Windows Analysis Report
dcm2niix.exe

Overview

General Information

Sample name: dcm2niix.exe
Analysis ID: 1466701
MD5: 0d831c8a0b2379cd73393d725ba8f95c
SHA1: bd2cdd77c5fe97e2b238fb7f1f8ea6342e1d5b18
SHA256: 34de9d74012c9768ed8318d69c0bb0a2b34cb50f787a20f95ab4781c2bcaeb71

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 93.5% probability
Source: dcm2niix.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: 0_2_00007FF7D1EE8E90 FindClose,FindFirstFileA,FindClose, 0_2_00007FF7D1EE8E90
Source: dcm2niix.exe String found in binary or memory: http://json.org
Source: dcm2niix.exe String found in binary or memory: http://json.orgSpecialA75DataTypeNameA75DBNameA75ExtendsA75SessionErrorA75GlobalMaxA75GlobalMinbase6
Source: dcm2niix.exe String found in binary or memory: http://neurojson.org)
Source: dcm2niix.exe String found in binary or memory: http://neurojson.org)AnnotationFormathttps://github.com/NeuroJSON/jnifti/blob/master/JNIfTI_specific
Source: dcm2niix.exe String found in binary or memory: http://teem.sourceforge.net/nrrd/format.html
Source: dcm2niix.exe String found in binary or memory: https://github.com/NeuroJSON/bjdata/blob/master/Binary_JData_Specification.md
Source: dcm2niix.exe String found in binary or memory: https://github.com/NeuroJSON/jnifti/blob/master/JNIfTI_specification.md
Source: dcm2niix.exe String found in binary or memory: https://github.com/NeuroJSON/jnifty
Source: dcm2niix.exe String found in binary or memory: https://github.com/NeuroJSON/jsdata
Source: dcm2niix.exe String found in binary or memory: https://github.com/rordenlab/dcm2niix/issues/236
Source: dcm2niix.exe String found in binary or memory: https://pypi.org/project/bjdata
Source: dcm2niix.exe String found in binary or memory: https://pypi.org/project/bjdatahttps://github.com/NeuroJSON/jniftyJavaScripthttps://github.com/Neuro
Source: dcm2niix.exe String found in binary or memory: https://pypi.org/project/jdata
Source: dcm2niix.exe String found in binary or memory: https://www.cognitiveatlas.org/task/id/trm_4c8a834779883/
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: String function: 00007FF7D1F24CC0 appears 46 times
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: String function: 00007FF7D1EA9BB0 appears 174 times
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: String function: 00007FF7D1EA2A10 appears 417 times
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: String function: 00007FF7D1F2F334 appears 63 times
Source: classification engine Classification label: sus24.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2276:120:WilError_03
Source: dcm2niix.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dcm2niix.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\dcm2niix.exe "C:\Users\user\Desktop\dcm2niix.exe"
Source: C:\Users\user\Desktop\dcm2niix.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dcm2niix.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\dcm2niix.exe Section loaded: kernel.appcore.dll
Source: dcm2niix.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: dcm2niix.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dcm2niix.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dcm2niix.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dcm2niix.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dcm2niix.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dcm2niix.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dcm2niix.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dcm2niix.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dcm2niix.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dcm2niix.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dcm2niix.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: dcm2niix.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: 0_2_00007FF7D1EAE3DB push rsp; ret 0_2_00007FF7D1EAE3DC
Source: C:\Users\user\Desktop\dcm2niix.exe API coverage: 5.8 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: 0_2_00007FF7D1F3CFE0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7D1F3CFE0
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: 0_2_00007FF7D1F22C20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7D1F22C20
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FF7D1F4F348
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF7D1F4FBAC
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: EnumSystemLocalesW, 0_2_00007FF7D1F423CC
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: EnumSystemLocalesW, 0_2_00007FF7D1F4F774
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: GetLocaleInfoW, 0_2_00007FF7D1F4284C
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF7D1F4FD90
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: EnumSystemLocalesW, 0_2_00007FF7D1F4F6A4
Source: C:\Users\user\Desktop\dcm2niix.exe Code function: 0_2_00007FF7D1F23954 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7D1F23954
No contacted IP infos