Windows Analysis Report
hv7H7u7IvS.exe

Overview

General Information

Sample name: hv7H7u7IvS.exe
renamed because original name is a hash value
Original sample name: 50f45a0537eac244e3afa4f07684095d.exe
Analysis ID: 1432351
MD5: 50f45a0537eac244e3afa4f07684095d
SHA1: 3f1f70aff06ecaa65188072405edbf4778868deb
SHA256: 0b3f57e62dacdf7f1dddddbea20daced70e88ef547e795fbadfa124be5a422c2
Tags: 64exe

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

Source: hv7H7u7IvS.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD6842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF66DD6842C
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD58AF0 FindFirstFileExW,FindClose, 0_2_00007FF66DD58AF0
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD724C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF66DD724C4
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: String function: 00007FF66DD52B10 appears 47 times
Source: classification engine Classification label: clean5.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD58560 GetLastError,FormatMessageW,WideCharToMultiByte, 0_2_00007FF66DD58560
Source: hv7H7u7IvS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe File read: C:\Users\user\Desktop\hv7H7u7IvS.exe
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Section loaded: wintypes.dll
Source: hv7H7u7IvS.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: hv7H7u7IvS.exe Static file information: File size 30408704 > 1048576
Source: hv7H7u7IvS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: hv7H7u7IvS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: hv7H7u7IvS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: hv7H7u7IvS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: hv7H7u7IvS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: hv7H7u7IvS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: hv7H7u7IvS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hv7H7u7IvS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hv7H7u7IvS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hv7H7u7IvS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hv7H7u7IvS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: hv7H7u7IvS.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD56EF0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF66DD56EF0
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe API coverage: 6.1 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD5C6AC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF66DD5C6AC
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD740D0 GetProcessHeap, 0_2_00007FF66DD740D0
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD5BE20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF66DD5BE20
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD5C88C SetUnhandledExceptionFilter, 0_2_00007FF66DD5C88C
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD6B1B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF66DD6B1B8
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD7A420 cpuid 0_2_00007FF66DD7A420
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD5C590 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF66DD5C590
Source: C:\Users\user\Desktop\hv7H7u7IvS.exe Code function: 0_2_00007FF66DD76950 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF66DD76950
No contacted IP infos