Windows Analysis Report PRTService.exe

Overview

General Information

Sample Name: PRTService.exe
Analysis ID: 452460
MD5: 4a838989da416e3d16c520d03c3ba192
SHA1: f2fb096d74527a06c5b5c2975fd438419ec171b6
SHA256: 26c2caf1eb317e9354cec8a92e824a495ce7d253f6d1779226138e6994553cf9

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
One or more processes crash
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Analysis Advice

Sample crashes during execution; try analyzing it on another analysis machine
Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

  • System is w10x64
  • PRTService.exe (PID: 5480 cmdline: 'C:\Users\user\Desktop\PRTService.exe' MD5: 4A838989DA416E3D16C520D03C3BA192)
    • dw20.exe (PID: 5976 cmdline: dw20.exe -x -s 852 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Source: PRTService.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\PRTService.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PRTService.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Dev\CliSecure\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: PRTService.exe, 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp, AgileDotNetRT.dll.1.dr
Source: Binary string: C:\Windows\exe\PRTService.pdb source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: V:\ID-CHECK\Windows\NetDLL\Release\IDCheckNet.pdb source: PRTService.exe
Source: Binary string: C:\Windows\symbols\exe\PRTService.pdb source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: V:\ID-Check\IDCDeviceController\NetDeviceController\Release\IDCDeviceControllerNet.pdb source: PRTService.exe
Source: Binary string: mscorjit.pdb source: PRTService.exe, 00000001.00000002.207332184.0000000005A60000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\PRTService.pdb` source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: indows\PRTService.pdbpdbice.pdbs\ source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: .pdb3 source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: Binary string: V:\ID-Check\IDCDeviceController\NetDeviceController\Release\IDCDeviceControllerNet.pdb source: PRTService.exe
Source: Binary string: c:\Users\CarlosQ\Documents\Visual Studio 2012\Projects\ASAIComLayer\PRTService\obj\Release\PRTService.pdb source: PRTService.exe
Source: Binary string: C:\Users\user\Desktop\PRTService.pdb source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: mscorjit.pdb{ source: PRTService.exe, 00000001.00000002.207332184.0000000005A60000.00000004.00000001.sdmp
Source: Binary string: symbols\exe\PRTService.pdb source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: Binary string: 1<pC:\Windows\PRTService.pdb source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: PRTService.exe, 00000001.00000002.207107980.00000000057B0000.00000002.00000001.sdmp
Source: Binary string: c:\Users\CarlosQ\Documents\Visual Studio 2012\Projects\ASAIComLayer\PRTService\obj\Release\PRTService.pdb\ source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop.pdbervice.exe < source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00EC29D8 1_2_00EC29D8
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00EC345E 1_2_00EC345E
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00EC2050 1_2_00EC2050
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F529D8 1_2_00F529D8
Source: C:\Users\user\Desktop\PRTService.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 852
Source: PRTService.exe | Binary or memory string: OriginalFilename vs PRTService.exe
Source: PRTService.exe, 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs PRTService.exe
Source: PRTService.exe, 00000001.00000000.197033489.0000000000EF8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDCDeviceControllerNet.dllD vs PRTService.exe
Source: PRTService.exe, 00000001.00000000.197033489.0000000000EF8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDCheckNet.dllH vs PRTService.exe
Source: PRTService.exe, 00000001.00000002.207107980.00000000057B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PRTService.exe
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PRTService.exe
Source: PRTService.exe | Binary or memory string: OriginalFilenameIDCDeviceControllerNet.dllD vs PRTService.exe
Source: PRTService.exe | Binary or memory string: OriginalFilenameIDCheckNet.dllH vs PRTService.exe
Source: AgileDotNetRT.dll.1.dr | Static PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: sus26.evad.winEXE@3/4@0/0
Source: C:\Users\user\Desktop\PRTService.exe | File created: C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b
Source: PRTService.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PRTService.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PRTService.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\PRTService.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\PRTService.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PRTService.exe | String found in binary or memory: Load Timed Out/LoadJurisTable Status:
Source: C:\Users\user\Desktop\PRTService.exe | File read: C:\Users\user\Desktop\PRTService.exe
Source: unknown | Process created: C:\Users\user\Desktop\PRTService.exe 'C:\Users\user\Desktop\PRTService.exe'
Source: C:\Users\user\Desktop\PRTService.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\PRTService.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: PRTService.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PRTService.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E478500 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, 1_2_6E478500
Source: AgileDotNetRT.dll.1.dr | Static PE information: section name: .textbss
Source: AgileDotNetRT.dll.1.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00EC31F4 push ecx; retf 0000h 1_2_00EC32F0
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F19CD4 push eax; ret 1_2_00F19CE8
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F19CD4 push eax; ret 1_2_00F19D10
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F70498 push eax; ret 1_2_00F704AC
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F70498 push eax; ret 1_2_00F704D4
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F19EA7 push ecx; ret 1_2_00F19EB7
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E47569E push eax; ret 1_2_6E4756BC
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48AE07 push 00000C3Fh; mov dword ptr [esp], eax 1_2_6E48AE0F
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A621 push 000003C8h; mov dword ptr [esp], ebx 1_2_6E48A62C
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A688 push 000023F7h; mov dword ptr [esp], eax 1_2_6E48A693
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E488F68 push 000073FDh; mov dword ptr [esp], edx 1_2_6E488F6D
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E488717 push 000010B9h; mov dword ptr [esp], eax 1_2_6E48BAFB
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48B7C3 push 00001947h; mov dword ptr [esp], ecx 1_2_6E48B7CB
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E489C41 push 00001F00h; mov dword ptr [esp], edx 1_2_6E489C48
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E489463 push 00007DDCh; mov dword ptr [esp], ebp 1_2_6E48947C
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E488C34 push 00007802h; mov dword ptr [esp], edx 1_2_6E4895CF
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48B4AA push 00007F81h; mov dword ptr [esp], ebx 1_2_6E48B4C2
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48AD67 push 0000183Fh; mov dword ptr [esp], edx 1_2_6E48AD6C
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E487DCD push 00000237h; mov dword ptr [esp], esi 1_2_6E487DD6
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48AA36 push 00003619h; mov dword ptr [esp], ecx 1_2_6E48AA3F
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48C348 push 00004A85h; mov dword ptr [esp], edx 1_2_6E48C352
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48831F push 000008ABh; mov dword ptr [esp], edx 1_2_6E48A329
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A3AE push 000063D4h; mov dword ptr [esp], ecx 1_2_6E48A3B7
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48B068 push 00000FACh; mov dword ptr [esp], edx 1_2_6E48B06D
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48902C push 00002D0Eh; mov dword ptr [esp], edi 1_2_6E489034
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A82F push 000019CCh; mov dword ptr [esp], esp 1_2_6E48A834
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48B8D6 push 0000142Bh; mov dword ptr [esp], eax 1_2_6E48B8DF
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48997F push 0000120Bh; mov dword ptr [esp], edx 1_2_6E48999F
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A93F push 00005B3Dh; mov dword ptr [esp], ebx 1_2_6E489BAD
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A1D0 push 00000289h; mov dword ptr [esp], edi 1_2_6E48A1D9
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E4889FD push 00006D00h; mov dword ptr [esp], eax 1_2_6E488A09
Source: initial sample | Static PE information: section name: .text entropy: 6.82449258024
Source: initial sample | Static PE information: section name: .reloc entropy: 7.44136591955
Source: C:\Users\user\Desktop\PRTService.exe | File created: C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll
Source: C:\Users\user\Desktop\PRTService.exe | Process information set: NOOPENFILEERRORBOX (reported 20 times)
Source: C:\Users\user\Desktop\PRTService.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (reported 2 times)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX (reported 8 times)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PRTService.exe | RDTSC instruction interceptor: First address: 000000006E472D12, second address: 000000006E472D96, instructions:
  0x00000000 rdtsc
  0x00000002 mov dword ptr [ebp-10h], eax
  0x00000005 mov dword ptr [ebp-0Ch], edx
  0x00000008 mov eax, dword ptr [ebp-10h]
  0x0000000b sub eax, dword ptr [ebp-08h]
  0x0000000e mov edx, dword ptr [ebp-0Ch]
  0x00000011 sbb edx, dword ptr [ebp-04h]
  0x00000014 pop edi
  0x00000015 pop esi
  0x00000016 pop ebx
  0x00000017 mov esp, ebp
  0x00000019 pop ebp
  0x0000001a ret
  0x0000001b mov dword ptr [6E4833C0h], eax
  0x00000020 mov dword ptr [6E4833C4h], edx
  0x00000026 mov dword ptr [ebp-0Ch], 00000000h
  0x0000002d jmp 00007FF90CA8700Bh
  0x0000002f mov eax, dword ptr [ebp-0Ch]
  0x00000032 cmp eax, dword ptr [ebp+08h]
  0x00000035 jnl 00007FF90CA87046h
  0x00000037 rdtsc
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E472D50 rdtsc 1_2_6E472D50
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PRTService.exe | Process queried: DebugPort (reported 2 times)
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E47EF00 GetProcessHeap,RtlAllocateHeap, 1_2_6E47EF00
Source: C:\Users\user\Desktop\PRTService.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E4767C0 MessageBoxW,GetSystemTimeAsFileTime,CompareFileTime,MessageBoxW, 1_2_6E4767C0
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E471EA0 GetVersionExW, 1_2_6E471EA0

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter (2) | Path Interception | Process Injection (11) | Virtualization/Sandbox Evasion (11) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (131) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (11) | Security Account Manager | Virtualization/Sandbox Evasion (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (2) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | System Information Discovery (13) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings

Behavior Graph


Screenshots
