Edit tour
Windows
Analysis Report
NgenTool.exe
Overview
General Information
| Sample name: | NgenTool.exe |
| Analysis ID: | 1523267 |
| MD5: | 28c81359da168d5f0fd071abc2651dec |
| SHA1: | 15b69391fa49a2684eed322eab04017a8bfe440a |
| SHA256: | 8059e259a6744f78dd41ad5854522c8e5f7ae61940d9187f95fa3e4f7af5f5a6 |
| Infos: | |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
NgenTool.exe (PID: 1984 cmdline: "C:\Users\ user\Deskt op\NgenToo l.exe" MD5: 28C81359DA168D5F0FD071ABC2651DEC) 
conhost.exe (PID: 3868 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_001A1000 | |
| Source: | Code function: | 0_2_001A54C2 | |
| Source: | Code function: | 0_2_001A1100 | |
| Source: | Code function: | 0_2_001AB255 | |
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_001A20A9 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_001A1000 | |
| Source: | Code function: | 0_2_001A54C2 | |
| Source: | Code function: | 0_2_001A485C | |
| Source: | Code function: | 0_2_001A3DF1 | |
| Source: | Code function: | 0_2_001A7649 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_001A485C | |
| Source: | Code function: | 0_2_001A1944 | |
| Source: | Code function: | 0_2_001A1E3F | |
| Source: | Code function: | 0_2_001A1F9E | |
| Source: | Code function: | 0_2_001A21C2 | |
| Source: | Code function: | 0_2_001A1D24 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 12 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 2% | ReversingLabs | |||
| 7% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1523267 |
| Start date and time: | 2024-10-01 11:38:38 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 36s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 2 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | NgenTool.exe |
| Detection: | MAL |
| Classification: | mal48.winEXE@2/0@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Not all processes where analyzed, report is missing behavior information
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.305161796001363 |
| TrID: |
|
| File name: | NgenTool.exe |
| File size: | 80'384 bytes |
| MD5: | 28c81359da168d5f0fd071abc2651dec |
| SHA1: | 15b69391fa49a2684eed322eab04017a8bfe440a |
| SHA256: | 8059e259a6744f78dd41ad5854522c8e5f7ae61940d9187f95fa3e4f7af5f5a6 |
| SHA512: | 6c995151203a882b31b4cadd284d61d648d90e6c2da27004b270a3e98967f3ff9fa40cda1278ea470e60b8b8b1090dba1c0034635eab508a70f18f30c2ede9e4 |
| SSDEEP: | 1536:bRAMkGk50LRVxXoCmNB80YKJiyRdq4fal+mqEjsY/R4IsWMcdQATD/Yptn/7:O5KxXoC8b1gyRda+4jsWFQATD/Ypt/7 |
| TLSH: | 37734A03B5D19471E47359325870C9B19A2EF9214F60DEAB6798173E4F380D09A3AEBB |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P.A`../3../3../3.M.3../3.M.3m./3.M.3../3/.,2../3/.*27./3/.+2../3...3../3...3K./3..&2../3../2../3...3../3..-2../3Rich../3....... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x40193a |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5BEB7FC3 [Wed Nov 14 01:52:03 2018 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 11b54a0dfe1242390c8cbbe62ba9ee15 |
| Instruction |
|---|
| call 00007F15DD15CD4Ah |
| jmp 00007F15DD15C7ECh |
| push ebp |
| mov ebp, esp |
| push 00000000h |
| call dword ptr [0040D048h] |
| push dword ptr [ebp+08h] |
| call dword ptr [0040D044h] |
| push C0000409h |
| call dword ptr [0040D010h] |
| push eax |
| call dword ptr [0040D04Ch] |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 00000324h |
| push 00000017h |
| call 00007F15DD166805h |
| test eax, eax |
| je 00007F15DD15C967h |
| push 00000002h |
| pop ecx |
| int 29h |
| mov dword ptr [004138E8h], eax |
| mov dword ptr [004138E4h], ecx |
| mov dword ptr [004138E0h], edx |
| mov dword ptr [004138DCh], ebx |
| mov dword ptr [004138D8h], esi |
| mov dword ptr [004138D4h], edi |
| mov word ptr [00413900h], ss |
| mov word ptr [004138F4h], cs |
| mov word ptr [004138D0h], ds |
| mov word ptr [004138CCh], es |
| mov word ptr [004138C8h], fs |
| mov word ptr [004138C4h], gs |
| pushfd |
| pop dword ptr [004138F8h] |
| mov eax, dword ptr [ebp+00h] |
| mov dword ptr [004138ECh], eax |
| mov eax, dword ptr [ebp+04h] |
| mov dword ptr [004138F0h], eax |
| lea eax, dword ptr [ebp+08h] |
| mov dword ptr [004138FCh], eax |
| mov eax, dword ptr [ebp-00000324h] |
| mov dword ptr [00413838h], 00010001h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x12580 | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x125e4 | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x1e8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x17000 | 0xecc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11c00 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11c70 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x13c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xbb17 | 0xbc00 | 39a6bb936b987204b6719f14eae321e1 | False | 0.5854180518617021 | data | 6.628609223744442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xd000 | 0x5d26 | 0x5e00 | b6f708ff8b0919be45fc54fcb87b990e | False | 0.42137632978723405 | data | 4.874557617214814 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x13000 | 0x1308 | 0x800 | ccad542ebfe74a9ed27efa01de45c1a2 | False | 0.1962890625 | data | 2.3897071320344967 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .gfids | 0x15000 | 0xdc | 0x200 | a70d99d6c2640540375a7055666b462f | False | 0.31640625 | data | 1.6486420276660951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x16000 | 0x1e8 | 0x200 | 67d99a0fbaad406a6bdc2924a81afdac | False | 0.537109375 | data | 4.7605137014493595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x17000 | 0xecc | 0x1000 | b2bb5bec1555864a927bf74a15798777 | False | 0.768310546875 | data | 6.339476613310989 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x16060 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143 |
| DLL | Import |
|---|---|
| SHLWAPI.dll | PathFileExistsW |
| KERNEL32.dll | GetCurrentProcess, GetEnvironmentVariableW, FindClose, WaitForSingleObject, FindNextFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateProcessW, IsWow64Process, FindFirstFileW, DecodePointer, CloseHandle, GetModuleFileNameW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetACP, HeapFree, HeapAlloc, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, CompareStringW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW |
| ADVAPI32.dll | RegOpenKeyExW, RegQueryValueExW, RegCloseKey |
| Name | Ordinal | Address |
|---|---|---|
| _Install@4 | 1 | 0x401670 |
| _UnInstall@4 | 2 | 0x401690 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 05:39:27 |
| Start date: | 01/10/2024 |
| Path: | C:\Users\user\Desktop\NgenTool.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1a0000 |
| File size: | 80'384 bytes |
| MD5 hash: | 28C81359DA168D5F0FD071ABC2651DEC |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 05:39:27 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 3.3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 5% |
| Total number of Nodes: | 1672 |
| Total number of Limit Nodes: | 19 |
Graph
Function 001A1100 Relevance: 45.9, APIs: 16, Strings: 10, Instructions: 363registryprocesssynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A6548 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A6CF9 Relevance: 3.1, APIs: 2, Instructions: 67COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A64AC Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A1F9E Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A7649 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A860F Relevance: 12.2, APIs: 8, Instructions: 216COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A91C8 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A3E32 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A7123 Relevance: 7.6, APIs: 5, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A170D Relevance: 6.1, APIs: 4, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A27C6 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|