Analysis

Category Package Started Completed Duration Options
FILE exe 2019-11-08 21:19:26 2019-11-08 21:23:14 228 seconds procdump = 1
2019-11-08 21:19:27,000 [root] INFO: Date set to: 11-08-19, time set to: 21:19:27, timeout set to: 200
2019-11-08 21:19:27,046 [root] DEBUG: Starting analyzer from: C:\idpkcmfxtl
2019-11-08 21:19:27,046 [root] DEBUG: Storing results at: C:\DIkFrAVzPP
2019-11-08 21:19:27,046 [root] DEBUG: Pipe server name: \\.\PIPE\XhjkHfTm
2019-11-08 21:19:27,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-11-08 21:19:27,046 [root] INFO: Automatically selected analysis package "exe"
2019-11-08 21:19:31,944 [root] DEBUG: Started auxiliary module Browser
2019-11-08 21:19:31,944 [root] DEBUG: Started auxiliary module Curtain
2019-11-08 21:19:31,944 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-11-08 21:19:32,865 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-11-08 21:19:32,865 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-11-08 21:19:32,881 [root] DEBUG: Started auxiliary module DigiSig
2019-11-08 21:19:32,881 [root] DEBUG: Started auxiliary module Disguise
2019-11-08 21:19:32,881 [root] DEBUG: Started auxiliary module Human
2019-11-08 21:19:32,881 [root] DEBUG: Started auxiliary module Screenshots
2019-11-08 21:19:32,895 [root] DEBUG: Started auxiliary module Sysmon
2019-11-08 21:19:32,895 [root] DEBUG: Started auxiliary module Usage
2019-11-08 21:19:32,895 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-11-08 21:19:32,895 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-11-08 21:19:32,911 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\SboIGshiW68oSk.exe" with arguments "" with pid 3064
2019-11-08 21:19:32,927 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-11-08 21:19:32,927 [lib.api.process] INFO: 32-bit DLL to inject is C:\idpkcmfxtl\dll\opVJki.dll, loader C:\idpkcmfxtl\bin\hQcMwVJ.exe
2019-11-08 21:19:32,943 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\XhjkHfTm.
2019-11-08 21:19:32,943 [root] DEBUG: Loader: Injecting process 3064 (thread 872) with C:\idpkcmfxtl\dll\opVJki.dll.
2019-11-08 21:19:32,959 [root] DEBUG: Process image base: 0x00400000
2019-11-08 21:19:32,959 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\idpkcmfxtl\dll\opVJki.dll.
2019-11-08 21:19:32,959 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00409000 - 0x77380000
2019-11-08 21:19:32,959 [root] DEBUG: InjectDllViaIAT: Allocated 0x1a0 bytes for new import table at 0x00410000.
2019-11-08 21:19:32,959 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-11-08 21:19:32,959 [root] DEBUG: Successfully injected DLL C:\idpkcmfxtl\dll\opVJki.dll.
2019-11-08 21:19:32,959 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3064
2019-11-08 21:19:34,970 [lib.api.process] INFO: Successfully resumed process with pid 3064
2019-11-08 21:19:34,970 [root] INFO: Added new process to list with pid: 3064
2019-11-08 21:19:35,049 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-11-08 21:19:35,049 [root] DEBUG: Process dumps enabled.
2019-11-08 21:19:35,079 [root] INFO: Disabling sleep skipping.
2019-11-08 21:19:35,079 [root] INFO: Disabling sleep skipping.
2019-11-08 21:19:35,079 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-11-08 21:19:35,079 [root] INFO: Disabling sleep skipping.
2019-11-08 21:19:35,079 [root] INFO: Disabling sleep skipping.
2019-11-08 21:19:35,079 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 3064 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-11-08 21:19:35,079 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\SboIGshiW68oSk.exe".
2019-11-08 21:19:35,095 [root] INFO: Monitor successfully loaded in process with pid 3064.
2019-11-08 21:19:35,111 [root] DEBUG: DLL loaded at 0x746B0000: C:\Windows\syswow64\dbghelp (0xeb000 bytes).
2019-11-08 21:19:35,142 [root] DEBUG: DLL loaded at 0x74510000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-11-08 21:19:35,174 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-11-08 21:19:35,174 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-11-08 21:19:35,190 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-11-08 21:19:35,190 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-11-08 21:19:35,190 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-11-08 21:19:35,204 [root] DEBUG: DLL loaded at 0x744F0000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-11-08 21:19:35,204 [root] DEBUG: DLL loaded at 0x744E0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-11-08 21:19:35,204 [root] DEBUG: DLL unloaded from 0x77050000.
2019-11-08 21:19:35,204 [root] DEBUG: DLL loaded at 0x74480000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-11-08 21:19:35,204 [root] DEBUG: DLL loaded at 0x74460000: C:\Windows\system32\rasman (0x15000 bytes).
2019-11-08 21:19:35,204 [root] DEBUG: DLL unloaded from 0x74480000.
2019-11-08 21:19:35,220 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-11-08 21:19:35,220 [root] DEBUG: DLL unloaded from 0x74460000.
2019-11-08 21:19:35,220 [root] DEBUG: DLL unloaded from 0x75370000.
2019-11-08 21:19:35,220 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-11-08 21:19:35,236 [root] DEBUG: DLL loaded at 0x74E30000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-11-08 21:19:35,236 [root] DEBUG: DLL loaded at 0x74E20000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-11-08 21:19:35,236 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-11-08 21:19:35,236 [root] DEBUG: DLL loaded at 0x74F00000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-11-08 21:19:35,236 [root] DEBUG: DLL loaded at 0x74DA0000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-11-08 21:19:35,236 [root] DEBUG: DLL loaded at 0x74EF0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-11-08 21:19:35,236 [root] DEBUG: DLL loaded at 0x74430000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-11-08 21:19:35,236 [root] DEBUG: DLL loaded at 0x74420000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-11-08 21:19:35,252 [root] DEBUG: DLL loaded at 0x743E0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-11-08 21:19:35,252 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-11-08 21:19:35,282 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-11-08 21:19:35,299 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-11-08 21:19:35,299 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-11-08 21:19:35,299 [root] DEBUG: DLL loaded at 0x74370000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-11-08 21:19:35,299 [root] DEBUG: DLL loaded at 0x74350000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-11-08 21:19:35,299 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-11-08 21:19:35,299 [root] DEBUG: DLL unloaded from 0x744F0000.
2019-11-08 21:19:35,299 [root] DEBUG: DLL unloaded from 0x74350000.
2019-11-08 21:19:37,592 [root] DEBUG: DLL unloaded from 0x75370000.
2019-11-08 21:19:47,607 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-11-08 21:19:47,607 [root] DEBUG: DLL unloaded from 0x74380000.
2019-11-08 21:19:47,607 [root] DEBUG: DLL unloaded from 0x75370000.
2019-11-08 21:22:55,743 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-11-08 21:22:55,743 [root] INFO: Created shutdown mutex.
2019-11-08 21:22:56,756 [lib.api.process] INFO: Terminate event set for process 3064
2019-11-08 21:22:56,756 [root] DEBUG: Terminate Event: Attempting to dump process 3064
2019-11-08 21:22:56,756 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-11-08 21:22:56,756 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-11-08 21:22:56,756 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-11-08 21:22:56,756 [root] DEBUG: DumpProcess: Module entry point VA is 0x000025A2.
2019-11-08 21:22:56,756 [root] INFO: Added new CAPE file to list with path: C:\DIkFrAVzPP\CAPE\3064_153814422656222185112019
2019-11-08 21:22:56,756 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x3400.
2019-11-08 21:22:56,756 [lib.api.process] INFO: Termination confirmed for process 3064
2019-11-08 21:22:56,756 [root] INFO: Terminate event set for process 3064.
2019-11-08 21:22:56,756 [root] INFO: Terminating process 3064 before shutdown.
2019-11-08 21:22:56,756 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 3064
2019-11-08 21:22:56,756 [root] INFO: Waiting for process 3064 to exit.
2019-11-08 21:22:57,770 [root] INFO: Shutting down package.
2019-11-08 21:22:57,770 [root] INFO: Stopping auxiliary modules.
2019-11-08 21:22:57,770 [root] INFO: Finishing auxiliary modules.
2019-11-08 21:22:57,770 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-11-08 21:22:57,770 [root] WARNING: File at path "C:\DIkFrAVzPP\debugger" does not exist, skip.
2019-11-08 21:22:57,770 [root] INFO: Analysis completed.

MalScore

2.6

Suspicious

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2019-11-08 21:19:26 2019-11-08 21:23:12

File Details

File Name f62f911042f2165c5ff465f74a7ca202
File Size 28260 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f62f911042f2165c5ff465f74a7ca202
SHA1 04c60a14d19f600e5183576cd8382c76b38672bd
SHA256 0ad52c817e4e9e1da2f0fad5c03ab64420fe0028ceb89924371cf8b55ed97ffa
SHA512 9fc86ae07b49535772b1ce83bf843868555f34bb213fca63ae3b5273106a2a4037fda431f36fd631b063254f983fa1f2f003ce163ea10cf94b139309ee0aabaa
CRC32 ECEB46BC
Ssdeep 768:rlS0qGBokMx+HulTojfSe+iJPQv+Kd3uGl:rOGSBDWf1++QJ
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara
  • shellcode_stack_strings - Match x86 that appears to be stack string creation.
CAPE Yara None matched

Signatures

Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: dbghelp.dll/MakeSureDirectoryPathExists
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3064 trigged the Yara rule 'shellcode_stack_strings'
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header
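Added example, not part of the CAPE report or of its rule set: the 'shellcode_stack_strings' hit above, reported for both the submitted file and the process dump, fires on byte patterns that look like a string being assembled on the stack one immediate at a time. The scanner below goes one step further than the rule and reconstructs such strings from raw x86 code for the two usual idioms: a run of PUSH imm32/imm8 instructions (the last push lands at the lowest address, so the text reads in reverse push order) and a run of MOV byte/dword ptr [ebp+disp8], imm stores (read in ascending displacement order). The bytes in SAMPLE are constructed for the demonstration; the CAPE rule's own byte patterns are not reproduced, and the thresholds min_ops and min_len are assumptions chosen to skip ordinary integer arguments, which compilers also push as immediates.

```python
import re
import struct

# Idiom 1: PUSH imm32 (68 xx xx xx xx) and PUSH imm8 (6A xx); the last push ends up
# at the lowest address, so the string is read in reverse push order.
PUSH_RE = re.compile(rb"(?:\x68[\x00-\xff]{4}|\x6a[\x00-\xff])+")
# Idiom 2: MOV byte ptr [ebp+disp8], imm8 (C6 45 dd ii) and MOV dword ptr [ebp+disp8],
# imm32 (C7 45 dd ii ii ii ii); the string is read in ascending displacement order.
MOV_EBP_RE = re.compile(rb"(?:\xc6\x45[\x00-\xff]{2}|\xc7\x45[\x00-\xff]{5})+")


def _decode_pushes(chunk):
    """Return (bytes as laid out on the stack, number of pushes) for a PUSH run."""
    dwords, i = [], 0
    while i < len(chunk):
        if chunk[i] == 0x68:
            dwords.append(chunk[i + 1:i + 5])
            i += 5
        else:  # 0x6A: the imm8 is sign-extended to a full dword on the stack
            dwords.append(struct.pack("<i", struct.unpack_from("<b", chunk, i + 1)[0]))
            i += 2
    return b"".join(reversed(dwords)), len(dwords)


def _decode_ebp_stores(chunk):
    """Return (bytes ordered by stack slot, number of stores) for a MOV [ebp+d] run."""
    stores, i = [], 0
    while i < len(chunk):
        disp = struct.unpack_from("<b", chunk, i + 2)[0]
        if chunk[i] == 0xC6:
            stores.append((disp, chunk[i + 3:i + 4]))
            i += 4
        else:  # 0xC7
            stores.append((disp, chunk[i + 3:i + 7]))
            i += 7
    stores.sort(key=lambda s: s[0])
    return b"".join(v for _, v in stores), len(stores)


def _printable_prefix(raw):
    """ASCII text up to the first NUL, or None if it is not printable."""
    s = raw.split(b"\x00", 1)[0]
    if s and all(0x20 <= b < 0x7F for b in s):
        return s.decode("ascii")
    return None


def find_stack_strings(code, min_ops=3, min_len=4):
    """Scan raw x86 code and return sorted (offset, text) pairs of reconstructed
    stack strings. min_ops/min_len (assumed thresholds) drop short runs such as
    the integer arguments compilers also push as immediates."""
    hits = []
    for regex, decode in ((PUSH_RE, _decode_pushes), (MOV_EBP_RE, _decode_ebp_stores)):
        for m in regex.finditer(code):
            raw, nops = decode(m.group())
            if nops < min_ops:
                continue
            text = _printable_prefix(raw)
            if text is not None and len(text) >= min_len:
                hits.append((m.start(), text))
    return sorted(hits)


# Constructed code bytes (not taken from the sample): a LoadLibraryA call whose
# argument "kernel32.dll" is pushed in four-byte pieces, a "cmd.exe" buffer built
# with byte stores, and three plain integer pushes that must not be reported.
SAMPLE = (
    b"\x55\x8b\xec"                  # push ebp; mov ebp, esp
    b"\x6a\x00"                      # push 0            (terminator goes on first)
    b"\x68.dll"                      # push '.dll'
    b"\x68el32"                      # push 'el32'
    b"\x68kern"                      # push 'kern'       (ESP now -> "kernel32.dll")
    b"\x54"                          # push esp
    b"\xff\x15\x00\x00\x00\x00"      # call dword ptr [LoadLibraryA]
    b"\xc6\x45\xf0c"                 # mov byte ptr [ebp-0x10], 'c'
    b"\xc6\x45\xf1m"
    b"\xc6\x45\xf2d"
    b"\xc6\x45\xf3."
    b"\xc6\x45\xf4e"
    b"\xc6\x45\xf5x"
    b"\xc6\x45\xf6e"
    b"\xc6\x45\xf7\x00"              # mov byte ptr [ebp-0x09], 0   -> "cmd.exe"
    b"\x6a\x01\x6a\x02\x6a\x03"      # push 1; push 2; push 3       (integer arguments)
    b"\xc3"                          # ret
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, text in find_stack_strings(data):
        print(f"0x{offset:08x}  {text}")
```

Pointing the script at the 13312-byte process dump listed under Process Dumps, or at the raw .text section of the file, is the natural next step; what it recovers from this particular sample is not shown on the page and is not claimed here. Expect some false positives on packed data and on legitimate argument lists, which is also why the YARA rule on its own is a triage hint rather than a verdict.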

Screenshots


Hosts

Direct IP Country Name
Y 123.184.40.33 China

DNS

No domains contacted.


Summary

Files

C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Program Files\AppPatch\NetSyst96.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Program Files
C:\Program Files\AppPatch
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Program Files\AppPatch\NetSyst96.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Program Files\AppPatch\NetSyst96.dll

Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SboIGshiW68oSk_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork

Resolved APIs

kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.IsProcessorFeaturePresent
msvcrt.dll._set_error_mode
msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
dbghelp.dll.MakeSureDirectoryPathExists
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
cryptbase.dll.SystemFunction036
ole32.dll.CoInitializeEx
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
ole32.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
ole32.dll.CoUninitialize
oleaut32.dll.#500

Mutexes

IESQMMUTEX_0_208

PE Information

Image Base 0x00400000
Entry Point 0x004025a2
Reported Checksum 0x0000e51f
Actual Checksum 0x00011e9e
Minimum OS Version 4.0
Compile Time 2017-05-21 08:28:33
Import Hash 0fa9a08282241fecf69984aea760ef64
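Added example, not part of the report: the 'Actual checksum does not match that reported in PE header' anomaly under Signatures is the comparison of the Reported Checksum 0x0000e51f above with the value recomputed over the file, 0x00011e9e. The checksum is a ones'-complement sum of the file's 16-bit words with end-around carry, taken with the CheckSum field itself counted as zero, plus the file length; the length term is why the recomputed value exceeds 0xffff (0x11e9e less the 28260-byte file size is 0xb03a). The Windows loader ignores this field for user-mode executables (it is enforced for kernel drivers and boot-time images), so a mismatch never stops a sample from running; it only says the bytes were altered after the header was written, or that whatever produced the file did not compute it. A header value of 0 is the far more common benign case, since the linker only fills the field in on request, and the script reports it separately. The script reimplements the computation in Python (the same rule pefile's generate_checksum applies); the 512-byte PE32 header it builds as sample input is constructed for the demonstration, and the function and field names are the example's own.

```python
import struct
import sys


def checksum_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum; validates both magics."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    # 4-byte signature + 20-byte IMAGE_FILE_HEADER + 0x40 into the optional header
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data):
    """Recompute the image checksum: ones'-complement sum of little-endian 16-bit
    words with end-around carry, the 4-byte CheckSum field counted as zero, plus
    the file length (so the result is a full 32-bit value, not a 16-bit one)."""
    skip = checksum_offset(data)
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off == skip or off == skip + 2:
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    if len(data) & 1:                             # odd trailing byte, zero-padded
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def verify_checksum(data):
    """Compare the header's CheckSum with the recomputed value."""
    off = checksum_offset(data)
    reported = struct.unpack_from("<I", data, off)[0]
    actual = pe_checksum(data)
    return {
        "reported": reported,
        "actual": actual,
        "matches": reported == actual,
        "unset": reported == 0,   # linker default; common and not suspicious by itself
    }


def build_min_pe(reported_checksum):
    """Constructed 512-byte PE32 header (sample input, not the report's file):
    only the fields this code touches are set, everything else is zero."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"                                             # e_magic
    struct.pack_into("<I", buf, 0x3C, 0x80)                      # e_lfanew
    buf[0x80:0x84] = b"PE\x00\x00"                               # Signature
    struct.pack_into("<H", buf, 0x84, 0x14C)                     # Machine = i386
    struct.pack_into("<H", buf, 0x94, 0xE0)                      # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x98, 0x10B)                     # Magic = PE32
    struct.pack_into("<I", buf, 0x98 + 0x40, reported_checksum)  # CheckSum
    return buf


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_min_pe(0xE51F)
    r = verify_checksum(data)
    state = "ok" if r["matches"] else ("unset" if r["unset"] else "MISMATCH")
    print(f"reported 0x{r['reported']:08x}  actual 0x{r['actual']:08x}  {state}")
```

Run against the report's file (not included here) it is expected to print the same 0x0000e51f / 0x00011e9e pair the sandbox reported. The 0x64-byte overlay listed below is the kind of post-link addition that leaves the header checksum stale, though nothing on the page says which bytes were changed.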

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001a18 0x00001c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.16
.rdata 0x00003000 0x0000081e 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.32
.data 0x00004000 0x0000092c 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.22
.rsrc 0x00005000 0x00003d84 0x00003e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.68

Overlay

Offset 0x00006e00
Size 0x00000064

Imports

Library KERNEL32.dll:
0x403000 VirtualAlloc
0x403004 VirtualProtect
0x403008 VirtualFree
0x40300c GetProcAddress
0x403010 LoadLibraryA
0x403014 IsBadReadPtr
0x403018 HeapFree
0x40301c GetProcessHeap
0x403020 FreeLibrary
0x403024 HeapAlloc
0x403028 CloseHandle
0x40302c WriteFile
0x403030 Sleep
0x403034 CreateFileA
0x403038 ReadFile
0x40303c GetFileSize
0x403040 GetCurrentProcess
0x403044 TerminateProcess
0x403048 GetStartupInfoA
0x403050 InterlockedExchange
0x403058 IsDebuggerPresent
0x403060 GetTickCount
0x403064 GetCurrentThreadId
0x403068 GetCurrentProcessId
Library MSVCR80.dll:
0x403078 exit
0x40307c _acmdln
0x403080 _ismbblead
0x403084 _initterm_e
0x403088 _configthreadlocale
0x40308c __setusermatherr
0x403090 _adjust_fdiv
0x403094 __p__commode
0x403098 __p__fmode
0x40309c _encode_pointer
0x4030a0 __set_app_type
0x4030a4 _crt_debugger_hook
0x4030a8 _unlock
0x4030ac __dllonexit
0x4030b0 _lock
0x4030b4 _onexit
0x4030b8 _decode_pointer
0x4030c0 _invoke_watson
0x4030c4 _controlfp_s
0x4030c8 _XcptFilter
0x4030cc _exit
0x4030d0 _cexit
0x4030d4 __getmainargs
0x4030d8 _amsg_exit
0x4030dc ??2@YAPAXI@Z
0x4030e0 ??3@YAXPAX@Z
0x4030e4 malloc
0x4030e8 free
0x4030ec realloc
0x4030f0 memset
0x4030f4 memcpy
0x4030f8 _initterm
0x4030fc _stricmp
Library imagehlp.dll:
Library WININET.dll:
0x403104 InternetOpenUrlA
0x403108 InternetReadFile
0x40310c InternetCloseHandle
0x403110 InternetOpenA

Strings

.text
`.rdata
@.data
.rsrc
WVh @@
VirtualAlloc
VirtualProtect
VirtualFree
GetProcAddress
LoadLibraryA
IsBadReadPtr
HeapFree
GetProcessHeap
FreeLibrary
HeapAlloc
CloseHandle
WriteFile
Sleep
CreateFileA
ReadFile
GetFileSize
KERNEL32.dll
memcpy
memset
realloc
malloc
??3@YAXPAX@Z
??2@YAPAXI@Z
MSVCR80.dll
_amsg_exit
__getmainargs
_cexit
_exit
_XcptFilter
_ismbblead
_acmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_encode_pointer
__set_app_type
_crt_debugger_hook
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
_except_handler4_common
_invoke_watson
_controlfp_s
MakeSureDirectoryPathExists
imagehlp.dll
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
WININET.dll
InterlockedExchange
InterlockedCompareExchange
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
_stricmp
4jNnIiz7AYwTpl0fD5sYadEvP5H4kWqHxLH6cNm8MiQIH5MODjaBVro=
/cUllm946VuCMcoiOha3qlIUzuRSkQQc6mUF2H9BWDZrPnm1atPgodkk57Ld4rFh1V6AKJp3VXtJlSwcxwe48Q4pHRTt70566/cuBM7pMMvUWCAKArmVh7BtSZcGlH5wqpl/bTz8Z39GgE5d89TwEmKU1M5n7yGgtJW83HxjVK7wO9BKltAX7R1BQnn/HZm0jl0w0T1Dnka2KFnl5Nh0bDu37gfPdbHJ8BI9jRPPogYhU/8weP1CZ0edvu21mSxluO2gXsdOW32iEPaHJvvdc/c4VPFdI0vVU1j1Fg9YIJJKLH/ff1JMizhgoN7iQ8xpTyALb5yzW8eQ03JKkcP0BeRm1gItU5Du4o8C61rUvlbMXNmCYgQnuor7V2vznfjU679hg1C0zfiIsXXDL4Rqs6Ur77aknO7ONJ/4advGTa9/fA1oxxDMS5hV8HKBWi33tKIquBNcz9MSOHXqRIhvOLK6dEykd0eltHKq66o=
;JWHDTc
4GZ}HYj
8L_6;Ys
5UpP9Wq
E\n(C[n
9Tl?8Sk
&C\I&B\
CaL Ba
'V}L&U|
,PoL,Po
!A\+!B]
;^I*Ro
;L`bFVe
;Um07Tn
@VhR<Ui
.Jbv+Jd
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD8
This file is not on VirusTotal.

Process Tree


SboIGshiW68oSk.exe, PID: 3064, Parent PID: 3032
Full Path: C:\Users\user\AppData\Local\Temp\SboIGshiW68oSk.exe
Command Line: "C:\Users\user\AppData\Local\Temp\SboIGshiW68oSk.exe"

TCP

Source Source Port Destination Destination Port
192.168.35.22 49164 123.184.40.33 19162
192.168.35.22 49165 123.184.40.33 19162
192.168.35.22 49166 123.184.40.33 19162
192.168.35.22 49167 123.184.40.33 19162
192.168.35.22 49168 123.184.40.33 19162
192.168.35.22 49169 123.184.40.33 19162
192.168.35.22 49170 123.184.40.33 19162
192.168.35.22 49171 123.184.40.33 19162
192.168.35.22 49172 123.184.40.33 19162
192.168.35.22 49173 123.184.40.33 19162
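Added example, not part of the report: the ten TCP connections above all go to one public address and port, no DNS lookup was recorded (the DNS section reads "No domains contacted"), and the ephemeral source ports are consecutive, meaning the sample opened a fresh socket for each attempt one after another. Whether the remote end ever answered is not shown on this page (no HTTP, Suricata or JA3 records), so the page supports "connected to a hard-coded address repeatedly" and nothing more. The detection below reads that table as sample input (the flows are the report's own, embedded as text), groups flows per destination, and flags repeated connections to a global IP that never appeared in a DNS answer. Function names, thresholds and the DNS_ANSWERS structure are the example's own.

```python
from collections import defaultdict
from ipaddress import ip_address

# Sample input: the TCP table from this report, embedded as text (src sport dst dport).
TCP_TABLE = """\
192.168.35.22 49164 123.184.40.33 19162
192.168.35.22 49165 123.184.40.33 19162
192.168.35.22 49166 123.184.40.33 19162
192.168.35.22 49167 123.184.40.33 19162
192.168.35.22 49168 123.184.40.33 19162
192.168.35.22 49169 123.184.40.33 19162
192.168.35.22 49170 123.184.40.33 19162
192.168.35.22 49171 123.184.40.33 19162
192.168.35.22 49172 123.184.40.33 19162
192.168.35.22 49173 123.184.40.33 19162
"""
# The report's DNS section is empty, so no destination was learned from a name
# (assumed structure: {queried name: [answer IPs]}, as a pcap's DNS replies would give).
DNS_ANSWERS = {}


def parse_flows(text):
    """Turn 'src sport dst dport' lines into (src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[1].isdigit() or not parts[3].isdigit():
            continue  # header row or blank line
        flows.append((parts[0], int(parts[1]), parts[2], int(parts[3])))
    return flows


def find_hardcoded_beacons(flows, dns_answers, min_attempts=3):
    """Flag (src, dst, dport) groups with repeated connections to a global address.
    dns_resolved is False when the address never appeared in a DNS answer, i.e. it
    was embedded in the sample. consecutive_source_ports is True when the ephemeral
    ports form an unbroken run: the process reconnected back-to-back with no other
    socket opened in between, the signature of a retry loop."""
    resolved = {ip for answers in dns_answers.values() for ip in answers}
    groups = defaultdict(list)
    for src, sport, dst, dport in flows:
        groups[(src, dst, dport)].append(sport)
    findings = []
    for (src, dst, dport), sports in sorted(groups.items()):
        if len(sports) < min_attempts or not ip_address(dst).is_global:
            continue
        ports = sorted(sports)
        findings.append({
            "src": src, "dst": dst, "dport": dport,
            "attempts": len(ports),
            "dns_resolved": dst in resolved,
            "consecutive_source_ports": all(b - a == 1 for a, b in zip(ports, ports[1:])),
        })
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_beacons(parse_flows(TCP_TABLE), DNS_ANSWERS):
        why = "resolved via DNS" if f["dns_resolved"] else "hard-coded IP"
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  {f['attempts']} attempts  "
              f"({why}, consecutive source ports: {f['consecutive_source_ports']})")
```

In a real pipeline the DNS_ANSWERS map is filled from the capture's DNS replies, and the is_global test should additionally exclude the sandbox's own gateway and resolver so that connectivity probes by the guest do not show up as beacons.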

UDP

No UDP connections recorded.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Dropped Files

File name NetSyst96.dll
Associated Filenames
C:\Program Files\AppPatch\NetSyst96.dll
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched

CAPE

Sorry! No CAPE files.

Process Dumps

Process Name SboIGshiW68oSk.exe
PID 3064
Dump Size 13312 bytes
Module Path C:\Users\user\AppData\Local\Temp\SboIGshiW68oSk.exe
Type PE image: 32-bit executable
MD5 18f98930907493bf4fd5b490fe91ac1f
SHA1 3995afa426caf58949911298be8470f50ea60349
SHA256 6e92b2e619e93ce130f23e427548be7dfa82cbf1fa111f8fac709537519fa37e
CRC32 1911C7CC
Ssdeep 192:v9zD4NdfSe0ILqjFI7vhzo1uxuuoMFe6okqJ:1zcNlS0qjS75zokouo+e6
ClamAV None
Yara
  • shellcode_stack_strings - Match x86 that appears to be stack string creation.
CAPE Yara None matched
Dump Filename 6e92b2e619e93ce130f23e427548be7dfa82cbf1fa111f8fac709537519fa37e

Comments



No comments posted

Processing ( 0.528 seconds )

  • 0.139 CAPE
  • 0.118 TrID
  • 0.072 TargetInfo
  • 0.063 ProcDump
  • 0.046 BehaviorAnalysis
  • 0.035 Static
  • 0.031 Deduplicate
  • 0.011 NetworkAnalysis
  • 0.01 AnalysisInfo
  • 0.002 Strings
  • 0.001 Debug

Signatures ( 0.061 seconds )

  • 0.01 antiav_detectreg
  • 0.009 ransomware_files
  • 0.004 infostealer_ftp
  • 0.004 ransomware_extensions
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.002 stealth_timeout
  • 0.002 antianalysis_detectreg
  • 0.002 modify_proxy
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 NewtWire Behavior
  • 0.001 api_spamming
  • 0.001 decoy_document
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 108514
Mongo ID 5dc5dcc76d82384e386a21dc
Cuckoo release 1.3-CAPE