Windows Analysis Report QVWb1n5OTH

Overview

General Information

Sample Name: QVWb1n5OTH (renamed file extension from none to exe)
Analysis ID: 532182
MD5: f8236209c7b1928b3f1eb0a7074f6992
SHA1: 7f31471385b39722a1c7a6e983ecca372e673796
SHA256: eab40778e702a859cc33abcd92e796755e95e8fdb0eeb7c5243b7c1866751bb0
Tags: 32exetrojan
Infos:

Most interesting Screenshot:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Potential malicious icon found
Multi AV Scanner detection for submitted file
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: QVWb1n5OTH.exe Virustotal: Detection: 60% Perma Link
Source: QVWb1n5OTH.exe Metadefender: Detection: 28% Perma Link
Source: QVWb1n5OTH.exe ReversingLabs: Detection: 48%

Compliance:

barindex
Uses 32bit PE files
Source: QVWb1n5OTH.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\AERIFIED.pdb source: QVWb1n5OTH.exe
Source: QVWb1n5OTH.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: QVWb1n5OTH.exe String found in binary or memory: http://s.symcd.com06
Source: QVWb1n5OTH.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: QVWb1n5OTH.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: QVWb1n5OTH.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: QVWb1n5OTH.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: QVWb1n5OTH.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: QVWb1n5OTH.exe String found in binary or memory: https://d.symcb.com/rpa0.

System Summary:

barindex
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: QVWb1n5OTH.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: QVWb1n5OTH.exe, 00000000.00000002.1187882230.0000000000422000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAERIFIED.exe vs QVWb1n5OTH.exe
Source: QVWb1n5OTH.exe, 00000000.00000002.1188293212.00000000020D0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAERIFIED.exeFE2X vs QVWb1n5OTH.exe
Source: QVWb1n5OTH.exe Binary or memory string: OriginalFilenameAERIFIED.exe vs QVWb1n5OTH.exe
PE file contains strange resources
Source: QVWb1n5OTH.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021F42DB 0_2_021F42DB
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021ED013 0_2_021ED013
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021F0824 0_2_021F0824
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021EA25A 0_2_021EA25A
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021F2674 0_2_021F2674
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021F2A99 0_2_021F2A99
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021E1480 0_2_021E1480
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021EC52C 0_2_021EC52C
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021E474F 0_2_021E474F
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021E4D67 0_2_021E4D67
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021F2592 0_2_021F2592
PE / OLE file has an invalid certificate
Source: QVWb1n5OTH.exe Static PE information: invalid certificate
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Process Stats: CPU usage > 98%
Source: QVWb1n5OTH.exe Virustotal: Detection: 60%
Source: QVWb1n5OTH.exe Metadefender: Detection: 28%
Source: QVWb1n5OTH.exe ReversingLabs: Detection: 48%
Source: QVWb1n5OTH.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: classification engine Classification label: mal60.rans.evad.winEXE@1/0@0/0
Source: QVWb1n5OTH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\AERIFIED.pdb source: QVWb1n5OTH.exe

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_0040390E push eax; ret 0_2_00403911
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021E5811 push ss; retf 0_2_021E5824
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021E2E49 push 0EFDBCC3h; ret 0_2_021E2E4E
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021E5D3B pushad ; retn 0004h 0_2_021E5D49
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021E234D push edx; iretd 0_2_021E2355
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021E39A4 pushad ; ret 0_2_021E39AF
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021E57C8 push ss; retf 0_2_021E5824
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021E13F7 pushad ; ret 0_2_021E1407
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021F184A rdtsc 0_2_021F184A

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021F2A99 mov eax, dword ptr fs:[00000030h] 0_2_021F2A99
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021F0086 mov eax, dword ptr fs:[00000030h] 0_2_021F0086
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021EC2B2 mov eax, dword ptr fs:[00000030h] 0_2_021EC2B2
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021F0FA8 mov eax, dword ptr fs:[00000030h] 0_2_021F0FA8
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021F184A rdtsc 0_2_021F184A
Source: C:\Users\user\Desktop\QVWb1n5OTH.exe Code function: 0_2_021F42DB RtlAddVectoredExceptionHandler, 0_2_021F42DB
Source: QVWb1n5OTH.exe, 00000000.00000002.1188234484.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: QVWb1n5OTH.exe, 00000000.00000002.1188234484.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: QVWb1n5OTH.exe, 00000000.00000002.1188234484.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: QVWb1n5OTH.exe, 00000000.00000002.1188234484.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532182 Sample: QVWb1n5OTH Startdate: 01/12/2021 Architecture: WINDOWS Score: 60 8 Potential malicious icon found 2->8 10 Multi AV Scanner detection for submitted file 2->10 5 QVWb1n5OTH.exe 2->5         started        process3 signatures4 12 Found potential dummy code loops (likely to delay analysis) 5->12
No contacted IP infos