Windows Analysis Report g3r7OOQiri.exe

Overview

General Information

Sample Name: g3r7OOQiri.exe
Analysis ID: 528755
MD5: 523928f18d5110ae858049b3e8e7ffe1
SHA1: 741c67937cc564d2d0bb989ab09997ffd6be1296
SHA256: aef6752333e99c747f01eb9345f03ccbc6a162054dfb705afd7c3040e8219e45
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
PE file has nameless sections
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
One or more processes crash
PE file contains an invalid checksum
Checks if the current process is being debugged
PE file contains sections with non-standard names
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file overlay found

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: g3r7OOQiri.exe Virustotal: Detection: 15%
Machine Learning detection for sample
Source: g3r7OOQiri.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: g3r7OOQiri.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.246560840.0000000000FBD000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.247748945.0000000005231000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.246619265.0000000000FA5000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.246580863.0000000000FA5000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.247748945.0000000005231000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.246623632.0000000000FAB000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.246585158.0000000000FAB000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.246623632.0000000000FAB000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.246585158.0000000000FAB000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.247748945.0000000005231000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.246576679.0000000000F9F000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.246615405.0000000000F9F000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.246619265.0000000000FA5000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.246580863.0000000000FA5000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.247748945.0000000005231000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000004.00000003.247748945.0000000005231000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.246576679.0000000000F9F000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.246615405.0000000000F9F000.00000004.00000001.sdmp
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net

System Summary:

PE file has nameless sections
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Uses 32bit PE files
Source: g3r7OOQiri.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
PE file does not import any functions
Source: g3r7OOQiri.exe Static PE information: No import functions for PE file found
One or more processes crash
Source: C:\Users\user\Desktop\g3r7OOQiri.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 212
PE file contains more sections than normal
Source: g3r7OOQiri.exe Static PE information: Number of sections : 14 > 10
PE file overlay found
Source: g3r7OOQiri.exe Static PE information: Data appended to the last section found
Source: g3r7OOQiri.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: g3r7OOQiri.exe Static PE information: Section: ZLIB complexity 1.00042941046
Source: g3r7OOQiri.exe Static PE information: Section: ZLIB complexity 1.004296875
Source: g3r7OOQiri.exe Static PE information: Section: ZLIB complexity 1.00097595599
Source: g3r7OOQiri.exe Virustotal: Detection: 15%
Source: C:\Users\user\Desktop\g3r7OOQiri.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\g3r7OOQiri.exe "C:\Users\user\Desktop\g3r7OOQiri.exe"
Source: C:\Users\user\Desktop\g3r7OOQiri.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 212
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6240
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE4.tmp
Source: classification engine Classification label: mal56.winEXE@2/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: g3r7OOQiri.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

PE file contains an invalid checksum
Source: g3r7OOQiri.exe Static PE information: real checksum: 0x14efe5 should be: 0x1c55f
PE file contains sections with non-standard names
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name:
Source: g3r7OOQiri.exe Static PE information: section name: .ShqA6WN
Source: g3r7OOQiri.exe Static PE information: section name: .adata
Source: initial sample Static PE information: section name: entropy: 7.9974253827
Source: initial sample Static PE information: section name: entropy: 7.92908677458
Source: initial sample Static PE information: section name: entropy: 7.98297122027

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.4.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: WerFault.exe, 00000004.00000003.258827345.0000000000FB2000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.258988957.0000000000FB3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: VMware7,1
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\g3r7OOQiri.exe Process queried: DebugPort

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
No contacted IP infos