Windows Analysis Report
Rechung-R1663322504.exe

ID:	829392
Product:	CloudBasic
Start time:	05:25:10
Start date:	18.03.2023
Sample:	Rechung-R1663322504.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	11b5b208de7a85b46104a0597c5da7dc
SHA1:	c578bc317e666159cbfc191cb4e50de2de03ab79
SHA256:	0a80ba418f561098477e18cc42ddfc31796b2be3166ff6c99967b98388fe4826
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\nsw3E4B.tmp\AdvSplash.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	E8B67A37FB41D54A7EDA453309D45D97	96BE9BF7A988D9CEA06150D57CD1DE19F1FEC19E	2AD232BCCF4CA06CF13475AF87B510C5788AA790785FD50509BE483AFC0E0BCF
C:\Users\user\AppData\Local\Temp\nsw3E4B.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	8B3830B9DBF87F84DDD3B26645FED3A0	223BEF1F19E644A610A0877D01EADC9E28299509	F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
C:\Users\user\Separationerne.lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide	E3BDEAA5B7F272426C9B086E815EF5B8	3789A45941BF4410EBB314C46BBD6DC33AB0D7A5	41AEE8966E4BBC0AF245942852F14EAF81BAFDD67DC2F512DED93F569FE9A7B1
C:\Users\user\Socialdirektrer\Fornices\Vingummis\Flannelled\Yndighed\Adventure_20.bmp	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, components 3	A4530760E13B17372AE0D8CB48F66D0D	AA21564FA3A847E59402B62D3F600DDA5046A926	F37F7A75DC27903EA88D1A3912DFB9123CA217E2467EB6D5DC966F60DC7F9DB7
C:\Users\user\Socialdirektrer\Fornices\Vingummis\Flannelled\Yndighed\Dialektforskningen134.Luk	ASCII text, with very long lines (35012), with no line terminators	F75A78EE11492D9F9146075023D485D3	772AE864C11AE2C45834F681EFDF662BBD28268B	5916C8773319EA24B225C76FE361D360360CE03E1F61E2E86387514A185BDAF9
C:\Users\user\Socialdirektrer\Vandspildets.Shi37	data	BAFC11E1543369B58D7852857D986EFA	A00AD13ECA7F98C1CBBC7AE32151D3878DD2BBB0	F8D1014289006D2ACCAB3D5A1C36CD867B4D6BEC50781365175B4FF8323A5E81
C:\Users\user\Socialdirektrer\media-floppy-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	293D1D4F18C3A918A44FAD289715E950	BD92A45835DD693FE8D0B72F296FE0134D46B876	553F673950BE4DE71377A297050888D0BE5A997DB334781994C3265EDA30C7B3
C:\Users\user\Socialdirektrer\mk.txt	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	71D42ABE45803AC9C3DA5FCACF9CC59C	98A1049906972ABB480ABAF1F5658C1B8C10F27C	78F5CB9345AB258CF745EAA90D44C7A7A73D3FE06EA182B1298A989135FFA11F

AV Detection

Source: Rechung-R1663322504.exe	ReversingLabs: Detection: 30%
Source: Rechung-R1663322504.exe	Virustotal: Detection: 37%			Perma Link

Compliance

Source: Rechung-R1663322504.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Rechung-R1663322504.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 0_2_00402862 FindFirstFileW,		0_2_00402862
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 0_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_0040596D
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 0_2_004065A2 FindFirstFileW,FindClose,		0_2_004065A2

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts			Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows			Jump to behavior

Networking

Source: Rechung-R1663322504.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Rechung-R1663322504.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Rechung-R1663322504.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: Rechung-R1663322504.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Rechung-R1663322504.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Rechung-R1663322504.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Rechung-R1663322504.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: Rechung-R1663322504.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Rechung-R1663322504.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: Rechung-R1663322504.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: Rechung-R1663322504.exe	String found in binary or memory: http://www.certum.pl/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 0_2_00405402 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405402

System Summary

Source: Rechung-R1663322504.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 0_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403350

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File created: C:\Windows\SysWOW64\Arbejdsglderne

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 0_2_00404C3F

0_2_00404C3F

Source: Rechung-R1663322504.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Process Stats: CPU usage > 98%

Source: Rechung-R1663322504.exe	ReversingLabs: Detection: 30%
Source: Rechung-R1663322504.exe	Virustotal: Detection: 37%

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File read: C:\Users\user\Desktop\Rechung-R1663322504.exe

Jump to behavior

Source: Rechung-R1663322504.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 0_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403350

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File created: C:\Users\user\Socialdirektrer

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File created: C:\Users\user\AppData\Local\Temp\nsv3DAD.tmp

Jump to behavior

Source: classification engine

Classification label: mal60.troj.evad.winEXE@1/8@0/0

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 0_2_004020FE CoCreateInstance,

0_2_004020FE

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 0_2_004046C3 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046C3

Source: Rechung-R1663322504.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match

File source: 00000000.00000002.774741365.00000000064AB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 0_2_10002DE0 push eax; ret

0_2_10002E0E

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File created: C:\Users\user\AppData\Local\Temp\nsw3E4B.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File created: C:\Users\user\AppData\Local\Temp\nsw3E4B.tmp\AdvSplash.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

RDTSC instruction interceptor: First address: 00000000066FD201 second address: 00000000066FD201 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FB1345B668Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 0_2_00402862 FindFirstFileW,		0_2_00402862
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 0_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_0040596D
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 0_2_004065A2 FindFirstFileW,FindClose,		0_2_004065A2

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts			Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows			Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 0_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403350