Windows Analysis Report
pwdump.exe

Overview

General Information

Sample name: pwdump.exe
Analysis ID: 1465755
MD5: a0b60ca561897bed096a2d2171fc43e9
SHA1: 863db3a58c14ac26dacb1928a72a8f30eade65a4
SHA256: 799b82830977f1e159bde8818bef466ad05fb438194d834537af461f11a53834

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Potential time zone aware malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

AV Detection

Source: pwdump.exe ReversingLabs: Detection: 47%
Source: pwdump.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

System Summary

Source: pwdump.exe, type: SAMPLE Matched rule: Detects a tool used by APT groups - file PwDump.exe Author: Florian Roth
Source: C:\Users\user\Desktop\pwdump.exe Memory allocated: 770B0000 page execute and read and write
Source: pwdump.exe, 00000000.00000000.338310864.0000000000431000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePWD.exe vs pwdump.exe
Source: pwdump.exe Binary or memory string: OriginalFilenamePWD.exe vs pwdump.exe
Source: pwdump.exe, type: SAMPLE Matched rule: PwDump_B date = 2016-09-08, hash1 = 3c796092f42a948018c3954f837b4047899105845019fce75a6e82bc99317982, author = Florian Roth, description = Detects a tool used by APT groups - file PwDump.exe, reference = http://goo.gl/igxLyF, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal56.winEXE@1/0@0/0
Source: pwdump.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pwdump.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\pwdump.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\pwdump.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\pwdump.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\pwdump.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\pwdump.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\pwdump.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\pwdump.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\pwdump.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos