Analysis Report executable.4420.exe

Overview

General Information

Sample Name: executable.4420.exe
Analysis ID: 356831
MD5: 6192cfbe8e44360f7c0b6f696206f41d
SHA1: 166886066ffabb76f6b72c4b4ed91fa19e59987a
SHA256: 8e353600579959f0507d00376d2e56e8c9a24648b2574ee72fa81dec5d70874a
Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to read data from the clipboard
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to upload files via FTP
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: executable.4420.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: executable.4420.exe ReversingLabs: Detection: 74%
Machine Learning detection for sample
Source: executable.4420.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: executable.4420.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Binary contains paths to debug symbols
Source: Binary string: shcore.pdb= source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb% source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb> source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdbC source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb= source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wsock32.pdbO source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb+ source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: mfc42.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: psapi.pdbI source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdbU source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb{ source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: comdlg32.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb[ source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: comdlg32.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb7 source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: msvcp60.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: mfc42.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb1 source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: wsock32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_00428DCB memset,FindFirstFileA,FindClose, 0_2_00428DCB
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_004251F0 __EH_prolog,#536,#924,#922,#924,#800,#800,#800,FindFirstFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,FindNextFileA,FindClose,#800, 0_2_004251F0
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_004255B0 __EH_prolog,#537,#924,#922,#800,#800,FindFirstFileA,sscanf,sscanf,sscanf,#551,#3337,#3337,#3337,#3337,#3337,#3337,#551,FindNextFileA,FindClose,#800, 0_2_004255B0
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_004247C9 __EH_prolog,#537,#924,#922,#800,#800,#3811,FindFirstFileA,sscanf,sscanf,sscanf,#551,#536,#924,#922,#924,#800,#800,#800,DeleteFileA,#800,FindNextFileA,FindClose,#800, 0_2_004247C9

Networking:

Contains functionality to upload files via FTP
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_004258FF __EH_prolog,#3811,#924,#924,#924,#924,#924,#924,#858,#858,#858,#3790,#3790,#3790,#540,#924,#858,#800,#537,#537,#922,#923,#922,#537,#924,#800,#800,#800,#800,#800,#800,#800,#3790,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,lstrcpyA,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,#3337,#3337,#3337,#3337,#3337,#3337,sprintf,FtpCreateDirectoryA,lstrcatA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,DeleteFileA,#924,DeleteFileA,#800,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,#537,#537,#922,#924,#922,DeleteFileA,#800,#800,#800,#800,#800,GetUserNameA,#924,FtpPutFileA,DeleteFileA,#537,#922,#923,#800,#800,FtpCreateDirectoryA,#537,#537,#923,#922,#923,#800,#800,#800,#800,#924,#941,#924,FtpPutFileA,#800,#924,DeleteFileA,#800,#924,#924,DeleteFileA,#800,#800,#800,#800,#800,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,#800,#800,#800,#800,#800,#800,#800,#800,#800,#800, 0_2_004258FF
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_0041B588 __EH_prolog,InternetGetConnectedState,#1199,GetDlgItem,EnableWindow,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemInt,lstrcpyA,IsDlgButtonChecked,InternetOpenA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetConnectA,#1199,GetDlgItem,EnableWindow,FtpSetCurrentDirectoryA,lstrcpyA,FtpCreateDirectoryA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,CreateFileA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,WriteFile,CloseHandle,CloseHandle,FtpPutFileA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileA,GetDlgItem,EnableWindow,#1199,#800,#800, 0_2_0041B588
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_004276F1 __EH_prolog,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,GetUserNameA,#3811,#537,#537,#924,#922,#922,#800,#800,#800,#800,#537,#537,#926,#922,FtpPutFileA,#800,#800,#800,#800,DeleteFileA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#800, 0_2_004276F1
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_0042221F __EH_prolog,#924,#537,#537,#922,URLDownloadToFileA,#800,#800,#800,memset,CreateFileA,ReadFile,CloseHandle,#800,CloseHandle,DeleteFileA,atoi,#1199,ShellExecuteA,#800,#800, 0_2_0042221F
Source: WerFault.exe, 00000004.00000003.682815138.0000000004ED6000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft
Source: executable.4420.exe String found in binary or memory: http://www.blazingtools.com/
Source: executable.4420.exe String found in binary or memory: http://www.blazingtools.com/downloads.html
Source: executable.4420.exe String found in binary or memory: http://www.blazingtools.com/orderbpk.html_This
Source: executable.4420.exe String found in binary or memory: http://www.blazingtools.com/update.tmpupdates/bpk.dat

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_00428E0F IsWindow,IsWindowUnicode,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,#823,WideCharToMultiByte,#860,#825,#860,GlobalUnlock,CloseClipboard, 0_2_00428E0F
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_00428E0F IsWindow,IsWindowUnicode,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,#823,WideCharToMultiByte,#860,#825,#860,GlobalUnlock,CloseClipboard, 0_2_00428E0F

System Summary:

Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\executable.4420.exe Code function: String function: 0043E4E0 appears 241 times
Source: C:\Users\user\Desktop\executable.4420.exe Code function: String function: 0043DE26 appears 82 times
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Uses 32bit PE files
Source: executable.4420.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal60.winEXE@2/4@0/0
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_0041C947 GetLastError,FormatMessageA,MessageBoxA,LocalFree, 0_2_0041C947
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_004288B3 CreateToolhelp32Snapshot,Module32First,Module32Next,memcpy,CloseHandle, 0_2_004288B3
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_00429112 CoCreateInstance, 0_2_00429112
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_0042980F #1168,FindResourceA,#1168,SizeofResource,LoadResource,LockResource,#537,#538, 0_2_0042980F
Source: C:\Users\user\Desktop\executable.4420.exe File created: C:\Users\user\AppData\Roaming\BPK\
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7112
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5865.tmp
Source: executable.4420.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\executable.4420.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: executable.4420.exe ReversingLabs: Detection: 74%
Source: unknown Process created: C:\Users\user\Desktop\executable.4420.exe 'C:\Users\user\Desktop\executable.4420.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_00428AD2 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00428AD2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_0043E4E0 push eax; ret 0_2_0043E4FE
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_0043E690 push eax; ret 0_2_0043E6BE

Persistence and Installation Behavior:

Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_0042221F __EH_prolog,#924,#537,#537,#922,URLDownloadToFileA,#800,#800,#800,memset,CreateFileA,ReadFile,CloseHandle,#800,CloseHandle,DeleteFileA,atoi,#1199,ShellExecuteA,#800,#800, 0_2_0042221F

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\executable.4420.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\executable.4420.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\executable.4420.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\executable.4420.exe API coverage: 3.8 %
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_0042AAFA GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 0005h and CTI: jbe 0042AB3Fh 0_2_0042AAFA
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_0042AAFA GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 0014h and CTI: jbe 0042AB4Ch 0_2_0042AAFA
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_00428DCB memset,FindFirstFileA,FindClose, 0_2_00428DCB
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_004251F0 __EH_prolog,#536,#924,#922,#924,#800,#800,#800,FindFirstFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,FindNextFileA,FindClose,#800, 0_2_004251F0
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_004255B0 __EH_prolog,#537,#924,#922,#800,#800,FindFirstFileA,sscanf,sscanf,sscanf,#551,#3337,#3337,#3337,#3337,#3337,#3337,#551,FindNextFileA,FindClose,#800, 0_2_004255B0
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_004247C9 __EH_prolog,#537,#924,#922,#800,#800,#3811,FindFirstFileA,sscanf,sscanf,sscanf,#551,#536,#924,#922,#924,#800,#800,#800,DeleteFileA,#800,FindNextFileA,FindClose,#800, 0_2_004247C9
Source: WerFault.exe, 00000004.00000002.685643995.0000000004F30000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000004.00000002.685584401.0000000004EE7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000004.00000002.685643995.0000000004F30000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.685643995.0000000004F30000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000004.00000003.683034880.0000000004EA8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW^
Source: WerFault.exe, 00000004.00000003.672880218.0000000004EE7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll73
Source: WerFault.exe, 00000004.00000002.685643995.0000000004F30000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_00428AD2 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00428AD2
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_0042AAFA CreateFileA,GetSystemTime,SystemTimeToFileTime,SetFileTime,CloseHandle, 0_2_0042AAFA
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_004258FF __EH_prolog,#3811,#924,#924,#924,#924,#924,#924,#858,#858,#858,#3790,#3790,#3790,#540,#924,#858,#800,#537,#537,#922,#923,#922,#537,#924,#800,#800,#800,#800,#800,#800,#800,#3790,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,lstrcpyA,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,#3337,#3337,#3337,#3337,#3337,#3337,sprintf,FtpCreateDirectoryA,lstrcatA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,DeleteFileA,#924,DeleteFileA,#800,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,#537,#537,#922,#924,#922,DeleteFileA,#800,#800,#800,#800,#800,GetUserNameA,#924,FtpPutFileA,DeleteFileA,#537,#922,#923,#800,#800,FtpCreateDirectoryA,#537,#537,#923,#922,#923,#800,#800,#800,#800,#924,#941,#924,FtpPutFileA,#800,#924,DeleteFileA,#800,#924,#924,DeleteFileA,#800,#800,#800,#800,#800,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,#800,#800,#800,#800,#800,#800,#800,#800,#800,#800, 0_2_004258FF
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_00428A6B GetVersionExA, 0_2_00428A6B

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\executable.4420.exe Code function: 0_2_00410C1A strlen,memset,htons,inet_addr,gethostbyname,bind,memset,htons,inet_addr,gethostbyname,WSASetLastError, 0_2_00410C1A

Behavior Graph (ID: 356831; Sample: executable.4420.exe; Start date: 23/02/2021; Architecture: WINDOWS; Score: 60): executable.4420.exe started and spawned WerFault.exe. Signatures attached to the sample node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample.
No contacted IP infos