Windows Analysis Report
RKKO3T4hSU

Overview

General Information

Sample Name: RKKO3T4hSU (renamed file extension from none to exe)
Analysis ID: 651268
MD5: df9025d622d4ac7b41641491c26dc146
SHA1: ff97781df2915d2d8330d7641f572915da7513cd
SHA256: 22b2655f8d9880171d3caf5ccfc408b07c96d47ba0f15e1ad00df414c7494f74

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Installs a global keyboard hook
Binary is likely a compiled AutoIt script file
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)

Process Tree

  • System is w10x64
  • RKKO3T4hSU.exe (PID: 824 cmdline: "C:\Users\user\Desktop\RKKO3T4hSU.exe" MD5: DF9025D622D4AC7B41641491C26DC146)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: RKKO3T4hSU.exe | Virustotal: Detection: 11%
Source: RKKO3T4hSU.exe | Metadefender: Detection: 14%
Source: RKKO3T4hSU.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: RKKO3T4hSU.exe, 00000000.00000002.681137900.0000000001033000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://forum.median-xl.com/viewtopic.php?f=4&t=3702

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RKKO3T4hSU.exe
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RKKO3T4hSU.exe
Source: RKKO3T4hSU.exe, 00000000.00000002.681153272.000000000105C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatac
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1CB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A92344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW
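The three capture signatures in this section ("Installs a global keyboard hook", "Installs a raw input device", "Potential key logger detected (key state polling based)") rest on three different observations: a WH_KEYBOARD_LL hook being set (the "keyboard low level" row; low-level hooks are always global, hence the thread id 0), a string reference to GetRawInputData in process memory, and functions that call GetKeyState or GetAsyncKeyState several times in a row. The following is an added example, not code from the report or from Joe Sandbox: it applies that logic to rows in the shape shown above. The first four sample rows are this report's own findings, the fifth is a constructed dialog-procedure row added for contrast, and the polling threshold and the "two mechanisms" bar in the verdict are assumptions of this example, not the sandbox's scoring. The contrast row matters because the sample is a GUI application (24 UI elements, a SysTabControl32 window, an AutoIt3GUI class), and a single GetKeyState inside a window procedure is ordinary modifier-key handling, not keylogging.

```python
import re
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed sample input in the row shape used by the report above. The first
# four rows are this report's own findings; the last is a constructed ordinary
# dialog-procedure row added for contrast.
SAMPLE_LINES: List[str] = [
    r"Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RKKO3T4hSU.exe",
    "Source: RKKO3T4hSU.exe, 00000000.00000002.681153272.000000000105C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatac",
    r"Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A92344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW",
    r"Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1CB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW",
    r"Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A91290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient",
]

# "keyboard low level" is WH_KEYBOARD_LL; the thread id printed after "hook set"
# is 0 because low-level hooks can only be installed globally (dwThreadId = 0).
HOOK_RE = re.compile(r"Windows user hook set: (?P<tid>\d+) keyboard low level")
CODE_FUNC_RE = re.compile(r"Code function: (?P<addr>\d+_\d+_[0-9A-Fa-f]+) (?P<apis>[A-Za-z0-9_,]+)")
ADDR_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")
POLLING_APIS = {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"}
RAW_INPUT_MARKERS = ("GetRawInputData", "RegisterRawInputDevices")
# Assumed threshold: one GetKeyState in a window procedure is ordinary UI code
# (modifier check on a click); repeated key-state calls in one function are the
# polling pattern the sandbox signature is named after.
POLLING_THRESHOLD = 2


def parse_code_function(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (address, [api names]) for a 'Code function' row, else None."""
    m = CODE_FUNC_RE.search(line)
    if not m:
        return None
    # Raw report rows repeat the address after the API list; drop that and empty tokens.
    apis = [a for a in m.group("apis").split(",") if a and not ADDR_RE.match(a)]
    return m.group("addr"), apis


def triage(lines: Iterable[str]) -> Dict[str, Any]:
    """Collect the three capture indicators from report rows."""
    findings: Dict[str, Any] = {"ll_keyboard_hook": 0, "raw_input": 0, "polling_functions": {}}
    for line in lines:
        if HOOK_RE.search(line):
            findings["ll_keyboard_hook"] += 1
        if "Binary or memory string:" in line and any(mk in line for mk in RAW_INPUT_MARKERS):
            findings["raw_input"] += 1
        parsed = parse_code_function(line)
        if parsed:
            addr, apis = parsed
            polls = sum(1 for a in apis if a in POLLING_APIS)
            if polls >= POLLING_THRESHOLD:
                findings["polling_functions"][addr] = polls
    return findings


def verdict(findings: Dict[str, Any]) -> str:
    mechanisms = []
    if findings["ll_keyboard_hook"]:
        mechanisms.append("WH_KEYBOARD_LL hook")
    if findings["raw_input"]:
        # A string reference only; weaker evidence than an observed hook or call chain.
        mechanisms.append("raw input API reference")
    if findings["polling_functions"]:
        mechanisms.append("key-state polling")
    # Assumed bar for this example (not the sandbox's scoring): two independent mechanisms.
    return "potential keylogger" if len(mechanisms) >= 2 else "insufficient evidence"


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(result)
    print(verdict(result))
```

Run against the five rows, the hook and the raw-input reference each count once, and two functions (0_2_00A92344 with three GetAsyncKeyState calls, 0_2_00B1CB26 with four GetKeyState calls) cross the polling threshold; the contrast row does not. The verdict is only a triage label: a GUI tool that reads key state for its own hotkeys would trip the polling check too, so the hook row is the finding to confirm first.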

System Summary

Source: RKKO3T4hSU.exe, 00000000.00000002.680662270.0000000000B44000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RKKO3T4hSU.exe, 00000000.00000002.680662270.0000000000B44000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Source: RKKO3T4hSU.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: RKKO3T4hSU.exe, 00000000.00000002.680990722.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs RKKO3T4hSU.exe
Source: RKKO3T4hSU.exe, 00000000.00000002.680990722.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs RKKO3T4hSU.exe
Source: RKKO3T4hSU.exe, 00000000.00000002.681832599.000000000322F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME?| vs RKKO3T4hSU.exe
Source: RKKO3T4hSU.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RKKO3T4hSU.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RKKO3T4hSU.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RKKO3T4hSU.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A9E800
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A9E060
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A91287
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A9FE40
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AA70FE
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AA6841
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AC6452
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AA8968
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00ABDAF5
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AB1604
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B17E0D
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00ABBF26
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AC6F36
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A91287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73CD4310,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A91290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A93633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1D4A8 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A9189B NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1C8F9 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1C8CA NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1D422 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1C9A8 ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1C5E7 SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1C928 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1C502 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1C973 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A916B5 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1CAE6 GetWindowLongW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A916DE GetParent,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1C216 PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A9167D NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1C668 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1BF9A NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1BFF6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1D7F6 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00B1CB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: RKKO3T4hSU.exe | Virustotal: Detection: 11%
Source: RKKO3T4hSU.exe | Metadefender: Detection: 14%
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AFA0F4 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AF3C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Mutant created: \Sessions\1\BaseNamedObjects\D2Stats-Singleton
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A94FE9 FindResourceExW,LoadResource,SizeofResource,LockResource
Source: classification engine | Classification label: mal56.spyw.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Window found: window name: SysTabControl32
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Window detected: Number of UI elements: 24
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AB8AC5 push ecx; ret 0_2_00AB8AD8
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00BD5AD0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,KiUserCallbackDispatcher,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Window / User API: threadDelayed 6680
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Window / User API: foregroundWindowGot 608
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Window / User API: foregroundWindowGot 1054
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe TID: 5908 | Thread sleep time: -66800s >= -30000s
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-21424
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Thread sleep count: Count: 6680 delay: -10
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | API call chain: ExitProcess graph end node graph_0-20505
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | API call chain: ExitProcess graph end node graph_0-21708
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | API call chain: ExitProcess graph end node graph_0-21025
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AB8DD9 _memset,IsDebuggerPresent
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AC5BFC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00BD5AD0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AC9922 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00ABA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00A94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,KiUserCallbackDispatcher,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: RKKO3T4hSU.exe, 00000000.00000002.680662270.0000000000B44000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RKKO3T4hSU.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\RKKO3T4hSU.exe | Code function: 0_2_00AB537A GetSystemTimeAsFileTime,__aulldiv
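The static findings in the listing above (the IMAGE_FILE characteristics EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE and 32BIT_MACHINE; the UPX0/UPX1 section names behind "Software Packing"; the two AutoIt marker strings behind "Binary is likely a compiled AutoIt script file") can be reproduced without a sandbox. The following is an added example, not code from the report or from Joe Sandbox: it reads the COFF header and section table of a PE image with the standard library only and scans for the marker strings. The PE bytes it runs on are constructed inside the script (valid headers plus a payload blob standing in for an unpacked image), not the sample itself. Note the caveat the report's own evidence implies: the AutoIt strings were found in process memory (.sdmp regions), and in a UPX-packed file they are compressed, so the string scan belongs on an unpacked image or a memory dump, while the section-name check works on the file as delivered.

```python
import struct
from typing import Dict, List, Sequence, Tuple

# IMAGE_FILE_* characteristic bits that appear in the report's "Static PE information" line
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
# Both strings were found in this sample's memory by the report above.
AUTOIT_MARKERS = (
    b"This is a third-party compiled AutoIt script.",
    b">>>AUTOIT SCRIPT<<<",
)
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes, Name first


def build_sample_pe(section_names: Sequence[bytes], payload: bytes, characteristics: int = 0x0122) -> bytes:
    """Constructed stand-in for a PE file: valid DOS/COFF/section headers and one raw data blob.
    It is not a loadable executable; it exists only so the parser below has input."""
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x014C, len(section_names), 0, 0, 0, 0xE0, characteristics)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)            # PE32 magic, rest zeroed
    raw_ptr = 0x40 + 4 + len(coff) + len(optional) + 40 * len(section_names)
    sections = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\x00"), len(payload), 0x1000 * (i + 1),
                    len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    return dos_header + b"PE\x00\x00" + coff + optional + sections + payload


def parse_pe_headers(data: bytes) -> Tuple[int, List[bytes]]:
    """Return (Characteristics, [section names]); raise ValueError on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    _machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    # The section table starts right after the optional header, whose size the COFF header gives.
    section_table = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size
    names = []
    for i in range(nsections):
        raw_name = struct.unpack_from(SECTION_FMT, data, section_table + 40 * i)[0]
        names.append(raw_name.rstrip(b"\x00"))
    return characteristics, names


def describe_characteristics(characteristics: int) -> List[str]:
    return [name for bit, name in sorted(FILE_CHARACTERISTICS.items()) if characteristics & bit]


def static_triage(data: bytes) -> Dict[str, object]:
    """Reproduce the report's static indicators for one PE image (or unpacked dump)."""
    characteristics, names = parse_pe_headers(data)
    return {
        "characteristics": describe_characteristics(characteristics),
        "sections": [n.decode("ascii", "replace") for n in names],
        "upx_packed": bool(PACKER_SECTION_NAMES & set(names)),
        "autoit_markers": [m.decode() for m in AUTOIT_MARKERS if m in data],
    }


# Constructed payload standing in for an unpacked image / memory region that holds the markers.
SAMPLE_PAYLOAD = b"\x00" * 16 + AUTOIT_MARKERS[0] + b"\x00" * 16 + AUTOIT_MARKERS[1] + b"\x00" * 16
SAMPLE_PE = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for key, value in static_triage(SAMPLE_PE).items():
        print(f"{key}: {value}")
```

On the constructed input this yields the same three characteristics the report prints, the UPX0/UPX1 packer sections, and both AutoIt markers. On the real sample the marker hit should be expected only after unpacking (or on the memory dump), which is exactly why the report cites .sdmp regions rather than the file for those strings.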
MITRE ATT&CK Matrix

Numbers in parentheses are the count of matched signatures for that technique in this analysis; entries without a number had no match.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API (2); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Virtualization/Sandbox Evasion (2); Process Injection (1); Obfuscated Files or Information (11); Software Packing (1); Software Packing; Steganography
Credential Access: Input Capture (131); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (1); Security Software Discovery (3); Virtualization/Sandbox Evasion (2); Process Discovery (2); Application Window Discovery (11); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture (131); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features