Windows Analysis Report
GB72405.exe

Overview

General Information

Sample name: GB72405.exe
Analysis ID: 1438236
MD5: b13e8f3d2779aa2102e2c3db3b2957d2
SHA1: c15973faef8acbbf35b5b8361d3282bc4f2aaa23
SHA256: c96632658ed3356d4a3615740999a04f70f77a7cf60263be59b3f2ac28e0eec7

Detection

Score: 29
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

PE file has a writeable .text section
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00448850 CryptAcquireContextW, 0_2_00448850
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00448B40 CryptCreateHash, 0_2_00448B40
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00426C76 __EH_prolog3,__CxxThrowException@8,CryptDeriveKey,CryptGenKey,CryptSetKeyParam, 0_2_00426C76
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00449150 CryptHashPublicKeyInfo, 0_2_00449150
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00449130 CryptGetUserKey, 0_2_00449130
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0042721E __EH_prolog3,__CxxThrowException@8,CryptGetKeyParam,CryptSetKeyParam, 0_2_0042721E
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0042742C __EH_prolog3,__CxxThrowException@8,CryptSetKeyParam, 0_2_0042742C
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0042754F CryptGetKeyParam,__CxxThrowException@8, 0_2_0042754F
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_004487F0 CryptGenRandom, 0_2_004487F0
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00448870 CryptReleaseContext, 0_2_00448870
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00448930 CryptVerifyCertificateSignature,__time64, 0_2_00448930
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00448AF0 CryptDestroyHash, 0_2_00448AF0
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00448B60 CryptHashData, 0_2_00448B60
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00448B00 CryptSetHashParam, 0_2_00448B00
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00448B20 CryptGetHashParam, 0_2_00448B20
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00448B80 CryptDestroyKey, 0_2_00448B80
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00448D60 CryptImportPublicKeyInfo, 0_2_00448D60
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00448D30 CryptVerifySignatureW, 0_2_00448D30
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00448D80 _calloc,_calloc,CryptAcquireContextA,CertSetCRLContextProperty,CryptAcquireCertificatePrivateKey,CertSetCRLContextProperty, 0_2_00448D80
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00426F0A __CxxThrowException@8,CryptImportKey,CryptSetKeyParam, 0_2_00426F0A
Source: GB72405.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: d:\DistributionUtility\HDFloppyWrite\HDFloppyWrite\Debug\HDFloppyWrite.pdb( source: HDFloppyWrite.exe
Source: Binary string: d:\DistributionUtility\HDFloppyWrite\HDFloppyWrite\Debug\HDFloppyWrite.pdb source: HDFloppyWrite.exe
Source: GB72405.exe String found in binary or memory: http://www.openssl.org/support/faq.html
Source: GB72405.exe String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: GB72405.exe, 00000000.00000003.1039843785.00000000007B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pkware.com/

System Summary

Source: GB72405.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00418A8E: __CxxThrowException@8,SetFileAttributesW,CreateFileW,DeviceIoControl,CloseHandle, 0_2_00418A8E
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00441000 0_2_00441000
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00422440 0_2_00422440
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0043F880 0_2_0043F880
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00481061 0_2_00481061
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0043A1D0 0_2_0043A1D0
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_004751E0 0_2_004751E0
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00446190 0_2_00446190
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00474420 0_2_00474420
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00443480 0_2_00443480
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0047A58E 0_2_0047A58E
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_004815A3 0_2_004815A3
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00443970 0_2_00443970
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00438A76 0_2_00438A76
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00481AE5 0_2_00481AE5
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00475B7F 0_2_00475B7F
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0046EC87 0_2_0046EC87
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00482E9C 0_2_00482E9C
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00441F40 0_2_00441F40
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0047BF0F 0_2_0047BF0F
Source: C:\Users\user\Desktop\GB72405.exe Code function: String function: 004733A0 appears 32 times
Source: C:\Users\user\Desktop\GB72405.exe Code function: String function: 0047F7CB appears 67 times
Source: C:\Users\user\Desktop\GB72405.exe Code function: String function: 0041B0F2 appears 31 times
Source: C:\Users\user\Desktop\GB72405.exe Code function: String function: 00475180 appears 39 times
Source: C:\Users\user\Desktop\GB72405.exe Code function: String function: 0047F798 appears 235 times
Source: GB72405.exe Static PE information: Resource name: PKTEXT type: Zip archive data, at least v5.0 to extract, compression method=deflate
Source: GB72405.exe, 00000000.00000002.1615835731.00000000004D2000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePKSFX.exeN vs GB72405.exe
Source: GB72405.exe, 00000000.00000000.1036649689.00000000004CD000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePKSFX.exeN vs GB72405.exe
Source: GB72405.exe Binary or memory string: OriginalFilenamePKSFX.exeN vs GB72405.exe
Source: classification engine Classification label: sus29.winEXE@3/22@0/0
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_004488F0 CertOpenSystemStoreW, 0_2_004488F0
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00419044 GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,GetProcAddress,GetDiskFreeSpaceA, 0_2_00419044
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0043EAB0 FindResourceW,__CxxThrowException@8,SizeofResource,__CxxThrowException@8,LoadResource,__CxxThrowException@8,LockResource,__CxxThrowException@8,__CxxThrowException@8,_wcscat_s,_wcscat_s,_wcsncpy,_wcsncpy,_malloc,_wcsncpy,_malloc,_wcsrchr, 0_2_0043EAB0
Source: C:\Users\user\Desktop\GB72405.exe File created: C:\Users\user\Desktop\GB72405
Source: C:\Users\user\Desktop\GB72405.exe Mutant created: \Sessions\1\BaseNamedObjects\/tmp/..PKText.PKSFX.en_US.MUTEX
Source: C:\Users\user\Desktop\GB72405.exe Mutant created: \Sessions\1\BaseNamedObjects\/tmp/..PKText.PKSFX.en_GB.MUTEX
Source: C:\Users\user\Desktop\GB72405.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\GB72405.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: GB72405.exe String found in binary or memory: set-addPolicy
Source: GB72405.exe String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\GB72405.exe File read: C:\Users\user\Desktop\GB72405.exe
Source: unknown Process created: C:\Users\user\Desktop\GB72405.exe "C:\Users\user\Desktop\GB72405.exe"
Source: C:\Users\user\Desktop\GB72405.exe Process created: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe "C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe" GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\GB72405.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\GB72405.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: GB72405.exe Static file information: File size 3110227 > 1048576
Source: initial sample Static PE information: section where entry point is pointing to: .pklstb
Source: HDFloppyWrite.exe.0.dr Static PE information: real checksum: 0x0 should be: 0xa3370
Source: GB72405.exe Static PE information: real checksum: 0x8e316 should be: 0x2fe4dc
Source: GB72405.exe Static PE information: section name: .pklstb
Source: GB72405.exe Static PE information: section name: .relo2
Source: HDFloppyWrite.exe.0.dr Static PE information: section name: .textbss
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_3_007AFA47 push es; iretd 0_3_007AFA52
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_3_007AFA45 push es; retf 0_3_007AFA46
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_3_007B742B push es; ret 0_3_007B742E
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_3_007AF611 push es; ret 0_3_007AFA32
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_3_007BFCB7 pushfd ; ret 0_3_007BFD35
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_3_007BFDCD pushfd ; ret 0_3_007BFE9D
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_3_007B4DC4 pushad ; retf 0_3_007B4EED
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_3_007B719C push es; retf 0_3_007B7286
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_004751C5 push ecx; ret 0_2_004751D8
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0047F870 push ecx; ret 0_2_0047F883
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00416E0B push eax; ret 0_2_00416E12
Source: GB72405.exe Static PE information: section name: .pklstb entropy: 7.991138007494125
Source: C:\Users\user\Desktop\GB72405.exe File created: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe
Source: C:\Users\user\Desktop\GB72405.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GB72405.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\GB72405.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0046E052 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0046E052
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0048332F GetProcessHeap,RtlAllocateHeap,RtlInterlockedPopEntrySList,VirtualAlloc,RtlInterlockedPopEntrySList,VirtualFree,RtlInterlockedPushEntrySList, 0_2_0048332F
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00474302 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00474302
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00471A99 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00471A99
Source: GB72405.exe Binary or memory string: %A[open("%1")]open$.^.%0shell\%sshell\%s\commandPROGMAN\/
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_0047E922 cpuid 0_2_0047E922
Source: C:\Users\user\Desktop\GB72405.exe Code function: GetLocaleInfoW,_wcsncpy,_wcsncpy,_wcsncpy,_malloc,_malloc,CreateMutexW,WaitForSingleObject,_malloc,ReleaseMutex,CloseHandle,_memset,WideCharToMultiByte,ReleaseMutex,CloseHandle,_malloc,_wcsrchr,ReleaseMutex,CloseHandle,CreateFileMappingW,GetLastError,ReleaseMutex,CloseHandle,MapViewOfFile,__CxxThrowException@8,_malloc,_wcsrchr,ReleaseMutex,CloseHandle, 0_2_0043F880
Source: C:\Users\user\Desktop\GB72405.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 0_2_004830DA
Source: C:\Users\user\Desktop\GB72405.exe Code function: GetLocaleInfoA, 0_2_0047F0AA
Source: C:\Users\user\Desktop\GB72405.exe Queries volume information: C:\Users\user\Desktop\GB72405.exe VolumeInformation
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00473B6B GetSystemTimeAsFileTime,__aulldiv, 0_2_00473B6B
Source: C:\Users\user\Desktop\GB72405.exe Code function: 0_2_00483143 GetVersionExA,InterlockedExchange, 0_2_00483143
Source: C:\Users\user\Desktop\GB72405.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos