Windows Analysis Report
apprun.exe

Overview

General Information

Sample Name: apprun.exe
Analysis ID: 635356
MD5: 7e13c6a35ac8ce03ece66e1d65b0601e
SHA1: a7c70afdd8ca0aae7fb7689d01c0c574aee85875
SHA256: d189bd389b7b442c31e1d009f958ab67d1361b75383b4dcdd53944970cf3fe0f

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a connection to the internet is available
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)

Classification

AV Detection

Source: apprun.exe Virustotal: Detection: 42%
Source: apprun.exe ReversingLabs: Detection: 29%
Source: apprun.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: apprun.exe Static PE information: certificate valid
Source: apprun.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\git\modular-installer\Release\kernel.pdbVV$2GCTL source: apprun.exe
Source: Binary string: C:\git\modular-installer\Release\kernel.pdb source: apprun.exe
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_011449B5 ___std_fs_close_handle@4,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_011449B5
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01144A15 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,___std_fs_close_handle@4, 0_2_01144A15
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_0113193D __EH_prolog3_GS,memset,InternetCheckConnectionW,MessageBoxW, 0_2_0113193D
Source: apprun.exe String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: apprun.exe String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: apprun.exe String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: apprun.exe String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: apprun.exe String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: apprun.exe String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: apprun.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: apprun.exe String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: apprun.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: apprun.exe String found in binary or memory: http://www.google.com
Source: apprun.exe String found in binary or memory: http://www.google.comUninstallUninstall
Source: apprun.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: apprun.exe String found in binary or memory: https://www.globalsign.com/repository/06
Source: apprun.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\apprun.exe Section loaded: libcurl.dll
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01139394 0_2_01139394
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01127275 0_2_01127275
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01135533 0_2_01135533
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_0113C562 0_2_0113C562
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_0113A4AA 0_2_0113A4AA
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_0112EF1A 0_2_0112EF1A
Source: C:\Users\user\Desktop\apprun.exe Code function: String function: 01143D5D appears 107 times
Source: C:\Users\user\Desktop\apprun.exe Code function: String function: 011298AC appears 261 times
Source: C:\Users\user\Desktop\apprun.exe Code function: String function: 011436A0 appears 53 times
Source: C:\Users\user\Desktop\apprun.exe Code function: String function: 01143D91 appears 103 times
Source: C:\Users\user\Desktop\apprun.exe Code function: String function: 0112BA2B appears 52 times
Source: apprun.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: apprun.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\apprun.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01142060 __EH_prolog3_GS,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_01142060
Source: C:\Users\user\Desktop\apprun.exe Command line argument: -tasks 0_2_011323FF
Source: C:\Users\user\Desktop\apprun.exe Command line argument: -install 0_2_011323FF
Source: C:\Users\user\Desktop\apprun.exe Command line argument: -updatesched 0_2_011323FF
Source: C:\Users\user\Desktop\apprun.exe Command line argument: -updatestartup 0_2_011323FF
Source: C:\Users\user\Desktop\apprun.exe Command line argument: -uninstall 0_2_011323FF
Source: C:\Users\user\Desktop\apprun.exe Command line argument: -resetsearch 0_2_011323FF
Source: C:\Users\user\Desktop\apprun.exe Command line argument: -version 0_2_011323FF
Source: apprun.exe String found in binary or memory: C:\git\modular-installer\kernel\kernel.cpp
Source: apprun.exe String found in binary or memory: C:\git\modular-installer\kernel\InstallerConfiguration.cpp
Source: apprun.exe String found in binary or memory: api/report/install
Source: apprun.exe String found in binary or memory: C:\git\modular-installer\kernel\IPCService.cpp
Source: apprun.exe String found in binary or memory: C:\git\modular-installer\kernel\Action.cpp
Source: apprun.exe String found in binary or memory: -install
Source: apprun.exe String found in binary or memory: v2/install
Source: apprun.exe String found in binary or memory: space673ae6306d8266a780df868d6772aab3b9662e0f1248KernelActionmimeTypedefaultJumpconfigurationfile\$cwdidcustomJumpjumpTableFailed to split URL "Downloading DLL "int __thiscall InstPC::Action::run(void)C:\git\modular-installer\kernel\Action.cppError occurred creating unique filenamewb+Could not open new temporary file
Source: apprun.exe String found in binary or memory: @Unknown exceptioninvalid string positionstring too longcodelabeldescription: "", "create_directorytemp_directory_pathreport_urlaipcrepcsearch_offerupdate_logupdate_actionuninstall_logUpdateisUpdatedfalseupdateUrlzoremov.combi.api/report/installapplift.exewb+UPDATEEntered updateStart (update_log) - -installunordered_map/set too longinvalid hash bucket count
Source: apprun.exe String found in binary or memory: @UNKNOWNedgeInstallerConfigurationactionsRunning actions - startvoid __thiscall InstPC::InstallerConfiguration::run(void)C:\git\modular-installer\kernel\InstallerConfiguration.cppRunning actions - module Running actions - module Running actions - module finished with return code Running actions - module finished with return code nextRunning actions - next module Running actions - next module Running actions - finishinvalid vector<T> subscript
Source: apprun.exe String found in binary or memory: !A\.*directory_iterator::directory_iteratordirectory_iterator::operator++copy_fileexistsstatusIPCService1582447612575780--Failed to acquire size of buffer needed to store network adapters. Error: Failed to Network adapters data. Error: Select ProcessorId From Win32_processorProcessorIdSELECT Caption FROM Win32_OperatingSystemCaptionSOFTWARE\WOW6432Node\Clients\StartMenuInternetSOFTWARE\Clients\StartMenuInternetabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789. ,AppDirectoryAppX3xxs313wwkfjhythsb8q46xdsq8d2cvvAppX7rm9drdg8sk7vqndwj3sdjw11x96jc0yFriendlyTypeNameffSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exeedge_chromeSoftware\Microsoft\Edge\BlBeaconversionSoftware\Microsoft\Edge\PreferenceMACs\DefaultGS_ABE_LABS_LTD_SIGNATUREzoremov-updateinstallerEMPTYUpdate was triggered from: Requesting class Networking::Response __thiscall InstPC::IPCService::configurationImplementation(class Networking::Request)C:\git\modular-installer\kernel\IPCService.cpptotalTimenameLookupTimeconnectTimeappConnectTimepreTransferTimestartTransferTimeredirectTimeredirectCountResponse Info /emidapp_idv2/installinstall.jsonv2/uninstalluninstall.jsonCould not fetch installation configurationapplift.exeFinalizing update flowvoid __thiscall InstPC::IPCService::install(void)Entered updateComplete (update_log) - Fetching install actionsalg.Got install configuration Installer configuration readyFinished running configuration No install actions waitingFetching update actionsvoid __thiscall InstPC::IPCService::update(void)srv.up/update/checkeacbnEntered Check update needed (update_log) - Got update configuration Starting updateUpdate completedNo update actions waitingFetching tasksvoid __thiscall InstPC::IPCService::tasks(void)CHECK_TASKEntered 'Check task' flowEntered ReportUpdateAction - task-forSOME_ACTIONGot task configuration No tasks found.No task actions waitingFetching uninstall actionsvoid __thiscall InstPC::IPCService::uninstall(void)Got unintall configuration Uninstall configuration readyNo uninstall actions waitinghttp://www.google.comUninstallUninstall requires an internet connection. Please check your network connection and retry uninstall.Version Is >>>>>><<<<<< Start of program. Process ID: -tasks-install-updatesched-updatestartup-uninstall-resetsearch-versionElapsed run time: int __stdcall wWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,wchar_t *,int)C:\git\modular-installer\kernel\kernel.cppMFC error: exception: %fFailed to initialize cURLMETHOD not supported://curl_multi_wait() failed, code %d.
Source: apprun.exe String found in binary or memory: C:\git\modular-installer\Release\kernel.pdb
Source: apprun.exe String found in binary or memory: C:\git\modular-installer\Release\kernel.pdbVV$2GCTL
Source: classification engine Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01142822 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z,__EH_prolog3,CoInitializeEx,CoInitializeSecurity,#1511,CoCreateInstance,#1511,#2,#6,#1511,#1511,_CxxThrowException, 0_2_01142822
Source: apprun.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: apprun.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: apprun.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: apprun.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: apprun.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: apprun.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: apprun.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: apprun.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: apprun.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: apprun.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: apprun.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01143D26 push ecx; ret 0_2_01143D39
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01144F78 push ecx; ret 0_2_01144F9B
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01143E86 push ecx; ret 0_2_01143E99
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01144036 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01144036
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_0112E69C __EH_prolog3_GS,GetAdaptersAddresses,GetAdaptersAddresses,GetProcessHeap,HeapAlloc,GetAdaptersAddresses,GetProcessHeap,HeapFree,#1511,GetProcessHeap,HeapFree,#1511,_CxxThrowException, 0_2_0112E69C
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_011441C9 SetUnhandledExceptionFilter, 0_2_011441C9
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01143B2B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_01143B2B
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01144276 cpuid 0_2_01144276
Source: C:\Users\user\Desktop\apprun.exe Code function: 0_2_01143F29 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_01143F29
No contacted IP infos