Windows Analysis Report
support.exe

Overview

General Information

Sample Name: support.exe
Analysis ID: 632531
MD5: a2d24ba3b1c040105083109b9912e223
SHA1: ad9daad3cdfbe1dacf4f077b98bb26f7af0854bd
SHA256: 348b351762c491c5d02cdfdf34d51faf67024f8f492ed46316d2adda6aac7412
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to inject threads in other processes
Machine Learning detection for sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Program does not show much activity (idle)

AV Detection

Source: support.exe Virustotal: Detection: 60%
Source: support.exe Metadefender: Detection: 23%
Source: support.exe ReversingLabs: Detection: 68%
Source: support.exe Joe Sandbox ML: detected
Source: support.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: support.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: support.exe String found in binary or memory: (http://www.youtube.com/JamesPaddockMusic equals www.youtube.com (Youtube)
Source: support.exe String found in binary or memory: http://vulpvibe.bandcamp.com/album/squaredance
Source: support.exe String found in binary or memory: http://www.exrock.com
Source: support.exe String found in binary or memory: http://www.netexplorers.com/member/midizone/
Source: support.exe String found in binary or memory: http://www.youtube.com/JamesPaddockMusic
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003BCA60 memset,memset,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,memmove,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn, 0_2_003BCA60
Source: type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message (date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =) in four memory dumps, two regions each captured twice:
00000000.00000000.250216516.00000000003C5000.00000008.00000001.01000000.00000003.sdmp
00000000.00000002.517890121.00000000003C5000.00000004.00000001.01000000.00000003.sdmp
00000000.00000000.250484546.0000000000476000.00000008.00000001.01000000.00000003.sdmp
00000000.00000002.518495863.0000000000476000.00000008.00000001.01000000.00000003.sdmp
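The rule above fires when the text "This program cannot be run in DOS mode" is present under a single-byte XOR key, which is the usual sign of a second PE embedded in an encoded form; the two regions (0x3C5000 and 0x476000) are present in both dumps of process 0 and, given the code addresses 0_2_003B1050 to 0_2_003BF154 and the 3.4 MB file, most likely lie inside support.exe's own mapped image rather than in memory allocated at runtime. The following is an added example, not code from the report, from Joe Sandbox or from the rule author: it reproduces the check that YARA's xor(0x01-0xff) string modifier performs (one key byte applied to the whole string), runs it over a buffer constructed here (the layout is invented, not the sample's), and decodes the window around each hit so an analyst can look for the MZ header that normally precedes the stub message (at offset 0x4E in a standard DOS stub).

```python
"""Find the MS-DOS stub message under any single-byte XOR key.

Added example, not part of the Joe Sandbox report. It reproduces what the
SUSP_XORed_MSDOS_Stub_Message rule checks with YARA's xor(0x01-0xff) string
modifier (one key applied to the whole string) and runs it over a buffer
constructed here; the buffer layout is invented, not the sample's.
"""
from __future__ import annotations

STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte."""
    return bytes(b ^ key for b in data)


def find_xored_stub(data: bytes, needle: bytes = STUB) -> list[tuple[int, int]]:
    """Return (offset, key) for each place needle appears XORed with a key 1..255.

    Key 0x00 is excluded on purpose: a plain stub is an ordinary PE header and
    proves nothing, which is why the YARA rule starts its key range at 0x01.
    """
    hits = []
    for key in range(1, 256):
        pattern = xor_bytes(needle, key)
        pos = data.find(pattern)
        while pos != -1:
            hits.append((pos, key))
            pos = data.find(pattern, pos + 1)
    return sorted(hits)


def decode_at(data: bytes, offset: int, key: int, length: int = 64) -> bytes:
    """Decode a window starting at a hit so the surrounding header can be inspected."""
    return xor_bytes(data[offset:offset + length], key)


def build_test_buffer() -> bytes:
    """Constructed input: padding, a plain PE-style header, filler, then a second
    header whose bytes are XORed with 0x5A. Only the XORed copy should be reported."""
    plain = b"MZ" + b"\x00" * 60 + STUB + b".\r\r\n$"
    hidden = xor_bytes(b"MZ" + b"\x90" * 62 + STUB + b".\r\r\n$", 0x5A)
    return b"\x00" * 16 + plain + b"\xCC" * 32 + hidden + b"\x00" * 8


if __name__ == "__main__":
    buf = build_test_buffer()
    for offset, key in find_xored_stub(buf):
        window = decode_at(buf, offset, key, len(STUB))
        print(f"XORed stub at 0x{offset:x}, key 0x{key:02x}: {window!r}")
```

On a real dump, feed the .sdmp bytes to find_xored_stub and then decode the 0x40 bytes before each hit with the same key: an "MZ" there means a whole encoded PE is embedded, and the key recovered from the stub decodes the rest of it. A hit on the stub alone, without a header in front of it, is usually a string table or a partial copy and deserves less weight.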
Source: C:\Users\user\Desktop\support.exe Code functions flagged without resolved API names: 0_2_003B1050, 0_2_003B7C40, 0_2_003B3520, 0_2_003B3B30, 0_2_003BA100, 0_2_003B6D60, 0_2_003BCDA0, 0_2_003B29D0, 0_2_003B7610, 0_2_003B6F80
Source: support.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\support.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B6C80 FindWindowA,Sleep,CreateToolhelp32Snapshot,memset,Process32First,Process32Next,Process32Next,CloseHandle,CloseHandle, 0_2_003B6C80
Source: unknown Process created: C:\Users\user\Desktop\support.exe "C:\Users\user\Desktop\support.exe"
Source: C:\Users\user\Desktop\support.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B7610 FindWindowA,Sleep,Sleep,Sleep,FindWindowA,FindWindowA,FindWindowA,FindWindowA,Sleep,GetWindowThreadProcessId,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,LoadLibraryA,GetProcAddress,SetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,CloseHandle, 0_2_003B7610
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_01
Source: support.exe String found in binary or memory: F-AdDdId A
Source: classification engine Classification label: mal60.evad.winEXE@2/1@0/0
Source: support.exe Static file information: File size 3431424 bytes > 1048576
Source: support.exe Static PE information: Raw size of .data (0x331000, 3346432 bytes) is bigger than 0x100000; nearly the whole 3.4 MB file is initialized data rather than code
Source: support.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: support.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: support.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: support.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: support.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: support.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: support.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: support.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: support.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: support.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: support.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
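The "Static PE information" lines above come straight from the PE headers: the COFF Characteristics word (32BIT_MACHINE, EXECUTABLE_IMAGE), the optional header's DllCharacteristics (DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE), each section's Characteristics, and, for each data directory, the section whose RVA range contains the directory's RVA. The following is an added example, not code from the report or from Joe Sandbox, that derives the same lines from raw header bytes with nothing but the struct module. The PE it parses is constructed inside the block: section RVAs and sizes other than the 0x331000 .data size are invented, and the flag values are set to match what the report says about support.exe.

```python
"""Decode the 'Static PE information' lines from a PE header.

Added example, not code from the Joe Sandbox report. It parses a PE32 or
PE32+ header from bytes with only the struct module, names the flag bits the
report lists, and maps each data directory to the section containing it.
build_sample_pe() is a constructed header-only image: section RVAs are
invented, only the flag values and the 0x331000 .data size copy the report.
"""
import struct

FILE_CHARS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SCN_CHARS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
             0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
             0x80000000: "IMAGE_SCN_MEM_WRITE"}
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
             "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR"]


def flag_names(value, table):
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Parse DOS/COFF/optional headers and the section table from raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    plus = magic == 0x20B                                  # PE32+ shifts the tail by 16 bytes
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + (108 if plus else 92))[0]
    dir_base = opt + (112 if plus else 96)

    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr,
                         "flags": flag_names(sc, SCN_CHARS)})

    def section_of(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return s["name"]
        return None                                        # RVA outside every section

    dirs = {}
    for i in range(min(ndirs, len(DIR_NAMES))):
        rva, size = struct.unpack_from("<II", data, dir_base + 8 * i)
        if rva and size:
            dirs[DIR_NAMES[i]] = {"rva": rva, "size": size, "section": section_of(rva)}
    return {"machine": machine, "pe32plus": plus,
            "characteristics": flag_names(chars, FILE_CHARS),
            "dll_characteristics": flag_names(dll_chars, DLL_CHARS),
            "sections": sections, "directories": dirs}


def report_lines(info):
    """Render the parse result in the sandbox's own line style."""
    lines = ["Static PE information: " + ", ".join(info["characteristics"]),
             "Static PE information: " + ", ".join(info["dll_characteristics"])]
    for s in info["sections"]:
        lines.append("Static PE information: Section: %s %s" % (s["name"], ", ".join(s["flags"])))
        if s["rawsize"] > 0x100000:
            lines.append("Static PE information: Raw size of %s is bigger than 0x100000: 0x%x"
                         % (s["name"], s["rawsize"]))
    for name, d in info["directories"].items():
        lines.append("Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_%s is in: %s"
                     % (name, d["section"]))
    return lines


def build_sample_pe():
    """Constructed header-only PE32 (no section contents); the layout is invented."""
    secs = [(b".text", 0x1000, 0x10000, 0x60000020), (b".rdata", 0x11000, 0x3000, 0x40000040),
            (b".data", 0x14000, 0x331000, 0xC0000040), (b".rsrc", 0x345000, 0x1000, 0x40000040),
            (b".reloc", 0x346000, 0x1000, 0x42000040)]
    dirs = {1: (0x11100, 0x80), 2: (0x345000, 0x1000), 5: (0x346000, 0x1000),
            6: (0x11300, 0x1C), 10: (0x11400, 0xA0), 12: (0x11000, 0x100)}
    opt = struct.pack("<HBB", 0x10B, 14, 0)
    opt += struct.pack("<9I", 0x10000, 0x336000, 0, 0x1050, 0x1000, 0x11000, 0x400000, 0x1000, 0x200)
    opt += struct.pack("<6H", 6, 0, 0, 0, 6, 0) + struct.pack("<4I", 0, 0x347000, 0x400, 0)
    opt += struct.pack("<HH", 3, 0x8140)                   # CUI; TS_AWARE|NX_COMPAT|DYNAMIC_BASE
    opt += struct.pack("<6I", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for i in range(16):
        opt += struct.pack("<II", *dirs.get(i, (0, 0)))
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, 0x400, 0, 0, 0, 0, c)
                     for n, va, sz, c in secs)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    print("\n".join(report_lines(parse_pe(build_sample_pe()))))
```

Run parse_pe on the bytes of a real file to get the same report for it. A directory whose RVA falls in no section (section_of returns None) is worth a second look: the loader will still map it from the headers or from slack, and packers use exactly that to hide an import table.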
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003BEDB6 push ecx; ret 0_2_003BEDC9
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B7C40 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_003B7C40
Source: C:\Users\user\Desktop\support.exe Window / User API: threadDelayed called 896 times
Source: C:\Users\user\Desktop\support.exe TID: 276 Thread sleep time: 89600s in total, above the sandbox's 30000s threshold (reported as -89600s >= -30000s); with 896 delayed calls that is 100s per call
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging

Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B6560 GetModuleHandleA,IsDebuggerPresent,CheckRemoteDebuggerPresent,IsDebuggerPresent,GetModuleHandleA,CheckRemoteDebuggerPresent,IsDebuggerPresent,GetModuleHandleA,CheckRemoteDebuggerPresent,GetTickCount64,Sleep, 0_2_003B6560
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B6620 mov eax, dword ptr fs:[00000030h] 0_2_003B6620
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B6450 mov eax, dword ptr fs:[00000030h] 0_2_003B6450
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B64B0 mov eax, dword ptr fs:[00000030h] 0_2_003B64B0
Source: C:\Users\user\Desktop\support.exe Process queried: DebugPort (NtQueryInformationProcess with ProcessDebugPort, the check CheckRemoteDebuggerPresent performs internally)
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003BF0FA SetUnhandledExceptionFilter, 0_2_003BF0FA
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003BEB6B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_003BEB6B
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003BEF95 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_003BEF95

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B66C0 Sleep,VirtualAllocEx,memset,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,VirtualFreeEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread,VirtualFreeEx,VirtualFreeEx,CloseHandle,GetExitCodeProcess,GetExitCodeProcess,memset,ReadProcessMemory,Sleep,memset,WriteProcessMemory,malloc,memset,WriteProcessMemory,VirtualFreeEx,VirtualFreeEx,Sleep, 0_2_003B66C0
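The API sequences listed in this report are what its signatures key on: process enumeration at 0_2_003B6C80, FindWindowA/GetWindowThreadProcessId with LoadLibraryA/GetProcAddress and AdjustTokenPrivileges at 0_2_003B7610, the GetProcAddress loop at 0_2_003B7C40, IsDebuggerPresent/CheckRemoteDebuggerPresent at 0_2_003B6560, the fs:[30h] PEB reads, and the VirtualAllocEx/WriteProcessMemory/CreateRemoteThread routine at 0_2_003B66C0 just above. The following is an added example, not code from the report or from Joe Sandbox: it parses "Code function" lines in the report's own format (the sample lines in the block are copied from this report), tags each function by the API combinations it contains, and combines the tags into analyst-level findings. The rule table and the labels are this example's own reading of those sequences, not the sandbox's signature definitions. Keep the report's own caveat in mind: the injection routine is present in the binary, but the behaviour summary records no thread injection at runtime, so the classifier shows capability, not confirmed behaviour.

```python
"""Tag sandbox 'Code function' traces by the API patterns they contain.

Added example, not part of the Joe Sandbox report. The TRACE lines are copied
from the report; the rules and labels are this example's own, not the
sandbox's signature logic.
"""
import re

TRACE = r"""
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003BCA60 memset,memset,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,memmove,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn, 0_2_003BCA60
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B6C80 FindWindowA,Sleep,CreateToolhelp32Snapshot,memset,Process32First,Process32Next,Process32Next,CloseHandle,CloseHandle, 0_2_003B6C80
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003BEDB6 push ecx; ret 0_2_003BEDC9
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B7C40 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_003B7C40
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B6560 GetModuleHandleA,IsDebuggerPresent,CheckRemoteDebuggerPresent,IsDebuggerPresent,GetModuleHandleA,CheckRemoteDebuggerPresent,IsDebuggerPresent,GetModuleHandleA,CheckRemoteDebuggerPresent,GetTickCount64,Sleep, 0_2_003B6560
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B6620 mov eax, dword ptr fs:[00000030h] 0_2_003B6620
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003B66C0 Sleep,VirtualAllocEx,memset,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,VirtualFreeEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread,VirtualFreeEx,VirtualFreeEx,CloseHandle,GetExitCodeProcess,GetExitCodeProcess,memset,ReadProcessMemory,Sleep,memset,WriteProcessMemory,malloc,memset,WriteProcessMemory,VirtualFreeEx,VirtualFreeEx,Sleep, 0_2_003B66C0
"""

# "Code function: <start> <api,api,...,> <end>" or "Code function: <start> <instruction> <end>"
LINE = re.compile(r"Code function: (?P<start>\d+_\d+_[0-9A-Fa-f]+) (?P<body>.*?),? "
                  r"(?P<end>\d+_\d+_[0-9A-Fa-f]+)$")
PEB_READ = re.compile(r"fs:\[0*30h\]", re.I)   # fs:[30h] is the PEB pointer in the 32-bit TEB

# Every API in the set must appear in the function.
ALL_OF = [
    ("remote thread injection", {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}),
    ("dynamic import resolution", {"LoadLibraryA", "GetProcAddress"}),
    ("process enumeration", {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}),
    ("token privilege adjustment", {"OpenProcessToken", "LookupPrivilegeValueA",
                                    "AdjustTokenPrivileges"}),
    ("WinINet HTTP client", {"InternetOpenA", "HttpOpenRequestA", "HttpSendRequestA",
                             "InternetReadFile"}),
]
# Any one API in the set is enough.
ANY_OF = [
    ("debugger check", {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}),
    ("window lookup", {"FindWindowA", "GetWindowThreadProcessId"}),
]


def tag_function(apis, instr):
    """Labels for one function given its API call list or its single instruction."""
    present = set(apis)
    tags = [label for label, need in ALL_OF if need <= present]
    tags += [label for label, alt in ANY_OF if present & alt]
    if instr and PEB_READ.search(instr):
        tags.append("PEB read via fs:[30h]")      # BeingDebugged sits at PEB+2
    if instr.startswith("push") and instr.endswith("ret"):
        tags.append("push/ret control transfer")
    if apis.count("Sleep") >= 2:
        tags.append("repeated Sleep")
    return tags


def parse_trace(text):
    """Turn report lines into {id, apis, instr, tags} records, skipping non-matching lines."""
    functions = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        body = m.group("body")
        apis = body.split(",") if " " not in body else []   # API lists carry no spaces
        instr = "" if apis else body
        functions.append({"id": m.group("start"), "apis": apis, "instr": instr,
                          "tags": tag_function(apis, instr)})
    return functions


def summarize(functions):
    """Cross-function findings an analyst would write from the tags."""
    seen = {t for f in functions for t in f["tags"]}
    findings = []
    if "remote thread injection" in seen and seen & {"process enumeration", "window lookup"}:
        findings.append("locates a target process, then writes and runs code in it")
    if "remote thread injection" in seen and "dynamic import resolution" in seen:
        findings.append("resolves APIs at runtime inside the injection routine")
    if seen & {"debugger check", "PEB read via fs:[30h]"}:
        findings.append("checks for a debugger via API and directly via the PEB")
    if "repeated Sleep" in seen:
        findings.append("sleeps repeatedly around sensitive calls (sandbox timeout pressure)")
    if "WinINet HTTP client" in seen:
        findings.append("has an HTTP client; confirm with network capture before calling it C2")
    return findings


if __name__ == "__main__":
    fns = parse_trace(TRACE)
    for f in fns:
        print(f["id"], ", ".join(f["tags"]) or "-")
    for finding in summarize(fns):
        print("*", finding)
```

Capability found statically and behaviour observed dynamically are different evidence: here the sandbox saw 896 delayed calls and no injection, so the CreateRemoteThread path never ran in the analysis window, which is what the Sleep tags and "Sample execution stops while process was sleeping" predict.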
Source: C:\Users\user\Desktop\support.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003BEDEE cpuid 0_2_003BEDEE
Source: C:\Users\user\Desktop\support.exe Code function: 0_2_003BF154 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_003BF154
Contacted IPs: none observed during the analysis.