Windows Analysis Report
gta_sa.exe

Overview

General Information

Sample name: gta_sa.exe
Analysis ID: 1559582
MD5: e7697a085336f974a4a6102a51223960
SHA1: 0df50d56ef9e304c8d59366afa9aa5c71159261d
SHA256: 8c609f108ad737deffbd0d17c702f5974d290c4379de742277b809f80350da1c
Tags: exegtasanandreassinvirususer-tuinsi

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

PE file has a writeable .text section
Creates a DirectInput object (often for capturing keystrokes)
Entry point lies outside standard sections
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Source: gta_sa.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: x:\SA_PC_SRC (pcv110 - final)\gta_source\MSVC PC files\D3D9 Final\gta_sa.pdbWINMM.dll source: gta_sa.exe
Source: Binary string: x:\SA_PC_SRC (pcv110 - final)\gta_source\MSVC PC files\D3D9 Final\gta_sa.pdb source: gta_sa.exe
Source: gta_sa.exe String found in binary or memory: http://www.rockstargames.com
Source: gta_sa.exe String found in binary or memory: http://www.rockstargames.com/sanandreas
Source: gta_sa.exe String found in binary or memory: http://www.rockstarnorth.com
Source: gta_sa.exe, 00000000.00000000.1705095651.0000000000858000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Please check you have installed Direct X 9 correctly : Couldn't DirectDrawCreateEx memstr_68087084-d

System Summary

Source: gta_sa.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: gta_sa.exe Static PE information: Number of sections : 11 > 10
Source: gta_sa.exe, 00000000.00000000.1705376592.0000000001480000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesony_ssm.sysD vs gta_sa.exe
Source: gta_sa.exe, 00000000.00000000.1705376592.0000000001480000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs gta_sa.exe
Source: gta_sa.exe, 00000000.00000000.1705376592.0000000001480000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesony_ssm.vxd?+LegalCopyrightCopyright (C) 2004/05 Sony DADC Austria AG vs gta_sa.exe
Source: gta_sa.exe, 00000000.00000000.1705376592.0000000001480000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCmdLineExt.dll, vs gta_sa.exe
Source: gta_sa.exe, 00000000.00000000.1705376592.0000000001480000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUAService7.exeD vs gta_sa.exe
Source: gta_sa.exe, 00000000.00000002.2962479592.0000000001456000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSecuExp.exeD vs gta_sa.exe
Source: gta_sa.exe Binary or memory string: OriginalFilenameSecuExp.exeD vs gta_sa.exe
Source: gta_sa.exe Binary or memory string: OriginalFilenamesony_ssm.sysD vs gta_sa.exe
Source: gta_sa.exe Binary or memory string: OriginalFilename vs gta_sa.exe
Source: gta_sa.exe Binary or memory string: OriginalFilenamesony_ssm.vxd?+LegalCopyrightCopyright (C) 2004/05 Sony DADC Austria AG vs gta_sa.exe
Source: gta_sa.exe Binary or memory string: OriginalFilenameCmdLineExt.dll, vs gta_sa.exe
Source: gta_sa.exe Binary or memory string: OriginalFilenameUAService7.exeD vs gta_sa.exe
Source: gta_sa.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: gta_sa.exe Binary string: @B\Device\sony_ssm.sys\DosDevices\sony_ssm.sys`
Source: classification engine Classification label: sus23.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\gta_sa.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: gta_sa.exe String found in binary or memory: %s -install to install the service
Source: gta_sa.exe String found in binary or memory: UserAccess7%s -install to install the service
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: acspecfc.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: mscms.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: ddraw.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: dciman32.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: vorbisfile.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: eax.dll
Source: C:\Users\user\Desktop\gta_sa.exe Section loaded: version.dll
Source: gta_sa.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: gta_sa.exe Static file information: File size 14405632 > 1048576
Source: gta_sa.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x456000
Source: gta_sa.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x64a000
Source: gta_sa.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x255000
Source: gta_sa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: x:\SA_PC_SRC (pcv110 - final)\gta_source\MSVC PC files\D3D9 Final\gta_sa.pdbWINMM.dll source: gta_sa.exe
Source: Binary string: x:\SA_PC_SRC (pcv110 - final)\gta_source\MSVC PC files\D3D9 Final\gta_sa.pdb source: gta_sa.exe
Source: initial sample Static PE information: section where entry point is pointing to: .init
Source: gta_sa.exe Static PE information: section name: _rwcseg
Source: gta_sa.exe Static PE information: section name: _TEXT_HA
Source: gta_sa.exe Static PE information: section name: _rwdseg
Source: gta_sa.exe Static PE information: section name: .init
Source: gta_sa.exe Static PE information: section name: .securom
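The static signatures listed above (writeable .text, 11 sections, non-standard section names, entry point in .init) and the file-header flags reported under Classification are all header-only heuristics that can be reproduced without running the sample. The following is an added example, not part of the sandbox report: a standard-library PE header parser that applies those checks to a constructed PE32 header built to mirror the report's findings. The section addresses and sizes in the sample are made up, and the STANDARD_SECTIONS list is an assumption, since the exact list the sandbox uses is not published. Taken together with the .securom section and the Sony DADC copyright string in the version info, an RWX code section and an entry point in a non-standard section are what a commercial copy-protection wrapper looks like, which is consistent with the report stopping at "sus23"; the same pattern in a binary with no such provenance would deserve a much closer look.

```python
"""Reproduce the report's static PE signatures using only the standard library.
Added example (not from the sandbox report); the header built below is constructed."""
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000   # winnt.h section flags
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
FILE_CHARACTERISTICS = {  # IMAGE_FILE_HEADER.Characteristics bits, in the report's order
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
# Names a stock linker emits; the sandbox's own list is not public, so this is an assumption.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".crt"}
MAX_NORMAL_SECTIONS = 10  # the report's "11 > 10" threshold

def parse_pe(data):
    """Return (Characteristics, AddressOfEntryPoint, [(name, va, vsize, rawsize, flags)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                           # IMAGE_OPTIONAL_HEADER; entry RVA at +16
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + opt_size      # section table, 40 bytes per entry
    for _ in range(nsec):
        name, vsize, va, raw, _, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, raw, flags))
        off += 40
    return chars, entry_rva, sections

def section_for_rva(rva, sections):
    for name, va, vsize, raw, _ in sections:
        if va <= rva < va + max(vsize, raw):
            return name
    return None

def static_checks(data):
    """Run the report's static signatures; returns (flag names, entry section, findings)."""
    chars, entry_rva, sections = parse_pe(data)
    flags = [n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit]
    findings = []
    for name, _, _, _, f in sections:
        if f & IMAGE_SCN_MEM_WRITE and f & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append(f"writeable code section: {name}")   # RWX: self-modifying/unpacking
        if name.lower() not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name}")
    if len(sections) > MAX_NORMAL_SECTIONS:
        findings.append(f"more sections than normal: {len(sections)} > {MAX_NORMAL_SECTIONS}")
    ep = section_for_rva(entry_rva, sections)
    if ep is None:
        findings.append(f"entry point 0x{entry_rva:x} maps to no section")
    elif ep.lower() not in STANDARD_SECTIONS:
        findings.append(f"entry point lies outside standard sections: {ep}")
    return flags, ep, findings

def build_pe(sections, entry_rva, characteristics):
    """Constructed minimal PE32 header (headers only, no code) so the demo runs offline."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)                                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, 0, 0, 0, 0, 0, fl)
                     for n, va, vs, rs, fl in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table

RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed section table (name, VirtualAddress, VirtualSize, SizeOfRawData, flags) echoing the report.
SAMPLE_SECTIONS = [
    (".text",    0x001000, 0x456000, 0x456000, RX | IMAGE_SCN_MEM_WRITE),  # RWX, as reported
    (".rdata",   0x457000, 0x010000, 0x010000, IMAGE_SCN_MEM_READ),
    (".data",    0x467000, 0x255000, 0x255000, RW),
    (".idata",   0x6BC000, 0x001000, 0x001000, RW),
    (".rsrc",    0x6BD000, 0x001000, 0x001000, IMAGE_SCN_MEM_READ),
    ("_rwcseg",  0x6BE000, 0x001000, 0x001000, RX),
    ("_TEXT_HA", 0x6BF000, 0x001000, 0x001000, RX),
    ("_rwdseg",  0x6C0000, 0x001000, 0x001000, RW),
    (".init",    0x6C1000, 0x001000, 0x001000, RX),   # holds the entry point
    (".securom", 0x6C2000, 0x001000, 0x001000, RX),
    (".tls",     0x6C3000, 0x001000, 0x001000, RW),
]
SAMPLE_ENTRY_RVA = 0x6C1100
SAMPLE_CHARACTERISTICS = 0x010F  # RELOCS_STRIPPED|EXECUTABLE|LINE_NUMS|LOCAL_SYMS|32BIT

def analyze_sample():
    return static_checks(build_pe(SAMPLE_SECTIONS, SAMPLE_ENTRY_RVA, SAMPLE_CHARACTERISTICS))

if __name__ == "__main__":
    flags, ep, findings = analyze_sample()
    print("Characteristics:", ", ".join(flags))
    print("Entry point section:", ep)
    for f in findings:
        print(" -", f)
```

To run the same checks against a real file, pass `open(path, "rb").read()` to `static_checks`; the parser only reads the DOS stub pointer, file header, entry RVA and section table, so it works on any PE32 or PE32+ image. Note that `section_for_rva` uses the larger of VirtualSize and SizeOfRawData, which is what matters for an entry point placed in a section whose raw data is smaller than its mapped size.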
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: gta_sa.exe Binary or memory string: 7HGfSV/(jH`qq
No contacted IP infos