Windows Analysis Report
SGIART9.exe

Overview

General Information

Sample name: SGIART9.exe
Analysis ID: 1417156
MD5: 0a404629a2a8a1185c3048d164f7eca2
SHA1: c40fee8f8a0247359a05c9db8be6fb66ca65b452
SHA256: 5f7a67bd387dfc4c9d750cdc0ced3e4efb37dcc918a0ce4869f3561b88944873

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SGIART9.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\SGIART9.exe Code function: 1_2_00401198 1_2_00401198
Source: C:\Users\user\Desktop\SGIART9.exe Code function: 1_2_00401244 1_2_00401244
Source: SGIART9.exe Binary or memory string: OriginalFilename vs SGIART9.exe
Source: SGIART9.exe, 00000001.00000002.3423110448.000000000042A000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePBRUSH.EXEj% vs SGIART9.exe
Source: SGIART9.exe Binary or memory string: OriginalFilenamePBRUSH.EXEj% vs SGIART9.exe
Source: C:\Users\user\Desktop\SGIART9.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SGIART9.exe Section loaded: vb40032.dll
Source: classification engine Classification label: clean3.winEXE@1/0@0/0
Source: SGIART9.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SGIART9.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SGIART9.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SGIART9.exe Static file information: File size 1283072 > 1048576
Source: SGIART9.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x122a00
Source: C:\Users\user\Desktop\SGIART9.exe Code function: 1_2_004154BB push es; ret 1_2_004154C0
Source: C:\Users\user\Desktop\SGIART9.exe Code function: 1_2_00415B67 push ds; iretd 1_2_00415B71
Source: C:\Users\user\Desktop\SGIART9.exe Code function: 1_2_00415B6C push ds; iretd 1_2_00415B71
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos