Windows Analysis Report VZghv7yI7g.exe

Overview

General Information

Sample Name: VZghv7yI7g.exe
Analysis ID: 450819
MD5: 73bb5c4b690b8d6df88d6bc18fb3a553
SHA1: 60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256: a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: VZghv7yI7g.exe Virustotal: Detection: 29%
Source: VZghv7yI7g.exe ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: VZghv7yI7g.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
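The flag list above is the decoded COFF Characteristics word of the PE header. The following is an added worked example, not part of the sandbox report and not run against the real sample: it builds a constructed minimal MZ/PE header carrying exactly the flag set the report shows, walks e_lfanew to the COFF header and decodes the bits. The security-relevant reading is RELOCS_STRIPPED: without a relocation table the image cannot be rebased, so ASLR cannot apply to it whatever the DLL characteristics say, and the loader must map it at its preferred base. The flag names and bit values are those of IMAGE_FILE_* in winnt.h; the header bytes and the helper names are the example's own.

```python
"""Decode the COFF Characteristics flags that the report lists as
'Static PE information' (LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, ...).

Added worked example; not Joe Sandbox code. The header bytes are
constructed so the parser has something to run on offline."""
from __future__ import annotations

import struct

# IMAGE_FILE_* bits (winnt.h). Only the ones a triage analyst cares about.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",      # no .reloc: image cannot be rebased / ASLR'd
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
IMAGE_FILE_MACHINE_I386 = 0x014C

# Flags the report shows for VZghv7yI7g.exe, OR'ed together: 0x010F.
REPORT_FLAGS = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100


def build_minimal_pe(characteristics: int, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed header: DOS stub with e_lfanew, then 'PE\\0\\0' + 20-byte COFF header.
    Only the fields the parser reads are meaningful; everything else is zero."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    coff = struct.pack(
        "<IHHIIIHH",
        0x00004550,      # 'PE\0\0'
        machine,         # Machine
        3,               # NumberOfSections
        0, 0, 0,         # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        0xE0,            # SizeOfOptionalHeader (PE32)
        characteristics, # Characteristics
    )
    return bytes(dos) + coff


def parse_characteristics(data: bytes) -> dict:
    """Return machine, section count and decoded Characteristics of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    flags = [name for bit, name in CHARACTERISTICS.items() if characteristics & bit]
    return {
        "machine": machine,
        "sections": nsections,
        "characteristics": characteristics,
        "flags": flags,
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
        # A stripped relocation table means the image is pinned to its preferred base.
        "aslr_capable": not (characteristics & 0x0001),
    }


# Constructed sample header with the report's flag set.
SAMPLE_PE = build_minimal_pe(REPORT_FLAGS)

if __name__ == "__main__":
    info = parse_characteristics(SAMPLE_PE)
    print(f"Characteristics=0x{info['characteristics']:04X}:", ", ".join(info["flags"]))
    print("ASLR capable:", info["aslr_capable"])
```

Run against the real file by passing `open(path, "rb").read()` to `parse_characteristics`; the `flags` list should reproduce the report's line, and `aslr_capable` will be False because of RELOCS_STRIPPED. A fixed-base 32-bit image is also consistent with the msvbvm60.dll load further down in the report, which points to a VB6-linked binary.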

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_004092BC 0_2_004092BC
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C329 0_2_02A8C329
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8CEAA 0_2_02A8CEAA
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C6B4 0_2_02A8C6B4
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8CEE6 0_2_02A8CEE6
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8CAD7 0_2_02A8CAD7
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8DE3B 0_2_02A8DE3B
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C665 0_2_02A8C665
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C7B8 0_2_02A8C7B8
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8DBBF 0_2_02A8DBBF
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8DB8F 0_2_02A8DB8F
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8CF87 0_2_02A8CF87
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8DF14 0_2_02A8DF14
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8CB63 0_2_02A8CB63
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8CB72 0_2_02A8CB72
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8DB55 0_2_02A8DB55
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C8CA 0_2_02A8C8CA
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8DCC7 0_2_02A8DCC7
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8E033 0_2_02A8E033
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C816 0_2_02A8C816
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C9C1 0_2_02A8C9C1
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C5DB 0_2_02A8C5DB
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8DD3B 0_2_02A8DD3B
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C90C 0_2_02A8C90C
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8DD07 0_2_02A8DD07
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C563 0_2_02A8C563
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C567 0_2_02A8C567
PE file contains strange resources
Source: VZghv7yI7g.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VZghv7yI7g.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: VZghv7yI7g.exe, 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIndtr8.exe vs VZghv7yI7g.exe
Source: VZghv7yI7g.exe, 00000000.00000002.826092877.0000000002920000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs VZghv7yI7g.exe
Source: VZghv7yI7g.exe Binary or memory string: OriginalFilenameIndtr8.exe vs VZghv7yI7g.exe
Uses 32bit PE files
Source: VZghv7yI7g.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal60.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\VZghv7yI7g.exe File created: C:\Users\user\AppData\Local\Temp\~DFEB0EEF351A7A5910.TMP
Source: VZghv7yI7g.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VZghv7yI7g.exe Virustotal: Detection: 29%
Source: VZghv7yI7g.exe ReversingLabs: Detection: 13%

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_0040C06E push 00000000h; retf 0_2_0040C0B0
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_00406625 push ebp; iretd 0_2_0040662F
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8E73F push edi; ret 0_2_02A8E741
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8D1F3 push FFFFFFB9h; retf 0_2_02A8D1F5
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8D1CB push FFFFFFB9h; retf 0_2_02A8D1CD
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\VZghv7yI7g.exe RDTSC instruction interceptor: First address: 0000000002A8E352 second address: 0000000002A8E352 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\VZghv7yI7g.exe RDTSC instruction interceptor: First address: 0000000002A8E352 second address: 0000000002A8E352 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8CEAA rdtsc 0_2_02A8CEAA
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8CEAA rdtsc 0_2_02A8CEAA
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C5DB mov eax, dword ptr fs:[00000030h] 0_2_02A8C5DB
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C563 mov eax, dword ptr fs:[00000030h] 0_2_02A8C563
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8C567 mov eax, dword ptr fs:[00000030h] 0_2_02A8C567
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\VZghv7yI7g.exe Code function: 0_2_02A8CD39 cpuid 0_2_02A8CD39
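The Data Obfuscation, Malware Analysis System Evasion, Anti Debugging and CPU-information findings above all rest on the same kind of evidence: specific x86 encodings found in the sample's code (rdtsc, cpuid, mov eax, fs:[30h] for the PEB, and push followed by ret/retf/iretd). The following is an added worked example, not Joe Sandbox code and not run against the real sample: a static byte-pattern scanner that recognises those encodings in a constructed code buffer, pairs nearby rdtsc reads into the delta measurement that the "RDTSC time measurements" signature describes, and reads the PEB access as the classic BeingDebugged check. The buffer, offsets, labels and helper names are the example's own; the opcode encodings are standard x86. Note that the report's interceptor lines give the same first and second address for rdtsc (0x02A8E352), i.e. one rdtsc instruction hit repeatedly, which is what the "instruction hammering" signature refers to.

```python
"""Static scan for the x86 patterns behind the report's anti-analysis and
obfuscation signatures: rdtsc timing pairs, cpuid, PEB reads via fs:[30h],
and push imm/reg followed by ret / retf / iretd.

Added worked example; not sandbox code. SAMPLE_CODE is hand-assembled so
the scanner has realistic input to run on offline."""
from __future__ import annotations

import re

# (label, regex over raw bytes). Encodings from the Intel SDM.
PATTERNS = [
    ("rdtsc",          rb"\x0f\x31"),                                   # rdtsc
    ("cpuid",          rb"\x0f\xa2"),                                   # cpuid
    ("peb_read",       rb"\x64\xa1\x30\x00\x00\x00"),                   # mov eax, fs:[30h]
    ("peb_read",       rb"\x64\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]\x30\x00\x00\x00"),  # mov r32, fs:[30h]
    ("push_imm_ret",   rb"\x6a.[\xc3\xcb]"),                            # push imm8; ret/retf
    ("push_imm32_ret", rb"\x68.{4}[\xc3\xcb]"),                         # push imm32; ret/retf
    ("push_reg_ret",   rb"[\x50-\x57][\xc3\xcb\xcf]"),                  # push r32; ret/retf/iretd
]

# Constructed 35-byte buffer with one instance of each pattern.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                  # 00: push ebp; mov ebp, esp   (benign prologue)
    b"\x0f\x31"                      # 03: rdtsc                    -> first timestamp
    b"\x8b\xd8"                      # 05: mov ebx, eax
    b"\x0f\xa2"                      # 07: cpuid                    -> CPU query / serialise
    b"\x0f\x31"                      # 09: rdtsc                    -> second timestamp
    b"\x2b\xc3"                      # 11: sub eax, ebx             -> delta
    b"\x3d\x00\x10\x00\x00"          # 13: cmp eax, 1000h           -> VM / debugger threshold
    b"\x64\xa1\x30\x00\x00\x00"      # 18: mov eax, fs:[30h]        -> PEB
    b"\x0f\xb6\x40\x02"              # 24: movzx eax, byte [eax+2]  -> PEB.BeingDebugged
    b"\x6a\xb9\xcb"                  # 28: push 0FFFFFFB9h; retf    -> junk / obfuscation
    b"\x57\xc3"                      # 31: push edi; ret
    b"\x5d\xc3"                      # 33: pop ebp; ret             (benign epilogue)
)


def scan(code: bytes) -> list:
    """Return sorted (offset, label) hits for every pattern in the buffer."""
    hits = []
    for label, pat in PATTERNS:
        for m in re.finditer(pat, code, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


def rdtsc_timing_checks(hits: list, window: int = 32) -> list:
    """Two rdtsc reads within `window` bytes look like a delta measurement."""
    reads = [off for off, label in hits if label == "rdtsc"]
    return [(a, b) for a, b in zip(reads, reads[1:]) if b - a <= window]


def summarize(code: bytes) -> dict:
    """Map raw hits onto the report's signature categories."""
    hits = scan(code)
    labels = {label for _, label in hits}
    timing = rdtsc_timing_checks(hits)
    return {
        "hits": hits,
        "timing_checks": timing,
        "anti_debug": "peb_read" in labels,                  # PEB.BeingDebugged style check
        "vm_detection": bool(timing) or "cpuid" in labels,   # rdtsc delta / cpuid probing
        "obfuscation": any(l.startswith("push_") for l in labels),
    }


if __name__ == "__main__":
    for off, label in scan(SAMPLE_CODE):
        print(f"{off:04x} {label}")
    print(summarize(SAMPLE_CODE))
```

A raw byte scan over a whole file is noisier than the sandbox's per-function disassembly: `0F 31` or `5x C3` can occur in data or straddle real instruction boundaries, which is why the report cites function addresses rather than file offsets. Run `scan` over the `.text` section only, or over a disassembler's instruction stream, before treating a hit as a finding.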