Windows
Analysis Report
NgenTool.exe
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- NgenTool.exe (PID: 1984, cmdline: "C:\Users\user\Desktop\NgenTool.exe", MD5: 28C81359DA168D5F0FD071ABC2651DEC)
  - conhost.exe (PID: 3868, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Signatures by source (descriptions not shown)

Source type | Hits | Details
---|---|---
Virustotal | 2 | AV detection lookup (see the scanner table below)
Static PE information | 17 | header, import and section heuristics
Binary string | 2 | strings found in the image
Classification label | 1 | mal48.winEXE@2/0@0/0
Mutant created | 1 |
Key opened | 1 | registry access at runtime
Process created | 2 | NgenTool.exe, conhost.exe
Section loaded | 2 |
Thread injection, dropped files, key value created, disk infection and DNS query | 2 | behaviour summary
Code function | 16 | 0_2_001A1000, 0_2_001A1100, 0_2_001A1944, 0_2_001A1D24, 0_2_001A1E3F, 0_2_001A1F9E, 0_2_001A20A9, 0_2_001A21C2, 0_2_001A3DF1, 0_2_001A485C, 0_2_001A54C2, 0_2_001A7649, 0_2_001AB255 (001A1000, 001A485C and 001A54C2 are flagged twice)
MITRE ATT&CK techniques matched (the number is the count of matching signatures; tactics and techniques without a hit are omitted):

Tactic | Technique | Signatures
---|---|---
Persistence | DLL Side-Loading | 1
Privilege Escalation | Process Injection | 1
Privilege Escalation | DLL Side-Loading | 1
Defense Evasion | Process Injection | 1
Defense Evasion | DLL Side-Loading | 1
Defense Evasion | Obfuscated Files or Information | 1
Discovery | System Time Discovery | 1
Discovery | Security Software Discovery | 2
Discovery | File and Directory Discovery | 1
Discovery | System Information Discovery | 12
Collection | Archive Collected Data | 1
Command and Control | Encrypted Channel | 1

These are static code heuristics rather than observed runtime behaviour: the analysis saw no injected processes, the classification label records 0 dropped files and 0 contacted domains or IPs, and the import table contains no networking APIs. The hits consistent with what actually ran are the Discovery entries (registry reads, directory enumeration, IsWow64Process) and the process creation.
Scanner | Detection | Label
---|---|---
ReversingLabs | 2% |
Virustotal | 7% |

Neither scanner attached a family label; the score of 48 comes from the heuristic signatures above, not from AV consensus.
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1523267 |
Start date and time: | 2024-10-01 11:38:38 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 36s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | NgenTool.exe |
Detection: | MAL |
Classification: | mal48.winEXE@2/0@0/0 (score 48, Windows EXE; 2 processes, 0 dropped files, 0 contacted domains, 0 contacted IPs) |
Cookbook Comments: | Not all processes were analyzed; the report is missing behavior information |
Entropy (8bit): | 6.305161796001363 |
File name: | NgenTool.exe |
File size: | 80'384 bytes |
MD5: | 28c81359da168d5f0fd071abc2651dec |
SHA1: | 15b69391fa49a2684eed322eab04017a8bfe440a |
SHA256: | 8059e259a6744f78dd41ad5854522c8e5f7ae61940d9187f95fa3e4f7af5f5a6 |
SHA512: | 6c995151203a882b31b4cadd284d61d648d90e6c2da27004b270a3e98967f3ff9fa40cda1278ea470e60b8b8b1090dba1c0034635eab508a70f18f30c2ede9e4 |
SSDEEP: | 1536:bRAMkGk50LRVxXoCmNB80YKJiyRdq4fal+mqEjsY/R4IsWMcdQATD/Yptn/7:O5KxXoC8b1gyRda+4jsWFQATD/Ypt/7 |
TLSH: | 37734A03B5D19471E47359325870C9B19A2EF9214F60DEAB6798173E4F380D09A3AEBB |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P.A`../3../3../3.M.3../3.M.3m./3.M.3../3/.,2../3/.*27./3/.+2../3...3../3...3K./3..&2../3../2../3...3../3..-2../3Rich../3....... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x40193a |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5BEB7FC3 [Wed Nov 14 01:52:03 2018 UTC] |
TLS Callbacks: | none (the TLS data directory is empty) |
CLR (.Net) Version: | none (native code; the COM descriptor directory is empty) |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 11b54a0dfe1242390c8cbbe62ba9ee15 |
Entrypoint disassembly (0x40193a in .text). The listing is the standard MSVC CRT start-up and security-failure path and is compiler-generated, not sample-specific: the entry stub calls __security_init_cookie and jumps to __scrt_common_main_seh; the next routine is the /GS failure reporter (SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter, GetCurrentProcess, then TerminateProcess with STATUS_STACK_BUFFER_OVERRUN, 0xC0000409); the third block is __report_gsfailure, which raises int 29h (__fastfail with code 2, FAST_FAIL_STACK_COOKIE_CHECK_FAILURE) when IsProcessorFeaturePresent(PF_FASTFAIL_AVAILABLE = 0x17) succeeds and otherwise snapshots the registers into a CONTEXT record whose ContextFlags are set to 0x10001 (CONTEXT_CONTROL). The indirect calls go through IAT slots in .rdata (IAT directory at 0xd000).

Instruction |
---|
call 00007F15DD15CD4Ah |
jmp 00007F15DD15C7ECh |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [0040D048h] |
push dword ptr [ebp+08h] |
call dword ptr [0040D044h] |
push C0000409h |
call dword ptr [0040D010h] |
push eax |
call dword ptr [0040D04Ch] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call 00007F15DD166805h |
test eax, eax |
je 00007F15DD15C967h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [004138E8h], eax |
mov dword ptr [004138E4h], ecx |
mov dword ptr [004138E0h], edx |
mov dword ptr [004138DCh], ebx |
mov dword ptr [004138D8h], esi |
mov dword ptr [004138D4h], edi |
mov word ptr [00413900h], ss |
mov word ptr [004138F4h], cs |
mov word ptr [004138D0h], ds |
mov word ptr [004138CCh], es |
mov word ptr [004138C8h], fs |
mov word ptr [004138C4h], gs |
pushfd |
pop dword ptr [004138F8h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [004138ECh], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [004138F0h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [004138FCh], eax |
mov eax, dword ptr [ebp-00000324h] |
mov dword ptr [00413838h], 00010001h |
Programming Language: | C, C++ or other language |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x12580 | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x125e4 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x1e8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x17000 | 0xecc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11c00 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11c70 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x13c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xbb17 | 0xbc00 | 39a6bb936b987204b6719f14eae321e1 | False | 0.5854180518617021 | data | 6.628609223744442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xd000 | 0x5d26 | 0x5e00 | b6f708ff8b0919be45fc54fcb87b990e | False | 0.42137632978723405 | data | 4.874557617214814 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x13000 | 0x1308 | 0x800 | ccad542ebfe74a9ed27efa01de45c1a2 | False | 0.1962890625 | data | 2.3897071320344967 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.gfids | 0x15000 | 0xdc | 0x200 | a70d99d6c2640540375a7055666b462f | False | 0.31640625 | data | 1.6486420276660951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x16000 | 0x1e8 | 0x200 | 67d99a0fbaad406a6bdc2924a81afdac | False | 0.537109375 | data | 4.7605137014493595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x17000 | 0xecc | 0x1000 | b2bb5bec1555864a927bf74a15798777 | False | 0.768310546875 | data | 6.339476613310989 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
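The Entropy and ZLIB Complexity columns above are the first packer check a triager makes: MSVC-compiled code normally lands around 6 to 6.8 bits per byte (.text here is 6.63, the whole file 6.31), whereas packed or encrypted sections typically exceed about 7.2 and also compress poorly. The script below is an added example, not code from the report or from Joe Sandbox; it recomputes both metrics and applies that rule of thumb to constructed sample sections. The 7.2 threshold is a heuristic, and ZLIB Complexity is assumed here to mean compressed size divided by raw size, which the report does not define.

```python
"""Section entropy / zlib-complexity triage (added example, not from the report)."""
import hashlib
import math
import zlib
from collections import Counter

# IMAGE_SCN_* characteristics bits used below
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

PACKED_ENTROPY_THRESHOLD = 7.2  # rule of thumb, not a hard limit


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Assumed definition of the report's metric: compressed size / raw size.
    Near 0 for repetitive data, near (or above) 1.0 for random-looking data."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def classify_section(name: str, data: bytes, characteristics: int) -> dict:
    """Compute the two metrics and flag what a triager would look at first."""
    entropy = shannon_entropy(data)
    flags = []
    executable = bool(characteristics & IMAGE_SCN_MEM_EXECUTE)
    writable = bool(characteristics & IMAGE_SCN_MEM_WRITE)
    if executable and entropy >= PACKED_ENTROPY_THRESHOLD:
        flags.append("high-entropy executable section (packed or encrypted code?)")
    if executable and writable:
        flags.append("writable and executable (unpacking stub or self-modifying code?)")
    return {
        "name": name,
        "size": len(data),
        "entropy": round(entropy, 3),
        "zlib_complexity": round(zlib_complexity(data), 3),
        "flags": flags,
    }


def pseudo_random(n: int, seed: bytes = b"ngentool-example") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) so the script runs offline."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample sections: (name, bytes, characteristics). Not bytes from NgenTool.exe.
SAMPLE_SECTIONS = [
    # repetitive x86 prologue bytes plus some data: looks like ordinary compiled code
    (".text", b"\x55\x8b\xec\x83\xec\x24\x56\x57\xe8" * 300 + pseudo_random(1200), 0x60000020),
    # zero-initialised data: entropy 0, compresses to almost nothing
    (".data", b"\x00" * 2048, 0xC0000040),
    # random-looking, writable and executable: what a packed section looks like
    (".upx1", pseudo_random(4096), 0xE0000040),
]


def section_report(sections=SAMPLE_SECTIONS) -> list:
    return [classify_section(name, data, chars) for name, data, chars in sections]


if __name__ == "__main__":
    for row in section_report():
        print(f"{row['name']:<8} size={row['size']:<6} entropy={row['entropy']:<6} "
              f"zlib={row['zlib_complexity']:<6} {'; '.join(row['flags'])}")
```

To run this against a real binary, feed `classify_section` the section name, `get_data()` bytes and `Characteristics` from a PE parser such as pefile; the constructed `.upx1` section shows the two flags a packer usually trips at once, while the report's own sections (all below 7, none writable and executable) trip neither.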
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x16060 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143 |
DLL | Import |
---|---|
SHLWAPI.dll | PathFileExistsW |
KERNEL32.dll | GetCurrentProcess, GetEnvironmentVariableW, FindClose, WaitForSingleObject, FindNextFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateProcessW, IsWow64Process, FindFirstFileW, DecodePointer, CloseHandle, GetModuleFileNameW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetACP, HeapFree, HeapAlloc, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, CompareStringW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW |
ADVAPI32.dll | RegOpenKeyExW, RegQueryValueExW, RegCloseKey |
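The Import Hash value is the MD5 over the ordered, lower-cased `dll.function` import list, the pefile/Mandiant imphash used to pivot between builds that share a source tree and compiler. The script below is an added example, not code from the report; it recomputes the hash from the import table above as transcribed. It reproduces the reported 11b54a0dfe1242390c8cbbe62ba9ee15 only if the table preserves the import-directory order, which is why the comparison is printed rather than assumed. The `imphash_from_file` helper and the third-party `pefile` package are not part of the report.

```python
"""Recompute a PE import hash (imphash) from an import listing (added example)."""
import hashlib

# Import table transcribed from the report, in the order listed (DLL, functions).
KERNEL32_FUNCS = (
    "GetCurrentProcess, GetEnvironmentVariableW, FindClose, WaitForSingleObject, "
    "FindNextFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateProcessW, "
    "IsWow64Process, FindFirstFileW, DecodePointer, CloseHandle, GetModuleFileNameW, "
    "UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, "
    "IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, "
    "GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, "
    "GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, GetLastError, "
    "SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, "
    "InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, "
    "FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, CreateFileW, "
    "MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, "
    "GetCommandLineA, GetCommandLineW, GetACP, HeapFree, HeapAlloc, FindFirstFileExW, "
    "IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, "
    "SetEnvironmentVariableW, CompareStringW, LCMapStringW, SetStdHandle, GetFileType, "
    "GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, "
    "GetConsoleMode, SetFilePointerEx, WriteConsoleW"
).split(", ")

NGENTOOL_IMPORTS = [
    ("SHLWAPI.dll", ["PathFileExistsW"]),
    ("KERNEL32.dll", KERNEL32_FUNCS),
    ("ADVAPI32.dll", ["RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey"]),
]

REPORTED_IMPHASH = "11b54a0dfe1242390c8cbbe62ba9ee15"  # from the report's Import Hash row


def normalize_dll(name: str) -> str:
    """Lower-case the module name and drop a .dll/.ocx/.sys extension, as pefile does."""
    name = name.lower()
    base, _, ext = name.rpartition(".")
    return base if base and ext in ("dll", "ocx", "sys") else name


def imphash(imports) -> str:
    """MD5 of 'dll.func,dll.func,...' in import-directory order, all lower case.
    Ordinal-only imports (none in this sample) would need a name lookup table."""
    parts = [f"{normalize_dll(dll)}.{func.lower()}" for dll, funcs in imports for func in funcs]
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def matches_report(imports, expected: str = REPORTED_IMPHASH) -> bool:
    return imphash(imports) == expected


def imphash_from_file(path: str) -> str:
    """Same computation straight from a PE on disk; requires the third-party pefile package
    (whose own pe.get_imphash() should agree with this result)."""
    import pefile
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]])
    table = [(entry.dll.decode(), [imp.name.decode() for imp in entry.imports if imp.name])
             for entry in pe.DIRECTORY_ENTRY_IMPORT]
    return imphash(table)


if __name__ == "__main__":
    computed = imphash(NGENTOOL_IMPORTS)
    verdict = "matches" if matches_report(NGENTOOL_IMPORTS) else "differs from"
    print(f"imphash {computed} {verdict} the reported value {REPORTED_IMPHASH}")
```

Two properties matter when using this as a pivot: the hash is order-sensitive (the same APIs linked in a different order give a different imphash), and it says nothing about code, so two unrelated console tools built with the same CRT and API set can collide; treat an imphash match as a lead to confirm with the section hashes and exports, not as attribution.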
Name | Ordinal | Address |
---|---|---|
_Install@4 | 1 | 0x401670 |
_UnInstall@4 | 2 | 0x401690 |

An export table is unusual in an .exe. The decorated names are __stdcall functions taking one 4-byte argument, both in .text at the preferred image base 0x400000 (0x1A1670 and 0x1A1690 in the relocated process).
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 05:39:27 |
Start date: | 01/10/2024 |
Path: | C:\Users\user\Desktop\NgenTool.exe |
Wow64 process (32bit): | true |
Commandline: | "C:\Users\user\Desktop\NgenTool.exe" |
Imagebase: | 0x1a0000 (relocated by ASLR from the preferred 0x400000; DYNAMIC_BASE is set, and .reloc is present) |
File size: | 80'384 bytes |
MD5 hash: | 28C81359DA168D5F0FD071ABC2651DEC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 05:39:27 |
Start date: | 01/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 3.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 5% |
Total number of Nodes: | 1672 |
Total number of Limit Nodes: | 19 |

Functions (runtime addresses in the relocated image, base 0x1a0000; subtract 0x1a0000 for the RVA or add 0x260000 for the address at the preferred base, so 001A1100 is 0x401100 on disk):

Function | Relevance | APIs | Strings | Instructions | Tags
---|---|---|---|---|---
001A1100 | 45.9 | 16 | 10 | 363 | registry, process, synchronization, COMMON
001A6548 | 6.1 | 4 | - | 52 | library, COMMONLIBRARYCODE
001A6CF9 | 3.1 | 2 | - | 67 | COMMON
001A64AC | 3.1 | 2 | - | 65 | library, loader, COMMONLIBRARYCODE
001A1F9E | 1.5 | 1 | - | 3 | COMMON
001A7649 | 1.3 | 1 | - | 5 | memory, COMMON
001A860F | 12.2 | 8 | - | 216 | COMMON
001A91C8 | 10.7 | 7 | - | 152 | file, COMMON
001A3E32 | 8.8 | 3 | 2 | 38 | library, loader, COMMONLIBRARYCODE
001A7123 | 7.6 | 5 | - | 110 | COMMON
001A170D | 6.1 | 4 | - | 54 | COMMON
001A27C6 | 6.0 | 4 | - | 14 | COMMON