type: entity
confidence: low
created: 2026-06-04
updated: 2026-06-04
tags: pe, malware-family, loader, evasion

Unclassified PE32

Placeholder entity for unattributed 32-bit Windows PE samples that do not yet fit a known family fingerprint. Not a coherent campaign: a holding bin until sibling samples or shared C2 IOCs allow them to be clustered and re-attributed.

Build / RE Profile

Typical observed traits across samples under this label:

  • MSVC linker (10.x–14.x) per the optional-header linker version, sometimes misidentified by Ghidra as borlandcpp because packed code sections defeat its compiler-ID heuristics. The linker version fields are attacker-controlled, so treat this as a weak signal ^[rabin2-info.txt]
  • Heavy use of unusual section names (.lv#, .K"*, .c_w) with SizeOfRawData=0 and non-zero VirtualSize: the section occupies memory but has no bytes on disk, a BSS-style artefact of an unpacking stub that fills it at runtime ^[pefile.txt]
  • Minimal conventional IAT (<20 imports) paired with 10+ delay-import descriptors spanning kernel32, user32, gdiplus, Crypt32, uxtheme. The delay-load directory is still parseable statically, so the real import surface is not hidden, only moved out of the table that import-count heuristics and casual triage look at ^[pefile.txt]
  • Version-info masquerade with misspelled vendor strings (e.g. Mcrosoft Corporaton); VERSIONINFO is attacker-controlled, and the near-miss spelling is itself a usable pivot ^[exiftool.json]
  • RT_ICON resource bloat (10–14 icons, 256×256 PNG embedded) to pass as a legitimate GUI application and pad the file size ^[binwalk.txt]
  • GUI subsystem with Common Controls v6 manifest and Windows 7–10 compatibility GUIDs ^[strings.txt]
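The section-table, delay-import and vendor-string traits above are cheap to check without detonation. The script below is an added triage example, not tooling from the original note or from any named project: it parses the PE headers with the standard-library struct module only (so it runs where pefile is not installed), flags sections with SizeOfRawData=0 but non-zero VirtualSize or a non-conventional name, reports whether a delay-load directory is present, and treats a CompanyName within a few edits of a known vendor (but not equal to it) as a masquerade. The PE32 it runs against is constructed inline to exercise the checks; the CONVENTIONAL and KNOWN_VENDORS lists and the edit-distance threshold are assumptions to tune per corpus.

```python
"""Static triage for the section-table / delay-import / version-info traits.

Added example; pure-Python (struct only). The PE32 built by build_sample() is
CONSTRUCTED for the demo and is not a real sample from the bucket.
"""
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_ptr: int


# Assumption: the usual MSVC-emitted names; anything else gets flagged for review.
CONVENTIONAL = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                ".edata", ".bss", ".tls", ".pdata", ".crt", ".didat"}
# Assumption: vendors the masquerade strings imitate; extend per corpus.
KNOWN_VENDORS = ("Microsoft Corporation",)

IMPORT_DIR = 1          # IMAGE_DIRECTORY_ENTRY_IMPORT
DELAY_IMPORT_DIR = 13   # IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
DELAYLOAD_DESC_SIZE = 32  # sizeof(IMAGE_DELAYLOAD_DESCRIPTOR)


def parse_pe(data: bytes):
    """Return (sections, data_directories); raises ValueError on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 in a PE32 optional header, +112 in PE32+;
    # NumberOfRvaAndSizes is the DWORD immediately before them.
    dir_off = opt + (96 if magic == 0x10B else 112)
    n_dirs = struct.unpack_from("<I", data, dir_off - 4)[0]
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(min(n_dirs, 16))]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i  # section table follows the optional header
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), vsize, vaddr, rawsize, rawptr))
    return sections, dirs


def section_findings(sections):
    """Flag BSS-style packing artefacts and non-conventional section names."""
    out = []
    for s in sections:
        if s.raw_size == 0 and s.virtual_size > 0:
            out.append(f"{s.name!r}: SizeOfRawData=0 but VirtualSize=0x{s.virtual_size:X} (filled at runtime)")
        if s.name not in CONVENTIONAL:
            out.append(f"{s.name!r}: non-conventional section name")
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vendor_masquerade(company_name: str, max_dist: int = 3):
    """Return the imitated vendor when the string is a near miss (1..max_dist edits), else None."""
    for vendor in KNOWN_VENDORS:
        d = edit_distance(company_name.lower(), vendor.lower())
        if 0 < d <= max_dist:
            return vendor
    return None


def triage(data: bytes, company_name: str):
    """Combine the checks into a list of human-readable findings."""
    sections, dirs = parse_pe(data)
    findings = section_findings(sections)
    get = lambda i: dirs[i] if i < len(dirs) else (0, 0)
    if get(IMPORT_DIR)[1] == 0:
        findings.append("no import directory at all")
    if get(DELAY_IMPORT_DIR)[1] > 0:
        slots = get(DELAY_IMPORT_DIR)[1] // DELAYLOAD_DESC_SIZE
        findings.append(f"delay-import directory present ({slots} descriptor slots incl. terminator)")
    vendor = vendor_masquerade(company_name)
    if vendor:
        findings.append(f"CompanyName {company_name!r} is a near miss of {vendor!r}")
    return findings


def build_sample() -> bytes:
    """CONSTRUCTED minimal PE32 header set reproducing the traits (headers only, no code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)  # i386, 3 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR, 0x3000, 0x28)          # tiny import table
    struct.pack_into("<II", opt, 96 + 8 * DELAY_IMPORT_DIR, 0x3100, 0x160)   # 11 delay descriptors

    def sec(name, vsize, vaddr, rawsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)

    secs = (sec(b".text", 0x1000, 0x1000, 0x1000, 0x400)
            + sec(b'.K"*', 0x5000, 0x2000, 0, 0)          # memory-only section, packer target
            + sec(b".rsrc", 0x2000, 0x7000, 0x2000, 0x1400))
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    for line in triage(build_sample(), "Mcrosoft Corporaton"):
        print(line)
```

Against a real file, replace build_sample() with the file bytes and pull CompanyName from the VS_VERSIONINFO block (pefile's FileInfo, or exiftool as cited above); the edit-distance check is deliberately case-insensitive so "MICROSOFT corporation" is not reported, while a single dropped letter is.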

Deploy / ATT&CK

No consistent TTPs yet. Samples in this bucket have not been detonated in CAPE (no Windows guest available), so runtime behavior is inferred from the static and delay-load import tables only; an import name shows that the capability is linked, not that the code path is ever reached:

  • Possible certificate-store interaction (CertOpenSystemStoreW, CryptDecodeObject, PFXImportCertStore) ^[pefile.txt]
  • Possible image/screenshot handling (gdiplus.dll delay-imports, GdipCreateFromHDC, GdipLoadImageFromStream) ^[pefile.txt]
  • Network footprint unknown: no hardcoded IPs, domains, or C2 strings in strings output. Given the packed, disk-empty sections noted above, absence from static strings is expected and not evidence of no network capability.

Capabilities

  • version-info-masquerade
  • delay-import-evasion
  • certificate-store-access
  • image-capture-gdiplus
  • resource-icon-bloat