
Analysis Report New Text Document.exe

Overview

General Information

Sample Name: New Text Document.exe
Analysis ID: 383850
MD5: 4e79b531f4f6813cc8e21894a13c5537
SHA1: addcb0a2aac14befcb9f8c9185e365c47a86b40c
SHA256: 9445838c51449888abaeac1c5d1953212a0205a6b4038e6a404ca752cbda3f2f

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Binary is likely a compiled AutoIt script file
Found API chain indicative of debugger detection
Initial sample is a PE file and has a suspicious name
Uses Windows timers to delay execution
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • New Text Document.exe (PID: 6780 cmdline: 'C:\Users\user\Desktop\New Text Document.exe' MD5: 4E79B531F4F6813CC8E21894A13C5537)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: New Text Document.exe | Virustotal: Detection: 14%
Source: New Text Document.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012D2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_0135CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary:

Binary is likely a compiled AutoIt script file
Source: New Text Document.exe, 00000001.00000000.327002724.0000000001385000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: New Text Document.exe, 00000001.00000000.327002724.0000000001385000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: New Text Document.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: New Text Document.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: New Text Document.exe
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_01306522
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012E710E
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012DE800
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_01307006
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012DE060
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012E6843
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_0135804A
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012FDBB5
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012FBFE6
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012E8A0E
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012DFE40
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012D1287
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012F16C4
Source: New Text Document.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Text Document.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Text Document.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Text Document.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Text Document.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Text Document.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: classification engine | Classification label: mal72.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_0133A2D5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_01333E91 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: New Text Document.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Text Document.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: New Text Document.exe | Virustotal: Detection: 14%
Source: New Text Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: New Text Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: New Text Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: New Text Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: New Text Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: New Text Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: New Text Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: New Text Document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: New Text Document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: New Text Document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: New Text Document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: New Text Document.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012F8B85 push ecx; ret 1_2_012F8B98

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: google.png
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\New Text Document.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses Windows timers to delay execution
Source: C:\Users\user\Desktop\New Text Document.exe | User Timer Set: Timeout: 750ms
Source: C:\Users\user\Desktop\New Text Document.exe | Window / User API: threadDelayed 2095
Source: C:\Users\user\Desktop\New Text Document.exe | API coverage: 3.8 %
Source: C:\Users\user\Desktop\New Text Document.exe TID: 6784 | Thread sleep count: 2095 > 30
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\New Text Document.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\New Text Document.exe | Thread sleep count: Count: 2095 delay: -10

Anti Debugging:

Found API chain indicative of debugger detection
Source: C:\Users\user\Desktop\New Text Document.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep | graph_1-19210
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_01305CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012FA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_012D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: New Text Document.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: New Text Document.exe | Binary or memory string: Shell_TrayWnd
Source: New Text Document.exe, 00000001.00000002.402453920.0000000002170000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: New Text Document.exe, 00000001.00000002.402453920.0000000002170000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: New Text Document.exe, 00000001.00000002.402453920.0000000002170000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\New Text Document.exe | Code function: 1_2_013050D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

Mitre Att&ck Matrix

Techniques listed per tactic column (numbers are the matrix's hit counts, kept as extracted):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 22; Process Injection 1; Obfuscated Files or Information 1; Software Packing; Steganography
Credential Access: Input Capture 21; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery 1; Security Software Discovery 12; Virtualization/Sandbox Evasion 22; Process Discovery 2; Application Window Discovery 11; System Information Discovery 2
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture 21; Archive Collected Data 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Behavior Graph


Screenshots
