Windows Analysis Report
D009780.exe

Overview

General Information

Sample Name: D009780.exe
Analysis ID: 755926
MD5: 649e0964d04ac89667c1f59fe99c7799
SHA1: 5debabb563c0c457670b925c4c8f4830484a0067
SHA256: 2b5120f2d732c6b78ddac5ac679cbbf279d96108d50cc02e569be1e07813b604
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Abnormally high CPU usage
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: D009780.exe ReversingLabs: Detection: 21%
Source: D009780.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\D009780.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fivefoldness\Endosseringerne\Fouragen
Source: D009780.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_004065C5 FindFirstFileW,FindClose, 0_2_004065C5
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405990
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: D009780.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405425
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403373
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_00404C62 0_2_00404C62
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_00406ADD 0_2_00406ADD
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_004072B4 0_2_004072B4
Source: C:\Users\user\Desktop\D009780.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\D009780.exe File read: C:\Users\user\Desktop\D009780.exe
Source: D009780.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\D009780.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\D009780.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Local\Temp\nst86C1.tmp
Source: classification engine Classification label: mal52.evad.winEXE@1/6@0/0
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_004020FE CoCreateInstance, 0_2_004020FE
Source: C:\Users\user\Desktop\D009780.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004046E6
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Local\Temp\nsn8FFA.tmp\System.dll
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Anhydridizes.Imi121
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae\libxml2-2.0.typelib
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae\Psammologist.Pan
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae\memstat.c
Source: C:\Users\user\Desktop\D009780.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae\selection-end-symbolic.symbolic.png
Source: C:\Users\user\Desktop\D009780.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\D009780.exe RDTSC instruction interceptor: First address: 0000000002B12174 second address: 0000000002B12174 instructions:
    0x00000000 rdtsc
    0x00000002 test ecx, 68A7FE31h
    0x00000008 cmp ebx, ecx
    0x0000000a jc 00007FC9C0DD810Eh
    0x0000000c test ecx, ecx
    0x0000000e test al, A2h
    0x00000010 inc ebp
    0x00000011 cmp bl, al
    0x00000013 inc ebx
    0x00000014 rdtsc
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_004065C5 FindFirstFileW,FindClose, 0_2_004065C5
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405990
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: C:\Users\user\Desktop\D009780.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\D009780.exe Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403373
No contacted IP infos