Windows Analysis Report
ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe

Overview

General Information

Sample Name: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe
Analysis ID: 800791
MD5: a42b37fbf9d9b46986d062c75c6da1b5
SHA1: 4efa169524085a15b81462dc4a1f34f25b23d4c4
SHA256: 348a52936f4a5bd079510503da07238b850da222cc0bb53f4758877e1c634216

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
PE file contains more sections than normal
Yara detected Keylogger Generic

Classification

Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe String found in binary or memory: http://www.indyproject.org/
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe String found in binary or memory: http://www.lmd.de
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe, 00000000.00000002.600992012.0000000015EF7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GetRawInputData
Source: Yara match File source: Process Memory Space: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe PID: 3332, type: MEMORYSTR
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe, 00000000.00000000.326320767.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe, 00000000.00000000.327858639.0000000014089000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFilling Golosck TFT 0x547f87790701\ vs ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Binary or memory string: OriginalFileName vs ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Static PE information: Number of sections : 11 > 10
Source: C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: unknown Process created: C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe
Source: C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Mutant created: \Sessions\1\BaseNamedObjects\84B228BD6AA820A3E3698FA255C96490A5
Source: C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Mutant created: \Sessions\1\BaseNamedObjects\HookApi:{7DDF4ADB-4A01-4F4B-83AA-8D91C21E99D2}:3332:Lock
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe String found in binary or memory: NATS-SEFI-ADD
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe String found in binary or memory: NATS-DANO-ADD
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe String found in binary or memory: jp-ocr-b-add
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe String found in binary or memory: jp-ocr-hand-add
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe String found in binary or memory: ISO_6937-2-add
Source: classification engine Classification label: clean4.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Window found: window name: TEdit
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Static file information: File size 331854848 > 1048576
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x783c00
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x13426e00
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Static PE information: More than 200 imports for user32.dll
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Static PE information: section name: .didata
Source: C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Window / User API: threadDelayed 916
Source: C:\Windows\splwow64.exe Last function: Thread delayed
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe, 00000000.00000002.600992012.0000000015EF7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe, 00000000.00000002.600992012.0000000015EF7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\ArchivoAdju_ntoSSAZLMAUEVNYQBKcmiizVFSGC.exe Queries volume information: C:\ VolumeInformation
No contacted IP infos