## Summary

The submitted sample #AID=196# is a 395,304-byte Windows PE x64 executable with SHA-256:

`9da5191c78e49b46e479cdfe20004a9d76ccc4a545deeb83e3c07f83db9cf736`

High-level characteristics for #AID=196#:

- Type: PE, x64.
- Entropy: moderate overall.
- Sections include `.text`, `.rdata`, `.buildid`, `.data`, `.pdata`, `.tls`, `.reloc`, plus a small overlay.
- The file contains an Authenticode PKCS7 signature block; metadata reports:
  - Subject: `NVIDIA Corporation`
  - Issuer: `DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1`
  - Validity: 2023-01-13 to 2026-01-16
- Yara/compiler/library notes:
  - `MSVC_2015_linker`
  - `Zlib`
  - `DownloadUsingWinHttp`
  - `RunShell`
- Kesakode produced `StxRATLoader` with confidence `0/100`, so this specific family attribution should not be relied upon.
- No virtual files were listed.

File carving found a tiny PNG and a PKCS7 signature/document blob inside #AID=196#; they were not behavior-relevant.

Inferred behavior: #AID=196# appears to be a downloader/loader. It creates or uses directories under user-writable locations, downloads `python3.zip` from an external domain, extracts/uses content, references `svpy.exe`, and later launches/uses `maintaindown.py`. It also performs environment checks before running the main payload path, including memory and Windows Event Log checks, consistent with anti-sandbox or anti-analysis gating.
## Key detections/IOCs

### Network IOCs

Extracted from #AID=196#:

- `https://down.temp-xy.com/update/python3.zip`
- Domain: `down.temp-xy.com`
- Parent domain: `temp-xy.com`

### File/path IOCs

Extracted from #AID=196#:

- `tmp\python3.zip`
- `python3.zip`
- `svpy.exe`
- `maintaindown.py`
- `C:\Users\Public`
- `AppData/Local`
- `LOCALAPPDATA`
- `USERPROFILE`
- `HOME`
- `XDG_DATA_HOME`

`C:\Users\Public`, `AppData/Local` and the environment-variable names are generic path-resolution strings (the Unix-style `HOME`/`XDG_DATA_HOME` alongside `LOCALAPPDATA` point to a cross-platform app-data helper compiled into the binary), so they describe where the loader stages files but are not usable as IOCs on their own. The filenames and the URL are the actionable indicators.

### Other notable strings

From #AID=196#:

- `winhttp.dll`
- `WinHttpOpen`
- `WinHttpConnect`
- `WinHttpOpenRequest`
- `WinHttpSendRequest`
- `WinHttpReceiveResponse`
- `WinHttpQueryHeaders`
- `WinHttpReadData`
- `WinHttpCloseHandle`
- `Zig WinHTTP Client`
- `cmd.exe /d /e:ON /v:OFF /c "`
- `cmd.exe`
- `error(zip): Failed to extract file: `

### Key detections

The following findings point toward malicious behavior in #AID=196#:

1. **External payload download**
   - The sample embeds and references `https://down.temp-xy.com/update/python3.zip`.
   - Code in `sub_140010791` dynamically loads `winhttp.dll` and resolves WinHTTP functions, then performs an HTTPS request.
2. **Payload staging/extraction**
   - The same function references `tmp\python3.zip`.
   - ZIP-related strings include `error(zip): Failed to extract file: ` and `ZipExtractFailed`, indicating archive handling/extraction.
3. **Execution of dropped/extracted components**
   - The sample references `svpy.exe` and `maintaindown.py`.
   - Decompiled code in `sub_140014363` uses the downloaded/extracted path and later builds child-process execution structures involving `maintaindown.py`.
   - Imports include `CreateProcessW`, and strings indicate shell/child-process functionality.
4. **Anti-analysis / sandbox gating**
   - `sub_140014363` checks system memory via `GlobalMemoryStatusEx`.
   - It opens the Windows `System` event log and checks `GetNumberOfEventLogRecords`; the execution path is gated on the event log containing at least 200 records.
   - It uses sleeps/timing logic before proceeding.
   - These checks are consistent with sandbox evasion.
5. **Suspicious signer mismatch**
   - #AID=196# is signed as `NVIDIA Corporation`, but its observed behavior downloads a Python ZIP from `down.temp-xy.com`, not an NVIDIA-controlled-looking domain.
   - A valid-looking signature alone does not make the behavior benign; it may indicate certificate abuse, signing of a malicious component, or a masqueraded sample.
   - The report records the certificate fields but not whether the Authenticode hash actually verifies against the file. A PKCS7 block can be appended to or copied into a binary without validating, so confirm it (for example with `signtool verify /pa /v`, `osslsigncode verify`, or `Get-AuthenticodeSignature`) before treating the signature as evidence of either vendor origin or certificate abuse.

## Evidence

### File structure and metadata

#AID=196# is a PE x64 executable. It has no listed virtual files.

Carved content includes:

- Small PNG at effective address 142144.
- PKCS7 document/signature at effective address 406536.

These are tool-reported addresses rather than raw file offsets, since 406536 exceeds the 395,304-byte file size.

The signature metadata in #AID=196# indicates an NVIDIA Corporation code-signing certificate. However, behavioral evidence does not align with a typical NVIDIA updater or driver component.

### Yara/anomalies

Yara matches for #AID=196# include:

- `DownloadUsingWinHttp` — can download files using the WinHTTP API.
- `RunShell` — starts a shell.
- `Zlib` — uses the zlib algorithm.
- `MSVC_2015_linker`.

The `MSVC_2015_linker` match sits oddly beside the `Zig WinHTTP Client` string and the `.buildid` section, both of which are more consistent with a Zig/LLD toolchain, so the linker match should be treated as weak evidence about how the sample was built.

Anomalies in #AID=196# include:

- `TimeDateStampInTheFuture`
- `DebugTimeDateStampInTheFuture`
- `GuiSubsystemNoWindowApi`
- `ManyHighValueImmediates`
- `ManyUniqueImmediateBytes`
- `XorInLoop`
- `SpaghettiFunction`
- `HighXrefLoopingFunction`

The timestamp anomalies and obfuscation-like code anomalies are suspicious but not decisive alone.

### Download and staging function

The most important function inspected in #AID=196# was `sub_140010791`. Evidence from decompilation and function metadata:

- It references:
  - `LOCALAPPDATA`
  - `USERPROFILE`
  - `HOME`
  - `XDG_DATA_HOME`
  - `C:\Users\Public`
  - `tmp\python3.zip`
  - `https://down.temp-xy.com/update/python3.zip`
  - `winhttp.dll`
  - WinHTTP API names
  - `Zig WinHTTP Client`
- It dynamically loads `winhttp.dll` using `LoadLibraryW`.
- It resolves:
  - `WinHttpOpen`
  - `WinHttpConnect`
  - `WinHttpOpenRequest`
  - `WinHttpSendRequest`
  - `WinHttpReceiveResponse`
  - `WinHttpQueryHeaders`
  - `WinHttpReadData`
  - `WinHttpCloseHandle`
- It checks for HTTPS and uses port `443` when the scheme is `https`.
- It downloads data in chunks using `WinHttpReadData`.
- It handles HTTP response code `200`.
- It uses local paths involving `tmp\python3.zip` and later extraction/processing routines.

This strongly supports downloader behavior.

### Main control flow / anti-analysis

The function `sub_140014363` in #AID=196# appears to be the main behavioral function called by the CRT entry routine `sub_140020fc9`. Evidence from `sub_140014363`:

- It calls `GlobalMemoryStatusEx`.
- It checks timing using sleep/time functions.
- It opens the Windows `System` event log using `OpenEventLogW`.
- It calls `GetNumberOfEventLogRecords`.
- If the System event log has fewer than 200 records, it exits/avoids the main payload path.
- If the checks pass, it calls `sub_140010791`, the downloader/stager.
- It later references `maintaindown.py`.
- It constructs child-process execution structures and uses process-management APIs including `WaitForMultipleObjects`, `TerminateProcess`, and cancellation/IO-handling functions.

The event log and memory checks are typical of sandbox detection, where fresh analysis VMs often have low event-log counts. Any detonation environment for this sample therefore needs a System log holding at least 200 records and enough RAM to pass the `GlobalMemoryStatusEx` check (the memory threshold was not recorded), or the downloader path will never be reached and dynamic analysis will show only the gate.

### Payload names

A small helper function in #AID=196#, `sub_14000e56c`, constructs a path using the hardcoded filename:

- `svpy.exe`

The main function later references:

- `maintaindown.py`

Together with the downloaded `python3.zip`, this suggests #AID=196# downloads or prepares a Python runtime/environment and launches a Python script using a bundled or extracted executable.

### Sub-files

No relevant embedded executable or script sub-file was exposed as a virtual file for #AID=196#.
The only carved items were a small PNG and a PKCS7 signature block; neither was analyzed further because the suspicious behavior is in the main PE code of #AID=196#.

## Verdict

**Final verdict: Malicious / downloader-loader.**

Confidence: **90/100**

Rationale: #AID=196# contains clear downloader logic, dynamically resolves WinHTTP APIs, downloads `python3.zip` from a non-vendor external domain, stages it as `tmp\python3.zip`, references extracted/secondary components `svpy.exe` and `maintaindown.py`, and includes sandbox-evasion style checks involving memory, timing, and Windows Event Log record counts. The NVIDIA signature is a counterargument but does not outweigh the observed suspicious behavior and mismatch with the external infrastructure.
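As an added example (not tooling from the original analysis), the following Python script performs the two static checks a triage workflow would run over a sample like this one: it parses the PE headers to report the fields behind the anomalies above (link timestamp versus current time, subsystem, and whether a certificate table is attached) and scans the file for the report's IOC strings in both ASCII and UTF-16LE. The IOC list is copied from this report; the header offsets follow the PE/COFF specification; `make_fake_pe()` builds a constructed PE32+ image so the script runs offline without the real sample. A populated certificate table only means a PKCS7 blob is attached, which is why the flag is named `pkcs7_present_unverified`: validity still has to be established with `signtool`, `osslsigncode` or `Get-AuthenticodeSignature`.

```python
"""Offline PE triage helper for the findings in this report.

Added example, not tooling from the original analysis. Header offsets follow
the PE/COFF specification; IOC_STRINGS is copied from the report; the PE built
by make_fake_pe() is constructed test input, not the real sample.
"""
import struct
import time

# IOC strings from the report, searched both as ASCII and as UTF-16LE.
IOC_STRINGS = [
    "https://down.temp-xy.com/update/python3.zip",
    "down.temp-xy.com",
    "tmp\\python3.zip",
    "svpy.exe",
    "maintaindown.py",
    "Zig WinHTTP Client",
    "WinHttpOpenRequest",
    "GetNumberOfEventLogRecords",
]

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType used by Authenticode
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2


def find_iocs(data: bytes) -> dict:
    """Return {ioc: [encodings present]} for each IOC string found in data."""
    hits = {}
    for ioc in IOC_STRINGS:
        found = [enc for enc, needle in (("ascii", ioc.encode("ascii")),
                                         ("utf16", ioc.encode("utf-16-le")))
                 if needle in data]
        if found:
            hits[ioc] = found
    return hits


def pe_header_facts(data: bytes) -> dict:
    """Parse the header fields behind the TimeDateStampInTheFuture,
    GuiSubsystemNoWindowApi and signature observations."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                  # optional header follows the 20-byte COFF header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    dirs = opt + (112 if pe32plus else 96)           # first data directory entry
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    facts = {
        "x64": machine == 0x8664,
        "timestamp": timestamp,
        "timestamp_in_future": timestamp > int(time.time()),
        "gui_subsystem": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "cert_table_offset": cert_off,   # a raw file offset, unlike the other directory entries
        "has_pkcs7": False,              # presence only; validity needs signtool/osslsigncode
    }
    if cert_off and cert_size and cert_off + 8 <= len(data):
        length, _revision, ctype = struct.unpack_from("<IHH", data, cert_off)
        facts["has_pkcs7"] = (ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA
                              and cert_off + length <= len(data))
    return facts


def make_fake_pe(timestamp: int, subsystem: int, payload: bytes, cert: bytes = b"") -> bytes:
    """Constructed PE32+ image: DOS header, PE headers, a payload blob and, if
    cert is given, a WIN_CERTIFICATE appended as overlay and referenced from the
    security directory, which is how Authenticode stores the PKCS7 block."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240                                   # PE32+ optional header with 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    body_end = len(dos) + 4 + len(coff) + opt_size + len(payload)
    blob = b""
    if cert:
        blob = struct.pack("<IHH", 8 + len(cert), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, body_end, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + payload + blob


def triage(data: bytes) -> list:
    """Combine both checks into the flags an analyst would want to see first."""
    facts, iocs = pe_header_facts(data), find_iocs(data)
    flags = ["ioc:" + s for s in iocs]
    if facts["timestamp_in_future"]:
        flags.append("timestamp_in_future")
    if facts["has_pkcs7"]:
        flags.append("pkcs7_present_unverified")
    return flags


if __name__ == "__main__":
    # Constructed sample: future link time, GUI subsystem, two IOCs (one ASCII,
    # one UTF-16LE) and a dummy certificate blob that is present but meaningless.
    sample = make_fake_pe(4_000_000_000, IMAGE_SUBSYSTEM_WINDOWS_GUI,
                          b"\0" * 16 + b"https://down.temp-xy.com/update/python3.zip\0"
                          + "svpy.exe".encode("utf-16-le") + b"\0\0",
                          b"\x30\x82\x00\x05fake")
    print(pe_header_facts(sample))
    print(triage(sample))
```

Run it against a real file with `triage(open(path, "rb").read())`. The UTF-16LE pass matters for Windows samples because path strings handed to `CreateProcessW` and `LoadLibraryW` are wide, so an ASCII-only grep can miss `svpy.exe` or `maintaindown.py` even when the loader clearly uses them.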