
Windows Analysis Report
6Sy6PrInNl.exe

Overview

General Information

Sample Name: 6Sy6PrInNl.exe
Analysis ID: 708240
MD5: cd1ffe7c30311659ea1be07ed7923d65
SHA1: 310fcf3a43286785eb88d742f5deeae150c661e9
SHA256: 842342b4db7bbc84d8e4da35f8d79d8b76a52815b7a22272f331ba906d2dba6c
Tags: exemorpheuspwtorun

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
File is packed with WinRAR
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--")
Sample reads itself and does not show any behavior; it likely performs host environment checks that are compared against an embedded key
  • System is w10x64
  • 6Sy6PrInNl.exe (PID: 2800 cmdline: "C:\Users\user\Desktop\6Sy6PrInNl.exe" MD5: CD1FFE7C30311659EA1BE07ED7923D65)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched
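The PDB path (sfxrar32\Release\sfxrar.pdb), the sfxname / sfxstime / STARTDLG switches and the __tmp_rar_sfx_access_check_ probe file are all the WinRAR self-extractor stub, so the content of interest is the RAR archive appended after the last PE section, not the stub's own code; the sandbox stopped at the stub's dialog, so the archive and its SFX script (the Setup=, Silent=, Path= directives stored as the archive comment) are what to examine next. Two of the flagged signatures deserve the same caveat: the IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter chain matches the shape of the MSVC runtime's fail-fast handler, and the GetLocalTime "date check" sits in the same function that formats and sets the sfxstime environment variable (GetLocalTime, _swprintf, SetEnvironmentVariableW above), so neither is evidence of deliberate evasion by the payload.

The following Python triage script is an added example, not code from the Joe Sandbox report or from WinRAR. It walks the PE section table to find where the overlay starts, pulls the CodeView PDB path, looks for the stub strings listed in the report, and carves the appended archive (RAR 4 or RAR 5 marker) so it can be listed offline. The build_sample() function constructs a stand-in binary (a minimal PE32 plus a RAR5 marker) so the script runs without the real sample; the section names, path bytes and marker layout in it are constructed test data, not taken from the analysed file.

```python
"""Triage a suspected WinRAR SFX stub: locate the appended archive and stub artefacts.

Added example; not code from Joe Sandbox or WinRAR. Offsets and strings in
build_sample() are constructed test data, not taken from the analysed file.
"""
import json
import struct
import sys

# Archive markers for the two RAR generations (RAR 5 added the extra 0x01 byte).
RAR_MARKERS = {
    b"Rar!\x1a\x07\x00": "RAR 4.x",
    b"Rar!\x1a\x07\x01\x00": "RAR 5.x",
}
# Strings the report attributes to the stub: its command line switches and the
# write-access probe file it creates in the extraction directory.
SFX_HINTS = [b"sfxname", b"sfxstime", b"STARTDLG", b"__tmp_rar_sfx_access_check_"]


def pe_sections(data):
    """Return [(name, raw_offset, raw_size)] read from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def overlay_offset(data):
    """First byte after the last section's raw data; an SFX stores its archive here."""
    end = max((ptr + size for _, ptr, size in pe_sections(data)), default=0)
    return min(end, len(data))


def pdb_path(data):
    """Path from the CodeView record: 'RSDS' + GUID(16) + age(4) + NUL-terminated path."""
    i = data.find(b"RSDS")
    if i < 0:
        return None
    start = i + 24
    return data[start:data.find(b"\0", start)].decode("latin-1")


def find_rar(data, start=0):
    """(offset, version) of the first RAR marker at or after start, else None."""
    hits = [(data.find(m, start), v) for m, v in RAR_MARKERS.items()]
    hits = [h for h in hits if h[0] >= 0]
    return min(hits) if hits else None


def triage(data):
    """Collect the facts an analyst wants before touching the payload."""
    ovl = overlay_offset(data)
    return {
        "sections": [name for name, _, _ in pe_sections(data)],
        "pdb": pdb_path(data),
        "sfx_hints": [h.decode() for h in SFX_HINTS if h in data[:ovl]],
        "overlay_offset": ovl,
        "overlay_size": len(data) - ovl,
        "rar": find_rar(data, ovl),
    }


def carve_archive(data):
    """Bytes from the RAR marker in the overlay to EOF (b'' if no archive is appended)."""
    hit = find_rar(data, overlay_offset(data))
    return data[hit[0]:] if hit else b""


def build_sample():
    """Constructed stand-in: minimal PE32 with .text/.rdata/.didat, an RSDS record
    carrying the sfxrar32 PDB path, two stub strings, and a RAR5 marker as overlay."""
    hdr_size, sec_size = 0x200, 0x100
    names = [b".text", b".rdata", b".didat"]
    rdata = (b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1)
             + b"D:\\Projects\\WinRAR\\sfx\\build\\sfxrar32\\Release\\sfxrar.pdb\0"
             + b"sfxname\0STARTDLG\0")
    body, table = b"", b""
    for i, name in enumerate(names):
        content = (rdata if name == b".rdata" else b"\x90").ljust(sec_size, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name, sec_size, 0x1000 * (i + 1),
                             sec_size, hdr_size + i * sec_size, 0, 0, 0, 0, 0x60000020)
        body += content
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")          # PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    pe = (dos + b"PE\0\0" + file_hdr + opt + table).ljust(hdr_size, b"\0") + body
    return pe + b"Rar!\x1a\x07\x01\x00" + b"\0" * 64


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(triage(blob), indent=2))
    if len(sys.argv) > 1 and carve_archive(blob):
        open(sys.argv[1] + ".overlay.rar", "wb").write(carve_archive(blob))
```

Run it as `python sfx_triage.py 6Sy6PrInNl.exe` to print the triage result and write the carved archive beside the sample; with no argument it runs on the constructed stand-in. Listing the carved file with `unrar l` prints the archive comment first, which is where a RAR SFX keeps its script, so the Setup= and Silent= lines tell you what the stub would have launched without having to execute it. The `.didat` section the report flags as non-standard is the MSVC linker's delay-import data section, which is consistent with the PDB path pointing at a release build of the sfxrar32 project.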

AV Detection

Source: 6Sy6PrInNl.exe | ReversingLabs: Detection: 27%
Source: 6Sy6PrInNl.exe | Virustotal: Detection: 30%
Source: 6Sy6PrInNl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6Sy6PrInNl.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: 6Sy6PrInNl.exe
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011FB348 FindFirstFileExA
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code functions: 0_2_011D848E, 0_2_011E7153, 0_2_011F51C9, 0_2_011E4088, 0_2_011E00B7, 0_2_011D40FE, 0_2_011E43BF, 0_2_011E62CA, 0_2_011D32F7, 0_2_011DC426, 0_2_011FD440, 0_2_011DF461, 0_2_011E77EF, 0_2_011DE9B7, 0_2_012019F4, 0_2_011D286B, 0_2_011FD8EE, 0_2_011E6CDC, 0_2_011F4F9A, 0_2_011DEFE2, 0_2_011E3E0B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: String function: 011EEB78 appears 39 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: String function: 011EF5F0 appears 31 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: String function: 011EEC50 appears 56 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011D6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | File read: C:\Users\user\Desktop\6Sy6PrInNl.exe
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011D6C74 GetLastError,FormatMessageW
Source: 6Sy6PrInNl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Command line argument: sfxname
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Command line argument: sfxstime
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Command line argument: STARTDLG
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_7003046
Source: classification engine | Classification label: sus36.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK (32 occurrences)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EF640 push ecx; ret
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EEB78 push eax; ret
Source: 6Sy6PrInNl.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Evasive API call chain: GetLocalTime,DecisionNodes
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EE6A3 VirtualQuery,GetSystemInfo
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011F7DEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011FC030 GetProcessHeap
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EF9D5 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011F8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: GetLocaleInfoW,GetNumberFormatW
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011E0723 cpuid
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011DB146 GetVersionExW
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle
MITRE ATT&CK matrix (the number in parentheses is the count of matched signatures; entries without a number are the matrix's unmatched placeholder techniques)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Command and Scripting Interpreter (2), Native API (1), At (Linux), At (Windows), Cron
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Masquerading (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: System Time Discovery (1), Security Software Discovery (2), File and Directory Discovery (2), System Information Discovery (25), Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
Impact: Modify System Partition, Device Lockout, Delete Device Data