Windows Analysis Report
BDFirm180.exe

Overview

General Information

Sample name: BDFirm180.exe
Analysis ID: 1432310
MD5: d1d78d33fb33f1d0a0d217c77febb364
SHA1: f1eb83f04a4d6a57f546164846f99db6a4e3c569
SHA256: 3493225143e3b0935083fd7b2c66cead25b4d639486520934e2f18e6b4540254

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Uses 32bit PE files

Classification

AV Detection

Source: BDFirm180.exe Virustotal: Detection: 16%
Source: BDFirm180.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BDFirm180.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: BDFirm180.exe Static PE information: Resource name: DLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: classification engine Classification label: mal48.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\BDFirm180.exe Mutant created: \Sessions\1\BaseNamedObjects\Roland Firmware Installer
Source: C:\Users\user\Desktop\BDFirm180.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\RemoteController ROBI
Source: C:\Users\user\Desktop\BDFirm180.exe File created: C:\Users\user\AppData\Local\Temp\RemoteCTR.DLL
Source: BDFirm180.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BDFirm180.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: snmpapi.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: mgmtapi.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: wsnmp32.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\BDFirm180.exe Section loaded: rasadhlp.dll
Source: BDFirm180.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: BDFirm180.exe Static file information: File size 6023168 > 1048576
Source: BDFirm180.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14e000
Source: BDFirm180.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x3b9600
Source: BDFirm180.exe Static PE information: More than 200 imports for USER32.dll
Source: BDFirm180.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: BDFirm180.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: BDFirm180.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: BDFirm180.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: BDFirm180.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\BDFirm180.exe File created: C:\Users\user\AppData\Local\Temp\RemoteCTR.DLL
Source: C:\Users\user\Desktop\BDFirm180.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BDFirm180.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BDFirm180.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BDFirm180.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BDFirm180.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RemoteCTR.DLL
No contacted IP infos