Windows Analysis Report oYIQVnvsyG.exe

Overview

General Information

Sample Name: oYIQVnvsyG.exe
Analysis ID: 483803
MD5: 43c573966b2b1d5d87ecd57eb2a81c33
SHA1: a08966162e39fa04e39d93b1d121f1bef6b3ec86
SHA256: d062fa8446a39adb2182c2a506e96801792855bbb0da2a9f278134630a5e5de2

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Contains long sleeps (>= 3 min)

Classification

Compliance:

Uses 32bit PE files
Source: oYIQVnvsyG.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: oYIQVnvsyG.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: oYIQVnvsyG.exe, 00000000.00000002.239893622.00000000014B2000.00000004.00000020.sdmp String found in binary or memory: http://go.microsz.R

System Summary:

Uses 32bit PE files
Source: oYIQVnvsyG.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Sample file is different than original file name gathered from version info
Source: oYIQVnvsyG.exe, 00000000.00000000.229505995.0000000000F6A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePWCRLauncher.exe4 vs oYIQVnvsyG.exe
Source: oYIQVnvsyG.exe, 00000000.00000002.239887172.00000000014A9000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs oYIQVnvsyG.exe
Source: oYIQVnvsyG.exe Binary or memory string: OriginalFilenamePWCRLauncher.exe4 vs oYIQVnvsyG.exe
PE file contains strange resources
Source: oYIQVnvsyG.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe File read: C:\Users\user\Desktop\oYIQVnvsyG.exe
Source: oYIQVnvsyG.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: classification engine Classification label: clean2.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\oYIQVnvsyG.exe.log
Source: oYIQVnvsyG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: oYIQVnvsyG.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe TID: 6396 Thread sleep time: -922337203685477s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe Memory allocated: page read and write | page guard
No contacted IP infos