Windows Analysis Report
null.exe

Overview

General Information

Sample Name: null.exe
Analysis ID: 632535
MD5: b4dd22013aefae6f721f0b67be61dc91
SHA1: 177f953496b10a4256431166c6247cc5a135e343
SHA256: de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Launches processes in debugging mode, may be used to hinder debugging
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: null.exe Avira: detected
Source: null.exe Virustotal: Detection: 58%
Source: null.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A59F0 WSAStartup,GetComputerNameA,gethostbyname,htonl,GetModuleFileNameA,LocalAlloc,CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,Sleep,CryptEncrypt,CryptEncrypt,CryptDecrypt,LocalFree,GetLastError,LocalFree,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,LocalFree,CryptDestroyKey,CryptReleaseContext,WSACleanup, 1_2_00007FF7A43A59F0
Source: null.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A1590 FindFirstFileA,GetLastError,FileTimeToLocalFileTime,FileTimeToSystemTime,FindNextFileA,FindClose, 1_2_00007FF7A43A1590
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A21A0 FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00007FF7A43A21A0
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A2470 FindFirstFileA,GetLastError,DeleteFileA,GetLastError,FindClose,GetLastError, 1_2_00007FF7A43A2470
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A3030 SystemTimeToFileTime,LocalFileTimeToFileTime,FindFirstFileA,GetLastError,CreateFileA,SetFileTime,CloseHandle,FindClose, 1_2_00007FF7A43A3030
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A2CE0 FindFirstFileA,GetLastError,CopyFileA,CreateFileA,SetFileTime,CloseHandle,DeleteFileA,GetLastError,MoveFileA,CreateFileA,SetFileTime,CloseHandle,FindClose,GetLastError, 1_2_00007FF7A43A2CE0
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A2AA0 FindFirstFileA,GetLastError,FindClose,CopyFileA,CreateFileA,SetFileTime,CloseHandle,GetLastError,SHCreateDirectoryExA,GetLastError, 1_2_00007FF7A43A2AA0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: t1.hinitial.com
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A5000 LocalAlloc,recvfrom,Sleep,htons,htons,htons,LocalReAlloc,recvfrom,LocalAlloc,LocalFree,LocalFree,GetLastError,LocalFree, 1_2_00007FF7A43A5000
Source: C:\Users\user\Desktop\null.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43AC778 1_2_00007FF7A43AC778
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A1590 1_2_00007FF7A43A1590
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A59F0 1_2_00007FF7A43A59F0
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A9A5C 1_2_00007FF7A43A9A5C
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A5270 1_2_00007FF7A43A5270
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A4880 1_2_00007FF7A43A4880
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A3290 1_2_00007FF7A43A3290
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43AA418 1_2_00007FF7A43AA418
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A6430 1_2_00007FF7A43A6430
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A8AFC 1_2_00007FF7A43A8AFC
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43AB8D0 1_2_00007FF7A43AB8D0
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A4880 CreateEventW,CreateEventW,CreateEventW,RegisterServiceCtrlHandlerA,GetModuleFileNameW,CoInitialize,SetServiceStatus,Sleep,TerminateProcess,CloseHandle,SetServiceStatus,SetServiceStatus,Sleep,TerminateProcess,CloseHandle,SetServiceStatus,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,WTSGetActiveConsoleSessionId,SetTokenInformation,CreateEnvironmentBlock,CreateProcessAsUserW,CloseHandle,CloseHandle,WaitForMultipleObjects,CloseHandle,Sleep,DestroyEnvironmentBlock,CloseHandle,Sleep, 1_2_00007FF7A43A4880
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A6040 StartServiceCtrlDispatcherA, 1_2_00007FF7A43A6040
Source: null.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\null.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\null.exe "C:\Users\user\Desktop\null.exe"
Source: unknown Process created: C:\Users\user\Desktop\null.exe C:\Users\user\Desktop\null.exe
Source: C:\Users\user\Desktop\null.exe Process created: C:\Users\user\Desktop\null.exe -a
Source: classification engine Classification label: mal56.winEXE@4/0@1/1
Source: null.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: null.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A42B0 GetModuleFileNameA,LoadLibraryA,GetProcAddress,FreeLibrary,GetProcAddress,FreeLibrary,GetProcAddress,FreeLibrary,GetProcAddress,FreeLibrary,GetProcAddress,FreeLibrary,OpenSCManagerA,FreeLibrary,FreeLibrary,GetLastError,FreeLibrary, 1_2_00007FF7A43A42B0
Source: C:\Users\user\Desktop\null.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\null.exe TID: 8396 Thread sleep count: 99 > 30
Source: C:\Users\user\Desktop\null.exe TID: 8396 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\Desktop\null.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\null.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\null.exe API coverage: 8.4 %
Source: C:\Users\user\Desktop\null.exe API call chain: ExitProcess graph end node
Source: null.exe, 00000003.00000002.9452503817.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A6160 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FF7A43A6160
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43A8548 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF7A43A8548
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43AD3D4 SetUnhandledExceptionFilter, 1_2_00007FF7A43AD3D4
Source: C:\Users\user\Desktop\null.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43AB48C HeapCreate,GetVersion,HeapSetInformation, 1_2_00007FF7A43AB48C
Source: C:\Users\user\Desktop\null.exe Code function: 1_2_00007FF7A43ADD48 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_00007FF7A43ADD48