Windows Analysis Report RICHIESTA DI OFFERTA.exe

Overview

General Information

Sample Name: RICHIESTA DI OFFERTA.exe
Analysis ID: 450724
MD5: 73bb5c4b690b8d6df88d6bc18fb3a553
SHA1: 60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256: a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: RICHIESTA DI OFFERTA.exe Virustotal: Detection: 20%

Compliance:

Uses 32bit PE files
Source: RICHIESTA DI OFFERTA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_004092BC 0_2_004092BC
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC329 0_2_01DCC329
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC5DB 0_2_01DCC5DB
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC9C1 0_2_01DCC9C1
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC567 0_2_01DCC567
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC563 0_2_01DCC563
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC90C 0_2_01DCC90C
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCDD07 0_2_01DCDD07
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCDD3B 0_2_01DCDD3B
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC8CA 0_2_01DCC8CA
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCDCC7 0_2_01DCDCC7
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC816 0_2_01DCC816
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCE033 0_2_01DCE033
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCDB8F 0_2_01DCDB8F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCCF87 0_2_01DCCF87
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCDBBF 0_2_01DCDBBF
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC7B8 0_2_01DCC7B8
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCDB55 0_2_01DCDB55
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCCB72 0_2_01DCCB72
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCCB63 0_2_01DCCB63
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCDF14 0_2_01DCDF14
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCCAD7 0_2_01DCCAD7
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCCEE6 0_2_01DCCEE6
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC6B4 0_2_01DCC6B4
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCCEAA 0_2_01DCCEAA
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC665 0_2_01DCC665
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCDE3B 0_2_01DCDE3B
PE file contains strange resources
Source: RICHIESTA DI OFFERTA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.2202591011.0000000000435000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIndtr8.exe vs RICHIESTA DI OFFERTA.exe
Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.2202689070.00000000004C0000.00000008.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs RICHIESTA DI OFFERTA.exe
Source: RICHIESTA DI OFFERTA.exe Binary or memory string: OriginalFilenameIndtr8.exe vs RICHIESTA DI OFFERTA.exe
Uses 32bit PE files
Source: RICHIESTA DI OFFERTA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal56.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe File created: C:\Users\user\AppData\Local\Temp\~DF92EF296CBEA58232.TMP
Source: RICHIESTA DI OFFERTA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RICHIESTA DI OFFERTA.exe Virustotal: Detection: 20%

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_0040C06E push 00000000h; retf 0_2_0040C0B0
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_00406625 push ebp; iretd 0_2_0040662F
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCD1CB push FFFFFFB9h; retf 0_2_01DCD1CD
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCD1F3 push FFFFFFB9h; retf 0_2_01DCD1F5
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCE73F push edi; ret 0_2_01DCE741
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe RDTSC instruction interceptor: First address: 0000000001DCE352 second address: 0000000001DCE352 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe RDTSC instruction interceptor: First address: 0000000001DCE352 second address: 0000000001DCE352 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC5DB rdtsc 0_2_01DCC5DB
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC5DB rdtsc 0_2_01DCC5DB
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC5DB mov eax, dword ptr fs:[00000030h] 0_2_01DCC5DB
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC567 mov eax, dword ptr fs:[00000030h] 0_2_01DCC567
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCC563 mov eax, dword ptr fs:[00000030h] 0_2_01DCC563
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Code function: 0_2_01DCCD39 cpuid 0_2_01DCCD39
Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos