Windows Analysis Report
WCTBt2z7KE.exe

Overview

General Information

Sample Name: WCTBt2z7KE.exe
Analysis ID: 708235
MD5: 612955e16c4580bbc11798215426ff35
SHA1: 016c2f953e1c7a1ba88c1812d70751925ab9e3e0
SHA256: 2a39458d3161f7dae38dbad7e846ebecdbd802392f4cd0b845440914532a28d7
Tags: exemorpheus
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: WCTBt2z7KE.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: WCTBt2z7KE.exe ReversingLabs: Detection: 22%
Source: WCTBt2z7KE.exe Virustotal: Detection: 33% Perma Link
Machine Learning detection for sample
Source: WCTBt2z7KE.exe Joe Sandbox ML: detected
Contains functionality to call native functions
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_000000014000B64C NtdllDefWindowProc_W,GetWindowLongPtrW,GetWindowTextLengthW,RtlAllocateHeap,GetWindowTextW,EnableWindow,DestroyWindow,UnregisterClassW, 0_2_000000014000B64C
PE file contains executable resources (Code or Archives)
Source: WCTBt2z7KE.exe Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Detected potential crypto function
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_00000001400660A0 0_2_00000001400660A0
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_000000014000B758 0_2_000000014000B758
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_00000001400138E5 0_2_00000001400138E5
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_00000001400154F0 0_2_00000001400154F0
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_0000000140015160 0_2_0000000140015160
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_0000000140015170 0_2_0000000140015170
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_0000000140013175 0_2_0000000140013175
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_0000000140010210 0_2_0000000140010210
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_0000000140016210 0_2_0000000140016210
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_000000014000EA48 0_2_000000014000EA48
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_000000014001366E 0_2_000000014001366E
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_0000000140012FDD 0_2_0000000140012FDD
Source: WCTBt2z7KE.exe ReversingLabs: Detection: 22%
Source: WCTBt2z7KE.exe Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: classification engine Classification label: mal60.winEXE@1/0@0/0
Source: WCTBt2z7KE.exe Static PE information: Image base 0x140000000 > 0x60000000
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_00000001400660A0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00000001400660A0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_3_004509C9 push ebx; retf 0_3_004509DC
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_3_00451C49 push edi; retf 0_3_00451C5C
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_3_00450A0A push edi; iretd 0_3_00450A0C
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_3_00450A19 push edi; iretd 0_3_00451ABC
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_3_00451B19 push edx; retf 0_3_00451B2C
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_3_00451C79 push es; iretd 0_3_00451D6C
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_3_00451B38 push edi; iretd 0_3_00451BEC
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_3_0045093A push edi; iretd 0_3_0045096C
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_000000014001BD3E push rbx; ret 0_2_000000014001BD3F
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_00000001400660A0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00000001400660A0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_000000014000C4D0 RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler,RtlAddVectoredContinueHandler, 0_2_000000014000C4D0
Source: C:\Users\user\Desktop\WCTBt2z7KE.exe Code function: 0_2_000000014001F888 RtlAddVectoredExceptionHandler, 0_2_000000014001F888
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 708235 Sample: WCTBt2z7KE.exe Startdate: 23/09/2022 Architecture: WINDOWS Score: 60 7 Antivirus / Scanner detection for submitted sample 2->7 9 Multi AV Scanner detection for submitted file 2->9 11 Machine Learning detection for sample 2->11 5 WCTBt2z7KE.exe 2->5         started        process3
No contacted IP infos