Windows Analysis Report
WAdE7vk6kk.exe

Overview

General Information

Sample name: WAdE7vk6kk.exe
renamed because original name is a hash value
Original sample name: 7801c18c1bfe85c29be22a73508b587abd132302247b859fd865eb028546cfba.exe
Analysis ID: 1432271
MD5: 23d0437f7b646ed9239eeced668e0f12
SHA1: b5a54b5b909ffd7baf306c37bc5acc2d4e813f73
SHA256: 7801c18c1bfe85c29be22a73508b587abd132302247b859fd865eb028546cfba
Tags: exe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: WAdE7vk6kk.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_008EB0FC CertOpenStore,GetLastError,CryptStringToBinaryA,CertCloseStore,CertFindCertificateInStore,CertCloseStore,__fread_nolock,MultiByteToWideChar,PFXImportCertStore,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertFreeCertificateContext,CertCloseStore,CertFreeCertificateContext, 0_2_008EB0FC
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_008E9FB0 BCryptGenRandom, 0_2_008E9FB0
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_009140E0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, 0_2_009140E0
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00914140 CryptHashData, 0_2_00914140
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00914160 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00914160
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00914640 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 0_2_00914640
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_008EAB90 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_008EAB90
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00916C50 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00916C50
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_0090F0F0 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 0_2_0090F0F0
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_0090F5C0 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx, 0_2_0090F5C0
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00915E90 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00915E90
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00915EF0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00915EF0
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00915E30 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, 0_2_00915E30
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_008E9E40 BCryptGenRandom, 0_2_008E9E40
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_008E9F00 BCryptGenRandom, 0_2_008E9F00
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: -----BEGIN PUBLIC KEY----- 0_2_008CE890
Source: WAdE7vk6kk.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_008F9840
Source: WAdE7vk6kk.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.65.101:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: WAdE7vk6kk.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\General\SmartDropper\Release\SmartDropper.pdb source: WAdE7vk6kk.exe
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_009382C5 FindFirstFileExW, 0_2_009382C5
Source: Joe Sandbox View JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00905080 recv,WSAGetLastError, 0_2_00905080
Source: global traffic DNS traffic detected: DNS query: helloitelemetry.cc
Source: WAdE7vk6kk.exe String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: WAdE7vk6kk.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: WAdE7vk6kk.exe String found in binary or memory: https://curl.se/docs/hsts.html
Source: WAdE7vk6kk.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: WAdE7vk6kk.exe String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: WAdE7vk6kk.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: WAdE7vk6kk.exe String found in binary or memory: https://helloitelemetry.cc/2xpIMc81Kn
Source: WAdE7vk6kk.exe, 00000000.00000002.1660805540.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://helloitelemetry.cc/2xpIMc81Kn/9a6b4fe2-a803-4bfe-88e9-f61599aa8c1b/update
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: String function: 008D9D40 appears 71 times
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: String function: 008D9CE0 appears 37 times
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: String function: 008D57B0 appears 68 times
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: String function: 008D5720 appears 288 times
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: String function: 00917F40 appears 57 times
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: String function: 008D5650 appears 398 times
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: String function: 008DC090 appears 43 times
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: String function: 008DA2C0 appears 32 times
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: String function: 00912D50 appears 33 times
Source: classification engine Classification label: mal48.evad.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Mutant created: \Sessions\1\BaseNamedObjects\6ojlDCjfteCozqTBJdTa
Source: WAdE7vk6kk.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WAdE7vk6kk.exe String found in binary or memory: iphlpapi.dllif_nametoindexws2_32FreeAddrInfoExWGetAddrInfoExCancelGetAddrInfoExWkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Section loaded: kernel.appcore.dll
Source: WAdE7vk6kk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WAdE7vk6kk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WAdE7vk6kk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WAdE7vk6kk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WAdE7vk6kk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WAdE7vk6kk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: WAdE7vk6kk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WAdE7vk6kk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WAdE7vk6kk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WAdE7vk6kk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WAdE7vk6kk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_008D7DB0 GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA, 0_2_008D7DB0
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00917418 push ecx; ret 0_2_0091742B

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: WAdE7vk6kk.exe, 00000000.00000002.1660805540.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00923CD5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00923CD5
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_0093B4D9 GetProcessHeap, 0_2_0093B4D9
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00917861 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00917861
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00917CE9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00917CE9
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00917E7D SetUnhandledExceptionFilter, 0_2_00917E7D
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00916D70 cpuid 0_2_00916D70
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_0093A907
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: EnumSystemLocalesW, 0_2_0093ABB3
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: EnumSystemLocalesW, 0_2_0093ABFE
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: EnumSystemLocalesW, 0_2_0093AC99
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0093AD24
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: GetLocaleInfoW, 0_2_0093AF77
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0093B0A0
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: GetLocaleInfoW, 0_2_0093B1A6
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0093B27C
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: EnumSystemLocalesW, 0_2_0093349E
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: GetLocaleInfoW, 0_2_00933A61
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_0092792E GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0092792E
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_009363E8 GetTimeZoneInformation, 0_2_009363E8
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_008E9570 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket,closesocket, 0_2_008E9570
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_00904690 htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 0_2_00904690
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_008FC85A bind,WSAGetLastError, 0_2_008FC85A
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_008FCA50 bind,WSAGetLastError, 0_2_008FCA50
Source: C:\Users\user\Desktop\WAdE7vk6kk.exe Code function: 0_2_008F53C0 getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,getsockname,listen,WSAGetLastError,htons,htons, 0_2_008F53C0