Windows Analysis Report
NtpService.exe

Overview

General Information

Sample name: NtpService.exe
Analysis ID: 1448269
MD5: 9200c356b485ca61ec88258f0800657a
SHA1: dc76c7586e1946ac120111d3a35937526a7cf140
SHA256: d9a8151aff9d1c061826a9812ed9a6600805c74a519df333513fd4a79d2d4e61
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: NtpService.exe Avira: detected
Source: NtpService.exe ReversingLabs: Detection: 47%
Source: NtpService.exe Virustotal: Detection: 66%
Source: NtpService.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\NtpService.exe Code function: 0_2_00007FF639C31000
Source: C:\Users\user\Desktop\NtpService.exe Code function: 0_2_00007FF639C31610
Source: C:\Users\user\Desktop\NtpService.exe Code function: 0_2_00007FF639C31DD0
Source: C:\Users\user\Desktop\NtpService.exe Code function: 0_2_00007FF639C31FC0
Source: C:\Users\user\Desktop\NtpService.exe Code function: 0_2_00007FF639C31C70
Source: NtpService.exe, 00000000.00000002.2101678888.00007FF639C38000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameExample Deep Security Agent.exeX vs NtpService.exe
Source: NtpService.exe, 00000000.00000000.2050404823.00007FF639C37000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameExample Deep Security Agent.exeX vs NtpService.exe
Source: NtpService.exe Binary or memory string: OriginalFilenameExample Deep Security Agent.exeX vs NtpService.exe
Source: classification engine Classification label: mal56.winEXE@1/0@0/0
Source: NtpService.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NtpService.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\NtpService.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\NtpService.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NtpService.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\NtpService.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\NtpService.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\NtpService.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\NtpService.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NtpService.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NtpService.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\NtpService.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\NtpService.exe Section loaded: fwpuclnt.dll
Source: NtpService.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: NtpService.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: NtpService.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\NtpService.exe Code function: 0_2_00007FF639C36060 push 01130063h; retf 0_2_00007FF639C3606A
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: NtpService.exe, 00000000.00000002.2101259149.00000210D2FDC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\NtpService.exe API call chain: ExitProcess graph end node
No contacted IP infos
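Added check, not part of the Joe Sandbox report: a stdlib-only PE32+ header parser that reproduces the static observations the report cites (ImageBase 0x140000000 above 0x60000000, DllCharacteristics HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT, the .text section flags, and the "non-standard" .xdata section name) and adds the caveat an analyst would apply: ASLR/DEP flags are what any modern linker sets, the ImageBase is the x64 EXE default, and .xdata alongside .pdata is the x64 unwind-info layout GCC/MinGW-w64 emits, so on its own it points to the toolchain rather than a packer. The sample bytes are a constructed minimal header built by build_sample(), not the NtpService.exe sample; run parse_pe() on the real file's bytes to check it. The standard-section name sets and the triage wording are this example's own assumptions.

```python
"""Static PE header triage for the flags a sandbox report cites (added example, stdlib only)."""
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B

# IMAGE_DLLCHARACTERISTICS_* values from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# IMAGE_SCN_* section flags from winnt.h
SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}

# Assumed name sets: MSVC-style names most sandboxes treat as standard, plus the
# extra names GCC/MinGW-w64 emits (.xdata/.pdata carry x64 unwind data).
MSVC_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                 ".idata", ".edata", ".tls", ".bss", ".CRT"}
MINGW_EXTRA_SECTIONS = {".xdata", ".eh_frame", ".ctors", ".dtors"}


def parse_pe(data: bytes) -> dict:
    """Return machine, ImageBase, DllCharacteristics names and section info from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    machine, nsections = struct.unpack_from("<HH", data, coff)
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ is handled in this example")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # 8-byte ImageBase in PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # DllCharacteristics

    sections = []
    sec_off = opt + opt_size
    for i in range(nsections):
        hdr = data[sec_off + 40 * i: sec_off + 40 * (i + 1)]   # IMAGE_SECTION_HEADER is 40 bytes
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", hdr, 36)[0]           # Characteristics
        sections.append({
            "name": name,
            "flags": [n for b, n in sorted(SCN_FLAGS.items()) if chars & b],
            "wx": bool(chars & 0x20000000 and chars & 0x80000000),  # writable + executable
        })
    return {"machine": machine, "image_base": image_base,
            "dll_characteristics": [n for b, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & b],
            "sections": sections}


def triage(info: dict) -> list:
    """Restate the report's static PE findings with the toolchain caveat applied."""
    notes = []
    if {"HIGH_ENTROPY_VA", "DYNAMIC_BASE", "NX_COMPAT"} <= set(info["dll_characteristics"]):
        notes.append("ASLR/HEVA/DEP enabled: normal for a modern linker, not an evasion indicator")
    if info["image_base"] > 0x60000000:
        notes.append("ImageBase 0x%x > 0x60000000 (0x140000000 is the x64 EXE default)" % info["image_base"])
    for s in info["sections"]:
        if s["wx"]:
            notes.append("section %s is writable and executable" % s["name"])
        if s["name"] not in MSVC_SECTIONS:
            if s["name"] in MINGW_EXTRA_SECTIONS:
                notes.append("section %s is non-standard for MSVC but expected from GCC/MinGW" % s["name"])
            else:
                notes.append("section %s is non-standard (check for packer or custom loader)" % s["name"])
    return notes


def build_sample() -> bytes:
    """Constructed minimal PE32+ header (headers only, no code); not the analysed sample."""
    sections = [
        (b".text", 0x60000020),   # CNT_CODE | MEM_EXECUTE | MEM_READ, as the report lists
        (b".rdata", 0x40000040),  # CNT_INITIALIZED_DATA | MEM_READ
        (b".xdata", 0x40000040),  # MinGW-w64 x64 unwind info
        (b".pdata", 0x40000040),
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(sections), 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, 0x140000000)               # ImageBase
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100)  # HEVA | DYNAMIC_BASE | NX_COMPAT
    hdrs = b"".join(name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0, 0, 0, 0, 0, 0, 0, 0, flags)
                    for name, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    info = parse_pe(build_sample())
    print("ImageBase: 0x%x  DllCharacteristics: %s" % (info["image_base"], ", ".join(info["dll_characteristics"])))
    for s in info["sections"]:
        print("%-8s %s" % (s["name"], ", ".join(s["flags"])))
    for line in triage(info):
        print(" -", line)
```

To apply it to the real file, replace build_sample() with open("NtpService.exe", "rb").read(); a writable-plus-executable section or a name outside both sets is the result that would actually raise the packer question the report's heuristic hints at.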