Windows Analysis Report ilnQNBU7NA.exe

Overview

General Information

Sample Name: ilnQNBU7NA.exe
Analysis ID: 491982
MD5: 76449275538d7041bebeeedf2ab75b1d
SHA1: 6dc592eb5c639f79e67d7e1d45b03d15c703ea08
SHA256: bb47883b9a0e02bc3f3df2605176307900ea804ffa9698e35f93ea4909b28dbe
Tags: exe
Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Program does not show much activity (idle)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Machine Learning detection for sample
Source: ilnQNBU7NA.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: ilnQNBU7NA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: ilnQNBU7NA.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_0040646B FindFirstFileA,FindClose, 1_2_0040646B
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_004027A1 FindFirstFileA, 1_2_004027A1
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 1_2_004058BF
Source: ilnQNBU7NA.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ilnQNBU7NA.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_0040535C

System Summary:

Uses 32bit PE files
Source: ilnQNBU7NA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: ilnQNBU7NA.exe, 00000001.00000000.244825608.0000000000438000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamepestudio.exe2 vs ilnQNBU7NA.exe
Source: ilnQNBU7NA.exe Binary or memory string: OriginalFilenamepestudio.exe2 vs ilnQNBU7NA.exe
PE file contains strange resources
Source: ilnQNBU7NA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403348
Detected potential crypto function
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_00406945 1_2_00406945
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_0040711C 1_2_0040711C
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe File read: C:\Users\user\Desktop\ilnQNBU7NA.exe
Source: ilnQNBU7NA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403348
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe File created: C:\Users\user\AppData\Local\Temp\nsf5E6D.tmp
Source: classification engine Classification label: sus24.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_0040216B CoCreateInstance,MultiByteToWideChar, 1_2_0040216B
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_0040460D
Source: ilnQNBU7NA.exe Static file information: File size 3333764 > 1048576
Source: ilnQNBU7NA.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

PE file contains an invalid checksum
Source: ilnQNBU7NA.exe Static PE information: real checksum: 0x502be1 should be: 0x33a921
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_0040646B FindFirstFileA,FindClose, 1_2_0040646B
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_004027A1 FindFirstFileA, 1_2_004027A1
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 1_2_004058BF

Anti Debugging:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\ilnQNBU7NA.exe Code function: 1_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403348
No contacted IP infos