
Windows Analysis Report
67AzzNNioP.exe

Overview

General Information

Sample Name: 67AzzNNioP.exe
Analysis ID: 708239
MD5: f44d0bd72d14338b655a6d4457419493
SHA1: dbe1773340912698515f76885f07d6faacbce09c
SHA256: 8f8cb5930100e80159502fd6d224909606f47ff17614f89b41b650afc3a91b6d
Tags: 185-25-204-244, ServereasySrl, exe, morpheus
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Installs a raw input device (often for capturing keystrokes)
Searches for the Microsoft Outlook file path
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
File is packed with WinRar
Detected TCP or UDP traffic on non-standard ports
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 67AzzNNioP.exe (PID: 3932 cmdline: "C:\Users\user\Desktop\67AzzNNioP.exe" MD5: F44D0BD72D14338B655A6D4457419493)
    • AIO.exe (PID: 5576 cmdline: "C:\Users\user\Desktop\AIO.exe" MD5: 9C1181704C48D62DE14C5F682C4F5D5E)
      • conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 67AzzNNioP.exe | ReversingLabs: Detection: 27%
Source: 67AzzNNioP.exe | Virustotal: Detection: 22%
Source: C:\Users\user\Desktop\AIO.exe | Virustotal: Detection: 7%
Source: 67AzzNNioP.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 67AzzNNioP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: 67AzzNNioP.exe
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_0020B348 FindFirstFileExA,
Source: global traffic | TCP traffic: 192.168.2.3:49702 -> 185.25.204.244:9090
Source: unknown | TCP traffic detected without corresponding DNS query: 185.25.204.244
Source: 67AzzNNioP.exe, 00000000.00000003.264138468.000000000C2CE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ,M3.2.0,M11.1.0476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitCallWindowProcWCreateHardLinkWCreatePopupMenuCreateWindowExWDefSubclassProcDeviceIoControlDialogBoxParamWDragAcceptFilesDuplicateHandleFailed to find Failed to load FindNextStreamWFlushViewOfFileGdiplusShutdownGetActiveWindowGetAdaptersInfoGetClassInfoExWGetCommandLineWGetEnhMetaFileWGetMenuItemRectGetMonitorInfoWGetProcessTimesGetRawInputDataGetStartupInfoWGetTextMetricsWHanifi_RohingyaImpersonateSelfInsertMenuItemWIsWindowEnabledIsWindowVisibleMonitorFromRectOpenThreadTokenOther_LowercaseOther_UppercasePlayEnhMetaFilePostQuitMessageProcess32FirstWPsalter_PahlaviRegCreateKeyExWRegDeleteValueWSetDCBrushColorShowWindowAsyncSwapMouseButtonUnmapViewOfFile]
Source: 67AzzNNioP.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001E848E
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001F6CDC
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001F4088
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001F00B7
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001E40FE
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001F7153
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_002051C9
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001F62CA
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001E32F7
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001F43BF
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001EC426
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_0020D440
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001EF461
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001F77EF
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001E286B
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_0020D8EE
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001EE9B7
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_002119F4
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001F3E0B
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_00204F9A
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001EEFE2
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: String function: 001FEB78 appears 39 times
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: String function: 001FEC50 appears 56 times
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: String function: 001FF5F0 appears 31 times
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001FA070 SetWindowLongW,GetWindowLongW,NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Code function: 0_2_001E6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\67AzzNNioP.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Deskto