Source: 0.0.evatest2.exe.1090000.0.unpack | Joe Sandbox ML: detected |
Source: 0.1.evatest2.exe.1090000.0.unpack | Joe Sandbox ML: detected |
Source: 0.2.evatest2.exe.1090000.0.unpack | Joe Sandbox ML: detected |
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091C99 | 0_2_01091C99 |
Source: evatest2.exe, type: SAMPLE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 00000000.00000001.1662073315.01090000.00000002.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 00000000.00000002.1671247806.01090000.00000002.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 00000000.00000000.1660532969.01090000.00000002.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 0.1.evatest2.exe.1090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 0.2.evatest2.exe.1090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 0.0.evatest2.exe.1090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 0.0.evatest2.exe.1090000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 0.1.evatest2.exe.1090000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 0.2.evatest2.exe.1090000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: classification engine | Classification label: sus25.winEXE@1/0@0/0 |
Source: evatest2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\evatest2.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: evatest2.exe | Static file information: File size 6677504 > 1048576 |
Source: evatest2.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x651200 |
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: evatest2.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: C:\UnTroueCunTroueKhouya\Release\UnTroueCunTroueKhouya.pdb source: evatest2.exe |
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091000 OutputDebugStringW,GetKeyboardLayout,lstrlenA,lstrlenA,_malloc,GetModuleHandleA,GetProcAddress,_malloc,VirtualProtect,LoadLibraryA,GetProcAddress, | 0_2_01091000 |
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_010922A5 push ecx; ret | 0_2_010922B8 |
Source: c:\users\user\desktop\evatest2.exe | Event Logs and Signature results: Application crash and keyboard check |
Source: C:\Users\user\Desktop\evatest2.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_0-3409 |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091000 GetKeyboardLayout followed by cmp: cmp al, 09h and CTI: je 01091023h country: English (en) | 0_2_01091000 |
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091000 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: jne 0109102Dh country: Russian (ru) | 0_2_01091000 |
Source: C:\Users\user\Desktop\evatest2.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01093B64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_01093B64 |
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_0109120D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_0109120D |
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_010960B7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_010960B7 |
Source: C:\Users\user\Desktop\evatest2.exe | Code function: GetLocaleInfoA, | 0_2_01096D2C |
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_010938DB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, | 0_2_010938DB |