Windows Analysis Report
URGENT ORDER.exe

Overview

General Information

Sample name: URGENT ORDER.exe
Analysis ID: 1432051
MD5: 4498a75f6f27e3e03a0b14ba933c0a06
SHA1: 259d54f92d825925cf87c9057d5d0c47a0c50bfb
SHA256: 270da7ba03177d793879ddc0272e94a0003e9327298879463693f7b78f199e28
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries Google from non browser process on port 80
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: URGENT ORDER.exe Avira: detected
Source: URGENT ORDER.exe ReversingLabs: Detection: 41%
Source: URGENT ORDER.exe Joe Sandbox ML: detected
Source: URGENT ORDER.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: C:\Users\user\Desktop\URGENT ORDER.exe HTTP traffic: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: C:\Users\user\Desktop\URGENT ORDER.exe HTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj029XrK4z0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj029XrK4z0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000341B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: URGENT ORDER.exe String found in binary or memory: http://www.google.com
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp, URGENT ORDER.exe, 00000000.00000002.2109504607.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, URGENT ORDER.exe, 00000000.00000002.2109504607.000000000341B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj0
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000341B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/t
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.comd
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/api.js

System Summary

Source: initial sample Static PE information: Filename: URGENT ORDER.exe
Source: C:\Users\user\Desktop\URGENT ORDER.exe Code function: 0_2_01546D58 0_2_01546D58
Source: C:\Users\user\Desktop\URGENT ORDER.exe Code function: 0_2_01544D00 0_2_01544D00
Source: C:\Users\user\Desktop\URGENT ORDER.exe Code function: 0_2_0154A8D0 0_2_0154A8D0
Source: C:\Users\user\Desktop\URGENT ORDER.exe Code function: 0_2_01547C38 0_2_01547C38
Source: URGENT ORDER.exe, 00000000.00000002.2109013393.00000000015FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs URGENT ORDER.exe
Source: classification engine Classification label: mal76.evad.winEXE@1/1@1/1
Source: C:\Users\user\Desktop\URGENT ORDER.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\URGENT ORDER.exe.log
Source: C:\Users\user\Desktop\URGENT ORDER.exe Mutant created: NULL
Source: URGENT ORDER.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: URGENT ORDER.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\URGENT ORDER.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: URGENT ORDER.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: URGENT ORDER.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: URGENT ORDER.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: URGENT ORDER.exe, Jm1s.cs .Net Code: NewLateBinding.LateCall(objectValue3, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Source: URGENT ORDER.exe, Jm1s.cs .Net Code: r2GY System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\URGENT ORDER.exe Code function: 0_2_015462C8 push esp; ret 0_2_015462D1
Source: URGENT ORDER.exe, Gb7.cs High entropy of concatenated method names: 'Ri', 'o7', 'q9', 'n6', 'a0', 'g6', 'Gy', 'Ki', 'By', 'Na'
Source: C:\Users\user\Desktop\URGENT ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\URGENT ORDER.exe Memory allocated: 1540000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\URGENT ORDER.exe Memory allocated: 33B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\URGENT ORDER.exe Memory allocated: 17F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\URGENT ORDER.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\URGENT ORDER.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\URGENT ORDER.exe Thread delayed: delay time: 599889
Source: C:\Users\user\Desktop\URGENT ORDER.exe Thread delayed: delay time: 599780
Source: C:\Users\user\Desktop\URGENT ORDER.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\URGENT ORDER.exe Window / User API: threadDelayed 368
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6620 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6620 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6620 Thread sleep time: -599889s >= -30000s
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6484 Thread sleep count: 368 > 30
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6620 Thread sleep time: -599780s >= -30000s
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 380 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 5876 Thread sleep time: -922337203685477s >= -30000s
Source: URGENT ORDER.exe, 00000000.00000002.2109013393.0000000001680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\URGENT ORDER.exe Code function: 0_2_01544528 LdrInitializeThunk, 0_2_01544528
Source: C:\Users\user\Desktop\URGENT ORDER.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\URGENT ORDER.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\URGENT ORDER.exe Queries volume information: C:\Users\user\Desktop\URGENT ORDER.exe VolumeInformation
Source: C:\Users\user\Desktop\URGENT ORDER.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT ORDER.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT ORDER.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\URGENT ORDER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid