Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
6culQoI97a.exe

Overview

General Information

Sample Name:	6culQoI97a.exe
Analysis ID:	755473
MD5:	d9aa122b8c39444799e60eabbab69502
SHA1:	0175baf7a240c2050571a6df273a892e8b192d81
SHA256:	317b5db72d7c43ab63caffa88412395a1b010d24f234eb1b7eeabc92105db143
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Uses 32bit PE files

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Contains functionality to dynamically determine API calls

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

×

Process Tree

System is w10x64

6culQoI97a.exe (PID: 5172 cmdline: C:\Users\user\Desktop\6culQoI97a.exe MD5: D9AA122B8C39444799E60EABBAB69502)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 6culQoI97a.exe	ReversingLabs: Detection: 73%
Source: 6culQoI97a.exe	Virustotal: Detection: 58%			Perma Link

Source: 6culQoI97a.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 6culQoI97a.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 0_2_00406448 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 0_2_004027A1 FindFirstFileA,

Source: 6culQoI97a.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 6culQoI97a.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: 6culQoI97a.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\6culQoI97a.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_73541A98

Source: C:\Users\user\Desktop\6culQoI97a.exe

Process Stats: CPU usage > 98%

Source: 6culQoI97a.exe	ReversingLabs: Detection: 73%
Source: 6culQoI97a.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\6culQoI97a.exe

File read: C:\Users\user\Desktop\6culQoI97a.exe

Jump to behavior

Source: 6culQoI97a.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6culQoI97a.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\6culQoI97a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\6culQoI97a.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker

Jump to behavior

Source: C:\Users\user\Desktop\6culQoI97a.exe

File created: C:\Users\user\AppData\Local\Temp\nskAD76.tmp

Jump to behavior

Source: classification engine

Classification label: mal52.evad.winEXE@1/4@0/0

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\6culQoI97a.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: 6culQoI97a.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_73542F60 push eax; ret

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_73541A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Source: C:\Users\user\Desktop\6culQoI97a.exe

File created: C:\Users\user\AppData\Local\Temp\nskAE13.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\6culQoI97a.exe

Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\6culQoI97a.exe

RDTSC instruction interceptor: First address: 0000000002C434D3 second address: 0000000002C434D3 instructions: 0x00000000 rdtsc 0x00000002 cmp bh, ah 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F1108CE4DA5h 0x00000008 cmp dh, 00000028h 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc

Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 0_2_00406448 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 0_2_004027A1 FindFirstFileA,

Source: C:\Users\user\Desktop\6culQoI97a.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\6culQoI97a.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_73541A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Access Token Manipulation	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6culQoI97a.exe	73%	ReversingLabs	Win32.Trojan.Woreflint
6culQoI97a.exe	58%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nskAE13.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nskAE13.tmp\System.dll	0%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.6culQoI97a.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491		Download File
0.0.6culQoI97a.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491		Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	6culQoI97a.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	6culQoI97a.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755473
Start date and time:	2022-11-28 18:32:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 21s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	6culQoI97a.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.evad.winEXE@1/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 85.2% (good quality ratio 83.7%) Quality average: 87.2% Quality standard deviation: 22%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Lavkonjunkturen.pro

Process:	C:\Users\user\Desktop\6culQoI97a.exe
File Type:	data
Category:	dropped
Size (bytes):	151484
Entropy (8bit):	6.722739524237379
Encrypted:	false
SSDEEP:	3072:i/XcPN2AMaEryngg6xwigaQTpHJVoBMQ/fV:ikUUhnfJrZzcMQ/fV
MD5:	7D35914613D5AE2EE21358270112B5F2
SHA1:	ED7CBBBBC35EBCA9F221B1E22927BF2845B54807
SHA-256:	DF9AA833D7E0B7455D5112DF644234B735D4F8C4E2A1527148E655DE16DA4BA3
SHA-512:	29F422C4B45EE72141D040EA7682A6D4C90858EA42F2FF461A6301B90195F5DF6F79B5F364B55D61A327EE1E5BAAE26F317E42B3965EDBD1ED42EF7F4FCB7793
Malicious:	false
Reputation:	low
Preview:	..zx'il...Y........W.7...HF..$K..B.+.z.$i.z.M6.O..0wG;~Fm.....!gJn..M;&..-Lm.S<......B..Q.N.).C....x.h`.[o.......IL@..^..e(...H....F<U...,.M8m>.l..F...o...W......4....l<h..f....yK...a..n.....LM..U..S7]..b..V..;.W-..pL.k..........w...U...9F..;y.....H..jc......u....\.V...%.O..r.a3=&.mE9.........G..c..Y.&.....\|.....X.~.`...=...e6..W.........w..7..B.U.".m....Q;T..D..A[...E.{...[..f..".....D#a...........sd...l,..t....)tU.[ .u\.M...{3UP...~c_u.......dK..=.1.?..}8.TP.+P.z.H{.>'..2%a...}.f.e\|3C.....R(...Q.`F~..N}Q]H.!.....+.....Y.G...d.\U."......Z....../c..%.t.....@8...D.1.S....N........q.......Kq..........................................................................f.................l.d)f................................................................................................................f.e....f.b..i.LZ.....................................................................................................f!............H...6qqqqqqqqqqqqqqqqqqqqqqq

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice\Grabbers145.Scu187

Process:	C:\Users\user\Desktop\6culQoI97a.exe
File Type:	ASCII text, with very long lines (42820), with no line terminators
Category:	dropped
Size (bytes):	42820
Entropy (8bit):	3.999720795205128
Encrypted:	false
SSDEEP:	768:Y8gLgZjz0mqZY9XVZ3z0Aqa2ogrBpnu2L9l6+EfD5u6IZ46hj0HJPn1W4:LgLgNuYBrA75oIpu2Rl6+20v46QF17
MD5:	63EE366B70BC4507D462A94DD9C637BA
SHA1:	E0E3D34620C83C47F0590BD059AE2066D7F26FE7
SHA-256:	D032E1E9FA29373C0D811D0ED484D69F64DF02C0353DC2B7B4F2D08C44094F8A
SHA-512:	096C8D578842BE10D2B5D88DF5B130EE3D352190158CBF893DC2AC106D2DF6A91BFA17A92F5F48D3EC952A83DB785A05076AC340015832E5EF4D08D5E584EF00
Malicious:	false
Reputation:	low
Preview:	FEE6A8669E78D118DC67A5CFBFFEC42B41EA106FBB6439C877770204CA485EF518706580B268717463D5CB797335A0A4350DCD796FC17224C6434BF095F7CA6B1DB91696C2ADB472E0F9E1E2D5D9262D956F3DB187372096F1F921757D6CF3BF2C192545E4EC2E0119B230B5AE2A35C6F37BA1074F96373F828DDB9E588D13955D1AB94FE615E94016E252B8B38104F562E874B8886AF764B43D98BB66EA7A4F47209579E550F48880977DB1721FBE84477DACD88B7A9715F0DB819F886D56CCEFBB7CF44E40BEFCFF574D5E029E1762B75A84AEB88BC477AD0C2EEA118D4BEE4BCF2EB8DDD0207D78B0EC8551401E1F79E9FB8B2FBE5C4F4026E771F2713CF19CDF0CB33B72276EC057B36A339D1B55FF594867C79F91E160A4306CB89DC803C9D2A891E3B0250832C9561D97669476859BD0FA173F47CCE4052D59DB63C8DA7F75B11332DBC582649E24CAD546663CE0C14FBBE1C832071D322EA51419FF51CF67B56DC3A1EC75B588F2C7B20CAE80771F166C55894E635141CFA69FAE881544C83F0F60B59833A61A433C6F47427621250CE45F35855E28554832210A2F46F0BBC2640B9A2CD045EC3AEF8BDAD8D15D0B80E2F82BA296742D4481221961F2BB57D4461407EAB6FEB6DC9E558BE2DB318A22CDEB0E26889BCA6482843DEB5C73A1C673197F30B4DA15D73000C3C08C5F8CDCD8

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Urationelt\call-missed-symbolic.svg

Process:	C:\Users\user\Desktop\6culQoI97a.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1626
Entropy (8bit):	5.039495966615547
Encrypted:	false
SSDEEP:	24:t42w+Fdw6OyKbRAecFxVrGMalOY3bYnfS/YH6AAHD1gyKbRAecFxVrGMaFC:fONtAecFmMiScmNtAecFmMmC
MD5:	CCC1083D634E112EBE2FAD8D1809FEB7
SHA1:	AFBBB71D1B029B7FBE45E09C7217945A2668D262
SHA-256:	3D961823A04BAC2FF8748D7624AF7D06B10B3D2566AA93540ADB1FC46F6FA6CF
SHA-512:	3962F71527D2B662D5B9EACA2AF12AE414F01497871F3E818D86A9DF03DC9C08F1A9873265F70745857D65ADA87E623E523BEB80B51CCA99E820C459757B96D2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16.006" height="16.013"><path d="M12.98 0a1 1 0 00-.11.01H8v.832A1 1 0 009 2.01h1.586L8 4.596 5.707 2.303a1 1 0 10-1.414 1.414l3 3a1 1 0 001.414 0L12 3.424V5.01a1 1 0 001.158 1H14V1.137a1 1 0 000-.275V.01h-.854A1 1 0 0012.98 0z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;shape-padding:0;isolation:auto;mix-blend-mode:normal;marker:none" color="#000" font-weight="400" font-family="sans-serif" overflow="visible" fill="#2e3436"/><path class="error" d="M14.242 15.725a.979.979 0 01-1.387 0l-1.04-1.04-1.041-1.04a.979.979 0 010-1.387l.493-.493a6.838 6.838 0 00-6.534 0l.493.493a.979.979 0 010 1.387l-1.04 1.04-1.04 1.04a.979.979 0 01-1.388 0l-1.

C:\Users\user\AppData\Local\Temp\nskAE13.tmp\System.dll

Process:	C:\Users\user\Desktop\6culQoI97a.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.854450882766351
Encrypted:	false
SSDEEP:	192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4
MD5:	34442E1E0C2870341DF55E1B7B3CCCDC
SHA1:	99B2FA21AEAD4B6CCD8FF2F6D3D3453A51D9C70C
SHA-256:	269D232712C86983336BADB40B9E55E80052D8389ED095EBF9214964D43B6BB1
SHA-512:	4A8C57FB12997438B488B862F3FC9DC0F236E07BB47B2BCE6053DCB03AC7AD171842F02AC749F02DDA4719C681D186330524CD2953D33CB50854844E74B33D51
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....`...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.777623756268328
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6culQoI97a.exe
File size:	334430
MD5:	d9aa122b8c39444799e60eabbab69502
SHA1:	0175baf7a240c2050571a6df273a892e8b192d81
SHA256:	317b5db72d7c43ab63caffa88412395a1b010d24f234eb1b7eeabc92105db143
SHA512:	4ba7e997ffad2ce396faa08d8be8cd6b7073e37828b347fad1ca3f1112d257ecd235c7df9d3d6c78e6b9f96ce878c5fbe2d2a70f7428648f1d2aa14aba7f5d38
SSDEEP:	6144:0x/MQs/IvHdjSzIH1qrb+WECj3wc0ibE0+Ix:wxAIVu8VWb+WEY3LbEt6
TLSH:	7964F1253F64DC27C2A906708EF3D329D6F9D9406E634717BB8177ACBD31780B91A18A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L......`.................d....9.....%3............@

File Icon


Icon Hash:	6070dee2bab2c43c

Static PE Info

General

Entrypoint:	0x403325
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60FC909C [Sat Jul 24 22:13:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A2F6Ch], eax
je 00007F11089BBEB3h
push ebx
call 00007F11089BF016h
cmp eax, ebx
je 00007F11089BBEA9h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F11089BEF92h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F11089BBE8Dh
push 0000000Bh
call 00007F11089BEFEAh
push 00000009h
call 00007F11089BEFE3h
push 00000007h
mov dword ptr [007A2F64h], eax
call 00007F11089BEFD7h
cmp eax, ebx
je 00007F11089BBEB1h
push 0000001Eh
call eax
test eax, eax
je 00007F11089BBEA9h
or byte ptr [007A2F6Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [007A3038h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079E528h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8438	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c7000	0x28868	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6230	0x6400	False	0.6699609375	data	6.441889952551939	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1274	0x1400	False	0.4337890625	data	5.061067348371254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x399078	0x600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a4000	0x23000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c7000	0x28868	0x28a00	False	0.5296875	data	5.194338163153121	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x3c73b8	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States
RT_ICON	0x3c7720	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States
RT_ICON	0x3d7f48	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States
RT_ICON	0x3e13f0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States
RT_ICON	0x3e6878	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States
RT_ICON	0x3eaaa0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x3ed048	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x3ee0f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States
RT_ICON	0x3eea78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x3eeee0	0x144	data	English	United States
RT_DIALOG	0x3ef028	0x13c	data	English	United States
RT_DIALOG	0x3ef168	0x100	data	English	United States
RT_DIALOG	0x3ef268	0x11c	data	English	United States
RT_DIALOG	0x3ef388	0xc4	data	English	United States
RT_DIALOG	0x3ef450	0x60	data	English	United States
RT_GROUP_ICON	0x3ef4b0	0x76	data	English	United States
RT_MANIFEST	0x3ef528	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

Analysis Process: 6culQoI97a.exePID: 5172, Parent PID: 3452

General

Target ID:	0
Start time:	18:33:04
Start date:	28/11/2022
Path:	C:\Users\user\Desktop\6culQoI97a.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\6culQoI97a.exe
Imagebase:	0x400000
File size:	334430 bytes
MD5 hash:	D9AA122B8C39444799E60EABBAB69502
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

⊘No disassembly