Windows Analysis Report
5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe

Overview

General Information

Sample name: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe
Analysis ID: 1486293
MD5: e8e5c3ae6f7d5ff91bda7379b8e16eff
SHA1: 21117032713e26242bcd242dea4b3670396ed18c
SHA256: 47636fba9f8ced2a907949ebbf64334026f6efb6946dd0c78cad5dc19b478a10
Tags: exe

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Allocates memory in foreign processes
Found API chain indicative of debugger detection
Injects a PE file into a foreign process
Machine Learning detection for sample
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found evasive API chain (date check)
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Avira: detected
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe ReversingLabs: Detection: 68%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Joe Sandbox ML: detected
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: global traffic TCP traffic: 192.168.2.4:49737 -> 194.48.248.72:7833
Source: unknown TCP traffic detected without corresponding DNS query: 194.48.248.72
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: http://prototype.conio.net/
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: http://www.atozed.com
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: http://www.wapforum.org/DTD/wml_1.1.xml
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: http://www.wapforum.org/DTD/xhtml-mobile10.dtd
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_131BAC47 5_2_131BAC47
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe, 00000000.00000000.1679007389.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePeopleMatter: vs 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Binary or memory string: OriginalFilenamePeopleMatter: vs 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe
Source: classification engine Classification label: mal80.evad.winEXE@3/0@0/1
Source: Yara match File source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1678844742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: NATS-SEFI-ADD
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: NATS-DANO-ADD
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: jp-ocr-b-add
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: jp-ocr-hand-add
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: ISO_6937-2-add
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: <P>The IP/Address you used was %s.%s
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe String found in binary or memory: Execute via &Default browser/Launch default browser and execute application.
Source: unknown Process created: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe "C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe"
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Process created: C:\Windows\SysWOW64\grpconv.exe C:\windows\syswow64\grpconv.exe
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Section loaded: wship6.dll
Source: C:\Windows\SysWOW64\grpconv.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\grpconv.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\grpconv.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\grpconv.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\grpconv.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\grpconv.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\grpconv.exe Section loaded: kernel.appcore.dll
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Static file information: File size 20952576 > 1048576
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1315000
Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_14A8C880 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 5_2_14A8C880
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Code function: 0_2_0019BE14 push esp; retf 0019h 0_2_0019BE15
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Code function: 0_2_0019C994 push esp; retf 0019h 0_2_0019C995
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Code function: 0_2_0019BF81 push esp; retf 0019h 0_2_0019BFA1
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Code function: 0_2_0019B549 push esp; retf 0019h 0_2_0019B559
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Code function: 0_2_0019BEE0 push esp; retf 0019h 0_2_0019BEE1
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Code function: 0_2_0019C9E0 push esp; retf 0019h 0_2_0019C9E1
Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_13195609 push ecx; ret 5_2_1319561C
Source: C:\Windows\SysWOW64\grpconv.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe TID: 7892 Thread sleep time: -146000s >= -30000s
Source: C:\Windows\SysWOW64\grpconv.exe TID: 7172 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\grpconv.exe TID: 8180 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\grpconv.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\grpconv.exe Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\grpconv.exe Thread delayed: delay time: 30000
Source: grpconv.exe, 00000005.00000002.4132852100.00000000029A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\grpconv.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Windows\SysWOW64\grpconv.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_131A1C1F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_131A1C1F
Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_14A8C880 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 5_2_14A8C880
Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_131B2121 mov eax, dword ptr fs:[00000030h] 5_2_131B2121
Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_131ACD25 mov eax, dword ptr fs:[00000030h] 5_2_131ACD25
Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_131B2165 mov eax, dword ptr fs:[00000030h] 5_2_131B2165
Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_131946C5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_131946C5

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Memory allocated: C:\Windows\SysWOW64\grpconv.exe base: 13140000 protect: page execute and read and write
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Memory written: C:\Windows\SysWOW64\grpconv.exe base: 13140000 value starts with: 4D5A
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Memory written: C:\Windows\SysWOW64\grpconv.exe base: 13140000
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Memory written: C:\Windows\SysWOW64\grpconv.exe base: 471008
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe Process created: C:\Windows\SysWOW64\grpconv.exe C:\windows\syswow64\grpconv.exe
Source: C:\Windows\SysWOW64\grpconv.exe Code function: EnumSystemLocalesW, 5_2_131B176D
Source: C:\Windows\SysWOW64\grpconv.exe Code function: GetLocaleInfoW, 5_2_131BB391
Source: C:\Windows\SysWOW64\grpconv.exe Code function: GetLocaleInfoW, 5_2_131BB7FC
Source: C:\Windows\SysWOW64\grpconv.exe Code function: GetLocaleInfoW, 5_2_131BBA28
Source: C:\Windows\SysWOW64\grpconv.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_131BBAF7
Source: C:\Windows\SysWOW64\grpconv.exe Code function: EnumSystemLocalesW, 5_2_131BB51E
Source: C:\Windows\SysWOW64\grpconv.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_131BB922
Source: C:\Windows\SysWOW64\grpconv.exe Code function: GetLocaleInfoW, 5_2_131B1D26
Source: C:\Windows\SysWOW64\grpconv.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 5_2_131BB196
Source: C:\Windows\SysWOW64\grpconv.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_131BB5A9
Source: C:\Windows\SysWOW64\grpconv.exe Code function: EnumSystemLocalesW, 5_2_131BB438
Source: C:\Windows\SysWOW64\grpconv.exe Code function: EnumSystemLocalesW, 5_2_131BB483
Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_13181B54 GetSystemTimeAsFileTime, 5_2_13181B54