Analysis Report addceupr21_bubbles.exe

Overview

General Information

Sample Name: addceupr21_bubbles.exe
Analysis ID: 321424
MD5: 11c2b95348f338db6835c23e6be1c862
SHA1: 3346e2fe2384afd22218c16c9028b56a2fed3d66
SHA256: a365df50290d34a97ad1c02a9c1d9d39a6365720f947703292a3a00a6575a61c

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Machine Learning detection for sample
PE file has a writeable .text section
Antivirus or Machine Learning detection for unpacked file
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: addceupr21_bubbles.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: addceupr21_bubbles.exe Virustotal: Detection: 26%
Machine Learning detection for sample
Source: addceupr21_bubbles.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.addceupr21_bubbles.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.0.addceupr21_bubbles.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\addceupr21_bubbles.exe Code function: 4x nop then push ebp 0_2_00406170

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
PE file has a writeable .text section
Source: addceupr21_bubbles.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
PE file contains strange resources
Source: addceupr21_bubbles.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: addceupr21_bubbles.exe, 00000000.00000002.212499955.000000000040A000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameBubbles.exe vs addceupr21_bubbles.exe
Source: addceupr21_bubbles.exe, 00000000.00000002.212681425.00000000021C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs addceupr21_bubbles.exe
Source: addceupr21_bubbles.exe Binary or memory string: OriginalFilenameBubbles.exe vs addceupr21_bubbles.exe
Source: addceupr21_bubbles.exe Binary or memory string: @*\AC:\Documents and Settings\Mkelly\My Documents\Bubbles\Bubbles.vbp
Source: addceupr21_bubbles.exe, 00000000.00000002.212496871.0000000000409000.00000004.00020000.sdmp Binary or memory string: f(4@*\AC:\Documents and Settings\Mkelly\My Documents\Bubbles\Bubbles.vbp
Source: classification engine Classification label: mal72.rans.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\addceupr21_bubbles.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\addceupr21_bubbles.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: addceupr21_bubbles.exe Virustotal: Detection: 26%

Data Obfuscation:

PE file contains an invalid checksum
Source: addceupr21_bubbles.exe Static PE information: real checksum: 0x13422 should be: 0x1aed7
Source: C:\Users\user\Desktop\addceupr21_bubbles.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\addceupr21_bubbles.exe API coverage: 0.3 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Behavior Graph

Behavior Graph ID: 321424
Sample: addceupr21_bubbles.exe
Startdate: 22/11/2020
Architecture: WINDOWS
Score: 72
Signatures on the sample node: Potential malicious icon found; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures
Process started: addceupr21_bubbles.exe
No contacted IP infos