Windows Analysis Report
NgenTool.exe

Overview

General Information

Sample name: NgenTool.exe
Analysis ID: 1523267
MD5: 28c81359da168d5f0fd071abc2651dec
SHA1: 15b69391fa49a2684eed322eab04017a8bfe440a
SHA256: 8059e259a6744f78dd41ad5854522c8e5f7ae61940d9187f95fa3e4f7af5f5a6

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: NgenTool.exe Virustotal: Detection: 7%
Source: NgenTool.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: NgenTool.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: G:\Projects\Git\SLSII_v4.2\Installer\NgenTool\Release\NgenTool.pdb source: NgenTool.exe
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001A1000 FindFirstFileW,_wcsstr,FindNextFileW,FindClose, 0_2_001A1000
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001A54C2 FindFirstFileExW, 0_2_001A54C2
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001A1100 0_2_001A1100
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001AB255 0_2_001AB255
Source: classification engine Classification label: mal48.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_03
Source: NgenTool.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NgenTool.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\NgenTool.exe "C:\Users\user\Desktop\NgenTool.exe"
Source: C:\Users\user\Desktop\NgenTool.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NgenTool.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\NgenTool.exe Section loaded: kernel.appcore.dll
Source: NgenTool.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NgenTool.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NgenTool.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NgenTool.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NgenTool.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NgenTool.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: NgenTool.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NgenTool.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NgenTool.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NgenTool.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NgenTool.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001A2096 push ecx; ret 0_2_001A20A9
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001A485C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001A485C
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001A3DF1 mov eax, dword ptr fs:[00000030h] 0_2_001A3DF1
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001A7649 GetProcessHeap, 0_2_001A7649
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001A1944 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_001A1944
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001A1E3F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001A1E3F
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001A1F9E SetUnhandledExceptionFilter, 0_2_001A1F9E
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001A21C2 cpuid 0_2_001A21C2
Source: C:\Users\user\Desktop\NgenTool.exe Code function: 0_2_001A1D24 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_001A1D24
No contacted IP infos