Windows Analysis Report
xx.scr.exe

Overview

General Information

Sample name: xx.scr.exe
Analysis ID: 1416053
MD5: 89d59c877ae2ef85e3866aaf3096c97c
SHA1: 05669b68ad58dd9fe2380d26262f23226d3fdf6c
SHA256: 172978417316907e9c20bbeb63e98da0ef70144779ed902d5f339943dea8f353
Tags: exeHUN

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: xx.scr.exe ReversingLabs: Detection: 13%
Source: xx.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xx.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: xx.scr.exe
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_0078C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0078C4A8
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_0079E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0079E560
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007AD998 FindFirstFileExA, 0_2_007AD998
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00787FD3: _wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00787FD3
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_0078F963 0_2_0078F963
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00783AB7 0_2_00783AB7
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007B4044 0_2_007B4044
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007960F7 0_2_007960F7
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00792125 0_2_00792125
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00799111 0_2_00799111
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007982D0 0_2_007982D0
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_0078E394 0_2_0078E394
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00791476 0_2_00791476
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00796445 0_2_00796445
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_0079976F 0_2_0079976F
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007A7738 0_2_007A7738
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007A7967 0_2_007A7967
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00790949 0_2_00790949
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00789906 0_2_00789906
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_0079EA07 0_2_0079EA07
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007AFA90 0_2_007AFA90
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00798C7E 0_2_00798C7E
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00784C6E 0_2_00784C6E
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00795E86 0_2_00795E86
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007AFF3E 0_2_007AFF3E
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00782FCB 0_2_00782FCB
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00790FAC 0_2_00790FAC
Source: C:\Users\user\Desktop\xx.scr.exe Code function: String function: 007A1590 appears 57 times
Source: C:\Users\user\Desktop\xx.scr.exe Code function: String function: 007A1D60 appears 31 times
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\xx.scr.exe Section loaded: wintypes.dll
Source: xx.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: sus36.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_00787BFF GetLastError,FormatMessageW, 0_2_00787BFF
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_0079C652 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_0079C652
Source: C:\Users\user\Desktop\xx.scr.exe Command line argument: sfxname 0_2_007A037C
Source: C:\Users\user\Desktop\xx.scr.exe Command line argument: sfxstime 0_2_007A037C
Source: C:\Users\user\Desktop\xx.scr.exe Command line argument: pP| 0_2_007A037C
Source: C:\Users\user\Desktop\xx.scr.exe Command line argument: STARTDLG 0_2_007A037C
Source: C:\Users\user\Desktop\xx.scr.exe Command line argument: >G{ 0_2_007B4690
Source: xx.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xx.scr.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\xx.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xx.scr.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\xx.scr.exe File read: C:\Users\user\Desktop\xx.scr.exe
Source: C:\Users\user\Desktop\xx.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: C:\Users\user\Desktop\xx.scr.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: xx.scr.exe Static file information: File size 3755246 > 1048576
Source: xx.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: xx.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: xx.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: xx.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xx.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: xx.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: xx.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: xx.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: xx.scr.exe
Source: xx.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: xx.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: xx.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: xx.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: xx.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: xx.scr.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007A125A push ecx; ret 0_2_007A126D
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007A1DB0 push ecx; ret 0_2_007A1DC3
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_0078C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0078C4A8
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_0079E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0079E560
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007AD998 FindFirstFileExA, 0_2_007AD998
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007A0B80 VirtualQuery,GetSystemInfo, 0_2_007A0B80
Source: C:\Users\user\Desktop\xx.scr.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007A647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007A647F
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007AA640 mov eax, dword ptr fs:[00000030h] 0_2_007AA640
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007AE680 GetProcessHeap, 0_2_007AE680
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007A215D SetUnhandledExceptionFilter, 0_2_007A215D
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007A12D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_007A12D7
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007A647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007A647F
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007A1FCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007A1FCA
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007927A9 cpuid 0_2_007927A9
Source: C:\Users\user\Desktop\xx.scr.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0079D0AB
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_007A037C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle, 0_2_007A037C
Source: C:\Users\user\Desktop\xx.scr.exe Code function: 0_2_0078D076 GetVersionExW, 0_2_0078D076
No contacted IP infos