Windows Analysis Report
MSI629D.exe

Overview

General Information

Sample name: MSI629D.exe
(renamed file extension from tmp to exe)
Original sample name: MSI629D.tmp
Analysis ID: 1431740
MD5: 77fada8cefee7aa4f3a83f299b6bc550
SHA1: 7745ac4ffb86f9a8d6f42683f34b1656d9c03a48
SHA256: c97c60f0aea64a0b7dc121c9d6889ee7350a25490a1062d1e4a5b3feb5427f9b

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found potential dummy code loops (likely to delay analysis)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

AV Detection

Source: MSI629D.exe ReversingLabs: Detection: 13%
Source: MSI629D.exe Virustotal: Detection: 15%

System Summary

Source: MSI629D.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MSI629D.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\MSI629D.exe Code function: 1_2_00FD4AFA FindFirstFileExW, 1_2_00FD4AFA
Source: C:\Users\user\Desktop\MSI629D.exe Code function: 1_2_00FDAF8D 1_2_00FDAF8D
Source: classification engine Classification label: mal52.evad.winEXE@1/0@0/0
Source: MSI629D.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MSI629D.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\MSI629D.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MSI629D.exe Section loaded: edgegdi.dll
Source: MSI629D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MSI629D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MSI629D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MSI629D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MSI629D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MSI629D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: MSI629D.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MSI629D.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MSI629D.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MSI629D.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MSI629D.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
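The static PE lines above are bit decodings of the COFF and optional headers: the file characteristics (EXECUTABLE_IMAGE, 32BIT_MACHINE), the DllCharacteristics mitigations (DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE), the per-section flags, and the section whose RVA range contains each data directory. The Python below is an added example, not part of this report or of the sandbox, that performs those decodings on a constructed, header-only PE32 image built inline (the analysed sample is not reproduced here). The flag values and header offsets are those of the PE/COFF specification; the PE32+ branch and the writable-and-executable section check go beyond what the report prints.

```python
import struct

# Flag tables from the PE/COFF specification (values are the spec's; the subset is this example's).
MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}
FILE_CHARS = [(0x0002, "EXECUTABLE_IMAGE"), (0x0100, "32BIT_MACHINE"), (0x2000, "DLL")]
DLL_CHARS = [(0x0020, "HIGH_ENTROPY_VA"), (0x0040, "DYNAMIC_BASE"), (0x0080, "FORCE_INTEGRITY"),
             (0x0100, "NX_COMPAT"), (0x0400, "NO_SEH"), (0x4000, "GUARD_CF"),
             (0x8000, "TERMINAL_SERVER_AWARE")]
SECTION_CHARS = [(0x00000020, "IMAGE_SCN_CNT_CODE"), (0x00000040, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
                 (0x00000080, "IMAGE_SCN_CNT_UNINITIALIZED_DATA"), (0x02000000, "IMAGE_SCN_MEM_DISCARDABLE"),
                 (0x20000000, "IMAGE_SCN_MEM_EXECUTE"), (0x40000000, "IMAGE_SCN_MEM_READ"),
                 (0x80000000, "IMAGE_SCN_MEM_WRITE")]
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
                   "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
                   "DELAY_IMPORT", "COM_DESCRIPTOR"]
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                                         # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe():
    """Constructed, header-only PE32 image for this example (not the analysed sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 0, 0, 0, 224, 0x0102)  # I386, 4 sections, EXE | 32BIT
    opt = struct.pack(OPT32_FMT, 0x10B, 14, 0, 0x1000, 0x3000, 0, 0x1234, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x5000, 0x400, 0,
                      2, 0x8140,                  # GUI subsystem; DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0x2100, 0x50), (0x3000, 0x200), (0x4000, 0x100)   # import, resource, reloc
    dirs[6], dirs[10], dirs[12] = (0x2200, 0x1C), (0x2300, 0xA0), (0x2000, 0x40)  # debug, load config, IAT
    dir_bytes = b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sections = [(b".text", 0x1000, 0x400, 0x60000020),    # CODE | EXECUTE | READ
                (b".rdata", 0x2000, 0x1400, 0x40000040),  # INITIALIZED_DATA | READ
                (b".rsrc", 0x3000, 0x2400, 0x40000040),
                (b".reloc", 0x4000, 0x3400, 0x42000040)]  # INITIALIZED_DATA | DISCARDABLE | READ
    sec_bytes = b"".join(struct.pack(SECTION_FMT, name, 0x1000, va, 0x1000, raw, 0, 0, 0, 0, flags)
                         for name, va, raw, flags in sections)
    return dos + b"PE\0\0" + coff + opt + dir_bytes + sec_bytes


def decode_flags(value, table):
    """Names of the bits set in value, in table order."""
    return [name for bit, name in table if value & bit]


def parse_pe(data):
    """Return (machine, file_chars, dll_chars, data_dirs, sections) from a PE32/PE32+ image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+: ImageBase and the stack/heap sizes are 8 bytes wide
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = min(struct.unpack_from("<I", data, opt + ndirs_off)[0], len(DIRECTORY_NAMES))
    dirs = [struct.unpack_from("<II", data, opt + dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), flags))
    return machine, file_chars, dll_chars, dirs, sections


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, size, _ in sections:
        if va <= rva < va + size:
            return name
    return None


def summarize(data):
    """The facts the report's 'Static PE information' lines state, as a dict."""
    machine, file_chars, dll_chars, dirs, sections = parse_pe(data)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "file_characteristics": decode_flags(file_chars, FILE_CHARS),
        "dll_characteristics": decode_flags(dll_chars, DLL_CHARS),
        "sections": {name: decode_flags(flags, SECTION_CHARS) for name, _, _, flags in sections},
        # only directories that are present, each mapped to the section holding its RVA
        "directories": {"IMAGE_DIRECTORY_ENTRY_" + DIRECTORY_NAMES[i]: section_for_rva(sections, rva)
                        for i, (rva, size) in enumerate(dirs) if rva and size},
        # writable + executable sections: a check the report does not print, typical of packers
        "wx_sections": [name for name, _, _, flags in sections
                        if flags & 0x80000000 and flags & 0x20000000],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(build_sample_pe()), indent=2))
```

Run against a real file with `summarize(open(path, "rb").read())`; an empty `wx_sections` list together with NX_COMPAT and DYNAMIC_BASE is what a normally linked MSVC binary looks like, while a writable .text or a missing relocation directory with DYNAMIC_BASE set would be worth a closer look.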

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\MSI629D.exe Window / User API: threadDelayed 1028
Source: C:\Users\user\Desktop\MSI629D.exe Window / User API: threadDelayed 8971
Source: C:\Users\user\Desktop\MSI629D.exe API coverage: 3.5 %
Source: C:\Users\user\Desktop\MSI629D.exe TID: 6220 Thread sleep count: 1028 > 30
Source: C:\Users\user\Desktop\MSI629D.exe TID: 6220 Thread sleep time: -205600s >= -30000s
Source: C:\Users\user\Desktop\MSI629D.exe TID: 6220 Thread sleep count: 8971 > 30
Source: C:\Users\user\Desktop\MSI629D.exe TID: 6220 Thread sleep time: -1794200s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\MSI629D.exe Last function: Thread delayed
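The sleep totals above carry an "s" suffix but cannot be seconds (1794200 s would be about 20 days); read as milliseconds they divide evenly by the counts, 205600 / 1028 and 1794200 / 8971 both being exactly 200, so thread 6220 is requesting a fixed 200 ms delay in a loop, and the figures are compared against a count threshold of 30 sleeps and a time threshold of 30000 (30 s). The Python below is an added example, not the sandbox's own logic, that reproduces such a check over a constructed API trace: it normalises Sleep/SleepEx milliseconds and NtDelayExecution's negative 100-nanosecond relative intervals to milliseconds, aggregates per thread, and flags both the high-count loop and a single long sleep that a count-only threshold would miss. The thresholds are an assumption chosen to match the report's figures.

```python
from collections import defaultdict


def make_trace():
    """Constructed API trace for this example as (tid, api, argument) tuples.

    Modelled on the per-thread counters in the report; it is not the sandbox's log.
    Sleep/SleepEx take milliseconds; NtDelayExecution takes a relative interval as a
    negative count of 100-nanosecond ticks."""
    trace = [(6220, "NtDelayExecution", -2_000_000)] * 1028   # 1028 x 200 ms: fixed-interval delay loop
    trace += [(100, "Sleep", 50)] * 5                         # a few short waits: benign
    trace += [(7000, "Sleep", 60_000)]                        # one long sleep: low count, high total
    trace += [(100, "GetTickCount", None), (6220, "GetSystemTimeAsFileTime", None)]
    return trace


def delay_ms(api, arg):
    """Requested delay in milliseconds, or None if the call is not a relative sleep."""
    if api in ("Sleep", "SleepEx"):
        return float(arg)
    if api == "NtDelayExecution" and arg < 0:   # positive values are absolute deadlines, not counted here
        return -arg / 10_000.0
    return None


def analyze_sleeps(trace, count_threshold=30, time_threshold_ms=30_000):
    """Per-thread sleep statistics and the flags a sandbox would raise on them.

    The thresholds (more than 30 sleeps, or at least 30 s requested in total) are an
    assumption chosen to match the figures printed in the report."""
    per_thread = defaultdict(list)
    for tid, api, arg in trace:
        ms = delay_ms(api, arg)
        if ms is not None:
            per_thread[tid].append(ms)
    findings = []
    for tid, delays in sorted(per_thread.items()):
        count, total = len(delays), sum(delays)
        flags = []
        if count > count_threshold:
            flags.append("sleep count %d > %d" % (count, count_threshold))
            if min(delays) == max(delays):        # every call asks for the same delay: a tight loop
                flags.append("fixed %.0f ms interval" % delays[0])
        if total >= time_threshold_ms:            # catches one long sleep that a count check would miss
            flags.append("sleep time %.0f ms >= %d ms" % (total, time_threshold_ms))
        if flags:
            findings.append({"tid": tid, "count": count, "total_ms": total, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in analyze_sleeps(make_trace()):
        print("TID %d: %d sleeps, %.0f ms requested; %s"
              % (f["tid"], f["count"], f["total_ms"], "; ".join(f["flags"])))
```

A fixed-interval loop of this kind is what sleep-skipping in a sandbox is designed to defeat, and the "Sample execution stops while process was sleeping" and "API coverage: 3.5 %" lines above are the expected consequence when the requested delay still outlasts the analysis window.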

Anti Debugging

Source: C:\Users\user\Desktop\MSI629D.exe Process Stats: CPU usage > 5% for more than 60s
Source: C:\Users\user\Desktop\MSI629D.exe Code function: 1_2_00FD4442 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00FD4442
Source: C:\Users\user\Desktop\MSI629D.exe Code function: 1_2_00FD34CF mov eax, dword ptr fs:[00000030h] 1_2_00FD34CF
Source: C:\Users\user\Desktop\MSI629D.exe Code function: 1_2_00FD5C27 mov eax, dword ptr fs:[00000030h] 1_2_00FD5C27
Source: C:\Users\user\Desktop\MSI629D.exe Code function: 1_2_00FD6D42 GetProcessHeap, 1_2_00FD6D42
Source: C:\Users\user\Desktop\MSI629D.exe Code function: 1_2_00FD196E SetUnhandledExceptionFilter, 1_2_00FD196E
Source: C:\Users\user\Desktop\MSI629D.exe Code function: 1_2_00FD17DA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00FD17DA
Source: C:\Users\user\Desktop\MSI629D.exe Code function: 1_2_00FD134E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00FD134E
Source: C:\Users\user\Desktop\MSI629D.exe Code function: 1_2_00FD1A75 cpuid 1_2_00FD1A75
Source: C:\Users\user\Desktop\MSI629D.exe Code function: 1_2_00FD16C1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00FD16C1
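The two `mov eax, dword ptr fs:[00000030h]` hits above only show that the PEB is loaded. A PEB read is weak evidence by itself, since runtimes and loader-aware code also read fields such as ProcessParameters and Ldr; what distinguishes a debugger check is the field used afterwards: BeingDebugged at +0x02, NtGlobalFlag at +0x68, or ProcessHeap at +0x18 for the heap-flags test that the GetProcessHeap call at 1_2_00FD6D42 can also serve. Likewise, the sequences at 1_2_00FD17DA, 1_2_00FD134E and 1_2_00FD16C1 (IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess; GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter) match what the MSVC CRT emits for its fail-fast handler and for __security_init_cookie, so on their own they are consistent with ordinary CRT startup code. The Python below is an added example, not from the report or the sample, that scans a constructed 32-bit code fragment for fs:[30h] loads and classifies each by the PEB field accessed within a few bytes; it is a byte-pattern heuristic rather than a disassembler, and the offsets are those of the 32-bit PEB.

```python
# Constructed x86-32 code fragment for this example; it is not code from the sample.
SAMPLE_CODE = bytes.fromhex(
    "558bec"          # push ebp; mov ebp, esp
    "64a130000000"    # mov eax, fs:[30h]              ; eax = PEB
    "0fb64002"        # movzx eax, byte ptr [eax+2]    ; PEB.BeingDebugged
    "85c07502"        # test eax, eax; jnz +2
    "33c0"            # xor eax, eax
    "648b0d30000000"  # mov ecx, fs:[30h]              ; ecx = PEB
    "8b4168"          # mov eax, [ecx+68h]             ; PEB.NtGlobalFlag
    "a870"            # test al, 70h                   ; FLG_HEAP_* bits a debugger sets
    "64a130000000"    # mov eax, fs:[30h]
    "8b4010"          # mov eax, [eax+10h]             ; PEB.ProcessParameters
    "c9c3"            # leave; ret
)

REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# 32-bit PEB field offsets
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x10: "ProcessParameters",
              0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}
VERDICTS = {
    "BeingDebugged": "anti-debug",
    "NtGlobalFlag": "anti-debug",
    "ProcessHeap": "anti-debug if followed by a Flags/ForceFlags test",
    "ProcessParameters": "usually benign runtime bookkeeping",
    "Ldr": "module walk (loader bookkeeping or manual import resolution)",
}


def find_peb_loads(code):
    """(offset, register, length) of every `mov r32, fs:[30h]` in 32-bit code."""
    hits = []
    for i in range(len(code) - 6):
        if code[i] != 0x64:                       # FS segment override prefix
            continue
        if code[i + 1] == 0xA1 and code[i + 2:i + 6] == b"\x30\x00\x00\x00":
            hits.append((i, 0, 6))                # A1: mov eax, moffs32
        elif (code[i + 1] == 0x8B and (code[i + 2] & 0xC7) == 0x05
              and code[i + 3:i + 7] == b"\x30\x00\x00\x00"):
            hits.append((i, (code[i + 2] >> 3) & 7, 7))   # 8B /r with mod=00 rm=101: disp32 only
    return hits


def peb_field_access(code, pos, reg):
    """PEB field offset read by the instruction at pos through [reg+disp8], else None.

    Recognises movzx/mov/test/cmp with a mod=01 ModRM whose base register is `reg`."""
    b = code[pos:pos + 4]
    if len(b) == 4 and b[0] == 0x0F and b[1] == 0xB6 and (b[2] & 0xC7) == (0x40 | reg):
        return b[3]                               # movzx r32, byte ptr [reg+d8]
    if len(b) >= 3 and b[0] in (0x8A, 0x8B, 0xF6, 0x80) and (b[1] & 0xC7) == (0x40 | reg):
        return b[2]                               # mov r8/r32, test, cmp against [reg+d8]
    return None


def classify_peb_reads(code, window=12):
    """For each PEB load, the field used within `window` bytes and a verdict.

    Byte-level heuristic, not a disassembler: it can mis-fire on data or mid-instruction."""
    findings = []
    for off, reg, length in find_peb_loads(code):
        field = None
        for p in range(off + length, min(off + length + window, len(code))):
            field = peb_field_access(code, p, reg)
            if field is not None:
                break
        name = PEB_FIELDS.get(field, None if field is None else "+0x%02x" % field)
        findings.append({"offset": off, "reg": REG_NAMES[reg], "field": name,
                         "verdict": VERDICTS.get(name, "unclassified PEB read")})
    return findings


if __name__ == "__main__":
    for f in classify_peb_reads(SAMPLE_CODE):
        print("+0x%04x  %s <- fs:[30h]  field=%s  %s" % (f["offset"], f["reg"], f["field"], f["verdict"]))
```

On a real sample, feed it the raw bytes of the .text section and add the section's virtual address to each offset to compare against the 1_2_00FD34CF and 1_2_00FD5C27 addresses above; a load whose nearest field use is ProcessParameters is the kind of PEB read the CRT makes, while BeingDebugged or NtGlobalFlag within a few bytes is the real anti-debugging signal.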
No contacted IP infos