CAPE

Triggered CAPE Tasks:

Task #25399: Extraction

Analysis

Category Package Started Completed Duration
FILE exe 2018-12-04 17:34:54 2018-12-04 17:35:39 45 seconds
route = internet
procdump = 1
2018-12-04 17:35:01,000 [root] INFO: Date set to: 12-04-18, time set to: 17:35:01
2018-12-04 17:35:01,265 [root] DEBUG: Starting analyzer from: C:\isdniwmr
2018-12-04 17:35:01,265 [root] DEBUG: Storing results at: C:\zzJotAojS
2018-12-04 17:35:01,265 [root] DEBUG: Pipe server name: \\.\PIPE\VcjrYcr
2018-12-04 17:35:01,265 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2018-12-04 17:35:01,279 [root] INFO: Automatically selected analysis package "exe"
2018-12-04 17:35:07,769 [root] DEBUG: Started auxiliary module Browser
2018-12-04 17:35:07,769 [root] DEBUG: Started auxiliary module Curtain
2018-12-04 17:35:07,786 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2018-12-04 17:35:07,786 [root] DEBUG: Started auxiliary module DigiSig
2018-12-04 17:35:07,786 [root] DEBUG: Started auxiliary module Disguise
2018-12-04 17:35:07,786 [root] DEBUG: Started auxiliary module Human
2018-12-04 17:35:07,801 [root] DEBUG: Started auxiliary module Screenshots
2018-12-04 17:35:07,816 [root] DEBUG: Started auxiliary module Sysmon
2018-12-04 17:35:07,816 [root] DEBUG: Started auxiliary module Usage
2018-12-04 17:35:07,816 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2018-12-04 17:35:07,816 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2018-12-04 17:35:09,282 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\wird.exe" with arguments "" with pid 1056
2018-12-04 17:35:10,359 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-12-04 17:35:10,421 [lib.api.process] INFO: 32-bit DLL to inject is C:\isdniwmr\dll\uYUALy.dll, loader C:\isdniwmr\bin\pnvXBuV.exe
2018-12-04 17:35:10,469 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1056
2018-12-04 17:35:12,480 [lib.api.process] INFO: Successfully resumed process with pid 1056
2018-12-04 17:35:12,480 [root] INFO: Added new process to list with pid: 1056
2018-12-04 17:35:12,871 [root] DEBUG: Terminate processes on terminate_event disabled.
2018-12-04 17:35:12,871 [root] DEBUG: Process dumps enabled.
2018-12-04 17:35:13,260 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1056 at 0x74ed0000, image base 0x400000, stack from 0x186000-0x190000
2018-12-04 17:35:13,260 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\wird.exe".
2018-12-04 17:35:13,260 [root] INFO: Monitor successfully loaded in process with pid 1056.
2018-12-04 17:35:13,401 [root] INFO: Disabling sleep skipping.
2018-12-04 17:35:13,401 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1056
2018-12-04 17:35:13,401 [root] DEBUG: GetHookCallerBase: thread 672 (handle 0x0), return address 0x004015B0, allocation base 0x00400000.
2018-12-04 17:35:13,401 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2018-12-04 17:35:13,417 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2018-12-04 17:35:13,417 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001560.
2018-12-04 17:35:13,417 [root] DEBUG: PeParser: Section 1 size too big: 0x11000000
2018-12-04 17:35:13,417 [root] DEBUG: DumpProcess: There was a problem reading one or more sections, the dump may be incomplete.
2018-12-04 17:35:13,433 [root] DEBUG: PeParser::alignAllSectionHeaders: Section 1 size too big: 0x50000000
2018-12-04 17:35:13,433 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2018-12-04 17:35:13,433 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1056
2018-12-04 17:35:13,433 [root] DEBUG: GetHookCallerBase: thread 672 (handle 0x0), return address 0x004015B0, allocation base 0x00400000.
2018-12-04 17:35:13,447 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2018-12-04 17:35:13,447 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2018-12-04 17:35:13,447 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001560.
2018-12-04 17:35:13,447 [root] DEBUG: PeParser: Section 1 size too big: 0x11000000
2018-12-04 17:35:13,463 [root] DEBUG: DumpProcess: There was a problem reading one or more sections, the dump may be incomplete.
2018-12-04 17:35:13,463 [root] DEBUG: PeParser::alignAllSectionHeaders: Section 1 size too big: 0x50000000
2018-12-04 17:35:13,463 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2018-12-04 17:35:13,463 [root] INFO: Notified of termination of process with pid 1056.
2018-12-04 17:35:13,494 [root] INFO: Process with pid 1056 has terminated
2018-12-04 17:35:18,581 [root] INFO: Process list is empty, terminating analysis.
2018-12-04 17:35:19,595 [root] INFO: Created shutdown mutex.
2018-12-04 17:35:20,608 [root] INFO: Shutting down package.
2018-12-04 17:35:20,608 [root] INFO: Stopping auxiliary modules.
2018-12-04 17:35:20,608 [root] INFO: Finishing auxiliary modules.
2018-12-04 17:35:20,608 [root] INFO: Shutting down pipe server and dumping dropped files.
2018-12-04 17:35:20,608 [root] INFO: Analysis completed.

MalScore

2.6

Suspicious

Machine

Name Label Manager Started On Shutdown On
target-05 target-05 ESX 2018-12-04 17:34:54 2018-12-04 17:35:39

File Details

File Name wird.exe
File Size 52226 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a792c67256870507a254e7cac1a1f145
SHA1 88b9d0ffee16411142712472630c7001e6c094f1
SHA256 a1a0cb7e5a7239b7aa69f2d052464c201bd5082d9a8b2aac6997fda5de9a7228
SHA512 20168db11b045c14b2ffbd9207f77f83f1937cc134d89c19d0b675627fdfb0b42288f953fe46b8adf54aea9060b212fce2877d32ef587e6ac7ca603b40a2e038
CRC32 39CEC4B4
Ssdeep 768:ilq36R5C6+T+J98162Vt+QcjOKmHflRcGjRcYJAEuajgQdtpwoWpjcl6s5C8:rM5C6+ibG6c3cSRvn6Utrys28
TrID
  • 42.6% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 19.1% (.EXE) OS/2 Executable (generic) (2029/13)
  • 18.9% (.EXE) Generic Win/DOS Executable (2002/3)
  • 18.9% (.EXE) DOS Executable Generic (2000/1)
  • 0.2% (.VXD) VXD Driver (31/22)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Creates RWX memory
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
kernel32.dll.GetModuleHandleA
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
kernel32.dll.OutputDebugStringA
ntdll.dll._stricmp
ntdll.dll.memset
ntdll.dll.memcpy
kernel32.dll.lstrlenA
kernel32.dll.GlobalAlloc
kernel32.dll.lstrcpyA
kernel32.dll.GetModuleFileNameA
kernel32.dll.lstrcatA
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.CreateProcessA
kernel32.dll.ExitProcess
kernel32.dll.SetCurrentDirectoryA
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.CopyFileA
kernel32.dll.DeleteFileA
kernel32.dll.GetCommandLineA
kernel32.dll.IsDebuggerPresent
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.GetCurrentProcess
kernel32.dll.TerminateProcess
shell32.dll.SHFileOperationA
shell32.dll.ShellExecuteExA
shell32.dll.SHGetFolderPathA
DBWinMutex

PE Information

Image Base 0x00400000
Entry Point 0x00407ae5
Reported Checksum 0x00011db5
Actual Checksum 0x000127c4
Minimum OS Version 4.0
Compile Time 2018-08-26 18:33:50
Import Hash 854f5c205906a0173971cc049c8e0233

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x0000a2da 0x0000a400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.68
.rdata 0x0000c000 0x00001380 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.53
.data 0x0000e000 0x000001d0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.35
.rsrc 0x0000f000 0x00001000 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.07

Overlay

Offset 0x0000cc00
Size 0x00000002

Imports

Library KERNEL32.dll:
0x40c068 VirtualFree
0x40c06c HeapCreate
0x40c070 TlsFree
0x40c074 VirtualProtect
0x40c078 TlsSetValue
0x40c07c TlsAlloc
0x40c080 TlsGetValue
0x40c084 GetStartupInfoA
0x40c088 GetFileType
0x40c08c SetHandleCount
0x40c090 GetConsoleOutputCP
0x40c094 GetModuleFileNameA
0x40c098 GetStdHandle
0x40c09c ExitProcess
0x40c0a4 GetLocalTime
0x40c0ac HeapFree
0x40c0b0 GetThreadLocale
0x40c0b4 GetCurrentProcess
0x40c0b8 HeapAlloc
0x40c0bc LoadLibraryA
Library GDI32.dll:
0x40c22c GetStockObject
0x40c230 CreateSolidBrush
0x40c234 GetObjectW
0x40c240 CreateFontIndirectW
0x40c244 GetDeviceCaps
0x40c248 SetBkMode
0x40c24c SetTextColor
0x40c250 SetBkColor
0x40c254 CreatePalette
0x40c258 DeleteObject
0x40c25c SetDIBitsToDevice
0x40c260 PatBlt
0x40c264 DeleteDC
0x40c268 BitBlt
0x40c26c SelectObject
0x40c270 CreateCompatibleDC
0x40c274 CreateDIBitmap
0x40c278 RealizePalette
0x40c27c SelectPalette
Library COMCTL32.dll:
0x40c2c4 _TrackMouseEvent
0x40c2c8 ImageList_Create
0x40c2d0 ImageList_Destroy
Library IMM32.dll:
0x40c058 ImmGetContext
0x40c05c ImmAssociateContext
0x40c060 ImmReleaseContext
Library ole32.dll:
0x40c284 OleLockRunning
0x40c28c CoCreateInstance
0x40c290 CoGetClassObject
0x40c294 CLSIDFromProgID
0x40c298 CLSIDFromString
0x40c29c OleInitialize
0x40c2a0 CoTaskMemFree
0x40c2a4 StringFromGUID2
0x40c2a8 CoTaskMemAlloc
0x40c2ac OleUninitialize
0x40c2b0 CoUninitialize
0x40c2b4 CoInitialize
0x40c2b8 CoTaskMemRealloc
Library OLEAUT32.dll:
0x40c024 SysFreeString
0x40c028 SysAllocString
0x40c030 SysStringLen
0x40c034 LoadRegTypeLib
0x40c038 LoadTypeLib
0x40c03c VariantClear
0x40c040 VariantInit
0x40c044 SysAllocStringLen
0x40c048 VarBstrCmp
0x40c04c VarUI4FromStr
0x40c050 SysStringByteLen
Library SHELL32.dll:
0x40c220 SHGetDesktopFolder
0x40c224 ShellExecuteW
Library SHLWAPI.dll:
0x40c000 PathCombineW
0x40c004 PathIsRootW
0x40c008 PathStripToRootW
0x40c010 PathAddBackslashW
0x40c014 PathRemoveBlanksW
0x40c018 PathCanonicalizeW
Library USER32.dll:
0x40c0c4 PtInRect
0x40c0c8 ScreenToClient
0x40c0cc GetActiveWindow
0x40c0d8 InvalidateRgn
0x40c0dc FillRect
0x40c0e0 ReleaseCapture
0x40c0e4 SetCapture
0x40c0e8 MoveWindow
0x40c0ec ClientToScreen
0x40c0f4 RedrawWindow
0x40c0f8 GetClassNameW
0x40c0fc IsChild
0x40c100 EndPaint
0x40c104 BeginPaint
0x40c110 LoadImageW
0x40c114 DestroyIcon
0x40c11c MapDialogRect
0x40c120 UnregisterClassA
0x40c124 ShowWindow
0x40c12c SetTimer
0x40c130 GetWindow
0x40c134 GetWindowLongW
0x40c138 MonitorFromWindow
0x40c13c GetMonitorInfoW
0x40c140 GetWindowRect
0x40c144 GetParent
0x40c148 GetCursorPos
0x40c14c MapWindowPoints
0x40c150 SetWindowPos
0x40c154 LoadIconW
0x40c158 GetDesktopWindow
0x40c15c GetSystemMenu
0x40c160 EnableMenuItem
0x40c164 SetFocus
0x40c168 GetFocus
0x40c16c SendMessageW
0x40c170 DestroyWindow
0x40c174 DefWindowProcW
0x40c178 ExitWindowsEx
0x40c17c CharPrevW
0x40c180 CharNextW
0x40c184 DispatchMessageW
0x40c188 TranslateMessage
0x40c18c PeekMessageW
0x40c194 ReleaseDC
0x40c198 GetDC
0x40c19c PostQuitMessage
0x40c1a0 IsDlgButtonChecked
0x40c1a4 GetSysColorBrush
0x40c1a8 InvalidateRect
0x40c1ac SetCursor
0x40c1b0 DrawFocusRect
0x40c1b4 DrawTextW
0x40c1b8 GetDlgItem
0x40c1bc SetDlgItemTextW
0x40c1c0 SendDlgItemMessageW
0x40c1c4 SetWindowTextW
0x40c1c8 CallWindowProcW
0x40c1cc SetWindowLongW
0x40c1d0 DialogBoxParamW
0x40c1d4 CreateDialogParamW
0x40c1d8 CreateWindowExW
0x40c1dc LoadCursorW
0x40c1e0 GetClassInfoExW
0x40c1e4 RegisterClassExW
0x40c1e8 MessageBoxW
0x40c1ec IsWindow
0x40c1f0 GetWindowTextW
0x40c1f4 EnableWindow
0x40c1f8 GetCursor
0x40c1fc EndDialog
0x40c200 GetSysColor
0x40c204 GetClientRect
0x40c208 KillTimer
0x40c20c PostMessageW
0x40c210 IsDialogMessageW
0x40c214 GetSystemMetrics

.text
`.rdata
@.data
.rsrc
LoadLibraryA
GetThreadLocale
GetCurrentProcess
HeapAlloc
HeapFree
GetSystemTimeAsFileTime
GetLocalTime
SetUnhandledExceptionFilter
ExitProcess
GetStdHandle
GetConsoleOutputCP
GetModuleFileNameA
SetHandleCount
GetFileType
GetStartupInfoA
TlsGetValue
TlsAlloc
VirtualProtect
TlsSetValue
TlsFree
HeapCreate
VirtualFree
KERNEL32.dll
CreatePalette
GetStockObject
GetObjectW
SelectPalette
RealizePalette
CreateDIBitmap
CreateCompatibleDC
SelectObject
BitBlt
DeleteDC
PatBlt
SetDIBitsToDevice
DeleteObject
CreateSolidBrush
SetBkColor
SetTextColor
SetBkMode
GetDeviceCaps
CreateFontIndirectW
CreateCompatibleBitmap
GetTextExtentPoint32W
GDI32.dll
InitCommonControlsEx
_TrackMouseEvent
ImageList_Create
ImageList_Destroy
ImageList_ReplaceIcon
COMCTL32.dll
ImmAssociateContext
ImmGetContext
ImmReleaseContext
IMM32.dll
CoInitialize
CoUninitialize
OleUninitialize
CoTaskMemAlloc
StringFromGUID2
OleLockRunning
CreateStreamOnHGlobal
CoCreateInstance
CoGetClassObject
CLSIDFromProgID
CLSIDFromString
OleInitialize
CoTaskMemFree
CoTaskMemRealloc
ole32.dll
OLEAUT32.dll
ShellExecuteW
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHELL32.dll
PathAddBackslashW
PathRemoveBlanksW
PathRemoveBackslashW
PathCanonicalizeW
PathStripToRootW
PathIsRootW
PathCombineW
SHLWAPI.dll
GetDC
ReleaseDC
MsgWaitForMultipleObjects
PeekMessageW
TranslateMessage
DispatchMessageW
CharNextW
CharPrevW
GetSystemMetrics
ExitWindowsEx
DefWindowProcW
DestroyWindow
SendMessageW
GetFocus
SetFocus
EnableMenuItem
GetSystemMenu
GetDesktopWindow
LoadIconW
SetWindowPos
MapWindowPoints
GetClientRect
GetParent
GetWindowRect
GetMonitorInfoW
MonitorFromWindow
GetWindowLongW
GetWindow
PostMessageW
SystemParametersInfoW
ShowWindow
IsDialogMessageW
IsWindow
MessageBoxW
RegisterClassExW
GetClassInfoExW
LoadCursorW
CreateWindowExW
CreateDialogParamW
DialogBoxParamW
SetWindowLongW
CallWindowProcW
SetWindowTextW
SendDlgItemMessageW
SetDlgItemTextW
GetDlgItem
SetTimer
KillTimer
EndDialog
GetSysColor
GetCursor
EnableWindow
GetWindowTextW
DrawTextW
DrawFocusRect
SetCursor
InvalidateRect
GetSysColorBrush
IsDlgButtonChecked
PostQuitMessage
GetCursorPos
PtInRect
ScreenToClient
GetActiveWindow
DialogBoxIndirectParamW
DestroyAcceleratorTable
InvalidateRgn
FillRect
ReleaseCapture
SetCapture
MoveWindow
ClientToScreen
CreateAcceleratorTableW
RedrawWindow
GetClassNameW
IsChild
EndPaint
BeginPaint
GetWindowTextLengthW
RegisterWindowMessageW
LoadImageW
DestroyIcon
SetWindowContextHelpId
MapDialogRect
UnregisterClassA
USER32.dll
About
Microsoft Sans Serif
About
"Updating database with Legacy Presets... Pls wait... "
"Please wait."
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
CompanyName
Creative Technology Limited
FileDescription
ReadReg MFC Application
FileVersion
2, 0, 0, 2
InternalName
ReadReg
LegalCopyright
Copyright (C) 1999-2004
LegalTrademarks
OriginalFilename
ReadReg.EXE
PrivateBuild
ProductName
ReadReg Application
ProductVersion
2, 0, 0, 2
SpecialBuild
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


wird.exe, PID: 1056, Parent PID: 2060
Full Path: C:\Users\user\AppData\Local\Temp\wird.exe
Command Line: "C:\Users\user\AppData\Local\Temp\wird.exe"

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 1.015 seconds )

  • 0.519 Static
  • 0.195 CAPE
  • 0.127 TrID
  • 0.092 TargetInfo
  • 0.038 Deduplicate
  • 0.021 BehaviorAnalysis
  • 0.009 AnalysisInfo
  • 0.007 NetworkAnalysis
  • 0.004 Strings
  • 0.002 Debug
  • 0.001 config_decoder

Signatures ( 0.07 seconds )

  • 0.009 antiav_detectreg
  • 0.008 ransomware_files
  • 0.006 ransomware_extensions
  • 0.005 infostealer_ftp
  • 0.004 browser_security
  • 0.004 infostealer_bitcoin
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 infostealer_mail
  • 0.002 antivm_vbox_files
  • 0.002 antivm_vbox_keys
  • 0.002 geodo_banking_trojan
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_parallels_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 modify_security_center_warnings
  • 0.001 modify_uac_prompt
  • 0.001 recon_fingerprint
  • 0.001 stealth_hiddenreg

Reporting ( 0.016 seconds )

  • 0.016 SubmitCAPE
Task ID 25397
Mongo ID 5c06baeef284886b78b8374f
Cuckoo release 1.3-CAPE