Windows Analysis Report
HxTsr.exe

Overview

General Information

Sample name: HxTsr.exe
Analysis ID: 1432172
MD5: 5598f080258560d009714396d1f464ac
SHA1: 89a086fa0664780c3a23f6fa7c6b4b35caf797d0
SHA256: 919423dbefdfe9536c13380a0331801e4451700df78381c00d2c445d7554776b

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

Source: HxTsr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, APPCONTAINER, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: d:\dbs\el\jul\target\x64\ship\hxcomm\x-none\HxTsr.pdb source: HxTsr.exe
Source: C:\Users\user\Desktop\HxTsr.exe Code function: 4x nop then push rbx 0_2_00007FF77F4F4318
Source: C:\Users\user\Desktop\HxTsr.exe Code function: 0_2_00007FF77F4FCE24 0_2_00007FF77F4FCE24
Source: C:\Users\user\Desktop\HxTsr.exe Code function: 0_2_00007FF77F4FDA1C 0_2_00007FF77F4FDA1C
Source: classification engine Classification label: clean2.winEXE@1/0@0/0
Source: HxTsr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HxTsr.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies key; it is opened as part of normal process start-up and is not evidence that the sample inspects policy itself)
Source: C:\Users\user\Desktop\HxTsr.exe Section loaded: microsoft.applications.telemetry.windows.dll
Source: C:\Users\user\Desktop\HxTsr.exe Section loaded: hxoutlookbackground.dll
Source: C:\Users\user\Desktop\HxTsr.exe Section loaded: vcruntime140_1_app.dll
Source: C:\Users\user\Desktop\HxTsr.exe Section loaded: vcruntime140_app.dll
Source: C:\Users\user\Desktop\HxTsr.exe Section loaded: msvcp140_app.dll
Note: the *_app.dll variants of the Visual C++ runtime are the Windows Store (AppContainer) build of the runtime, matching the APPCONTAINER flag above; together with hxoutlookbackground.dll and the hxcomm PDB path this is consistent with the Outlook sync host of the Mail and Calendar app rather than a stand-alone program.
Source: HxTsr.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: HxTsr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HxTsr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HxTsr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HxTsr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HxTsr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HxTsr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: HxTsr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HxTsr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HxTsr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HxTsr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HxTsr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: HxTsr.exe Static PE information: real checksum: 0x21d68 should be: 0x1ee25
Source: HxTsr.exe Static PE information: section name: .didat
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\HxTsr.exe Code function: 0_2_00007FF77F4F10A4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF77F4F10A4 (this API sequence is the MSVC CRT's __security_init_cookie, which seeds the /GS stack cookie at start-up; it appears in every MSVC-built binary and is not a timing or sandbox-evasion check)
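The static findings above (stored vs. computed checksum, DllCharacteristics flags, the non-standard .didat section name, the image base) can be reproduced from the PE headers with nothing but the Python standard library. The script below is an added example written for this page, not tooling from the analysis engine or from Microsoft. So that it runs offline it builds a constructed, header-only PE32+ image carrying the same flags, image base and section names the report lists; given a file path as its argument it checks a real binary instead. The set of "standard" section names is an assumption chosen so that .didat is flagged the way the report flags it; other tools use other lists.

```python
"""Static PE header checks (stdlib only): stored vs computed checksum,
DllCharacteristics flags, non-standard section names, image base."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Assumed list of section names treated as "standard" (chosen so .didat is flagged).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", ".CRT"}


def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """PE/COFF checksum as CheckSumMappedFile computes it: one's-complement sum of
    all 32-bit words with the CheckSum field itself skipped, folded to 16 bits,
    plus the file length."""
    if checksum_offset % 4:
        raise ValueError("CheckSum field must be 4-byte aligned")
    padded = image + b"\x00" * (-len(image) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue                        # the field being computed counts as zero
        total += struct.unpack_from("<I", padded, off)[0]
        while total > 0xFFFFFFFF:           # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(image)


def parse_pe(image: bytes) -> dict:
    """Read the header fields the report cites from the DOS/COFF/optional headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", image, opt)[0] == 0x20B
    # ImageBase is a QWORD at +24 in PE32+, a DWORD at +28 in PE32 (after BaseOfData)
    image_base = (struct.unpack_from("<Q", image, opt + 24)[0] if pe32plus
                  else struct.unpack_from("<I", image, opt + 28)[0])
    checksum_off = opt + 64                 # same offset in PE32 and PE32+
    dllchar = struct.unpack_from("<H", image, opt + 70)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i       # IMAGE_SECTION_HEADER is 40 bytes
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, struct.unpack_from("<I", image, hdr + 36)[0]))
    return {
        "pe32plus": pe32plus,
        "image_base": image_base,
        "dll_characteristics": [n for b, n in sorted(DLL_CHARACTERISTICS.items()) if dllchar & b],
        "sections": sections,
        "nonstandard_sections": [n for n, _ in sections if n not in STANDARD_SECTIONS],
        "stored_checksum": struct.unpack_from("<I", image, checksum_off)[0],
        "computed_checksum": pe_checksum(image, checksum_off),
    }


def checksum_status(info: dict) -> str:
    """'unset' (linker wrote 0, common for user-mode images), 'valid' or 'invalid'."""
    if info["stored_checksum"] == 0:
        return "unset"
    return "valid" if info["stored_checksum"] == info["computed_checksum"] else "invalid"


def build_sample_pe(stored_checksum: int = 0) -> bytes:
    """Constructed, header-only PE32+ image (not loadable) with the report's
    DllCharacteristics, ImageBase 0x140000000 and sections .text and .didat."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)  # AMD64, 2 sections
    opt = bytearray(240)                                           # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x140000000)
    struct.pack_into("<I", opt, 64, stored_checksum)
    struct.pack_into("<H", opt, 68, 2)                             # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100 | 0x1000 | 0x4000 | 0x8000)

    def section(name: bytes, chars: int) -> bytes:
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0, 0, 0, 0, 0, 0, 0, 0, chars)

    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
            + section(b".text", 0x60000020) + section(b".didat", 0x40000040))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0x21D68)
    info = parse_pe(data)
    for key, value in info.items():
        print(key, hex(value) if type(value) is int else value)
    print("checksum:", checksum_status(info))
```

A stored CheckSum of 0 means the linker never wrote one; a non-zero value that does not match the recomputed one means the file was changed after the header was written (patched, rebased, or data appended), or the tool computed it over a different length. Windows enforces the checksum only for drivers, DLLs loaded at boot and DLLs loaded into critical system processes, so on a user-mode executable a mismatch is a weak indicator by itself and should be combined with a signature check or a comparison of the hashes above against a known-good copy.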
No contacted IP infos