Windows Analysis Report
6culQoI97a.exe

Overview

General Information

Sample Name: 6culQoI97a.exe
Analysis ID: 755473
MD5: d9aa122b8c39444799e60eabbab69502
SHA1: 0175baf7a240c2050571a6df273a892e8b192d81
SHA256: 317b5db72d7c43ab63caffa88412395a1b010d24f234eb1b7eeabc92105db143
Tags: exe
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection

barindex
Source: 6culQoI97a.exe ReversingLabs: Detection: 73%
Source: 6culQoI97a.exe Virustotal: Detection: 58% Perma Link
Source: 6culQoI97a.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 6culQoI97a.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_00406448 FindFirstFileA,FindClose, 0_2_00406448
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040589C
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: 6culQoI97a.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 6culQoI97a.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405339
Source: 6culQoI97a.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403325
Source: C:\Users\user\Desktop\6culQoI97a.exe File created: C:\Windows\resources\0409 Jump to behavior
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_73541A98 0_2_73541A98
Source: C:\Users\user\Desktop\6culQoI97a.exe Process Stats: CPU usage > 98%
Source: 6culQoI97a.exe ReversingLabs: Detection: 73%
Source: 6culQoI97a.exe Virustotal: Detection: 58%
Source: C:\Users\user\Desktop\6culQoI97a.exe File read: C:\Users\user\Desktop\6culQoI97a.exe Jump to behavior
Source: 6culQoI97a.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6culQoI97a.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\6culQoI97a.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403325
Source: C:\Users\user\Desktop\6culQoI97a.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker Jump to behavior
Source: C:\Users\user\Desktop\6culQoI97a.exe File created: C:\Users\user\AppData\Local\Temp\nskAD76.tmp Jump to behavior
Source: classification engine Classification label: mal52.evad.winEXE@1/4@0/0
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar, 0_2_0040216B
Source: C:\Users\user\Desktop\6culQoI97a.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004045EA
Source: 6culQoI97a.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_73542F60 push eax; ret 0_2_73542F8E
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_73541A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_73541A98
Source: C:\Users\user\Desktop\6culQoI97a.exe File created: C:\Users\user\AppData\Local\Temp\nskAE13.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\6culQoI97a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\6culQoI97a.exe RDTSC instruction interceptor: First address: 0000000002C434D3 second address: 0000000002C434D3 instructions: 0x00000000 rdtsc 0x00000002 cmp bh, ah 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F1108CE4DA5h 0x00000008 cmp dh, 00000028h 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_00406448 FindFirstFileA,FindClose, 0_2_00406448
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040589C
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Users\user\Desktop\6culQoI97a.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\6culQoI97a.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_73541A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_73541A98
Source: C:\Users\user\Desktop\6culQoI97a.exe Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403325
No contacted IP infos