Windows
Analysis Report
petst.exe
Overview
General Information
Detection
Score: 38
Range: 0 - 100
Whitelisted: false
Confidence: 40%
Signatures
Queries disk data (e.g. SMART data)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive port information (via WMI, Win32_SerialPort, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Classification
- System is w10x64native
- petst.exe (PID: 4572, cmdline: "C:\Users\user\Desktop\petst.exe", MD5: 2ED275F10D8631382B8339E77E686261)
- petst.tmp (PID: 7140, cmdline: "C:\Users\user\AppData\Local\Temp\is-8M1N8.tmp\petst.tmp" /SL5="$103CA,82096316,744960,C:\Users\user\Desktop\petst.exe", MD5: AB942603C465178E12D15C75401CD965)
- _setup64.tmp (PID: 1920, cmdline: helper 105 0x4D8, MD5: E4211D6D009757C078A9FAC7FF4F03D4)
- conhost.exe (PID: 6360, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- PerformanceTest64.exe (PID: 5164, cmdline: "C:\Program Files\PerformanceTest\PerformanceTest64.exe" /len, MD5: EBE5F6D02582E010284354194E233C3C)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Source: Static PE information:
Source: Window detected: