Windows Analysis Report sVNHE4jjOw.exe

Overview

General Information

Sample Name: sVNHE4jjOw.exe
Analysis ID: 449805
MD5: 72fe87cb4fd41cf172a9caecbdc6887f
SHA1: 2c8c745378f4a80e96dbabf574d1ac2d6408df69
SHA256: 6d26df7a7163053aa756f62ee4504af93020696cee98a1fc891c600ac76acc1c
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: sVNHE4jjOw.exe Virustotal: Detection: 34% Perma Link
Source: sVNHE4jjOw.exe ReversingLabs: Detection: 23%

Compliance:

Uses 32bit PE files
Source: sVNHE4jjOw.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb source: sVNHE4jjOw.exe
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb@ source: sVNHE4jjOw.exe
Source: sVNHE4jjOw.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sVNHE4jjOw.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: sVNHE4jjOw.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: sVNHE4jjOw.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: sVNHE4jjOw.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sVNHE4jjOw.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sVNHE4jjOw.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: sVNHE4jjOw.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: sVNHE4jjOw.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: sVNHE4jjOw.exe String found in binary or memory: https://www.digicert.com/CPS0
(Note: the digicert.com URLs above are the AIA, CRL, OCSP and CPS pointers embedded in the certificate chain of the file's signature block, the same block the static check below reports as an invalid certificate; the trailing characters are adjacent DER bytes picked up by the string scan. They describe the signer's certificates, not network activity of the sample.)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: sVNHE4jjOw.exe, 00000000.00000002.748037096.000000000081A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
(Note: the only evidence cited for this signature names DirectDrawCreateEx in DDRAW.DLL, a DirectDraw graphics entry point, not a DirectInput object; no dinput8.dll load or DirectInput8Create call appears elsewhere in this report. Treat the keystroke-capture inference as weak unless corroborated by a keyboard hook or DirectInput usage.)

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_0080561F NtAllocateVirtualMemory, 0_2_0080561F
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00805608 NtAllocateVirtualMemory, 0_2_00805608
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00805761 NtAllocateVirtualMemory, 0_2_00805761
Detected potential crypto function
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00401470 0_2_00401470
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_0080561F 0_2_0080561F
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_008080B4 0_2_008080B4
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00805985 0_2_00805985
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_008022A2 0_2_008022A2
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00805AB8 0_2_00805AB8
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00805AE6 0_2_00805AE6
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00805A62 0_2_00805A62
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00805608 0_2_00805608
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00808F74 0_2_00808F74
PE / OLE file has an invalid certificate
Source: sVNHE4jjOw.exe Static PE information: invalid certificate
PE file contains strange resources
Source: sVNHE4jjOw.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sVNHE4jjOw.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sVNHE4jjOw.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: sVNHE4jjOw.exe, 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDragt1.exe vs sVNHE4jjOw.exe
Source: sVNHE4jjOw.exe Binary or memory string: OriginalFilenameDragt1.exe vs sVNHE4jjOw.exe
Uses 32bit PE files
Source: sVNHE4jjOw.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal64.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe File created: C:\Users\user\AppData\Local\Temp\~DFB3D8909A7274E24A.TMP Jump to behavior
Source: sVNHE4jjOw.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: sVNHE4jjOw.exe Virustotal: Detection: 34%
Source: sVNHE4jjOw.exe ReversingLabs: Detection: 23%
Source: sVNHE4jjOw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb source: sVNHE4jjOw.exe
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb@ source: sVNHE4jjOw.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00404960 push es; ret 0_2_00404965
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00611774 push edx; ret 0_2_006117A1
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00613063 push edx; ret 0_2_00613091
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00611863 push edx; ret 0_2_00611891
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00614863 push edx; ret 0_2_00614891
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00616065 push edx; ret 0_2_00616091
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00610068 push edx; ret 0_2_00610091
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00616875 push edx; ret 0_2_006168A1
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00612074 push edx; ret 0_2_006120A1
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00613874 push edx; ret 0_2_006138A1
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00615074 push edx; ret 0_2_006150A1
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00610878 push edx; ret 0_2_006108A1
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00610843 push edx; ret 0_2_00610871
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00612043 push edx; ret 0_2_00612071
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00613843 push edx; ret 0_2_00613871
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00615043 push edx; ret 0_2_00615071
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00616844 push edx; ret 0_2_00616871
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00611054 push edx; ret 0_2_00611081
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00612854 push edx; ret 0_2_00612881
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00614054 push edx; ret 0_2_00614081
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00615854 push edx; ret 0_2_00615881
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00617054 push edx; ret 0_2_00617081
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00611023 push edx; ret 0_2_00611051
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00612823 push edx; ret 0_2_00612851
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00614023 push edx; ret 0_2_00614051
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00615825 push edx; ret 0_2_00615851
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00617024 push edx; ret 0_2_00617051
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00614833 push edx; ret 0_2_00614861
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00613033 push edx; ret 0_2_00613061
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00611833 push edx; ret 0_2_00611861
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00616034 push edx; ret 0_2_00616061
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_008080B4 0_2_008080B4
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00805A62 0_2_00805A62
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe RDTSC instruction interceptor: First address: 0000000000807129 second address: 0000000000807129 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe RDTSC instruction interceptor: First address: 0000000000807129 second address: 0000000000807129 instructions:
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe RDTSC instruction interceptor: First address: 00000000008092E8 second address: 00000000008092E8 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b cmp edx, dword ptr [ebp+44h]
    0x0000000e jne 00007F282C8B58F9h
    0x00000010 sub edx, 04h
    0x00000013 xor dword ptr [edx], ecx
    0x00000015 pushad
    0x00000016 lfence
    0x00000019 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_008080B4 rdtsc 0_2_008080B4
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_008080B4 rdtsc 0_2_008080B4
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_008080B4 mov eax, dword ptr fs:[00000030h] 0_2_008080B4
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_0080527E mov eax, dword ptr fs:[00000030h] 0_2_0080527E
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_008074A3 mov eax, dword ptr fs:[00000030h] 0_2_008074A3
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe Code function: 0_2_00806F30 mov eax, dword ptr fs:[00000030h] 0_2_00806F30
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
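The evasion and anti-debugging findings above (CPUID execution measurement, RDTSC time measurements, execution timing, PEB reads) all rest on one mechanism: timing. CPUID is an unconditional VM exit under hardware virtualization, RDTSC can be intercepted or offset by a hypervisor, and breakpoints or single-stepping in a debugger inflate any measured interval, so the sample brackets an instruction with lfence-serialized RDTSC reads, as in the intercepted sequence at 008092E8, and compares the delta against a threshold. Doing that in a tight loop is also consistent with the sustained >90% CPU the report records. The C program below is an added illustration of that check, not code recovered from sVNHE4jjOw.exe; the function names, the sample count and the 1000-cycle threshold are assumptions. On 32-bit Windows builds it additionally shows the fs:[30h] read listed under Anti Debugging, which reaches the PEB and its BeingDebugged byte at offset 2.

```c
/* Added example (not recovered from sVNHE4jjOw.exe): timing-based
 * virtualization/debugger check built from lfence-serialized RDTSC reads
 * around CPUID. Build: gcc -O2 vm_timing.c -o vm_timing */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#if defined(_MSC_VER)
#include <intrin.h>
static uint64_t read_tsc(void)  { return __rdtsc(); }
static void     serialize(void) { _mm_lfence(); }
static void     run_cpuid(void) { int r[4]; __cpuid(r, 0); (void)r; }
#elif defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#include <cpuid.h>
static uint64_t read_tsc(void)  { return __rdtsc(); }
static void     serialize(void) { _mm_lfence(); }
static void     run_cpuid(void) {
    unsigned a, b, c, d;
    __get_cpuid(0, &a, &b, &c, &d);   /* leaf 0 (vendor string); any leaf exits */
}
#else
/* Non-x86 build: no TSC/CPUID, so every sample reads as 0 cycles. */
static uint64_t read_tsc(void)  { return 0; }
static void     serialize(void) {}
static void     run_cpuid(void) {}
#endif

/* One sample: cycles consumed by a single CPUID. lfence on both sides of
 * each rdtsc keeps out-of-order execution from moving the reads, the same
 * rdtsc/lfence pairing seen in the sequence intercepted at 008092E8. */
static uint64_t cpuid_cycles_once(void)
{
    serialize();
    uint64_t t0 = read_tsc();
    serialize();
    run_cpuid();
    serialize();
    uint64_t t1 = read_tsc();
    serialize();
    return t1 - t0;
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples (sorts a private copy). Median rather than mean so a
 * single interrupt or context switch inside one sample does not inflate
 * the result. n must be >= 1. */
uint64_t median_u64(const uint64_t *samples, size_t n)
{
    uint64_t *s = malloc(n * sizeof *s);
    if (!s) return 0;
    memcpy(s, samples, n * sizeof *s);
    qsort(s, n, sizeof *s, cmp_u64);
    uint64_t m = s[n / 2];
    free(s);
    return m;
}

/* Collect n timed CPUID executions and return their median cost. */
uint64_t cpuid_cycles_median(size_t n)
{
    uint64_t *s = malloc(n * sizeof *s);
    if (!s) return 0;
    for (size_t i = 0; i < n; i++) s[i] = cpuid_cycles_once();
    uint64_t m = median_u64(s, n);
    free(s);
    return m;
}

/* Decision rule (threshold is an assumption). Bare metal executes CPUID in
 * a few hundred cycles; under VT-x/AMD-V each CPUID is a VM exit whose
 * round trip is usually well above a thousand. A hard-coded guess like
 * this is why such checks misfire on slow or heavily loaded hosts. */
#define VM_CYCLE_THRESHOLD 1000u

int looks_virtualized(uint64_t median_cycles, uint64_t threshold)
{
    return median_cycles > threshold;
}

#if defined(_WIN32) && defined(__i386__) && defined(__GNUC__)
/* The fs:[30h] read the report lists: on 32-bit Windows fs points at the
 * TEB, TEB+0x30 holds the PEB pointer, and PEB+2 is BeingDebugged. */
int peb_being_debugged(void)
{
    unsigned char flag;
    __asm__ volatile("movl %%fs:0x30, %%eax\n\t"
                     "movb 2(%%eax), %0"
                     : "=q"(flag) : : "eax", "memory");
    return flag;
}
#endif

int main(void)
{
    uint64_t med = cpuid_cycles_median(256);
    printf("median CPUID cost: %llu cycles -> %s\n",
           (unsigned long long)med,
           looks_virtualized(med, VM_CYCLE_THRESHOLD)
               ? "likely virtualized" : "likely bare metal");
    return 0;
}
```

Running this on a physical host and inside the sandbox side by side shows the gap the threshold exploits; an analyst who needs the sample to proceed past such a loop patches the branch that consumes the delta (the jne at offset 0x0e in the intercepted sequence) rather than trying to make RDTSC itself look native. One detail worth knowing when reading that sequence: in 32-bit mode the shift count of shl edx, 20h is masked to five bits, so the instruction shifts by zero and the following or edx, eax simply merges the two TSC halves into edx instead of forming a 64-bit value.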
No contacted IP infos