Windows Analysis Report
Payload.exe

Overview

General Information

Sample name: Payload.exe
Analysis ID: 1487423
MD5: 9c04cc2093d04bcb63b5505e26a5d681
SHA1: d699d464108c960f5d7aac5ffeff195f5749b57a
SHA256: d3d58aeaa5eff57a8235cacc3e5c8b2b7ca00064b80abbe8b4b062725bc6c659
Tags: exe

Detection

Clipboard Hijacker
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Clipboard Hijacker
AI detected suspicious sample
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Payload.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Avira: detection malicious, Label: HEUR/AGEN.1314455
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Virustotal: Detection: 62%
Source: Payload.exe ReversingLabs: Detection: 84%
Source: Payload.exe Virustotal: Detection: 62%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 91.6% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Joe Sandbox ML: detected
Source: Payload.exe Joe Sandbox ML: detected
Source: Payload.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Payload.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\Desktop\Payload.exe Code function: 4x nop then dec eax 0_2_00007FFD9BA116E9
Source: C:\Users\user\Desktop\Payload.exe Window created: window name: CLIPBRDWNDCLASS
Source: classification engine Classification label: mal96.adwa.spyw.winEXE@2/3@0/0
Source: C:\Users\user\Desktop\Payload.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Payload.exe Mutant created: \Sessions\1\BaseNamedObjects\HZ7oDGV5TWzfti2Q
Source: Payload.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Payload.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Payload.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payload.exe File read: C:\Users\user\Desktop\Payload.exe
Source: unknown Process created: C:\Users\user\Desktop\Payload.exe "C:\Users\user\Desktop\Payload.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"
Source: C:\Users\user\Desktop\Payload.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Payload.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Section loaded: uxtheme.dll
Source: Payload.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payload.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Payload.exe Code function: 0_2_00007FFD9BA10508 push ebx; retf 0_2_00007FFD9BA1052A
Source: C:\Users\user\Desktop\Payload.exe Code function: 0_2_00007FFD9BA104F0 push ebx; retf 0_2_00007FFD9BA1052A
Source: C:\Users\user\Desktop\Payload.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Boot Survival

Source: C:\Users\user\Desktop\Payload.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Payload.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payload.exe Memory allocated: 1070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payload.exe Memory allocated: 1AF10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Memory allocated: FF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Memory allocated: 1AE30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe TID: 7464 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Payload.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Payload.exe Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe VolumeInformation
Source: C:\Users\user\Desktop\Payload.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: Payload.exe, type: SAMPLE
Source: Yara match File source: 0.0.Payload.exe.c10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1642342731.0000000000C12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe, type: DROPPED