Windows Analysis Report
4NsDuAp8TA.exe

Overview

General Information

Sample name: 4NsDuAp8TA.exe
renamed because original name is a hash value
Original sample name: 0471df01d611ffbd17f9bb9e6e32d69685d2378184c69107ff78a31bbbc84567.exe
Analysis ID: 1438239
MD5: cae6f54148013b927ed9f993f739ae2e
SHA1: 381484ae43668a86797ef320f3d0eaaf0e907251
SHA256: 0471df01d611ffbd17f9bb9e6e32d69685d2378184c69107ff78a31bbbc84567
Tags: exe
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Uses 32bit PE files

Classification

AV Detection

Source: 4NsDuAp8TA.exe Virustotal: Detection: 38%
Source: 4NsDuAp8TA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Code function: 0_2_0040264F FindFirstFileA, 0_2_0040264F
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Code function: 0_2_00405454 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405454
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Code function: 0_2_00405E7B FindFirstFileA,FindClose, 0_2_00405E7B
Source: 4NsDuAp8TA.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 4NsDuAp8TA.exe, 00000000.00000002.2045049060.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error(
Source: 4NsDuAp8TA.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FC2
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Code function: 0_2_004030EF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030EF
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Code function: 0_2_00404801 0_2_00404801
Source: 4NsDuAp8TA.exe Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: classification engine Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Code function: 0_2_004042C5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004042C5
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, 0_2_00402036
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe File created: C:\Users\user\AppData\Local\Temp\nsi56C.tmp
Source: 4NsDuAp8TA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe File read: C:\Users\user\Desktop\4NsDuAp8TA.exe
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Code function: 0_2_00405EA2 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405EA2
Source: 4NsDuAp8TA.exe Static PE information: real checksum: 0x70616 should be: 0x310b9
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe API coverage: 8.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe Code function: 0_2_00405B99 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405B99
No contacted IP infos