Windows Analysis Report ZM80M76Nwv.exe

Overview

General Information

Sample Name: ZM80M76Nwv.exe
Analysis ID: 528754
MD5: 3c93f57536f15046b52f4340edba42da
SHA1: a7b4f2c0390ebc7c4b7aa5bbfbb60503aba08955
SHA256: 493ea8db7e8d8554d3f3c1dcbcf661dc5027892b02d262dfdcb58372e257191b
Tags: exe, RedLineStealer

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
PE file has nameless sections
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
One or more processes crash
PE file contains an invalid checksum
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
PE file overlay found

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: ZM80M76Nwv.exe Virustotal: Detection: 35%
Machine Learning detection for sample
Source: ZM80M76Nwv.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: ZM80M76Nwv.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.309886506.00000000052C1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.309886506.00000000052C1000.00000004.00000001.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000005.00000002.319420895.0000000002E32000.00000004.00000001.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.309886506.00000000052C1000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.309886506.00000000052C1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000005.00000003.309886506.00000000052C1000.00000004.00000001.sdmp
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net

System Summary:

PE file has nameless sections
Source: ZM80M76Nwv.exe Static PE information: section name: (empty; six nameless sections)
Uses 32bit PE files
Source: ZM80M76Nwv.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
PE file does not import any functions
Source: ZM80M76Nwv.exe Static PE information: No import functions for PE file found
One or more processes crash
Source: C:\Users\user\Desktop\ZM80M76Nwv.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 208
Detected potential crypto function
Source: C:\Windows\SysWOW64\WerFault.exe Code function: 5_2_02E3E448 5_2_02E3E448
PE file overlay found
Source: ZM80M76Nwv.exe Static PE information: Data appended to the last section found
Source: ZM80M76Nwv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: ZM80M76Nwv.exe Static PE information: Section: ZLIB complexity 1.00051229508
Source: ZM80M76Nwv.exe Static PE information: Section: ZLIB complexity 1.0107421875
Source: ZM80M76Nwv.exe Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\ZM80M76Nwv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ZM80M76Nwv.exe "C:\Users\user\Desktop\ZM80M76Nwv.exe"
Source: C:\Users\user\Desktop\ZM80M76Nwv.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 208
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1316
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A67.tmp
Source: classification engine Classification label: mal56.winEXE@2/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: ZM80M76Nwv.exe Static PE information: Raw size of nameless section is bigger than: 0x100000 < 0x3dc000
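The crash evidence above (ZM80M76Nwv.exe spawning WerFault.exe -u -p 1316 -s 208, and the WERReportingForProcess1316 mutant) is mainly useful as a pivot: the -p argument carries the PID of the faulting process, and a crash of an executable launched from a user-writable path deserves a second look even when nothing else fires. The script below is an added example, not part of this report or of Joe Sandbox. Its records are constructed from the process lines in this report; every PID other than 1316, the second process pair, and the record layout itself are assumptions made for the example.

```python
"""Tie each WerFault.exe launch back to the process that crashed, using the
-p <pid> argument WerFault is started with. RECORDS is constructed from the
process lines in this report (PIDs other than 1316 are invented); the field
layout is an assumption for this example, not a sandbox export format."""
import re
from typing import NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    parent_pid: int
    image: str
    cmdline: str


RECORDS = [
    Proc(1316, 4000, r"C:\Users\user\Desktop\ZM80M76Nwv.exe", r'"C:\Users\user\Desktop\ZM80M76Nwv.exe"'),
    Proc(2264, 1316, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 208"),
    Proc(3100, 4000, r"C:\Program Files\Vendor\app.exe", r'"C:\Program Files\Vendor\app.exe"'),  # invented, for contrast
    Proc(3108, 3100, r"C:\Windows\System32\WerFault.exe",
         r"C:\Windows\System32\WerFault.exe -u -p 3100 -s 420"),
]

# "-p <pid>" names the faulting process; "-u" marks a user-mode report.
WERFAULT_ARGS = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)
# Paths an unprivileged user can write to, where freshly dropped samples usually run.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.IGNORECASE)


def crashed_pid(cmdline: str) -> Optional[int]:
    """PID of the faulting process from a WerFault command line, or None."""
    m = WERFAULT_ARGS.search(cmdline)
    return int(m.group(1)) if m else None


def crash_reports(records) -> list:
    """One entry per WerFault launch, joined to the process it reports on."""
    by_pid = {r.pid: r for r in records}
    out = []
    for r in records:
        pid = crashed_pid(r.cmdline)
        if pid is None:
            continue
        victim = by_pid.get(pid)
        out.append({
            "werfault_pid": r.pid,
            "crashed_pid": pid,
            "crashed_image": victim.image if victim else None,
            # A user-mode WerFault is spawned by the faulting process itself,
            # so its parent should be the PID it reports on.
            "parent_matches": victim is not None and r.parent_pid == pid,
            "user_writable_path": bool(victim and USER_WRITABLE.match(victim.image)),
            # Mutant name to pivot on in handle or behaviour logs.
            "mutant_suffix": f"WERReportingForProcess{pid}",
        })
    return out


def suspicious_crashes(records) -> list:
    """Crashes of executables running from user-writable paths."""
    return [c for c in crash_reports(records) if c["user_writable_path"]]


if __name__ == "__main__":
    for c in suspicious_crashes(RECORDS):
        print(c)
```

A sample that crashes this early has usually not shown its real behaviour, so the static indicators in this report should not be read as the limit of what the file does.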

Data Obfuscation:

PE file contains an invalid checksum
Source: ZM80M76Nwv.exe Static PE information: real checksum: 0x42a356 should be: 0x39e83
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WerFault.exe Code function: 5_2_02E3E87A pushad ; ret 5_2_02E3E87C
PE file contains sections with non-standard names
Source: ZM80M76Nwv.exe Static PE information: section name: (empty; six nameless sections)
Source: ZM80M76Nwv.exe Static PE information: section name: .AqWcUFG
Source: ZM80M76Nwv.exe Static PE information: section name: .adata
Source: initial sample Static PE information: section name: entropy: 7.99401104881
Source: initial sample Static PE information: section name: entropy: 7.78065343968
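The static indicators listed above (nameless and non-standard section names, no import table, a CheckSum field that does not match the file, data appended after the last section, section entropy near 8.0) can all be checked from the raw file without a sandbox. The script below is an added example, not part of this report or of Joe Sandbox; it uses only the Python standard library. build_pe() constructs a synthetic PE32 image so the checks can be run offline and is not the analysed sample; STANDARD_SECTIONS is an assumed allow-list of common linker section names, and the 7.0 entropy threshold is likewise an assumption.

```python
"""Static PE triage for the indicators this report flags: nameless or non-standard section names, no imports, invalid checksum, overlay data, high section entropy."""
import math
import struct

# IMAGE_FILE_HEADER Characteristics bits quoted in the report
CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE"}
# Assumed allow-list of common linker section names; anything else counts as non-standard
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}
IMPORT_DIR = 1  # index of IMAGE_DIRECTORY_ENTRY_IMPORT in the data directory

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    h, n = 0.0, len(data)
    for count in (data.count(b) for b in set(data)):
        p = count / n
        h -= p * math.log2(p)
    return h

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE/COFF checksum as imagehlp computes it: 32-bit words summed with end-around
    carry (CheckSum field skipped), folded to 16 bits, plus the file length."""
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def _optional_header(data: bytes) -> int:
    # offset of IMAGE_OPTIONAL_HEADER: after the PE signature and 20-byte COFF header
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return e_lfanew + 4 + 20

def triage(data: bytes) -> dict:
    """Static indicators for one PE32 image, keyed like the report's signatures."""
    opt = _optional_header(data)
    nsect, opt_size, chars = struct.unpack_from("<H12xHH", data, opt - 18)
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    checksum_off = opt + 64
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    imp_rva, imp_size = (struct.unpack_from("<II", data, opt + 96 + 8 * IMPORT_DIR)
                         if ndirs > IMPORT_DIR else (0, 0))
    sections, end = [], opt + opt_size + 40 * nsect
    for i in range(nsect):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, entropy(data[raw_ptr:raw_ptr + raw_size])))
        end = max(end, raw_ptr + raw_size)  # end of the last section's raw data
    return {
        "characteristics": [n for bit, n in CHARACTERISTICS.items() if chars & bit],
        "nameless_sections": sum(1 for n, _ in sections if n == ""),
        "nonstandard_names": [n for n, _ in sections if n and n not in STANDARD_SECTIONS],
        "high_entropy_sections": [n for n, e in sections if e > 7.0],
        "no_imports": imp_rva == 0 or imp_size == 0,
        "checksum_valid": stored == pe_checksum(data, checksum_off),
        "overlay_bytes": max(0, len(data) - end),  # bytes appended after the last section
    }

def fix_checksum(data: bytes) -> bytes:
    """Rewrite the CheckSum field so that it agrees with the image."""
    off = _optional_header(data) + 64
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)

def build_pe(sections, overlay=b"", checksum=0, import_dir=(0, 0)) -> bytes:
    """Constructed minimal PE32 image for testing; sections is [(name, raw_bytes)]."""
    nsect = len(sections)
    raw_ptr = -(-(0x40 + 4 + 20 + 224 + 40 * nsect) // 0x200) * 0x200  # FileAlignment 0x200
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HH12xHH", 0x14C, nsect, 224, sum(CHARACTERISTICS))
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<IIIH", opt, 56, 0x1000 * (nsect + 1), raw_ptr, checksum, 2)  # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR, *import_dir)
    hdrs, body = b"", b""
    for i, (name, raw) in enumerate(sections):
        padded = raw.ljust(-(-len(raw) // 0x200) * 0x200, b"\0")
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000 * (i + 1),
                            len(padded), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += padded
    image = (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(raw_ptr, b"\0")
    return image + body + overlay

if __name__ == "__main__":
    uniform = bytes(range(256)) * 16  # entropy exactly 8.0, stands in for packed code
    sample = build_pe([("", uniform)] * 6 + [(".AqWcUFG", uniform), (".adata", b"\x90" * 512)],
                      overlay=b"OVERLAY", checksum=0x42A356)
    print(triage(sample))
```

pe_checksum() skips the CheckSum field and folds carries the way imagehlp's CheckSumMappedFile does, so fix_checksum() makes the field agree with the image; a stored value that differs from the computed one, as 0x42a356 against 0x39e83 does in this report, is what you see when a binary was patched or packed after linking. A CheckSum of zero is a different case: Windows only enforces the field for drivers and certain system DLLs, so many user-mode linkers leave it unset.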
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (19 times)
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.5.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.5.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ZM80M76Nwv.exe Process queried: DebugPort

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.5.dr, Amcache.hve.LOG1.5.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr, Amcache.hve.LOG1.5.dr Binary or memory string: procexp.exe
No contacted IP infos