0D00 GetLastError,FormatMessageA,LocalFree, 0_2_00007FF726AC0D00
Source: Mol2sxTjLw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Mol2sxTjLw.exe String found in binary or memory: --help
Source: Mol2sxTjLw.exe String found in binary or memory: -help
Source: Mol2sxTjLw.exe String found in binary or memory: --help'
Source: Mol2sxTjLw.exe String found in binary or memory: <subcommand> --help" to get more help on a specific subcommand
Source: Mol2sxTjLw.exe String found in binary or memory: --help'H
Source: Mol2sxTjLw.exe String found in binary or memory: cated.v2i64.v4i1cde.vcx1q.prediccde.vcx2q.predicrget-enforcementbranch-target-enn-return-addresssign-return-addrage Info SectionObjective-C Imagrbage CollectionObjective-C Garbectorizer.unrollf16.dpbf16ps.128avx512bf16.dpbf1f16.dpbf16ps.256f16.dpbf16ps.512cvtneps2bf16.256avx512bf16.cvtnecvtneps2bf16.512cvtneps2bf16.128avx512bf16.mask.vtne2ps2bf16.128vtne2ps2bf16.256vtne2ps2bf16.512.mask.cmp.pd.128.mask.cmp.pd.256.mask.cmp.pd.512.mask.cmp.ps.128.mask.cmp.ps.256.mask.cmp.ps.512512.mask.vfmadd.add.
Source: Mol2sxTjLw.exe String found in binary or memory: --relative-address
Source: Mol2sxTjLw.exe String found in binary or memory: use-dbg-addr
Source: Mol2sxTjLw.exe String found in binary or memory: full-stop
Source: Mol2sxTjLw.exe String found in binary or memory: Alias for --help
Source: Mol2sxTjLw.exe String found in binary or memory: Display list of available options (--help-list-hidden for more)
Source: Mol2sxTjLw.exe String found in binary or memory: Display available options (--help-hidden for more)
Source: Mol2sxTjLw.exe String found in binary or memory: See each individual command --help for more details.
Source: Mol2sxTjLw.exe String found in binary or memory: <command> -help
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Section loaded: winhttp.dll
Source: Mol2sxTjLw.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Mol2sxTjLw.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Mol2sxTjLw.exe Static file information: File size 5901312 > 1048576
Source: Mol2sxTjLw.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x37d200
Source: Mol2sxTjLw.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x141400
Source: Mol2sxTjLw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Mol2sxTjLw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Mol2sxTjLw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Mol2sxTjLw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Mol2sxTjLw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Code function: 0_2_00007FF726ABA0F0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,EnterCriticalSection,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,SetConsoleCtrlHandler, 0_2_00007FF726ABA0F0
Source: Mol2sxTjLw.exe Static PE information: section name: .00cfg
Source: Mol2sxTjLw.exe Static PE information: section name: .voltbl
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Code function: 0_2_00007FF726ABFDF0 WaitForSingleObject,TerminateProcess,WaitForSingleObject,CloseHandle,GetProcessTimes,K32GetProcessMemoryInfo,GetExitCodeProcess,GetLastError,CloseHandle,SetLastError,CloseHandle, 0_2_00007FF726ABFDF0
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe API coverage: 1.4 %
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe TID: 5016 Thread sleep time: -1000000s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Code function: 0_2_00007FF7269D8FC0 GetSystemInfo, 0_2_00007FF7269D8FC0
Source: Mol2sxTjLw.exe Binary or memory string: IR.yd.l.dG P.jD.Jg2MJ oG D Il.GQEMU+.R`c.{0pnJC.u n d u U qo G w.f.
Source: Mol2sxTjLw.exe Binary or memory string: QEMU+.R`c.{0p
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Code function: 0_2_00007FF726CACD8C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF726CACD8C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Mol2sxTjLw.exe NtClose: Indirect: 0x7FF726DB76F1
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe NtQuerySystemInformation: Indirect: 0x7FF726DB7825
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe NtCreateThreadEx: Indirect: 0x7FF726DB7AA6
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe NtQueueApcThread: Indirect: 0x7FF726DB78AA
Source: C:\Users\user\Desktop\Mol2sxTjLw.exe Code function: 0_2_00007FF726CAD868 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF726CAD868
No contacted IP infos