
Analysis Report IDAProHelper.exe

Overview

General Information

Sample Name: IDAProHelper.exe
Analysis ID: 331919
MD5: 24e36601dc6f06b07270c60a0bba7002
SHA1: 4758934da665823289aa7dbebf1121beef49aa9c
SHA256: e558133e382c004ea352fa0c7897ec156118e3d656f82c83cb76696962141fd8

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
PE file has a writeable .text section
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • IDAProHelper.exe (PID: 7140 cmdline: 'C:\Users\user\Desktop\IDAProHelper.exe' MD5: 24E36601DC6F06B07270C60A0BBA7002)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0041FAED __EH_prolog,GetFullPathNameA,lstrcpyn,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpy, 0_2_0041FAED
Source: IDAProHelper.exe, 00000000.00000002.1768443171.000000000071A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0041AA28 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0041AA28
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0041DEA9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_0041DEA9

System Summary:

PE file has a writeable .text section
Source: IDAProHelper.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0041C539 NtdllDefWindowProc_A, 0_2_0041C539
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0041CD25 NtdllDefWindowProc_A,CallWindowProcA, 0_2_0041CD25
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_00416260 CallWindowProcA,NtdllDefWindowProc_A,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 0_2_00416260
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_004165B0 RtlEnterCriticalSection,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,ReleaseDC,GlobalAddAtomA,GlobalAddAtomA,RtlLeaveCriticalSection,GlobalAddAtomA,GlobalAddAtomA,GlobalAddAtomA,GlobalAddAtomA,GlobalAddAtomA,GlobalAddAtomA,GetSystemMetrics,GetClassInfoA,GetClassInfoA,GetClassInfoA,NtdllDialogWndProc_A, 0_2_004165B0
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0041E6FC NtdllDefWindowProc_A, 0_2_0041E6FC
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0041D237 0_2_0041D237
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_004115D9 0_2_004115D9
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_00418AB0 0_2_00418AB0
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0040DF21 0_2_0040DF21
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: String function: 0040975E appears 50 times
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: String function: 00409B78 appears 168 times
Source: IDAProHelper.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: IDAProHelper.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IDAProHelper.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IDAProHelper.exe | Binary or memory string: OriginalFilename vs IDAProHelper.exe
Source: IDAProHelper.exe, 00000000.00000002.1769080058.0000000002210000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs IDAProHelper.exe
Source: IDAProHelper.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal52.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0041B5B0 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow, 0_2_0041B5B0
Source: C:\Users\user\Desktop\IDAProHelper.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\IDAProHelper.exe | Unpacked PE file: 0.2.IDAProHelper.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0041E685 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_0041E685
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0042C2EC push D0004352h; retn 0042h 0_2_0042C2F1
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0042C374 pushad ; ret 0_2_0042C375
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0042CA3C pushad ; retf 0042h 0_2_0042CA49
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_00409B78 push eax; ret 0_2_00409B96
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0042CB30 push eax; retf 0_2_0042CB31
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0040AF60 push eax; ret 0_2_0040AF8E
Source: initial sample | Static PE information: section name: .text entropy: 7.99752542707
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_00416260 CallWindowProcA,NtdllDefWindowProc_A,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 0_2_00416260
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_004013BD IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_004013BD
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_00402729 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00402729
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_00416A10 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmp,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 0_2_00416A10
Source: C:\Users\user\Desktop\IDAProHelper.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\IDAProHelper.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-19152
Source: C:\Users\user\Desktop\IDAProHelper.exe | API coverage: 5.2 %
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0041FAED __EH_prolog,GetFullPathNameA,lstrcpyn,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpy, 0_2_0041FAED
Source: C:\Users\user\Desktop\IDAProHelper.exe | API call chain: ExitProcess graph end node graph_0-19841
Source: C:\Users\user\Desktop\IDAProHelper.exe | API call chain: ExitProcess graph end node graph_0-19853
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0041E685 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_0041E685
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0040EE16 SetUnhandledExceptionFilter, 0_2_0040EE16
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0040EE28 SetUnhandledExceptionFilter, 0_2_0040EE28
Source: IDAProHelper.exe, 00000000.00000002.1768645796.0000000000CA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: IDAProHelper.exe, 00000000.00000002.1768645796.0000000000CA0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: IDAProHelper.exe, 00000000.00000002.1768645796.0000000000CA0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: IDAProHelper.exe, 00000000.00000002.1768645796.0000000000CA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0040F755 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_0040F755
Source: C:\Users\user\Desktop\IDAProHelper.exe | Code function: 0_2_0041D237 __EH_prolog,GetVersion, 0_2_0041D237

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API2 | Path Interception | Process Injection1 | Process Injection1 | Input Capture2 | System Time Discovery1 | Remote Services | Input Capture2 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information3 | Security Account Manager | Application Window Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing12 | NTDS | File and Directory Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

Behavior Graph
