Analysis

Category Package Started Completed Duration
FILE exe 2019-09-11 11:06:27 2019-09-11 11:06:55 28 seconds
dump-on-api = DeleteFileA
route = internet
procdump = 1
2019-09-11 12:06:28,000 [root] INFO: Date set to: 09-11-19, time set to: 11:06:28, timeout set to: 200
2019-09-11 12:06:28,015 [root] DEBUG: Starting analyzer from: C:\gleuhdpeso
2019-09-11 12:06:28,015 [root] DEBUG: Storing results at: C:\eAUrGa
2019-09-11 12:06:28,015 [root] DEBUG: Pipe server name: \\.\PIPE\mARrYNi
2019-09-11 12:06:28,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-09-11 12:06:28,015 [root] INFO: Automatically selected analysis package "exe"
2019-09-11 12:06:28,390 [root] DEBUG: Started auxiliary module Browser
2019-09-11 12:06:28,390 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 12:06:28,390 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-09-11 12:06:28,811 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-09-11 12:06:28,811 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 12:06:28,811 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 12:06:28,811 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 12:06:28,811 [root] DEBUG: Started auxiliary module Human
2019-09-11 12:06:28,811 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 12:06:28,811 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 12:06:28,825 [root] DEBUG: Started auxiliary module Usage
2019-09-11 12:06:28,825 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-09-11 12:06:28,825 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-09-11 12:06:28,858 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\Normal.exe" with arguments "" with pid 1988
2019-09-11 12:06:28,858 [lib.api.process] INFO: Option 'dump-on-api' with value 'DeleteFileA' sent to monitor
2019-09-11 12:06:28,858 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-09-11 12:06:28,858 [lib.api.process] INFO: 32-bit DLL to inject is C:\gleuhdpeso\dll\psnBqNh.dll, loader C:\gleuhdpeso\bin\SopxYAS.exe
2019-09-11 12:06:28,888 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\mARrYNi.
2019-09-11 12:06:28,888 [root] DEBUG: Loader: Injecting process 1988 (thread 1332) with C:\gleuhdpeso\dll\psnBqNh.dll.
2019-09-11 12:06:28,888 [root] DEBUG: Process image base: 0x00400000
2019-09-11 12:06:28,888 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\gleuhdpeso\dll\psnBqNh.dll.
2019-09-11 12:06:28,904 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00413000 - 0x77110000
2019-09-11 12:06:28,904 [root] DEBUG: InjectDllViaIAT: Allocated 0x218 bytes for new import table at 0x00420000.
2019-09-11 12:06:28,904 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 12:06:28,904 [root] DEBUG: Successfully injected DLL C:\gleuhdpeso\dll\psnBqNh.dll.
2019-09-11 12:06:28,904 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1988
2019-09-11 12:06:30,917 [lib.api.process] INFO: Successfully resumed process with pid 1988
2019-09-11 12:06:30,917 [root] INFO: Added new process to list with pid: 1988
2019-09-11 12:06:30,963 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 12:06:30,963 [root] DEBUG: Added 'DeleteFileA' to dump-on-API list.
2019-09-11 12:06:30,963 [root] DEBUG: Process dumps enabled.
2019-09-11 12:06:31,042 [root] INFO: Disabling sleep skipping.
2019-09-11 12:06:31,042 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 12:06:31,042 [root] INFO: Disabling sleep skipping.
2019-09-11 12:06:31,042 [root] INFO: Disabling sleep skipping.
2019-09-11 12:06:31,042 [root] INFO: Disabling sleep skipping.
2019-09-11 12:06:31,042 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1988 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 12:06:31,042 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\Normal.exe".
2019-09-11 12:06:31,042 [root] INFO: Monitor successfully loaded in process with pid 1988.
2019-09-11 12:06:31,243 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-09-11 12:06:31,243 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-09-11 12:06:31,243 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-09-11 12:06:32,257 [root] DEBUG: DLL unloaded from 0x758B0000.
2019-09-11 12:06:32,257 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1988
2019-09-11 12:06:32,257 [root] DEBUG: GetHookCallerBase: thread 1332 (handle 0x0), return address 0x00401265, allocation base 0x00400000.
2019-09-11 12:06:32,257 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-09-11 12:06:32,257 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-09-11 12:06:32,257 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000A820.
2019-09-11 12:06:32,273 [root] INFO: Added new CAPE file to list with path: C:\eAUrGa\CAPE\1988_70472165032461911392019
2019-09-11 12:06:32,273 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8400.
2019-09-11 12:06:32,273 [root] DEBUG: DLL unloaded from 0x75140000.
2019-09-11 12:06:32,273 [root] INFO: Notified of termination of process with pid 1988.
2019-09-11 12:06:32,944 [root] INFO: Process with pid 1988 has terminated
2019-09-11 12:06:38,015 [root] INFO: Process list is empty, terminating analysis.
2019-09-11 12:06:39,029 [root] INFO: Created shutdown mutex.
2019-09-11 12:06:40,042 [root] INFO: Shutting down package.
2019-09-11 12:06:40,042 [root] INFO: Stopping auxiliary modules.
2019-09-11 12:06:40,042 [root] INFO: Finishing auxiliary modules.
2019-09-11 12:06:40,042 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 12:06:40,042 [root] WARNING: File at path "C:\eAUrGa\debugger" does not exist, skip.
2019-09-11 12:06:40,042 [root] INFO: Analysis completed.

MalScore

3.5

Suspicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-09-11 11:06:27 2019-09-11 11:06:54

File Details

File Name Normal.exe
File Size 12288 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 f465c119d30ec9cd56f9ed01a31e5d49
SHA1 8988030bbc134ce41e316495b8e346c0d0cbc697
SHA256 e5abbdadca4f29348ec9aae6c87ec85ea3ba630500512aafbdddb8449e37a5cb
SHA512 34215949735a67ce61ebb8e375a4390267932f39dcfc4c7fd42b6143d105786aaaca688927457bd8d189ae70f01f9f3b7b72bc7554f10674a3211077f05e7d12
CRC32 E0E62EB8
Ssdeep 192:honyGKm6WeCJ0J7jgqp3YVr3Dyo9ENgl2q8x6XyNuuW4CEmKfMh4sNJGlAY:hoyGKm6WeCJ0J4QIhF6Wy/kKUrJGln
TrID
  • 38.2% (.EXE) UPX compressed Win32 Executable (27066/9/6)
  • 37.5% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
  • 9.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 6.3% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.8% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara

Signatures

Possible date expiration check, exits too soon after checking local time
process: Normal.exe, PID 1988
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/GetCurrentDirectoryA
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/GetStringTypeA
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/LCMapStringA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetCommandLineA
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/FreeEnvironmentStringsA
DynamicLoader: kernel32.dll/FreeEnvironmentStringsW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/GetEnvironmentStrings
DynamicLoader: kernel32.dll/GetEnvironmentStringsW
DynamicLoader: kernel32.dll/SetHandleCount
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/GetEnvironmentVariableA
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/RtlUnwind
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetCPInfo
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/GetOEMCP
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/GetStringTypeW
DynamicLoader: USER32.dll/GetDesktopWindow
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: OLEAUT32.dll/#500 (resolved by ordinal, no export name; see the Resolved APIs list)
The binary likely contains encrypted or compressed data.
section: name: UPX1, entropy: 7.84, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00002a00, virtual_size: 0x00003000
The executable is compressed using UPX
section: name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00007000

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

Files

C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Users\user\AppData\Local\Temp\2.txt

Read Files

C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Users\user\AppData\Local\Temp\2.txt

Keys

DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Normal.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Read Keys

DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Resolved APIs

kernel32.dll.DeleteFileA
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.GetCurrentThread
kernel32.dll.GetStringTypeA
kernel32.dll.LCMapStringW
kernel32.dll.LCMapStringA
kernel32.dll.GetModuleHandleA
kernel32.dll.GetStartupInfoA
kernel32.dll.GetCommandLineA
kernel32.dll.GetVersion
kernel32.dll.ExitProcess
kernel32.dll.TerminateProcess
kernel32.dll.GetCurrentProcess
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.GetModuleFileNameA
kernel32.dll.FreeEnvironmentStringsA
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.WideCharToMultiByte
kernel32.dll.GetEnvironmentStrings
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.SetHandleCount
kernel32.dll.GetStdHandle
kernel32.dll.GetFileType
kernel32.dll.GetEnvironmentVariableA
kernel32.dll.GetVersionExA
kernel32.dll.HeapDestroy
kernel32.dll.HeapCreate
kernel32.dll.VirtualFree
kernel32.dll.HeapFree
kernel32.dll.RtlUnwind
kernel32.dll.WriteFile
kernel32.dll.GetCPInfo
kernel32.dll.GetACP
kernel32.dll.GetOEMCP
kernel32.dll.HeapAlloc
kernel32.dll.VirtualAlloc
kernel32.dll.HeapReAlloc
kernel32.dll.GetProcAddress
kernel32.dll.LoadLibraryA
kernel32.dll.MultiByteToWideChar
kernel32.dll.GetStringTypeW
user32.dll.GetDesktopWindow
user32.dll.MessageBoxA
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
gdi32.dll.GdiIsMetaPrintDC
ole32.dll.CoCreateInstance
oleaut32.dll.#500

Mutexes

Local\MSCTF.Asm.MutexDefault1

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x0040a820
Reported Checksum 0x00000000
Actual Checksum 0x000076cf
Minimum OS Version 4.0
Compile Time 2019-06-10 11:00:37
Import Hash 2b07ba9c1e54b04624dfdda69d875a1d

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
UPX0 0x00001000 0x00007000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
UPX1 0x00008000 0x00003000 0x00002a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.84
UPX2 0x0000b000 0x00001000 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.07
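
The two packer signatures earlier on this page (an executable section with entropy 7.84, and a UPX0 section with no raw data but 0x7000 bytes of writable, executable virtual space) follow directly from the section table above. The Python below is an added example, not CAPE's own code: it walks the section table of a PE32 by hand (no pefile dependency), computes per-section Shannon entropy, and applies the same heuristics. The PE it analyses is constructed inline to mirror the UPX0/UPX1 geometry in the table (names, sizes and flags copied from the report); the UPX1 contents are a synthetic uniform byte pattern standing in for compressed data, not the sample's bytes, so its entropy comes out at exactly 8.0 rather than 7.84.

```python
"""Section entropy and packer heuristics for a PE32 file, without pefile.

Added example (not CAPE's code). make_sample_pe() builds a synthetic PE that
copies the UPX0/UPX1 section geometry from the report; its UPX1 payload is a
constructed uniform byte pattern standing in for compressed data.
"""
import math
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in counts if c)
    return h if h > 0 else 0.0


def parse_sections(pe: bytes) -> list:
    """Walk the section table of a PE32/PE32+ image and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_opt                      # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]  # Characteristics field
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
            "characteristics": chars, "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packer_findings(sections: list, entropy_threshold: float = 7.0) -> list:
    """The heuristics behind the report's two signatures, plus the UPX name check."""
    findings = []
    for s in sections:
        exe = bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
        wr = bool(s["characteristics"] & IMAGE_SCN_MEM_WRITE)
        if s["name"].upper().startswith("UPX"):
            findings.append(f"{s['name']}: UPX section name")
        if exe and s["entropy"] >= entropy_threshold:
            findings.append(f"{s['name']}: executable section with entropy {s['entropy']} "
                            "(likely compressed or encrypted)")
        if exe and wr and s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes virtual, "
                            "writable+executable (unpacking target)")
    return findings


def make_sample_pe() -> bytes:
    """Constructed PE32 with the report's UPX0/UPX1 geometry (synthetic payload)."""
    raw_ptr = 0x400
    payload = bytes(range(256)) * 42          # 0x2a00 bytes, uniform -> entropy 8.0
    pe = bytearray(raw_ptr + len(payload))
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                      # e_lfanew
    struct.pack_into("<4sHH", pe, 0x80, b"PE\0\0", 0x14C, 2)    # signature, i386, 2 sections
    struct.pack_into("<H", pe, 0x80 + 4 + 16, 0xE0)             # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x80 + 4 + 20, 0x10B)            # Magic = PE32
    table = 0x80 + 4 + 20 + 0xE0
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    # UPX0: 0x7000 bytes virtual, nothing on disk (the stub unpacks into it at run time)
    struct.pack_into("<8sIIII", pe, table, b"UPX0", 0x7000, 0x1000, 0, 0)
    struct.pack_into("<I", pe, table + 36, IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx)
    # UPX1: 0x2a00 bytes of packed data on disk, 0x3000 virtual
    struct.pack_into("<8sIIII", pe, table + 40, b"UPX1", 0x3000, 0x8000, len(payload), raw_ptr)
    struct.pack_into("<I", pe, table + 40 + 36, IMAGE_SCN_CNT_INITIALIZED_DATA | rwx)
    pe[raw_ptr:raw_ptr + len(payload)] = payload
    return bytes(pe)


if __name__ == "__main__":
    secs = parse_sections(make_sample_pe())
    for s in secs:
        print(f"{s['name']:<6} va={s['virtual_address']:#010x} vsize={s['virtual_size']:#x} "
              f"raw={s['raw_size']:#x} entropy={s['entropy']}")
    for f in packer_findings(secs):
        print("!", f)
```

Run against a real file, replace make_sample_pe() with open(path, "rb").read(); the entropy threshold of 7.0 is a common cut-off, and the zero-raw-size RWX check is what distinguishes a packer's unpack target from an ordinary .bss section, which is not executable.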

Imports

Library KERNEL32.DLL:
0x40b03c LoadLibraryA
0x40b040 GetProcAddress
0x40b044 VirtualProtect
0x40b048 VirtualAlloc
0x40b04c VirtualFree
0x40b050 ExitProcess
Library USER32.dll:
0x40b058 MessageBoxA
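
The DynamicLoader signature earlier on this page lists more than sixty APIs resolved at run time, while the static import table above holds seven. That is the shape of a UPX stub: it imports only what it needs (LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess) to rebuild the real import table after unpacking. The Python below is an added example, not CAPE's signature code: it parses both lists in the layout this report uses (a subset transcribed inline as constructed input), reports the APIs reachable only at run time, grouped by DLL, and flags an assumed watchlist of names worth a second look. DeleteFileA is the hit that matters here, since the task was configured to dump on it.

```python
"""Static imports vs. run-time resolved APIs (CAPE DynamicLoader lines).

Added example, not CAPE's signature code. The two text blobs are subsets
transcribed from the report; WATCHLIST is an assumed list of APIs worth a
second look when they are reachable only through GetProcAddress.
"""
import re
from collections import defaultdict

STATIC_IMPORTS = """\
Library KERNEL32.DLL:
0x40b03c LoadLibraryA
0x40b040 GetProcAddress
0x40b044 VirtualProtect
0x40b048 VirtualAlloc
0x40b04c VirtualFree
0x40b050 ExitProcess
Library USER32.dll:
0x40b058 MessageBoxA
"""

DYNAMIC_LOADER = """\
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: OLEAUT32.dll/
"""

WATCHLIST = {"deletefilea", "deletefilew", "virtualprotect",
             "writeprocessmemory", "createremotethread"}  # assumed, not from the report


def norm_dll(name: str) -> str:
    """kernel32.dll / KERNEL32.DLL / kernel32 -> 'kernel32'."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".dll") else name


def parse_static_imports(text: str) -> set:
    """(dll, api) pairs from the report's 'Imports' layout."""
    pairs, lib = set(), None
    for line in text.splitlines():
        m = re.match(r"Library\s+(\S+):", line)
        if m:
            lib = norm_dll(m.group(1))
            continue
        m = re.match(r"0x[0-9a-fA-F]+\s+(\S+)", line)
        if m and lib:
            pairs.add((lib, m.group(1).lower()))
    return pairs


def parse_dynamic_loader(text: str) -> set:
    """(dll, api) pairs from 'DynamicLoader: dll/api' lines. A missing name
    (ordinal import, shown as 'OLEAUT32.dll/' in the report) is kept as '#ordinal'."""
    pairs = set()
    for line in text.splitlines():
        m = re.match(r"DynamicLoader:\s+([^/]+)/(\S*)", line)
        if m:
            pairs.add((norm_dll(m.group(1)), m.group(2).lower() or "#ordinal"))
    return pairs


def compare(static_text: str, dynamic_text: str) -> dict:
    """Which run-time resolved APIs never appear in the static import table."""
    static = parse_static_imports(static_text)
    dynamic = parse_dynamic_loader(dynamic_text)
    hidden = dynamic - static          # resolved at run time, invisible to static tools
    by_dll = defaultdict(set)
    for dll, api in hidden:
        by_dll[dll].add(api)
    return {
        "static_count": len(static),
        "dynamic_count": len(dynamic),
        "hidden_ratio": round(len(hidden) / len(dynamic), 2) if dynamic else 0.0,
        "hidden_by_dll": {d: sorted(a) for d, a in sorted(by_dll.items())},
        "watchlist_hits": sorted(api for _, api in hidden if api in WATCHLIST),
    }


if __name__ == "__main__":
    r = compare(STATIC_IMPORTS, DYNAMIC_LOADER)
    print(f"static imports: {r['static_count']}, resolved at run time: {r['dynamic_count']}, "
          f"hidden ratio: {r['hidden_ratio']}")
    for dll, apis in r["hidden_by_dll"].items():
        print(f"  {dll}: {', '.join(apis)}")
    print("watchlist hits:", r["watchlist_hits"])
```

Fed the full DynamicLoader list from this report, the hidden ratio approaches 1.0, which is the usual reading of "Dynamic (imported) function loading detected" on a packed binary; on an unpacked program most run-time resolutions come from the CRT and system DLLs, not the sample's own code.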

Strings

AP_SELECTED
sageBoxA
=Modu
NamkFgI
KERNEL32.DLL
USER32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
MessageBoxA

VirusTotal

This file is not on VirusTotal.

Process Tree


Normal.exe, PID: 1988, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\Normal.exe
Command Line: "C:\Users\user\AppData\Local\Temp\Normal.exe"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No Suricata extracted files.

JA3

No JA3 hashes found.

Dropped Files

No dropped files.

CAPE Extracted Payloads

Type UPX-extracted 32-bit executable
Size 36864 bytes
MD5 a7ebf35dbfbae7ea61c4844628d26602
SHA1 1ad4bdaa01e8575a4f5263adcda69f1cb6b3bd0f
SHA256 a029085f52243cb2a252991ad43aec6d971a96cffc92c0ce5431c98ae0e923b0
CRC32 A3C61268
Ssdeep 384:0RxMmc3iTpCdL1PDjur69nCcydzJJqo5BR:0bXcOQfZCcszJYo5b
Yara None matched
CAPE Yara None matched

Process Dumps

Process Name Normal.exe
PID 1988
Dump Size 33792 bytes
Module Path C:\Users\user\AppData\Local\Temp\Normal.exe
Type PE image: executable
MD5 bfb7158e6dfded54473e157c47997547
SHA1 8eed4dfd9933c9c19a557d7334a5339b97bcf2d6
SHA256 e3115d4d41c8cc6aa32542813b23a431a23b8dcca43a9f40551517cfddf7fa55
CRC32 3AB2A39E
Ssdeep 384:jRxMmc3iTpCdL1PDjur69nCcyZTP3CAyPZg1Wy/kKUrJGl0:jbXcOQfZCc8TP3CbRg1WgUJG
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename e3115d4d41c8cc6aa32542813b23a431a23b8dcca43a9f40551517cfddf7fa55


Processing ( 0.761 seconds )

  • 0.347 Static
  • 0.135 CAPE
  • 0.092 Deduplicate
  • 0.083 TrID
  • 0.041 BehaviorAnalysis
  • 0.028 ProcDump
  • 0.02 TargetInfo
  • 0.007 NetworkAnalysis
  • 0.006 AnalysisInfo
  • 0.001 Debug
  • 0.001 Strings

Signatures ( 0.053 seconds )

  • 0.011 antiav_detectreg
  • 0.006 ransomware_files
  • 0.004 infostealer_ftp
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 antidbg_windows
  • 0.002 persistence_autorun
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 api_spamming
  • 0.001 decoy_document
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn

Reporting ( 0.0 seconds )

Task ID 90405
Mongo ID 5d78d552285182853562ed36
Cuckoo release 1.3-CAPE