Analysis Report: New Text Document.exe

Overview

General Information

Sample Name: New Text Document.exe
Analysis ID: 383850
MD5: 4e79b531f4f6813cc8e21894a13c5537
SHA1: addcb0a2aac14befcb9f8c9185e365c47a86b40c
SHA256: 9445838c51449888abaeac1c5d1953212a0205a6b4038e6a404ca752cbda3f2f
Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Binary is likely a compiled AutoIt script file
Found API chain indicative of debugger detection
Initial sample is a PE file and has a suspicious name
Uses Windows timers to delay execution
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: New Text Document.exe Virustotal: Detection: 14%

Compliance:

Uses 32bit PE files
Source: New Text Document.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012D2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 1_2_012D2344
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_0135CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_0135CDAC

System Summary:

Binary is likely a compiled AutoIt script file
Source: New Text Document.exe, 00000001.00000000.327002724.0000000001385000.00000002.00020000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: New Text Document.exe, 00000001.00000000.327002724.0000000001385000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: New Text Document.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: New Text Document.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: New Text Document.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_01306522 1_2_01306522
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012E710E 1_2_012E710E
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012DE800 1_2_012DE800
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_01307006 1_2_01307006
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012DE060 1_2_012DE060
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012E6843 1_2_012E6843
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_0135804A 1_2_0135804A
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012FDBB5 1_2_012FDBB5
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012FBFE6 1_2_012FBFE6
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012E8A0E 1_2_012E8A0E
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012DFE40 1_2_012DFE40
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012D1287 1_2_012D1287
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012F16C4 1_2_012F16C4
PE file contains strange resources
Source: New Text Document.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Text Document.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Text Document.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Text Document.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Text Document.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses 32bit PE files
Source: New Text Document.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: classification engine Classification label: mal72.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_0133A2D5 GetLastError,FormatMessageW, 1_2_0133A2D5
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_01333E91 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 1_2_01333E91
Source: New Text Document.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Text Document.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: New Text Document.exe Virustotal: Detection: 14%
Source: New Text Document.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: New Text Document.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: New Text Document.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: New Text Document.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: New Text Document.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: New Text Document.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: New Text Document.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: New Text Document.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: New Text Document.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: New Text Document.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: New Text Document.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: New Text Document.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012F8B85 push ecx; ret 1_2_012F8B98

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: google.png
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_012D4A35
Source: C:\Users\user\Desktop\New Text Document.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses Windows timers to delay execution
Source: C:\Users\user\Desktop\New Text Document.exe User Timer Set: Timeout: 750ms
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\New Text Document.exe Window / User API: threadDelayed 2095
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\New Text Document.exe API coverage: 3.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\New Text Document.exe TID: 6784 Thread sleep count: 2095 > 30
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\New Text Document.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\Desktop\New Text Document.exe Thread sleep count: Count: 2095 delay: -10

Anti Debugging:

Found API chain indicative of debugger detection
Source: C:\Users\user\Desktop\New Text Document.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_01305CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_01305CCC
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_01305CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_01305CCC
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012FA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_012FA395

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_012D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_012D4A35
Source: New Text Document.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: New Text Document.exe Binary or memory string: Shell_TrayWnd
Source: New Text Document.exe, 00000001.00000002.402453920.0000000002170000.00000002.00000001.sdmp Binary or memory string: Progman
Source: New Text Document.exe, 00000001.00000002.402453920.0000000002170000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: New Text Document.exe, 00000001.00000002.402453920.0000000002170000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\New Text Document.exe Code function: 1_2_013050D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_013050D7