Windows Analysis Report 0klWxH7lko.exe

Overview

General Information

Sample Name: 0klWxH7lko.exe
Analysis ID: 511181
MD5: 8b1a607ffb0fc28a2cfc74782c86639e
SHA1: a806a148512d7dcf8a3d5578bc8f76d8408ddc50
SHA256: 07c670b4ae43186e7e56124048946ba2f7324226359c10e344241e633773e6f0
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to detect sandboxes (mouse cursor move detection)
May check if the current machine is a sandbox (GetTickCount - Sleep)

Process Tree

  • System is w10x64
  • 0klWxH7lko.exe (PID: 4440 cmdline: 'C:\Users\user\Desktop\0klWxH7lko.exe' MD5: 8B1A607FFB0FC28A2CFC74782C86639E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 0klWxH7lko.exe | Virustotal: Detection: 19%
Source: 0klWxH7lko.exe | ReversingLabs: Detection: 22%
Source: 0klWxH7lko.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: makecab.pdbGCTL source: 0klWxH7lko.exe
Source: Binary string: makecab.pdb source: 0klWxH7lko.exe
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_004059DC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: unknown | DNS traffic detected: queries for: clientconfig.passport.net
Source: 0klWxH7lko.exe, 00000001.00000002.517897189.000000000069A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0043289C GetKeyboardState,KiUserCallbackDispatcher
Source: 0klWxH7lko.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: 0klWxH7lko.exe | Binary or memory string: OriginalFilename vs 0klWxH7lko.exe
Source: 0klWxH7lko.exe, 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp | Binary or memory string: OriginalFilenamemakecab.exej% vs 0klWxH7lko.exe
Source: 0klWxH7lko.exe | Binary or memory string: OriginalFilenamemakecab.exej% vs 0klWxH7lko.exe
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0044AA44
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0044583C
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: String function: 00406A24 appears 61 times
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: String function: 004048D8 appears 68 times
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00450594 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0043582C NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00450D38 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00450DE8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00429488 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0044583C GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: 0klWxH7lko.exe | Virustotal: Detection: 19%
Source: 0klWxH7lko.exe | ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0041E178 GetLastError,FormatMessageA
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: 0klWxH7lko.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00414038 FindResourceA
Source: classification engine | Classification label: mal52.evad.winEXE@1/0@1/0
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00408D92 GetDiskFreeSpaceA
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Window found: window name: TButton
Source: Binary string: makecab.pdbGCTL source: 0klWxH7lko.exe
Source: Binary string: makecab.pdb source: 0klWxH7lko.exe
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0043CE54 push 0043CEE1h; ret 1_2_0043CED9
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0043E11C push 0043E148h; ret 1_2_0043E140
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_004462F4 push 0044635Fh; ret 1_2_00446357
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0041A428 push ecx; mov dword ptr [esp], edx 1_2_0041A42D
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0042443C push 0042447Ah; ret 1_2_00424472
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00424484 push 004244B0h; ret 1_2_004244A8
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_004244BC push 004244F4h; ret 1_2_004244EC
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00406570 push 004065C1h; ret 1_2_004065B9
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0040E628 push 0040E654h; ret 1_2_0040E64C
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0043263C push ecx; mov dword ptr [esp], ecx 1_2_00432640
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_004226D0 push 004227A0h; ret 1_2_00422798
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_004247E0 push 0042480Ch; ret 1_2_00424804
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_004067B8 push 004067E4h; ret 1_2_004067DC
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00406830 push 0040685Ch; ret 1_2_00406854
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_004168D4 push ecx; mov dword ptr [esp], edx 1_2_004168D6
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_004228B0 push 004228DCh; ret 1_2_004228D4
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00452954 push 004529AEh; ret 1_2_004529A6
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0042498C push 004249B8h; ret 1_2_004249B0
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00422B84 push 00422BB0h; ret 1_2_00422BA8
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00422C88 push 00422CB4h; ret 1_2_00422CAC
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0043CDEC push 0043CE52h; ret 1_2_0043CE4A
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00408E40 push ecx; mov dword ptr [esp], eax 1_2_00408E41
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00410F86 push 00410FFEh; ret 1_2_00410FF6
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00410F88 push 00410FFEh; ret 1_2_00410FF6
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0042AFAC push 0042B005h; ret 1_2_0042AFFD
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00409044 push ecx; mov dword ptr [esp], eax 1_2_00409045
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0042B048 push 0042B080h; ret 1_2_0042B078
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00411000 push 004110A8h; ret 1_2_004110A0
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_004550C8 push 004550FBh; ret 1_2_004550F3
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0042B0DC push 0042B108h; ret 1_2_0042B100
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_004110AA push 004111C0h; ret 1_2_004111B8
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0043C824 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0045061C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0044D604 KiUserCallbackDispatcher,SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00438128 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00450D38 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00450DE8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00422ECC MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00436F50 IsIconic,GetCapture
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00437804 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0042BDC8
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0044FB78 GetCurrentThreadId,GetCursorPos,WaitForSingleObject
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0042BDC8
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0041E714 GetSystemInfo
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_004059DC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0043C824 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00405BB4 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_004064FC GetLocaleInfoA
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0040CC84 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0040B638 GetLocaleInfoA
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0040B684 GetLocaleInfoA
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_00405CBF lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0043CE54 GetVersion
Source: C:\Users\user\Desktop\0klWxH7lko.exe | Code function: 1_2_0040A10C GetLocalTime

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | Application Shimming1 | Process Injection1 | Process Injection1 | Input Capture21 | System Time Discovery1 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Application Shimming1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | Security Software Discovery12 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Application Window Discovery11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

Behavior Graph

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.