Windows Analysis Report
RKKO3T4hSU

Overview

General Information

Sample Name: RKKO3T4hSU (renamed file extension from none to exe)
Analysis ID: 651268
MD5: df9025d622d4ac7b41641491c26dc146
SHA1: ff97781df2915d2d8330d7641f572915da7513cd
SHA256: 22b2655f8d9880171d3caf5ccfc408b07c96d47ba0f15e1ad00df414c7494f74

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Installs a global keyboard hook
Binary is likely a compiled AutoIt script file
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

AV Detection

Source: RKKO3T4hSU.exe Virustotal: Detection: 11%
Source: RKKO3T4hSU.exe Metadefender: Detection: 14%
Source: RKKO3T4hSU.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: RKKO3T4hSU.exe, 00000000.00000002.681137900.0000000001033000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://forum.median-xl.com/viewtopic.php?f=4&t=3702

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RKKO3T4hSU.exe
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RKKO3T4hSU.exe
Source: RKKO3T4hSU.exe, 00000000.00000002.681153272.000000000105C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetRawInputDatac
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1CB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00B1CB26
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A92344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00A92344

System Summary

Source: RKKO3T4hSU.exe, 00000000.00000002.680662270.0000000000B44000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RKKO3T4hSU.exe, 00000000.00000002.680662270.0000000000B44000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Source: RKKO3T4hSU.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: RKKO3T4hSU.exe, 00000000.00000002.680990722.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs RKKO3T4hSU.exe
Source: RKKO3T4hSU.exe, 00000000.00000002.680990722.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs RKKO3T4hSU.exe
Source: RKKO3T4hSU.exe, 00000000.00000002.681832599.000000000322F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME?| vs RKKO3T4hSU.exe
Source: RKKO3T4hSU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RKKO3T4hSU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RKKO3T4hSU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RKKO3T4hSU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A9E800 0_2_00A9E800
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A9E060 0_2_00A9E060
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A91287 0_2_00A91287
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A9FE40 0_2_00A9FE40
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AA70FE 0_2_00AA70FE
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AA6841 0_2_00AA6841
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AC6452 0_2_00AC6452
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AA8968 0_2_00AA8968
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00ABDAF5 0_2_00ABDAF5
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AB1604 0_2_00AB1604
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B17E0D 0_2_00B17E0D
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00ABBF26 0_2_00ABBF26
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AC6F36 0_2_00AC6F36
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A91287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73CD4310,NtdllDialogWndProc_W, 0_2_00A91287
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A91290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, 0_2_00A91290
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A93633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, 0_2_00A93633
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1D4A8 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, 0_2_00B1D4A8
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A9189B NtdllDialogWndProc_W, 0_2_00A9189B
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1C8F9 NtdllDialogWndProc_W, 0_2_00B1C8F9
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1C8CA NtdllDialogWndProc_W, 0_2_00B1C8CA
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1D422 NtdllDialogWndProc_W, 0_2_00B1D422
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1C9A8 ClientToScreen,NtdllDialogWndProc_W, 0_2_00B1C9A8
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1C5E7 SendMessageW,NtdllDialogWndProc_W, 0_2_00B1C5E7
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1C928 NtdllDialogWndProc_W, 0_2_00B1C928
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1C502 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, 0_2_00B1C502
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1C973 NtdllDialogWndProc_W, 0_2_00B1C973
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A916B5 NtdllDialogWndProc_W, 0_2_00A916B5
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1CAE6 GetWindowLongW,NtdllDialogWndProc_W, 0_2_00B1CAE6
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A916DE GetParent,NtdllDialogWndProc_W, 0_2_00A916DE
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1C216 PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 0_2_00B1C216
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A9167D NtdllDialogWndProc_W, 0_2_00A9167D
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1C668 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 0_2_00B1C668
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1BF9A NtdllDialogWndProc_W, 0_2_00B1BF9A
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1BFF6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 0_2_00B1BFF6
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1D7F6 NtdllDialogWndProc_W, 0_2_00B1D7F6
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00B1CB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00B1CB26
Source: RKKO3T4hSU.exe Virustotal: Detection: 11%
Source: RKKO3T4hSU.exe Metadefender: Detection: 14%
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AFA0F4 GetLastError,FormatMessageW, 0_2_00AFA0F4
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AF3C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00AF3C99
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Mutant created: \Sessions\1\BaseNamedObjects\D2Stats-Singleton
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A94FE9 FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00A94FE9
Source: classification engine Classification label: mal56.spyw.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Window found: window name: SysTabControl32
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Window detected: Number of UI elements: 24
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AB8AC5 push ecx; ret 0_2_00AB8AD8
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00BD5AD0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00BD5AD0
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,KiUserCallbackDispatcher,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00A94A35
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Window / User API: threadDelayed 6680
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Window / User API: foregroundWindowGot 608
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Window / User API: foregroundWindowGot 1054
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe TID: 5908 Thread sleep time: -66800s >= -30000s
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Thread sleep count: Count: 6680 delay: -10
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AB8DD9 _memset,IsDebuggerPresent, 0_2_00AB8DD9
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AC5BFC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_00AC5BFC
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00BD5AD0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00BD5AD0
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AC9922 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00AC9922
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00ABA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00ABA2D5
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00A94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,KiUserCallbackDispatcher,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00A94A35
Source: RKKO3T4hSU.exe, 00000000.00000002.680662270.0000000000B44000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RKKO3T4hSU.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe Code function: 0_2_00AB537A GetSystemTimeAsFileTime,__aulldiv, 0_2_00AB537A
No contacted IP infos