Xcitium Cloud Verdict

Packer

The executable is compressed using UPX Show sources

packer_section

name: UPX0, entropy: 6.56, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00046000, virtual_size: 0x00046000

Information Discovery

Expresses interest in specific running processes Show sources

api_process_name

winlogon.exe

Reads data out of its own binary image Show sources

api_process_name	process: f2c7dbed7119e7c49e43bbc00bcfa56ddd091a2b.exe, pid: 2300, offset: 0x00000000, length: 0x0000f000
api_process_name	process: f2c7dbed7119e7c49e43bbc00bcfa56ddd091a2b.exe, pid: 2300, offset: 0x00000000, length: 0x00098f16
api_process_name	process: f2c7dbed7119e7c49e43bbc00bcfa56ddd091a2b.exe, pid: 2300, offset: 0x0000f000, length: 0x00089f16

Static Anomaly

Anomalous binary characteristics Show sources

static_pe_timestamp

Timestamp on binary predates the release date of the OS version it requires by at least a year

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Executed a process and injected code into it, probably while unpacking Show sources

code_injection

pqqrstu.exe(2520) -> None(2576)

Data Obfuscation

Unconventionial binary language: Chinese (Simplified)

File Name: virussign.com_754ab92ada89fdd88a100e5dd854dcb0.exe

File Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed

SHA1: f2c7dbed7119e7c49e43bbc00bcfa56ddd091a2b

MD5: 754ab92ada89fdd88a100e5dd854dcb0