Play interactive tourEdit tour
Windows Analysis Report 77Etc0bR2v.exe
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Compliance
Score: | 17 |
Range: | 0 - 100 |
Signatures
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (window names)
Creates processes via WMI
DLL side loading technique detected
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Contains functionality to execute programs as a different user
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
EXE planting / hijacking vulnerabilities found
PE file does not import any functions
DLL planting / hijacking vulnerabilities found
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality to delete services
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Multi AV Scanner detection for dropped file | Show sources |
Source: | ReversingLabs: |
Source: | Avira: |
Source: | Code function: | 3_2_0049B32E | |
Source: | Code function: | 3_2_0049B4A0 | |
Source: | Code function: | 3_2_006F605B |
Source: | EXE: | Jump to behavior |
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior |
Compliance: |
---|
Uses 32bit PE files | Show sources |
Source: | Static PE information: |
EXE planting / hijacking vulnerabilities found | Show sources |
Source: | EXE: | Jump to behavior |
DLL planting / hijacking vulnerabilities found | Show sources |
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior | ||
Source: | DLL: | Jump to behavior |
Uses secure TLS version for HTTPS connections | Show sources |
Source: | HTTPS traffic detected: |
PE / OLE file has a valid certificate | Show sources |
Source: | Static PE information: |
Binary contains paths to debug symbols | Show sources |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 1_2_00405E61 | |
Source: | Code function: | 1_2_0040263E | |
Source: | Code function: | 1_2_0040548B | |
Source: | Code function: | 2_2_6F332DF0 | |
Source: | Code function: | 2_2_6F3328B0 | |
Source: | Code function: | 3_2_004BF3A9 | |
Source: | Code function: | 3_2_0050331C | |
Source: | Code function: | 3_2_6F332DF0 | |
Source: | Code function: | 3_2_6F3328B0 | |
Source: | Code function: | 6_2_6F332DF0 | |
Source: | Code function: | 6_2_6F3328B0 |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |