Windows Analysis Report
6Sy6PrInNl.exe

Overview

General Information

Sample Name: 6Sy6PrInNl.exe
Analysis ID: 708240
MD5: cd1ffe7c30311659ea1be07ed7923d65
SHA1: 310fcf3a43286785eb88d742f5deeae150c661e9
SHA256: 842342b4db7bbc84d8e4da35f8d79d8b76a52815b7a22272f331ba906d2dba6c
Tags: exemorpheuspwtorun
Infos:

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
File is packed with WinRar
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 6Sy6PrInNl.exe ReversingLabs: Detection: 27%
Source: 6Sy6PrInNl.exe Virustotal: Detection: 30% Perma Link
Uses 32bit PE files
Source: 6Sy6PrInNl.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6Sy6PrInNl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 6Sy6PrInNl.exe
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0098A69B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099C330 SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0099C330
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009AB348 FindFirstFileExA, 0_2_009AB348
Uses 32bit PE files
Source: 6Sy6PrInNl.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Tries to load missing DLLs
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: dxgidebug.dll Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098848E 0_2_0098848E
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_00994088 0_2_00994088
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009900B7 0_2_009900B7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009840FE 0_2_009840FE
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009A51C9 0_2_009A51C9
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_00997153 0_2_00997153
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009962CA 0_2_009962CA
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009832F7 0_2_009832F7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009943BF 0_2_009943BF
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098C426 0_2_0098C426
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009AD440 0_2_009AD440
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098F461 0_2_0098F461
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009977EF 0_2_009977EF
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009AD8EE 0_2_009AD8EE
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098286B 0_2_0098286B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098E9B7 0_2_0098E9B7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009B19F4 0_2_009B19F4
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_00996CDC 0_2_00996CDC
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_00993E0B 0_2_00993E0B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009A4F9A 0_2_009A4F9A
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098EFE2 0_2_0098EFE2
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: String function: 0099EC50 appears 55 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: String function: 0099F5F0 appears 31 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: String function: 0099EB78 appears 39 times
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_00986FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00986FAA
Source: 6Sy6PrInNl.exe ReversingLabs: Detection: 27%
Source: 6Sy6PrInNl.exe Virustotal: Detection: 30%
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe File read: C:\Users\user\Desktop\6Sy6PrInNl.exe Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_00986C74 GetLastError,FormatMessageW, 0_2_00986C74
Source: 6Sy6PrInNl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\6Sy6PrInNl.exe "C:\Users\user\Desktop\6Sy6PrInNl.exe" -install
Source: unknown Process created: C:\Users\user\Desktop\6Sy6PrInNl.exe "C:\Users\user\Desktop\6Sy6PrInNl.exe" /install
Source: unknown Process created: C:\Users\user\Desktop\6Sy6PrInNl.exe "C:\Users\user\Desktop\6Sy6PrInNl.exe" /load
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_0099A6C2
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Command line argument: sfxname 0_2_0099DF1E
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Command line argument: sfxstime 0_2_0099DF1E
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Command line argument: STARTDLG 0_2_0099DF1E
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_7126781 Jump to behavior
Source: classification engine Classification label: sus36.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 6Sy6PrInNl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 6Sy6PrInNl.exe
Source: 6Sy6PrInNl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6Sy6PrInNl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6Sy6PrInNl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6Sy6PrInNl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6Sy6PrInNl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099F640 push ecx; ret 0_2_0099F653
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099EB78 push eax; ret 0_2_0099EB96
File is packed with WinRar
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_7126781 Jump to behavior
PE file contains sections with non-standard names
Source: 6Sy6PrInNl.exe Static PE information: section name: .didat
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Evasive API call chain: GetLocalTime,DecisionNodes
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099E6A3 VirtualQuery,GetSystemInfo, 0_2_0099E6A3
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0098A69B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099C330 SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0099C330
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009AB348 FindFirstFileExA, 0_2_009AB348
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0099F838
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009A7DEE mov eax, dword ptr fs:[00000030h] 0_2_009A7DEE
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009AC030 GetProcessHeap, 0_2_009AC030
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099F9D5 SetUnhandledExceptionFilter, 0_2_0099F9D5
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0099F838
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0099FBCA
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009A8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009A8EBD
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0099AF0F
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099F654 cpuid 0_2_0099F654
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098B146 GetVersionExW, 0_2_0098B146
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle, 0_2_0099DF1E
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 708240 Sample: 6Sy6PrInNl.exe Startdate: 23/09/2022 Architecture: WINDOWS Score: 36 11 Multi AV Scanner detection for submitted file 2->11 5 6Sy6PrInNl.exe 4 2->5         started        7 6Sy6PrInNl.exe 4 2->7         started        9 6Sy6PrInNl.exe 4 2->9         started        process3
No contacted IP infos