Windows Analysis Report 1.2.javaw.exe.22e0000.2.unpack

Overview

General Information

Sample Name: 1.2.javaw.exe.22e0000.2.unpack (renamed file extension from unpack to exe)
Analysis ID: 537742
MD5: c47bfe4e43d258b87c6cece9de90c89f
SHA1: eb2c417a29d2f08e37d63f3b75cdc61b42855e91
SHA256: f4d742d82698f532e0215832cb484619a4e84547d8a1ca8dc8f2e9f791a6f27d

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Creates autostart registry keys to launch java
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
One or more processes crash
Contains functionality to read the PEB
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 1.2.javaw.exe.22e0000.2.exe Avira: detected
Machine Learning detection for sample
Source: 1.2.javaw.exe.22e0000.2.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 1.2.javaw.exe.22e0000.2.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.295282834.00000000049D1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.295282834.00000000049D1000.00000004.00000001.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.305125543.0000000000312000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.295282834.00000000049D1000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.295282834.00000000049D1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000009.00000003.295282834.00000000049D1000.00000004.00000001.sdmp
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net

System Summary:

PE file does not import any functions
Source: 1.2.javaw.exe.22e0000.2.exe Static PE information: No import functions for PE file found
One or more processes crash
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 212
Detected potential crypto function
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe Code function: 3_2_022E19B0 3_2_022E19B0
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe Code function: 3_2_022E8D70 3_2_022E8D70
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe Code function: 3_2_022E37F0 3_2_022E37F0
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe Code function: 3_2_022E50C0 3_2_022E50C0
Source: 1.2.javaw.exe.22e0000.2.exe Static PE information: Section: .data ZLIB complexity 1.021484375
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER173D.tmp
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal56.winEXE@2/6@0/1
Source: unknown Process created: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe "C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe"
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6196
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 1.2.javaw.exe.22e0000.2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1.2.javaw.exe.22e0000.2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1.2.javaw.exe.22e0000.2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1.2.javaw.exe.22e0000.2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1.2.javaw.exe.22e0000.2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains sections with non-standard names
Source: 1.2.javaw.exe.22e0000.2.exe Static PE information: section name: .teslaX

Boot Survival:

Creates autostart registry keys to launch java
Source: C:\Windows\SysWOW64\WerFault.exe Registry value created or modified: \REGISTRY\A\{ff6a568b-cc7a-5e80-36a9-d30ff46fc7a9}\Root\InventoryApplicationFile\1.2.javaw.exe.22|d0d8f4f4 LowerCaseLongPath c:\users\user\desktop\1.2.javaw.exe.22e0000.2.exe
Source: C:\Windows\SysWOW64\WerFault.exe Registry value created or modified: \REGISTRY\A\{ff6a568b-cc7a-5e80-36a9-d30ff46fc7a9}\Root\InventoryApplicationFile\1.2.javaw.exe.22|d0d8f4f4 LongPathHash 1.2.javaw.exe.22|d0d8f4f4
Source: C:\Windows\SysWOW64\WerFault.exe Registry value created or modified: \REGISTRY\A\{ff6a568b-cc7a-5e80-36a9-d30ff46fc7a9}\Root\InventoryApplicationFile\1.2.javaw.exe.22|d0d8f4f4 Name 1.2.javaw.exe.22e0000.2.exe
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.9.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: VMware7,1
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.9.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe Code function: 3_2_022E3E40 mov eax, dword ptr fs:[00000030h] 3_2_022E3E40
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe Process queried: DebugPort

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.9.dr, Amcache.hve.LOG1.9.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr, Amcache.hve.LOG1.9.dr Binary or memory string: procexp.exe