Windows Analysis Report: msgtopstdemo.exe
Overview
General Information
Detection
Score: 5 (range 0 - 100)
Whitelisted: false
Confidence: 40%
Signatures
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- msgtopstdemo.exe (PID: 7288, cmdline: "C:\Users\user\Desktop\msgtopstdemo.exe", MD5: FA7FCCB539F58EA32E2A92A0A32AF286)
  - msgtopstdemo.tmp (PID: 7304, cmdline: "C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp" /SL5="$20450,2062666,288768,C:\Users\user\Desktop\msgtopstdemo.exe", MD5: 03B1E8078CAE9C05B81C8B8FE2A11840)
    - MsgToPst.exe (PID: 7752, cmdline: "C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe", MD5: 5F741C35077C33000CF0638178E1F070)
- cleanup
- No configs have been found
- No YARA matches
- No Sigma rule has matched
- No Suricata rule has matched