Windows Analysis Report
dinhVFAbgo

Overview

General Information

Sample Name: dinhVFAbgo (renamed file extension from none to exe)
Analysis ID: 626617
MD5: de3eafb5fa64237cb2d54949c432f19c
SHA1: bbb3d8d70e1416241b469c3f58596986957ac39d
SHA256: 93d2edbc498f6f8689223bcb079143a97627efe9c1f7b23687a94a1eaf223d78
Tags: 32exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found evasive API chain (may stop execution after checking mutex)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Potential key logger detected (key state polling based)
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: dinhVFAbgo.exe Virustotal: Detection: 10%
Source: dinhVFAbgo.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: dinhVFAbgo.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CAC295 __EH_prolog3_GS,GetFullPathNameA,__cftof,_strlen,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen,_strlen, 0_2_00CAC295
Source: global traffic TCP traffic: 192.168.2.3:49735 -> 59.110.190.41:80
Source: dinhVFAbgo.exe String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_Defender.dat
Source: dinhVFAbgo.exe String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_FsFilter.dat
Source: dinhVFAbgo.exe String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_Defender.dat
Source: dinhVFAbgo.exe String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_Defender.dathttps:
Source: dinhVFAbgo.exe String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_FsFilter.dat
Source: dinhVFAbgo.exe String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Agent.exe
Source: dinhVFAbgo.exe String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.ini
Source: dinhVFAbgo.exe String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.inihttps://wtyjqp
Source: unknown DNS traffic detected: queries for: wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CA79A0 recv, 0_2_00CA79A0
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00D09483 __EH_prolog3_GS,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 0_2_00D09483
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CB3981 GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_00CB3981
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CCBE54 SendMessageA,GetKeyState,SendMessageA,SendMessageA,SendMessageA,GetKeyState,SendMessageA,SendMessageA,GetKeyState,GetKeyState,GetKeyState,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,MessageBeep, 0_2_00CCBE54
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00D2428E GetKeyboardState,GetKeyboardLayout,MapVirtualKeyA,ToAsciiEx,LoadAcceleratorsW,LoadAcceleratorsW, 0_2_00D2428E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00D7A59D __EH_prolog3_catch_GS,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00D7A59D
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CB406F 0_2_00CB406F
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DE406E 0_2_00DE406E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DE42A0 0_2_00DE42A0
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DE44D2 0_2_00DE44D2
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DE8A9A 0_2_00DE8A9A
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DEAA00 0_2_00DEAA00
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DE0D40 0_2_00DE0D40
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00E0303E 0_2_00E0303E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00D0D1DF 0_2_00D0D1DF
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CD313E 0_2_00CD313E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00E0532A 0_2_00E0532A
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00E01317 0_2_00E01317
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00E0544A 0_2_00E0544A
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: String function: 00DDD55F appears 124 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: String function: 00DDD52C appears 296 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: String function: 00CA6953 appears 34 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: String function: 00DDCEDD appears 65 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: String function: 00DDD690 appears 66 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: String function: 00CACA43 appears 44 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CA6BF1: DeviceIoControl, 0_2_00CA6BF1
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CA6AF3 OpenSCManagerA,OpenServiceA,GetLastError,DeleteService,ControlService,GetLastError,StartServiceA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle, 0_2_00CA6AF3
Source: dinhVFAbgo.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\dinhVFAbgo.exe "C:\Users\user\Desktop\dinhVFAbgo.exe"
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c md C:\DownLoad-Helper
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Source: classification engine Classification label: mal56.evad.winEXE@4/0@6/1
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CA5D23 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_00CA5D23
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: OpenSCManagerA,OpenServiceA,GetLastError,DeleteService,ControlService,GetLastError,StartServiceA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle, 0_2_00CA6AF3
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: GetFullPathNameA,OpenSCManagerA,CloseServiceHandle,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegCreateKeyExA,RegSetValueExA,RegFlushKey,RegCloseKey,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegFlushKey,RegCloseKey, 0_2_00CA8C59
Source: C:\Users\user\Desktop\dinhVFAbgo.exe File read: C:\DownLoad-Helper\Update.ini
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CA863A CreateToolhelp32Snapshot,Thread32First,CloseHandle,CloseHandle,OpenThread,OpenProcess,GetMappedFileNameA,TerminateThread,CloseHandle,CloseHandle,Thread32Next,CloseHandle,GetLastError,CloseHandle,SetLastError,CloseHandle, 0_2_00CA863A
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Mutant created: \Sessions\1\BaseNamedObjects\services.exe
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CB2712 FindResourceA,LoadResource,LockResource, 0_2_00CB2712
Source: dinhVFAbgo.exe String found in binary or memory: C:\DownLoad-Helper\services.exe
Source: dinhVFAbgo.exe String found in binary or memory: C:\DownLoad-Helper\x64_FsFilter.sys
Source: dinhVFAbgo.exe String found in binary or memory: C:\DownLoad-Helper\x64_Defender.dat
Source: dinhVFAbgo.exe String found in binary or memory: C:\DownLoad-Helper\x64_Defender.sys
Source: dinhVFAbgo.exe String found in binary or memory: C:\DownLoad-Helper\x64_FsFilter.dat
Source: dinhVFAbgo.exe String found in binary or memory: md C:\DownLoad-Helper
Source: dinhVFAbgo.exe String found in binary or memory: C:\DownLoad-Helper\servicesDecode.exe
Source: dinhVFAbgo.exe String found in binary or memory: C:\DownLoad-Helper\svchost.dat
Source: dinhVFAbgo.exe String found in binary or memory: C:\DownLoad-Helper\svchost.exe
Source: dinhVFAbgo.exe String found in binary or memory: C:\DownLoad-Helper
Source: dinhVFAbgo.exe String found in binary or memory: Cannot get trigger collection: %xTrigger1C:\DownLoad-Helper\svchost.exeC:\DownLoad-Helper\svchost.dat: iostreambad castbad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set
Source: dinhVFAbgo.exe String found in binary or memory: iostream stream error/NOC:\DownLoad-Helper\Agent.exeContent-Length\Update.inihttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.inihttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Agent.exe\Updater.ini\x64_FsFilter.dat\x64_Defender.datwbx64_FsFilter.datx64_Defender.datMicrosoft Windows 7C:\DownLoad - Helper\x64_Defender.datC:\DownLoad - Helper\x64_FsFilter.dathttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_Defender.dathttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_FsFilter.dathttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_Defender.dathttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_FsFilter.datmainverMAINVERUpdate.iniUpdater.iniopen\\.\x64_DefenderLinksWindows
Source: dinhVFAbgo.exe String found in binary or memory: C:\DownLoad-Helper\services.exeiniurlINIURLrestartRESTARTYESGetNativeSystemInfokernel32unknown OperatingSystem.Microsoft Windows NT 4.0Microsoft Windows 95Microsoft Windows 98Microsoft Windows MeMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows XP Professional x64 EditionMicrosoft Windows Server 2003Microsoft Windows Server 2003 R2Microsoft Windows VistaMicrosoft Windows Server 2008Microsoft Windows Server 2008 R2NetPCI%s
Source: dinhVFAbgo.exe String found in binary or memory: u@CC:\DownLoad-Helper\x64_Defender.sysx64_DefenderC:\DownLoad-Helper\x64_Defender.datC:\DownLoad-Helper\x64_FsFilter.sysFsFilterC:\DownLoad-Helper\x64_FsFilter.dat370030InitializeLoadDriver_NewVersion64360rp.exe360tray.exe360sd.exeZhuDongFangYu.exeQQPCRTP.exeQQPCTray.exekxetray.exekwsprotect64.exeG2345SafeTray.exe2345SafeSvc.exe360Tray.exeknewvip.exekxescore.exekxecenter.exekxemain.exeHipsTray.exeHipsDaemon.exe2345MPCSafe.exeLenovoPcManagerService.exeLAVService.exeLenovoTray.exe360{C3C4746B-4B9D-4694-90A0-3323295ED085}360Safe.exe
Source: dinhVFAbgo.exe String found in binary or memory: Q360SafeMainClass360safemonpro.tpiservices.exemd C:\DownLoad-HelperKERNEL32.dllWinExeccmd /c ren C:\"Program Files (x86)"\"Common Files"\Tencent\QQProtect\sonfig Bincmd /c rmdir /s /q C:\"Program Files (x86)"\"Common Files"\Tencent\QQProtect\Bincmd /c del C:\jc.txtC:\DownLoad-Helper\servicesDecode.exe.ACPntdllZwQueryInformationThread
Source: C:\Users\user\Desktop\dinhVFAbgo.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: dinhVFAbgo.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: dinhVFAbgo.exe Static file information: File size 2117120 > 1048576
Source: dinhVFAbgo.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x175200
Source: dinhVFAbgo.exe Static PE information: More than 200 imports for USER32.dll
Source: dinhVFAbgo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dinhVFAbgo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dinhVFAbgo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dinhVFAbgo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dinhVFAbgo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dinhVFAbgo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dinhVFAbgo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dinhVFAbgo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dinhVFAbgo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dinhVFAbgo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dinhVFAbgo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CDED98 pushfd ; ret 0_2_00CDED99
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DDD4FA push ecx; ret 0_2_00DDD50D
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CA8A72 GetConsoleWindow,GetSystemMenu,EnableMenuItem,CreateMutexA,GetLastError,CreateThread,WaitForSingleObject,LoadLibraryA,GetProcAddress,DeleteFileA,Sleep,Sleep,Sleep,Sleep,CreateThread,CreateThread,CreateThread,CreateThread,GetModuleHandleA,GetProcAddress,CreateThread,CloseHandle,Sleep,CloseHandle, 0_2_00CA8A72
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CA5FC9 __EH_prolog3_GS,Sleep,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,Sleep,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,Sleep,GetPrivateProfileStringA,WritePrivateProfileStringA,DeleteFileA,ShellExecuteA,Sleep,ExitProcess, 0_2_00CA5FC9
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00D06FDD GetParent,IsIconic,GetParent,GetDlgCtrlID, 0_2_00D06FDD
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CF4F06 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageA,UpdateWindow,SendMessageA,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 0_2_00CF4F06

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\dinhVFAbgo.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: dinhVFAbgo.exe Binary or memory string: HRAUTORUNSAUTORUNS.EXEHIPSMAIN.EXE2345
Source: dinhVFAbgo.exe Binary or memory string: AUTORUNS.EXE
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\dinhVFAbgo.exe API coverage: 3.7 %
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DE237B VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 0_2_00DE237B
Source: C:\Users\user\Desktop\dinhVFAbgo.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DE216E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DE216E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DE237B VirtualProtect ?,-00000001,00000104,?,?,?,00000000 0_2_00DE237B
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CAB4CE OutputDebugStringA,GetLastError, 0_2_00CAB4CE
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DF998E mov eax, dword ptr fs:[00000030h] 0_2_00DF998E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DEB924 mov eax, dword ptr fs:[00000030h] 0_2_00DEB924
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DDCF23 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00DDCF23
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CA889D ImpersonateSelf,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,OpenProcessToken,GetCurrentProcess,OpenProcessToken,AllocateAndInitializeSid,LocalAlloc,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,RevertToSelf,LocalFree,LocalFree,FreeSid, 0_2_00CA889D
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: EnumSystemLocalesW, 0_2_00E00086
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E00111
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: GetLocaleInfoW, 0_2_00E00364
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00E0048A
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: GetLocaleInfoW, 0_2_00E00590
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E0065F
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: EnumSystemLocalesW, 0_2_00DF4D9C
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: GetLocaleInfoW, 0_2_00DF52FE
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00DFFCFE
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: GetLocaleInfoW, 0_2_00DFFEF9
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: EnumSystemLocalesW, 0_2_00DFFFEB
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: EnumSystemLocalesW, 0_2_00DFFFA0
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00DEB4A8 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_00DEB4A8
Source: C:\Users\user\Desktop\dinhVFAbgo.exe Code function: 0_2_00CA6C70 GetSystemInfo,GetVersionExA,GetSystemMetrics,GetSystemMetrics, 0_2_00CA6C70
Source: dinhVFAbgo.exe, dinhVFAbgo.exe, 00000000.00000000.238756247.0000000000E17000.00000002.00000001.01000000.00000003.sdmp, dinhVFAbgo.exe, 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: kxetray.exe
Source: dinhVFAbgo.exe, dinhVFAbgo.exe, 00000000.00000000.238756247.0000000000E17000.00000002.00000001.01000000.00000003.sdmp, dinhVFAbgo.exe, 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Autoruns.exe
Source: dinhVFAbgo.exe, dinhVFAbgo.exe, 00000000.00000000.238756247.0000000000E17000.00000002.00000001.01000000.00000003.sdmp, dinhVFAbgo.exe, 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 360Safe.exe
Source: dinhVFAbgo.exe, dinhVFAbgo.exe, 00000000.00000000.238756247.0000000000E17000.00000002.00000001.01000000.00000003.sdmp, dinhVFAbgo.exe, 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 360tray.exe
Source: dinhVFAbgo.exe, dinhVFAbgo.exe, 00000000.00000000.238756247.0000000000E17000.00000002.00000001.01000000.00000003.sdmp, dinhVFAbgo.exe, 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 360Tray.exe
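The report above yields a compact set of host and network indicators: the dropper's SHA256, the `cmd.exe /c md C:\DownLoad-Helper` child process, the files the binary references under C:\DownLoad-Helper (including the spaced variant `C:\DownLoad - Helper` seen in its strings), the DNS query for the aliyuncs OSS bucket, the TCP connection to 59.110.190.41:80, the `services.exe` mutant and the service/driver registration via CreateServiceA. The script below is an added example and not part of the sandbox report: it matches those indicators against constructed host telemetry in a hypothetical normalized schema (one dict per event with a `kind` field; the records are illustrative, not real Sysmon output) so the logic can be run offline and then pointed at a real log feed.

```python
"""Match normalized host telemetry against the indicators in this report.

Added example, not part of the sandbox report. Event records are constructed
for illustration in a hypothetical normalized schema (one dict per event with
a "kind" field); they are not real Sysmon output. Indicator values (hash, host,
IP, paths, command line, mutant name) are copied from the report.
"""
import re

SHA256 = "93d2edbc498f6f8689223bcb079143a97627efe9c1f7b23687a94a1eaf223d78"
C2_HOST = "wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com"
C2_IP = "59.110.190.41"
DROP_DIR = r"C:\DownLoad-Helper"
# File names the binary references under the drop directory.
DROP_FILES = {
    "services.exe", "servicesDecode.exe", "svchost.exe", "svchost.dat",
    "x64_Defender.sys", "x64_Defender.dat", "x64_FsFilter.sys",
    "x64_FsFilter.dat", "Update.ini", "Agent.exe",
}
# The dropper spawns: cmd.exe /c md C:\DownLoad-Helper
MKDIR_RE = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+md\s+C:\\DownLoad-Helper\b", re.I)


def norm_path(path):
    """Lower-case and collapse 'DownLoad - Helper' (a spaced variant that
    also appears in the binary's strings) to 'download-helper'."""
    return re.sub(r"\s*-\s*", "-", path).lower()


def in_drop_dir(path):
    """True when the path is inside the drop directory (either spelling)."""
    return norm_path(path).startswith(norm_path(DROP_DIR) + "\\")


def match_event(ev):
    """Return the indicator labels a single event matches (possibly none)."""
    hits = []
    kind = ev.get("kind")
    if kind == "process":
        if ev.get("sha256", "").lower() == SHA256:
            hits.append("hash:dropper-sha256")
        if MKDIR_RE.search(ev.get("cmdline", "")):
            hits.append("cmd:md-drop-dir")
    elif kind == "file":
        path = ev.get("path", "")
        if in_drop_dir(path):
            name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            known = {f.lower() for f in DROP_FILES}
            hits.append("file:known-drop-name" if name in known
                        else "file:drop-dir-write")
    elif kind == "dns":
        if ev.get("query", "").rstrip(".").lower() == C2_HOST:
            hits.append("dns:oss-bucket")
    elif kind == "net":
        if ev.get("dst_ip") == C2_IP and ev.get("dst_port") == 80:
            hits.append("net:c2-ip-80")
    elif kind == "service":
        # The binary registers services with CreateServiceA; a driver image
        # loaded from the drop directory is the strongest signal, so match on
        # the image path rather than on a service name.
        image = ev.get("image_path", "")
        if in_drop_dir(image) and norm_path(image).endswith(".sys"):
            hits.append("service:driver-from-drop-dir")
    elif kind == "mutex":
        # Report: Mutant created \Sessions\1\BaseNamedObjects\services.exe.
        # The session number varies, so compare only the object name.
        if ev.get("name", "").rsplit("\\", 1)[-1] == "services.exe":
            hits.append("mutex:services.exe")
    return hits


def scan(events):
    """Map each indicator label to the ids of the events that hit it."""
    report = {}
    for ev in events:
        for label in match_event(ev):
            report.setdefault(label, []).append(ev["id"])
    return report


# Constructed sample telemetry (hypothetical); the last two are benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "image": r"C:\Users\user\Desktop\dinhVFAbgo.exe",
     "cmdline": r'"C:\Users\user\Desktop\dinhVFAbgo.exe"', "sha256": SHA256},
    {"id": 2, "kind": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c md C:\DownLoad-Helper"},
    {"id": 3, "kind": "dns", "query": C2_HOST},
    {"id": 4, "kind": "net", "dst_ip": C2_IP, "dst_port": 80},
    {"id": 5, "kind": "file", "path": r"C:\DownLoad-Helper\Update.ini"},
    {"id": 6, "kind": "file", "path": r"C:\DownLoad - Helper\x64_Defender.dat"},
    {"id": 7, "kind": "file", "path": r"C:\DownLoad-Helper\stage2.bin"},
    {"id": 8, "kind": "mutex", "name": r"\Sessions\3\BaseNamedObjects\services.exe"},
    {"id": 9, "kind": "service", "image_path": r"C:\DownLoad-Helper\x64_Defender.sys"},
    {"id": 10, "kind": "dns", "query": "www.microsoft.com"},
    {"id": 11, "kind": "file", "path": r"C:\Users\user\Downloads\notes.txt"},
]

if __name__ == "__main__":
    for label, ids in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{label:30s} events {ids}")
```

Two choices are deliberate: the file check treats any write under C:\DownLoad-Helper as suspicious (not only the ten names the binary references), because the report shows the directory is created by the dropper itself, and the service check keys on a `.sys` image loaded from that directory rather than on a service name, since the report only shows the `x64_Defender` and `FsFilter` strings and not the exact `CreateServiceA` arguments.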