Windows Analysis Report
RcvMst.exe

Overview

General Information

Sample name: RcvMst.exe
Analysis ID: 1447778
MD5: 6866479d039860a7f28eb5f11768e2e0
SHA1: 58f70fd73d8582a11db032322aac6081850359ac
SHA256: 9ff834bf3231a1e257b6d19770bcd670b8ff00227334f7f967cba9fd5a5a6a85

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Uses Windows timers to delay execution
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: RcvMst.exe Virustotal: Detection: 14%
Source: RcvMst.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: RcvMst.exe String found in binary or memory: http://www.indyproject.org/
Source: RcvMst.exe, 00000000.00000003.1677314919.00000000089F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: RcvMst.exe Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: RcvMst.exe Static PE information: Number of sections : 11 > 10
Source: RcvMst.exe, 00000000.00000003.1675874771.0000000000D59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10War vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1675874771.0000000000D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1670904466.0000000000D52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1676332459.0000000000D54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1671310554.0000000000D53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1676738087.0000000000D53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1676569336.0000000000D54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1676738087.0000000000D59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10War vs RcvMst.exe
Source: RcvMst.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: mal52.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\RcvMst.exe File created: C:\Users\user\Desktop\RcvMst.exe.close.stop
Source: C:\Users\user\Desktop\RcvMst.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\RcvMst.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\RcvMst.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RcvMst.exe Virustotal: Detection: 14%
Source: RcvMst.exe String found in binary or memory: NATS-SEFI-ADD
Source: RcvMst.exe String found in binary or memory: NATS-DANO-ADD
Source: RcvMst.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: RcvMst.exe String found in binary or memory: jp-ocr-b-add
Source: RcvMst.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: RcvMst.exe String found in binary or memory: jp-ocr-hand-add
Source: RcvMst.exe String found in binary or memory: ISO_6937-2-add
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: security.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: d3d10_1.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: d3d10_1core.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: d3d10_1.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: d3d10_1core.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: msdart.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: idndl.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\RcvMst.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\RcvMst.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: RcvMst.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: RcvMst.exe Static file information: File size 8620032 > 1048576
Source: RcvMst.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x64c400
Source: RcvMst.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x125600
Source: RcvMst.exe Static PE information: section name: .didata
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RcvMst.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\RcvMst.exe User Timer Set: Timeout: 250ms
Source: C:\Users\user\Desktop\RcvMst.exe User Timer Set: Timeout: 10ms
Source: C:\Users\user\Desktop\RcvMst.exe User Timer Set: Timeout: 10ms
Source: C:\Users\user\Desktop\RcvMst.exe User Timer Set: Timeout: 10ms
Source: C:\Users\user\Desktop\RcvMst.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: RcvMst.exe, 00000000.00000003.1675874771.0000000000D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\RcvMst.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\RcvMst.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\RcvMst.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
No contacted IP infos