Knowing that I am dealing with a PE binary, I would use PE Studio to determine what the sample does, for example whether it connects to the internet, downloads/uploads files or collects information from the victim machine. I would also like to know if the binary is packed.
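As an added example (not the author's code, and not a substitute for PE Studio), here is a small standard-library script that pulls the packing signals a practitioner looks for straight out of the PE section table: packer-style section names, high section entropy, sections that are both writable and executable, and sections that are empty on disk but allocated in memory (the UPX0/UPX1 pattern). The entropy threshold and the section-name list are assumptions chosen for illustration, and the two sample images are constructed in the script itself (header-only, not loadable) so it runs offline; pass a real file path to analyse an actual binary.

```python
"""Static packing heuristics for a PE file, standard library only."""
import hashlib
import math
import struct
import sys
from collections import Counter

# Section names commonly written by packers (assumption: short illustrative list).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".nsp0", ".nsp1", "MPRESS1", "MPRESS2", ".vmp0", ".vmp1"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # bits/byte; assumption: compressed or encrypted data sits above this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsec):
        (name, vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "entropy": shannon_entropy(raw), "raw_size": raw_size,
                         "virtual_size": vsize, "characteristics": chars})
    return sections


def packing_indicators(pe: bytes) -> list:
    """Return human-readable reasons to suspect packing; empty list means none found."""
    reasons = []
    for s in parse_sections(pe):
        name, chars = s["name"], s["characteristics"]
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {name!r}")
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            reasons.append(f"high entropy {s['entropy']:.2f} in {name!r}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append(f"writable+executable section {name!r}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"empty-on-disk section {name!r} that is allocated in memory")
    return reasons


# --- constructed test input below: header-only images, not loadable binaries ---

def pseudo_random(n: int, seed: bytes = b"packed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a packed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_pe(sections) -> bytes:
    """Assemble a minimal PE from (name, raw_data, virtual_size, characteristics) tuples."""
    e_lfanew, opt_size = 0x40, 0             # no optional header; the parser tolerates that
    raw_ptr = (e_lfanew + 24 + 40 * len(sections) + 0x1FF) & ~0x1FF   # 512-byte alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, blobs, vaddr = b"", b"", 0x1000
    for name, data, vsize, chars in sections:
        ptr = raw_ptr + len(blobs) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(data), ptr, 0, 0, 0, 0, chars)
        blobs += data
        vaddr += max(0x1000, (vsize + 0xFFF) & ~0xFFF)
    img = dos + b"PE\0\0" + coff + table
    return img + b"\0" * (raw_ptr - len(img)) + blobs


CODE = b"\x55\x8b\xec\x83\xec\x10" * 700           # low-entropy stand-in for plain x86 code
UNPACKED_SAMPLE = build_pe([(".text", CODE, len(CODE), 0x60000020),
                            (".data", b"Hello World\0" * 100, 1200, 0xC0000040)])
PACKED_SAMPLE = build_pe([("UPX0", b"", 0x20000, 0xE0000080),
                          ("UPX1", pseudo_random(8192), 8192, 0xE0000040),
                          (".rsrc", b"\0" * 512, 512, 0xC0000040)])

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_SAMPLE
    for s in parse_sections(image):
        print(f"{s['name']:<8} raw={s['raw_size']:<7} entropy={s['entropy']:.2f}")
    print("indicators:", packing_indicators(image) or "none")
```

These are heuristics, not proof: a legitimate installer with a compressed resource section will also score high on entropy, and a packer that names its sections `.text`/`.data` defeats the name check. On a real sample the other signal worth checking is the import table, which PE Studio shows directly; a packed binary typically imports almost nothing beyond `LoadLibraryA`/`GetProcAddress` and resolves the rest at runtime.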
Next is the dynamic analysis phase. I will try to execute the sample in a VM with Sysmon and FakeNet running in the background. I could see some URLs being accessed by the binary via FakeNet. However, before I could take a closer look at the URLs, the infamous BSOD happened.
FakeNet shows a URL being accessed after the binary was executed. Some information related to the victim machine was also being uploaded to the URL.
I guess the sample is packed. I opened up the sample in IDA Pro and was greeted with this long WinMain() that seemed to be drawing dialog boxes.
I scrolled through WinMain() and it ended with this interesting dynamic call instruction.
In the next post, I will document how I unpacked the sample using Ollydbg. :)