Windows Analysis Report
Confirming#000092002.exe

Overview

General Information

Sample Name: Confirming#000092002.exe
Analysis ID: 596169
MD5: 24a097b3cd1e774e29e6e3e4f5e6522a
SHA1: f856350b37fae02331ce184b1f258f80900d8de5
SHA256: 23cae5cce339ef9de5d22c2117af79d45013d65241fbe6faa7a36e94e191b42b
Tags: exe, limerat, warzonerat

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)

Classification

AV Detection

Source: Confirming#000092002.exe ReversingLabs: Detection: 54%
Source: 1.2.Confirming#000092002.exe.ea0000.0.unpack Avira: Label: ADWARE/Adware.Gen8
Source: 1.0.Confirming#000092002.exe.ea0000.0.unpack Avira: Label: ADWARE/Adware.Gen8
Source: Confirming#000092002.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Confirming#000092002.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\MultiRead\no.pdb source: Confirming#000092002.exe
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EAA22B FindFirstFileExW, 1_2_00EAA22B
Source: Confirming#000092002.exe, 00000001.00000000.244166012.0000000000FE3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMultiRead.EXEB vs Confirming#000092002.exe
Source: Confirming#000092002.exe Binary or memory string: OriginalFilenameMultiRead.EXEB vs Confirming#000092002.exe
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EAFA9C 1_2_00EAFA9C
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: String function: 00EA4730 appears 34 times
Source: Confirming#000092002.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Confirming#000092002.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EA1B39 __EH_prolog3_catch_GS,__alloca_probe_16,LoadLibraryExA,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary, 1_2_00EA1B39
Source: classification engine Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EA14A2 CoCreateInstance, 1_2_00EA14A2
Source: Confirming#000092002.exe Static file information: File size 1320960 > 1048576
Source: Confirming#000092002.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x129400
Source: Confirming#000092002.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Confirming#000092002.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Confirming#000092002.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Confirming#000092002.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Confirming#000092002.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Confirming#000092002.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Confirming#000092002.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Confirming#000092002.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Confirming#000092002.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Confirming#000092002.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Confirming#000092002.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EB01B1 push ecx; ret 1_2_00EB01C4
Source: C:\Users\user\Desktop\Confirming#000092002.exe API coverage: 3.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EA71A3 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 1_2_00EA71A3
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EA4959 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00EA4959
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EA7B8E mov eax, dword ptr fs:[00000030h] 1_2_00EA7B8E
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EA9DF6 mov eax, dword ptr fs:[00000030h] 1_2_00EA9DF6
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EA71A3 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 1_2_00EA71A3
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EAB2B8 GetProcessHeap, 1_2_00EAB2B8
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EA4AEF SetUnhandledExceptionFilter, 1_2_00EA4AEF
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EA72E0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00EA72E0
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EA42DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00EA42DA
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EA4775 cpuid 1_2_00EA4775
Source: C:\Users\user\Desktop\Confirming#000092002.exe Code function: 1_2_00EA4BDE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00EA4BDE
No contacted IP infos