Windows Analysis Report
PSKILL.EXE

Overview

General Information

Sample name: PSKILL.EXE
Analysis ID: 1559468
MD5: ec9bc439b375bd787ab0d6bba1ae76ab
SHA1: 98773b3e894e8c167fb2c7e7da24b21e2e7c4656
SHA256: 8d6306d1d0aaa65f41e2420d23c2035542511d7d3e9d675edf29e13aa14b9e31
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: PSKILL.EXE ReversingLabs: Detection: 24%
Uses 32bit PE files
Source: PSKILL.EXE Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PSKILL.EXE, ConDrv.0.dr String found in binary or memory: http://www.sysinternals.com
Contains functionality to delete services
Source: C:\Users\user\Desktop\PSKILL.EXE Code function: 0_2_00401EB0 OpenServiceA,DeleteService,CloseServiceHandle, 0_2_00401EB0
PE file contains executable resources (Code or Archives)
Source: PSKILL.EXE Static PE information: Resource name: BINRES type: PE32 executable (console) Intel 80386, for MS Windows
Sample file is different than original file name gathered from version info
Source: PSKILL.EXE, 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamepkill.exe vs PSKILL.EXE
Source: PSKILL.EXE Binary or memory string: OriginalFilenamepkill.exe vs PSKILL.EXE
Uses 32bit PE files
Source: PSKILL.EXE Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal48.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\PSKILL.EXE Code function: 0_2_00401080 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError, 0_2_00401080
Source: C:\Users\user\Desktop\PSKILL.EXE Code function: CreateServiceA,CloseServiceHandle, 0_2_00401D40
Source: C:\Users\user\Desktop\PSKILL.EXE Code function: 0_2_00401350 FindResourceA,LoadResource,SizeofResource,LockResource, 0_2_00401350
Source: C:\Users\user\Desktop\PSKILL.EXE Code function: 0_2_00401D80 GetTickCount,GetTickCount,CloseServiceHandle,OpenServiceA,GetLastError,StartServiceA,GetLastError,QueryServiceStatus,QueryServiceStatus,GetTickCount,SetLastError,GetLastError,CloseServiceHandle,SetLastError, 0_2_00401D80
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: PSKILL.EXE Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PSKILL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PSKILL.EXE ReversingLabs: Detection: 24%
Source: PSKILL.EXE String found in binary or memory: %s -install to install the service
Source: unknown Process created: C:\Users\user\Desktop\PSKILL.EXE "C:\Users\user\Desktop\PSKILL.EXE"
Source: C:\Users\user\Desktop\PSKILL.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PSKILL.EXE Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PSKILL.EXE Section loaded: mpr.dll Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PSKILL.EXE Code function: 0_2_00405FB0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00405FB0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PSKILL.EXE Code function: 0_2_00405AB0 push eax; ret 0_2_00405ADE
Source: C:\Users\user\Desktop\PSKILL.EXE Code function: 0_2_00401D80 GetTickCount,GetTickCount,CloseServiceHandle,OpenServiceA,GetLastError,StartServiceA,GetLastError,QueryServiceStatus,QueryServiceStatus,GetTickCount,SetLastError,GetLastError,CloseServiceHandle,SetLastError, 0_2_00401D80
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\PSKILL.EXE API coverage: 7.7 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\PSKILL.EXE API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PSKILL.EXE Code function: 0_2_00405FB0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00405FB0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\PSKILL.EXE Code function: 0_2_00402678 EntryPoint,GetVersion,GetCommandLineA, 0_2_00402678

No Screenshots

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1559468 Sample: PSKILL.EXE Startdate: 20/11/2024 Architecture: WINDOWS Score: 48 10 Multi AV Scanner detection for submitted file 2->10 6 PSKILL.EXE 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
No contacted IP infos