Windows Analysis Report
ProduKey.exe

Overview

General Information

Sample Name: ProduKey.exe
Analysis ID: 800703
MD5: 9260e593a0f2d798fddc16a7b19ad808
SHA1: 8b3736186f9963a5cedd4a2d8dca66041799d0cd
SHA256: bace5e41e07df9f71b07828dacfde462ce609fa1cd387c7e1cc4aacc59cf00e5

Detection

Score: 0
Range: 0 - 100
Whitelisted: true
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the product ID of Windows
Extensive use of GetProcAddress (often used to hide API calls)
Uses code obfuscation techniques (call, push, ret)
Queries the product ID of Microsoft Office
Contains functionality to dynamically determine API calls
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: ProduKey.exe ReversingLabs: Detection: 55%
Source: ProduKey.exe Virustotal: Detection: 50%
Source: ProduKey.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ProduKey.exe Static PE information: certificate valid
Source: Binary string: c:\Projects\VS2005\ProduKey\Release\ProduKey.pdb source: ProduKey.exe
Source: C:\Users\user\Desktop\ProduKey.exe Code function: 0_2_0040867D FindFirstFileA,FindNextFileA, 0_2_0040867D
Source: ProduKey.exe String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl
Source: ProduKey.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl
Source: ProduKey.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl
Source: ProduKey.exe String found in binary or memory: http://ocsp.comodoca.com
Source: ProduKey.exe String found in binary or memory: http://www.nirsoft.net/
Source: ProduKey.exe String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.html
Source: ProduKey.exe String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.html/stext/shtml/sverhtml/sxml/stab/scomma/stabul
Source: C:\Users\user\Desktop\ProduKey.exe Code function: 0_2_0040455B OpenClipboard, 0_2_0040455B
Source: ProduKey.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ProduKey.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ProduKey.exe String found in binary or memory: http://crl.usertrust.com/AddTrustExternalCARoot.crl
Source: classification engine Classification label: clean48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ProduKey.exe File opened: C:\Users\user\Desktop\ProduKey.cfg
Source: C:\Users\user\Desktop\ProduKey.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
Source: ProduKey.exe Static PE information: section name: RT_CURSOR
Source: ProduKey.exe Static PE information: section name: RT_BITMAP
Source: ProduKey.exe Static PE information: section name: RT_ICON
Source: ProduKey.exe Static PE information: section name: RT_MENU
Source: ProduKey.exe Static PE information: section name: RT_DIALOG
Source: ProduKey.exe Static PE information: section name: RT_STRING
Source: ProduKey.exe Static PE information: section name: RT_ACCELERATOR
Source: ProduKey.exe Static PE information: section name: RT_GROUP_ICON
Source: ProduKey.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\ProduKey.exe Code function: 0_2_0040EAD0 push eax; ret 0_2_0040EAE4
Source: C:\Users\user\Desktop\ProduKey.exe Code function: 0_2_0040EAD0 push eax; ret 0_2_0040EB0C
Source: C:\Users\user\Desktop\ProduKey.exe Code function: 0_2_00401309 push ecx; ret 0_2_00401319
Source: C:\Users\user\Desktop\ProduKey.exe Code function: 0_2_0040180A GetDlgItem,LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_0040180A
Source: C:\Users\user\Desktop\ProduKey.exe Code function: 0_2_0040C73D RegOpenKeyExA,memset,memset,memset,memset,memset,GetPrivateProfileStringA,RegCloseKey,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,memset,RegCloseKey,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegCloseKey, 0_2_0040C73D
Source: C:\Users\user\Desktop\ProduKey.exe Code function: 0_2_00401ACF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401ACF
Source: C:\Users\user\Desktop\ProduKey.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ProduKey.exe Window / User API: foregroundWindowGot 510
Source: C:\Users\user\Desktop\ProduKey.exe Window / User API: foregroundWindowGot 413
Source: C:\Users\user\Desktop\ProduKey.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Users\user\Desktop\ProduKey.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductID
Source: C:\Users\user\Desktop\ProduKey.exe Code function: 0_2_004092C5 GetVersionExA, 0_2_004092C5
Source: C:\Users\user\Desktop\ProduKey.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Registration\{90160000-002A-0000-1000-0000000FF1CE} ProductID
Source: C:\Users\user\Desktop\ProduKey.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Registration\{90160000-002A-0000-1000-0000000FF1CE} DigitalProductID
Source: C:\Users\user\Desktop\ProduKey.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Registration\{90160000-002A-0000-1000-0000000FF1CE} DigitalProductId4
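The registry reads listed above are the raw material a product-key viewer works from: DigitalProductId under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion is a binary blob from which the installed Windows key can be recovered. The following is an added example, not ProduKey's code and not derived from anything published by NirSoft; it implements the widely documented base-24 decoding of that value (bytes 52 to 66 of the blob, plus the 'N'-edition flag bit used from Windows 8 onwards). The encoder, the blob layout constants and the two keys it round-trips are the example's own constructed test data, not real licences. The Office DigitalProductId4 value queried above uses a different layout and is not covered here.

```python
"""Decode the Windows DigitalProductId registry value into a product key.

Added example (not ProduKey's or NirSoft's code). It implements the widely
documented base-24 decoding of HKLM\\SOFTWARE\\Microsoft\\Windows NT\\
CurrentVersion\\DigitalProductId, plus the 'N'-edition flag used from
Windows 8 onwards. encode_product_key() exists only to build synthetic
test blobs; the keys used below are made up and are not real licences.
"""

ALPHABET = "BCDFGHJKMPQRTVWXY2346789"  # 24 symbols; 'N' is deliberately absent
KEY_OFFSET = 52    # key material occupies bytes 52..66 of the blob
KEY_LEN = 15
N_FLAG = 0x08      # bit 3 of the last key byte marks an 'N' edition key
BLOB_LEN = 164     # typical size of the DigitalProductId value on Windows


def decode_digital_product_id(blob: bytes) -> str:
    """Return the 25-character key as XXXXX-XXXXX-XXXXX-XXXXX-XXXXX."""
    if len(blob) < KEY_OFFSET + KEY_LEN:
        raise ValueError("DigitalProductId too short to hold key material")
    key = bytearray(blob[KEY_OFFSET:KEY_OFFSET + KEY_LEN])
    has_n = bool(key[KEY_LEN - 1] & N_FLAG)
    key[KEY_LEN - 1] &= 0xFF ^ N_FLAG      # clear the flag before decoding
    # The 15 bytes form one little-endian integer; peel off 25 base-24 digits,
    # least significant first, then reverse so the most significant comes first.
    value = int.from_bytes(key, "little")
    digits = []
    for _ in range(25):
        value, rem = divmod(value, 24)
        digits.append(ALPHABET[rem])
    raw = "".join(reversed(digits))
    if has_n:
        # For 'N' keys the first decoded symbol is the position at which 'N'
        # was removed from the remaining 24 characters; put it back there.
        pos = ALPHABET.index(raw[0])
        body = raw[1:]
        raw = body[:pos] + "N" + body[pos:]
    return "-".join(raw[i:i + 5] for i in range(0, 25, 5))


def encode_product_key(product_key: str) -> bytes:
    """Inverse of the decoder; used here only to construct synthetic blobs."""
    chars = product_key.replace("-", "").upper()
    if len(chars) != 25:
        raise ValueError("a product key has 25 characters")
    has_n = "N" in chars
    if has_n:
        pos = chars.index("N")
        if pos >= len(ALPHABET):
            raise ValueError("'N' position cannot be encoded in this scheme")
        chars = ALPHABET[pos] + chars[:pos] + chars[pos + 1:]
    value = 0
    for c in chars:
        value = value * 24 + ALPHABET.index(c)   # ValueError on a bad symbol
    key = bytearray(value.to_bytes(KEY_LEN, "little"))  # 24**25 < 2**115, fits
    if has_n:
        key[KEY_LEN - 1] |= N_FLAG
    blob = bytearray(BLOB_LEN)
    blob[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = key
    return bytes(blob)


def roundtrip(product_key: str) -> str:
    """Encode a made-up key into a synthetic blob and decode it again."""
    return decode_digital_product_id(encode_product_key(product_key))


if __name__ == "__main__":
    for k in ("BCDFG-HJKMP-QRTVW-XY234-6789B", "BCDFG-HNJKM-PQRTV-WXY23-46789"):
        print(k, "->", roundtrip(k))
```

On a live host the blob would come from winreg.QueryValueEx on the key named in the report, which returns the value as bytes. Two practitioner notes: the reads themselves are why the sandbox raises "Queries the product ID of Windows / Microsoft Office", and they are legitimate for a licence-key viewer but identical to what a credential- or licence-harvesting tool would do, which is why the file carries AV detections despite a valid code-signing certificate. Also, registry value reads of this kind are not recorded by Sysmon (its registry events cover create, delete, set and rename), so detecting them on endpoints requires object access auditing on the key (a SACL plus event ID 4663) or ETW-based telemetry.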
No contacted IPs