Windows Analysis Report 0klWxH7lko.exe

Overview

General Information

Sample Name: 0klWxH7lko.exe
Analysis ID: 511181
MD5: 8b1a607ffb0fc28a2cfc74782c86639e
SHA1: a806a148512d7dcf8a3d5578bc8f76d8408ddc50
SHA256: 07c670b4ae43186e7e56124048946ba2f7324226359c10e344241e633773e6f0
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to detect sandboxes (mouse cursor move detection)
May check if the current machine is a sandbox (GetTickCount - Sleep)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 0klWxH7lko.exe Virustotal: Detection: 19%
Source: 0klWxH7lko.exe ReversingLabs: Detection: 22%

Compliance:

Uses 32bit PE files
Source: 0klWxH7lko.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: makecab.pdbGCTL source: 0klWxH7lko.exe
Source: Binary string: makecab.pdb source: 0klWxH7lko.exe
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_004059DC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_004059DC
Source: unknown DNS traffic detected: queries for: clientconfig.passport.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 0klWxH7lko.exe, 00000001.00000002.517897189.000000000069A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043289C GetKeyboardState,KiUserCallbackDispatcher, 1_2_0043289C

System Summary:

Uses 32bit PE files
Source: 0klWxH7lko.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Sample file is different than original file name gathered from version info
Source: 0klWxH7lko.exe Binary or memory string: OriginalFilename vs 0klWxH7lko.exe
Source: 0klWxH7lko.exe, 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp Binary or memory string: OriginalFilenamemakecab.exej% vs 0klWxH7lko.exe
Source: 0klWxH7lko.exe Binary or memory string: OriginalFilenamemakecab.exej% vs 0klWxH7lko.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0044AA44 1_2_0044AA44
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0044583C 1_2_0044583C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: String function: 00406A24 appears 61 times
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: String function: 004048D8 appears 68 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00450594 NtdllDefWindowProc_A, 1_2_00450594
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043582C NtdllDefWindowProc_A,GetCapture, 1_2_0043582C
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00450D38 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_00450D38
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00450DE8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_00450DE8
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00429488 NtdllDefWindowProc_A, 1_2_00429488
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0044583C GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 1_2_0044583C
Source: 0klWxH7lko.exe Virustotal: Detection: 19%
Source: 0klWxH7lko.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0041E178 GetLastError,FormatMessageA, 1_2_0041E178
Source: C:\Users\user\Desktop\0klWxH7lko.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\0klWxH7lko.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: 0klWxH7lko.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00414038 FindResourceA, 1_2_00414038
Source: classification engine Classification label: mal52.evad.winEXE@1/0@1/0
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00408D92 GetDiskFreeSpaceA, 1_2_00408D92
Source: C:\Users\user\Desktop\0klWxH7lko.exe Window found: window name: TButton
Source: Binary string: makecab.pdbGCTL source: 0klWxH7lko.exe
Source: Binary string: makecab.pdb source: 0klWxH7lko.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043CE54 push 0043CEE1h; ret 1_2_0043CED9
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043E11C push 0043E148h; ret 1_2_0043E140
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_004462F4 push 0044635Fh; ret 1_2_00446357
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0041A428 push ecx; mov dword ptr [esp], edx 1_2_0041A42D
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0042443C push 0042447Ah; ret 1_2_00424472
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00424484 push 004244B0h; ret 1_2_004244A8
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_004244BC push 004244F4h; ret 1_2_004244EC
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00406570 push 004065C1h; ret 1_2_004065B9
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0040E628 push 0040E654h; ret 1_2_0040E64C
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043263C push ecx; mov dword ptr [esp], ecx 1_2_00432640
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_004226D0 push 004227A0h; ret 1_2_00422798
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_004247E0 push 0042480Ch; ret 1_2_00424804
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_004067B8 push 004067E4h; ret 1_2_004067DC
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00406830 push 0040685Ch; ret 1_2_00406854
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_004168D4 push ecx; mov dword ptr [esp], edx 1_2_004168D6
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_004228B0 push 004228DCh; ret 1_2_004228D4
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00452954 push 004529AEh; ret 1_2_004529A6
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0042498C push 004249B8h; ret 1_2_004249B0
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00422B84 push 00422BB0h; ret 1_2_00422BA8
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00422C88 push 00422CB4h; ret 1_2_00422CAC
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043CDEC push 0043CE52h; ret 1_2_0043CE4A
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00408E40 push ecx; mov dword ptr [esp], eax 1_2_00408E41
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00410F86 push 00410FFEh; ret 1_2_00410FF6
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00410F88 push 00410FFEh; ret 1_2_00410FF6
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0042AFAC push 0042B005h; ret 1_2_0042AFFD
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00409044 push ecx; mov dword ptr [esp], eax 1_2_00409045
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0042B048 push 0042B080h; ret 1_2_0042B078
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00411000 push 004110A8h; ret 1_2_004110A0
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_004550C8 push 004550FBh; ret 1_2_004550F3
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0042B0DC push 0042B108h; ret 1_2_0042B100
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_004110AA push 004111C0h; ret 1_2_004111B8
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043C824 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 1_2_0043C824

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043C824 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 1_2_0043C824
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0045061C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_0045061C
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0044D604 KiUserCallbackDispatcher,SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0044D604
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00438128 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00438128
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00450D38 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_00450D38
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00450DE8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_00450DE8
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00422ECC MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00422ECC
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00436F50 IsIconic,GetCapture, 1_2_00436F50
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00437804 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00437804

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0042BDC8 1_2_0042BDC8
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 1_2_0044FB78
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0042BDC8 1_2_0042BDC8
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0041E714 GetSystemInfo, 1_2_0041E714
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_004059DC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_004059DC

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043C824 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 1_2_0043C824
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp Binary or memory string: Progman
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_00405BB4
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: GetLocaleInfoA, 1_2_004064FC
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: GetLocaleInfoA,GetACP, 1_2_0040CC84
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: GetLocaleInfoA, 1_2_0040B638
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: GetLocaleInfoA, 1_2_0040B684
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_00405CBF
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043CE54 GetVersion, 1_2_0043CE54
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0040A10C GetLocalTime, 1_2_0040A10C
No contacted IP information