Analysis

Category Package Started Completed Duration
FILE Extraction 2019-09-11 12:18:08 2019-09-11 12:18:55 47 seconds

Options
route = internet
procdump = 0

Log
2019-09-11 13:18:09,000 [root] INFO: Date set to: 09-11-19, time set to: 12:18:09, timeout set to: 200
2019-09-11 13:18:09,015 [root] DEBUG: Starting analyzer from: C:\eihkx
2019-09-11 13:18:09,015 [root] DEBUG: Storing results at: C:\yPFjZQPg
2019-09-11 13:18:09,015 [root] DEBUG: Pipe server name: \\.\PIPE\snFkeLe
2019-09-11 13:18:09,015 [root] INFO: Analysis package "Extraction" has been specified.
2019-09-11 13:18:09,390 [root] DEBUG: Started auxiliary module Browser
2019-09-11 13:18:09,390 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 13:18:09,390 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-09-11 13:18:12,322 [modules.auxiliary.digisig] DEBUG: File has a valid signature.
2019-09-11 13:18:12,322 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 13:18:12,322 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 13:18:12,338 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 13:18:12,338 [root] DEBUG: Started auxiliary module Human
2019-09-11 13:18:12,338 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 13:18:12,338 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 13:18:12,338 [root] DEBUG: Started auxiliary module Usage
2019-09-11 13:18:12,338 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-09-11 13:18:12,338 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2019-09-11 13:18:12,368 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\InstaladorEmpresarialSicoob.exe" with arguments "" with pid 1648
2019-09-11 13:18:12,368 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-09-11 13:18:12,368 [lib.api.process] INFO: 32-bit DLL to inject is C:\eihkx\dll\DsPpYVb.dll, loader C:\eihkx\bin\AMGMEcN.exe
2019-09-11 13:18:12,384 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\snFkeLe.
2019-09-11 13:18:12,384 [root] DEBUG: Loader: Injecting process 1648 (thread 992) with C:\eihkx\dll\DsPpYVb.dll.
2019-09-11 13:18:12,384 [root] DEBUG: Process image base: 0x00B80000
2019-09-11 13:18:12,384 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\eihkx\dll\DsPpYVb.dll.
2019-09-11 13:18:12,384 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00C08000 - 0x77110000
2019-09-11 13:18:12,384 [root] DEBUG: InjectDllViaIAT: Allocated 0x188 bytes for new import table at 0x00C10000.
2019-09-11 13:18:12,384 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 13:18:12,384 [root] DEBUG: Successfully injected DLL C:\eihkx\dll\DsPpYVb.dll.
2019-09-11 13:18:12,384 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1648
2019-09-11 13:18:14,397 [lib.api.process] INFO: Successfully resumed process with pid 1648
2019-09-11 13:18:14,397 [root] INFO: Added new process to list with pid: 1648
2019-09-11 13:18:14,427 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 13:18:14,427 [root] DEBUG: Process dumps disabled.
2019-09-11 13:18:14,474 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 13:18:14,474 [root] INFO: Disabling sleep skipping.
2019-09-11 13:18:14,474 [root] INFO: Disabling sleep skipping.
2019-09-11 13:18:14,474 [root] INFO: Disabling sleep skipping.
2019-09-11 13:18:14,474 [root] INFO: Disabling sleep skipping.
2019-09-11 13:18:14,490 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-09-11 13:18:14,490 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x110000
2019-09-11 13:18:14,490 [root] DEBUG: Debugger initialised.
2019-09-11 13:18:14,490 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1648 at 0x747e0000, image base 0xb80000, stack from 0x3d6000-0x3e0000
2019-09-11 13:18:14,490 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\InstaladorEmpresarialSicoob.exe".
2019-09-11 13:18:14,490 [root] DEBUG: AddTrackedRegion: EntryPoint 0x7073, Entropy 7.330840e+00
2019-09-11 13:18:14,490 [root] DEBUG: AddTrackedRegion: Region at 0x00B80000 size 0x1000 added to tracked regions.
2019-09-11 13:18:14,490 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-09-11 13:18:14,490 [root] INFO: Monitor successfully loaded in process with pid 1648.
2019-09-11 13:18:24,506 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-09-11 13:18:24,506 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-09-11 13:18:24,506 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1c939, Entropy 7.016182e+00
2019-09-11 13:18:24,506 [root] DEBUG: AddTrackedRegion: Region at 0x10000000 size 0x34400 added to tracked regions.
2019-09-11 13:18:24,506 [root] DEBUG: ProtectionHandler: Address: 0x10001000 (alloc base 0x10000000), NumberOfBytesToProtect: 0x33400, NewAccessProtection: 0x20
2019-09-11 13:18:24,506 [root] DEBUG: ProtectionHandler: New code detected at (0x10000000), scanning for PE images.
2019-09-11 13:18:24,506 [root] DEBUG: DumpPEsInRange: Scanning range 0x10000000 - 0x10034400.
2019-09-11 13:18:24,506 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x10000000
2019-09-11 13:18:24,506 [root] DEBUG: DumpPEsInRange: PE image at 0x10000000, dumping
2019-09-11 13:18:24,506 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-09-11 13:18:24,522 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x10000000.
2019-09-11 13:18:24,522 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001C939.
2019-09-11 13:18:24,552 [root] INFO: Added new CAPE file to list with path: C:\yPFjZQPg\CAPE\1648_55066959224181211392019
2019-09-11 13:18:24,552 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x69c00.
2019-09-11 13:18:24,552 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x10000001-0x10034400.
2019-09-11 13:18:24,552 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x10000000.
2019-09-11 13:18:24,552 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x10000000 - 0x10034400.
2019-09-11 13:18:24,552 [root] DEBUG: set_caller_info: Adding region at 0x10000000 to caller regions list.
2019-09-11 13:18:24,568 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\Shell32 (0xc4a000 bytes).
2019-09-11 13:18:26,019 [root] DEBUG: NewThreadHandler: Address: 0x10005410.
2019-09-11 13:18:26,019 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x10000000 - 0x10034400.
2019-09-11 13:18:26,019 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3024.
2019-09-11 13:18:26,019 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 13:18:26,019 [root] DEBUG: NewThreadHandler: Address: 0x1000C630.
2019-09-11 13:18:26,019 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x10000000 - 0x10034400.
2019-09-11 13:18:26,019 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2872.
2019-09-11 13:18:26,019 [root] DEBUG: NewThreadHandler: Address: 0x100041D0.
2019-09-11 13:18:26,019 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x10000000 - 0x10034400.
2019-09-11 13:18:26,019 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2812.
2019-09-11 13:18:26,035 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-09-11 13:18:26,035 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-09-11 13:18:26,035 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-09-11 13:18:26,049 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-09-11 13:18:26,065 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-09-11 13:18:26,082 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2019-09-11 13:18:26,082 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-09-11 13:18:26,128 [root] DEBUG: DLL loaded at 0x74990000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-09-11 13:18:26,128 [root] DEBUG: DLL loaded at 0x74980000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-09-11 13:18:26,674 [root] DEBUG: NewThreadHandler: Address: 0x10003DF0.
2019-09-11 13:18:26,674 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x10000000 - 0x10034400.
2019-09-11 13:18:26,674 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2916.
2019-09-11 13:18:30,901 [root] DEBUG: NewThreadHandler: Address: 0x1000E9C0.
2019-09-11 13:18:30,901 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x10000000 - 0x10034400.
2019-09-11 13:18:30,901 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2908.
2019-09-11 13:18:30,901 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1648).
2019-09-11 13:18:30,901 [root] INFO: Notified of termination of process with pid 1648.
2019-09-11 13:18:31,634 [root] INFO: Process with pid 1648 has terminated
2019-09-11 13:18:36,704 [root] INFO: Process list is empty, terminating analysis.
2019-09-11 13:18:37,719 [root] INFO: Created shutdown mutex.
2019-09-11 13:18:38,733 [root] INFO: Shutting down package.
2019-09-11 13:18:38,733 [root] INFO: Stopping auxiliary modules.
2019-09-11 13:18:38,733 [root] INFO: Finishing auxiliary modules.
2019-09-11 13:18:38,733 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 13:18:38,733 [root] WARNING: File at path "C:\yPFjZQPg\debugger" does not exist, skip.
2019-09-11 13:18:38,733 [root] INFO: Analysis completed.

MalScore

4.3

Suspicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-09-11 12:18:09 2019-09-11 12:18:55

File Details

File Name InstaladorEmpresarialSicoob.exe
File Size 546200 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 54d43b4e6d7f6bc87bdfca1e8ff4b88d
SHA1 322fb1d36300e20db3c74e23ea9fc7d11ad0b6f8
SHA256 23410e0d564fdd58f0b140e2f1b4a2a359599ee66129fc076ca3bfea2369515f
SHA512 ffa92518758a649d9630caa71ce56ec3a5f124ede2137d3629e13f7da45061cc5a163d8b4f91eb6efbd8f9d9b09c5b803f877691b96fd2719a45c061c6a97546
CRC32 B1A52854
Ssdeep 12288:5Pe0k88lXANNEKTbYuM6ciiiiiPiiigJiiiihiiii7TiiUiii/i4hPbbbbbbbbby:5m1DlXAJTjM3iiiiiPiiigJiiiihiiif
TrID
  • 72.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 11.8% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 5.3% (.EXE) OS/2 Executable (generic) (2029/13)
  • 5.2% (.EXE) Generic Win/DOS Executable (2002/3)
  • 5.2% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/AreFileApisANSI
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VerSetConditionMask
DynamicLoader: kernel32.dll/VerifyVersionInfoW
DynamicLoader: kernel32.dll/WriteConsoleW
DynamicLoader: kernel32.dll/HeapSize
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/FreeEnvironmentStringsW
DynamicLoader: kernel32.dll/GetEnvironmentStringsW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/GetCommandLineA
DynamicLoader: kernel32.dll/GetOEMCP
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/IsValidCodePage
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/FindFirstFileExW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/SetStdHandle
DynamicLoader: kernel32.dll/EnumSystemLocalesW
DynamicLoader: kernel32.dll/GetUserDefaultLCID
DynamicLoader: kernel32.dll/IsValidLocale
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetWindowsDirectoryA
DynamicLoader: kernel32.dll/GetVolumeInformationA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/TlsFree
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/GetLocaleInfoW
DynamicLoader: kernel32.dll/GetStringTypeW
DynamicLoader: kernel32.dll/GetCPInfo
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/GetStartupInfoW
DynamicLoader: kernel32.dll/QueryPerformanceCounter
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/InitializeSListHead
DynamicLoader: kernel32.dll/RtlUnwind
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/InterlockedFlushSList
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetModuleHandleExW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/ReadConsoleW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetConsoleCP
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetFileSizeEx
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/UpdateWindow
DynamicLoader: USER32.dll/GetKeyState
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/IsWindowVisible
DynamicLoader: USER32.dll/keybd_event
DynamicLoader: USER32.dll/MapVirtualKeyA
DynamicLoader: USER32.dll/GetDesktopWindow
DynamicLoader: USER32.dll/GetClassNameA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/GetWindowTextA
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/GetDC
DynamicLoader: USER32.dll/SetWindowRgn
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/CreateDIBSection
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: GDI32.dll/CreateRectRgn
DynamicLoader: GDI32.dll/BitBlt
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/InitOnceExecuteOnce
DynamicLoader: kernel32.dll/CreateEventExW
DynamicLoader: kernel32.dll/CreateSemaphoreW
DynamicLoader: kernel32.dll/CreateSemaphoreExW
DynamicLoader: kernel32.dll/CreateThreadpoolTimer
DynamicLoader: kernel32.dll/SetThreadpoolTimer
DynamicLoader: kernel32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: kernel32.dll/CloseThreadpoolTimer
DynamicLoader: kernel32.dll/CreateThreadpoolWait
DynamicLoader: kernel32.dll/SetThreadpoolWait
DynamicLoader: kernel32.dll/CloseThreadpoolWait
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: kernel32.dll/GetCurrentProcessorNumber
DynamicLoader: kernel32.dll/CreateSymbolicLinkW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: kernel32.dll/GetFileInformationByHandleEx
DynamicLoader: kernel32.dll/SetFileInformationByHandle
DynamicLoader: kernel32.dll/GetSystemTimePreciseAsFileTime
DynamicLoader: kernel32.dll/InitializeConditionVariable
DynamicLoader: kernel32.dll/WakeConditionVariable
DynamicLoader: kernel32.dll/WakeAllConditionVariable
DynamicLoader: kernel32.dll/SleepConditionVariableCS
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/TryAcquireSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/SleepConditionVariableSRW
DynamicLoader: kernel32.dll/CreateThreadpoolWork
DynamicLoader: kernel32.dll/SubmitThreadpoolWork
DynamicLoader: kernel32.dll/CloseThreadpoolWork
DynamicLoader: kernel32.dll/CompareStringEx
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/AreFileApisANSI
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: USER32.dll/AttachThreadInput
DynamicLoader: GDI32.dll/BitBlt
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WS2_32.dll/connect
DynamicLoader: GDI32.dll/CreateCompatibleBitmap
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: GDI32.dll/CreateDIBSection
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/GetAsyncKeyState
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: USER32.dll/GetCursorPos
DynamicLoader: kernel32.dll/GetFileAttributesA
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: WS2_32.dll/gethostbyname
DynamicLoader: kernel32.dll/GetLocaleInfoA
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/GetTopWindow
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: USER32.dll/GetWindow
DynamicLoader: USER32.dll/GetWindowTextA
DynamicLoader: USER32.dll/GetWindowLongA
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/IsWindowVisible
DynamicLoader: USER32.dll/LoadKeyboardLayoutA
DynamicLoader: USER32.dll/MapVirtualKeyA
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: USER32.dll/PostMessageA
DynamicLoader: USER32.dll/PostQuitMessage
DynamicLoader: USER32.dll/PrintWindow
DynamicLoader: kernel32.dll/Process32First
DynamicLoader: kernel32.dll/Process32Next
DynamicLoader: WS2_32.dll/recv
DynamicLoader: USER32.dll/RegisterClassA
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: USER32.dll/ScreenToClient
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: WS2_32.dll/send
DynamicLoader: USER32.dll/SendInput
DynamicLoader: USER32.dll/SetCursorPos
DynamicLoader: USER32.dll/SetKeyboardState
DynamicLoader: USER32.dll/SetWindowLongA
DynamicLoader: WS2_32.dll/socket
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/UnloadKeyboardLayout
DynamicLoader: USER32.dll/VkKeyScanExA
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: USER32.dll/WindowFromPoint
DynamicLoader: WS2_32.dll/WSAStartup
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: USER32.dll/SetWindowRgn
DynamicLoader: GDI32.dll/CreateRectRgn
DynamicLoader: GDI32.dll/CreateEllipticRgn
DynamicLoader: GDI32.dll/CombineRgn
DynamicLoader: USER32.dll/SendMessageA
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/GetKeyboardState
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: Shell32.dll/SHGetFolderPathA
DynamicLoader: USER32.dll/SetWindowTextA
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/SetCursor
DynamicLoader: USER32.dll/LoadCursorA
DynamicLoader: USER32.dll/BeginPaint
DynamicLoader: USER32.dll/GetDesktopWindow
DynamicLoader: USER32.dll/EndPaint
DynamicLoader: USER32.dll/SetWindowPos
DynamicLoader: GDI32.dll/CreateFontA
DynamicLoader: USER32.dll/UpdateWindow
DynamicLoader: COMCTL32.dll/InitCommonControls
DynamicLoader: USER32.dll/LoadIconA
DynamicLoader: USER32.dll/GetDC
DynamicLoader: USER32.dll/RegisterClassExA
DynamicLoader: USER32.dll/FindWindowExA
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: USER32.dll/GetClassNameA
DynamicLoader: USER32.dll/EnableWindow
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: kernel32.dll/IsWow64Process
CAPE extracted potentially suspicious content
InstaladorEmpresarialSicoob.exe: Extracted PE Image: 32-bit DLL
Performs some HTTP requests
url: http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D
url: http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCEA3q7VdxckXFv1rnXF31nIk%3D
url: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
url: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 7.62, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00066200, virtual_size: 0x000660c0

Hosts

Direct IP Country Name
Y 89.207.131.177 Netherlands
Y 8.8.8.8 United States
N 23.42.27.27 Netherlands
N 23.37.43.27 Netherlands
N 2.21.98.11 Austria
N 104.18.10.39 United States

DNS

Name Response Post-Analysis Lookup
s.symcd.com                      CNAME ocsp-ds.ws.symantec.com.edgekey.net
                                 CNAME e8218.dscb1.akamaiedge.net
                                 A 23.37.43.27
sw.symcd.com                     A 23.42.27.27
cacerts.digicert.com             A 104.18.10.39
                                 A 104.18.11.39
                                 CNAME cdn.digicertcdn.com
www.download.windowsupdate.com   A 2.21.98.32
                                 A 2.21.98.11
                                 CNAME 2-01-3cf7-0009.cdx.cedexis.net
                                 A 2.21.98.43
                                 A 2.21.98.42
                                 CNAME a767.dspw65.akamai.net
                                 A 2.21.98.9
                                 CNAME download.windowsupdate.com.edgesuite.net

Summary

Files

C:\Windows\WindowsShell.Manifest
C:\
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
Read Files

C:\Windows\WindowsShell.Manifest
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\InstaladorEmpresarialSicoob.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Resolved APIs

lpk.dll.LpkEditControl
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
kernel32.dll.LCMapStringEx
kernel32.dll.AreFileApisANSI
kernel32.dll.GetProcessHeap
kernel32.dll.VirtualProtect
kernel32.dll.VerSetConditionMask
kernel32.dll.VerifyVersionInfoW
kernel32.dll.WriteConsoleW
kernel32.dll.HeapSize
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.GetCommandLineW
kernel32.dll.GetCommandLineA
kernel32.dll.GetOEMCP
kernel32.dll.GetTickCount
kernel32.dll.IsValidCodePage
kernel32.dll.FindNextFileW
kernel32.dll.FindFirstFileExW
kernel32.dll.FindClose
kernel32.dll.SetEndOfFile
kernel32.dll.SetStdHandle
kernel32.dll.EnumSystemLocalesW
kernel32.dll.GetUserDefaultLCID
kernel32.dll.IsValidLocale
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.GetVolumeInformationA
kernel32.dll.ExitProcess
kernel32.dll.GetProcAddress
kernel32.dll.GetACP
kernel32.dll.LoadLibraryA
kernel32.dll.GetLastError
kernel32.dll.WideCharToMultiByte
kernel32.dll.EnterCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.DeleteCriticalSection
kernel32.dll.SetLastError
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.SwitchToThread
kernel32.dll.TlsAlloc
kernel32.dll.TlsGetValue
kernel32.dll.TlsSetValue
kernel32.dll.TlsFree
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetModuleHandleW
kernel32.dll.MultiByteToWideChar
kernel32.dll.LCMapStringW
kernel32.dll.GetLocaleInfoW
kernel32.dll.GetStringTypeW
kernel32.dll.GetCPInfo
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.GetCurrentProcess
kernel32.dll.TerminateProcess
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.IsDebuggerPresent
kernel32.dll.GetStartupInfoW
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetCurrentThreadId
kernel32.dll.InitializeSListHead
kernel32.dll.RtlUnwind
kernel32.dll.RaiseException
kernel32.dll.InterlockedFlushSList
kernel32.dll.FreeLibrary
kernel32.dll.LoadLibraryExW
kernel32.dll.SetFilePointerEx
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.CloseHandle
kernel32.dll.GetModuleHandleExW
kernel32.dll.GetModuleFileNameW
kernel32.dll.ReadFile
kernel32.dll.GetConsoleMode
kernel32.dll.ReadConsoleW
kernel32.dll.WriteFile
kernel32.dll.GetConsoleCP
kernel32.dll.HeapReAlloc
kernel32.dll.HeapFree
kernel32.dll.HeapAlloc
kernel32.dll.GetFileSizeEx
kernel32.dll.GetStdHandle
kernel32.dll.FlushFileBuffers
user32.dll.ShowWindow
user32.dll.UpdateWindow
user32.dll.GetKeyState
user32.dll.GetWindowRect
user32.dll.IsWindowVisible
user32.dll.keybd_event
user32.dll.MapVirtualKeyA
user32.dll.GetDesktopWindow
user32.dll.GetClassNameA
user32.dll.wsprintfA
user32.dll.GetWindowTextA
user32.dll.GetMessageA
user32.dll.DispatchMessageA
user32.dll.GetDC
user32.dll.SetWindowRgn
user32.dll.MessageBoxA
user32.dll.CreateWindowExA
user32.dll.TranslateMessage
gdi32.dll.SelectObject
gdi32.dll.CreateDIBSection
gdi32.dll.CreateCompatibleDC
gdi32.dll.DeleteDC
gdi32.dll.CreateRectRgn
gdi32.dll.BitBlt
ws2_32.dll.#9
ws2_32.dll.#19
kernel32.dll.FlsFree
kernel32.dll.InitOnceExecuteOnce
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.GetTickCount64
kernel32.dll.GetFileInformationByHandleEx
kernel32.dll.SetFileInformationByHandle
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
kernel32.dll.InitializeSRWLock
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.TryAcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
kernel32.dll.SleepConditionVariableSRW
kernel32.dll.CreateThreadpoolWork
kernel32.dll.SubmitThreadpoolWork
kernel32.dll.CloseThreadpoolWork
kernel32.dll.CompareStringEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.Sleep
user32.dll.AttachThreadInput
ws2_32.dll.connect
gdi32.dll.CreateCompatibleBitmap
kernel32.dll.CreateProcessA
kernel32.dll.CreateThread
kernel32.dll.CreateToolhelp32Snapshot
user32.dll.DefWindowProcA
user32.dll.FindWindowA
user32.dll.GetAsyncKeyState
kernel32.dll.GetComputerNameA
user32.dll.GetCursorPos
kernel32.dll.GetFileAttributesA
user32.dll.GetForegroundWindow
ws2_32.dll.gethostbyname
kernel32.dll.GetLocaleInfoA
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetModuleHandleA
user32.dll.GetSystemMetrics
user32.dll.GetTopWindow
advapi32.dll.GetUserNameA
kernel32.dll.GetVersionExA
user32.dll.GetWindow
user32.dll.GetWindowLongA
user32.dll.GetWindowThreadProcessId
user32.dll.LoadKeyboardLayoutA
kernel32.dll.OpenProcess
user32.dll.PostMessageA
user32.dll.PostQuitMessage
user32.dll.PrintWindow
kernel32.dll.Process32First
kernel32.dll.Process32Next
ws2_32.dll.recv
user32.dll.RegisterClassA
user32.dll.ReleaseDC
user32.dll.ScreenToClient
ws2_32.dll.send
user32.dll.SendInput
user32.dll.SetCursorPos
user32.dll.SetKeyboardState
user32.dll.SetWindowLongA
ws2_32.dll.socket
user32.dll.UnloadKeyboardLayout
user32.dll.VkKeyScanExA
kernel32.dll.WaitForSingleObject
user32.dll.WindowFromPoint
ws2_32.dll.WSAStartup
kernel32.dll.TerminateThread
gdi32.dll.DeleteObject
gdi32.dll.CreateEllipticRgn
gdi32.dll.CombineRgn
user32.dll.SendMessageA
user32.dll.IsWindow
user32.dll.GetKeyboardState
shell32.dll.SHGetFolderPathA
user32.dll.SetWindowTextA
user32.dll.DestroyWindow
user32.dll.SetCursor
user32.dll.LoadCursorA
user32.dll.BeginPaint
user32.dll.EndPaint
user32.dll.SetWindowPos
gdi32.dll.CreateFontA
comctl32.dll.InitCommonControls
user32.dll.LoadIconA
user32.dll.RegisterClassExA
user32.dll.FindWindowExA
user32.dll.EnumWindows
user32.dll.EnableWindow
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
kernel32.dll.IsWow64Process
Local\MSCTF.Asm.MutexDefault1

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x00407073
Reported Checksum 0x00091e52
Actual Checksum 0x00091e52
Minimum OS Version 6.0
PDB Path X:\Work\Util\ExecuteRC\Release\ExecuteRC.pdb
Compile Time 2019-09-08 23:28:13
Import Hash c3f19732a71fd9d79c3270d20cb1ff98

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000117b3 0x00011800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.68
.rdata 0x00013000 0x000099ce 0x00009a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.87
.data 0x0001d000 0x000012a8 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.82
.rsrc 0x0001f000 0x000660c0 0x00066200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.62
.reloc 0x00086000 0x00001008 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.19

Overlay

Offset 0x00083400
Size 0x00002198

Imports

Library KERNEL32.dll:
0x413008 LockResource
0x41300c LoadResource
0x413010 FindResourceW
0x413014 HeapFree
0x413018 SetLastError
0x41301c VirtualFree
0x413020 VirtualAlloc
0x413024 LoadLibraryA
0x413028 Sleep
0x41302c HeapAlloc
0x413030 GetProcAddress
0x413034 FreeLibrary
0x413038 IsBadReadPtr
0x41303c FlushFileBuffers
0x413040 HeapSize
0x413044 WriteConsoleW
0x413048 GetProcessHeap
0x41304c GetNativeSystemInfo
0x413050 SizeofResource
0x41305c GetCurrentProcess
0x413060 TerminateProcess
0x41306c GetCurrentProcessId
0x413070 GetCurrentThreadId
0x413078 InitializeSListHead
0x41307c IsDebuggerPresent
0x413080 GetStartupInfoW
0x413084 GetModuleHandleW
0x413088 RaiseException
0x41308c RtlUnwind
0x413090 GetLastError
0x4130a4 TlsAlloc
0x4130a8 TlsGetValue
0x4130ac TlsSetValue
0x4130b0 TlsFree
0x4130b4 LoadLibraryExW
0x4130b8 SetFilePointerEx
0x4130bc CreateFileW
0x4130c0 GetFileType
0x4130c4 CloseHandle
0x4130c8 GetConsoleMode
0x4130cc WriteFile
0x4130d0 GetConsoleCP
0x4130d4 GetStdHandle
0x4130d8 GetModuleFileNameW
0x4130dc ExitProcess
0x4130e0 GetModuleHandleExW
0x4130e4 GetCommandLineA
0x4130e8 GetCommandLineW
0x4130ec HeapReAlloc
0x4130f0 MultiByteToWideChar
0x4130f4 WideCharToMultiByte
0x4130f8 SetStdHandle
0x4130fc CompareStringW
0x413100 LCMapStringW
0x413104 FindClose
0x413108 FindFirstFileExW
0x41310c FindNextFileW
0x413110 IsValidCodePage
0x413114 GetACP
0x413118 GetOEMCP
0x41311c GetCPInfo
0x41312c GetStringTypeW
0x413130 DecodePointer
Library USER32.dll:
0x413138 MessageBoxA
0x41313c TranslateMessage
0x413140 DispatchMessageA
0x413144 GetMessageA
Library COMCTL32.dll:
0x413000 None

.text
`.rdata
@.data
.rsrc
@.reloc
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__swift_1
__swift_2
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`RTTI
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
operator co_await
operator<=>
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
CorExitProcess
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
AreFileApisANSI
CompareStringEx
LCMapStringEx
LocaleNameToLCID
AppPolicyGetProcessTerminationMethod
log10
log10
atan2
floor
ldexp
_cabs
_hypot
frexp
_logb
_nextafter
ckljh21liknlfnasopfiqwndlfdapdfqodqwnhdi123412rtl1412
Falha 02.
FHFDRH2VEGU143
32TTE2WSH4NB
BGVU31MYNPZ3IA
5QON1M2FQTYF
invalid block type
invalid stored block lengths
too many length or distance symbols
invalid code lengths set
invalid bit length repeat
invalid code -- missing end-of-block
invalid literal/lengths set
invalid distances set
invalid literal/length code
invalid distance code
invalid distance too far back
incorrect header check
unknown compression method
invalid window size
unknown header flags set
header crc mismatch
incorrect data check
incorrect length check
X:\Work\Util\ExecuteRC\Release\ExecuteRC.pdb
.text$mn
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.rsrc$01
.rsrc$02
SizeofResource
Sleep
LockResource
LoadResource
FindResourceW
HeapFree
SetLastError
VirtualFree
VirtualAlloc
LoadLibraryA
GetNativeSystemInfo
HeapAlloc
GetProcAddress
FreeLibrary
IsBadReadPtr
KERNEL32.dll
TranslateMessage
MessageBoxA
DispatchMessageA
GetMessageA
USER32.dll
COMCTL32.dll
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RaiseException
RtlUnwind
GetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
SetFilePointerEx
CreateFileW
GetFileType
CloseHandle
GetConsoleMode
WriteFile
GetConsoleCP
GetStdHandle
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
HeapReAlloc
MultiByteToWideChar
WideCharToMultiByte
SetStdHandle
CompareStringW
LCMapStringW
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetStringTypeW
GetProcessHeap
WriteConsoleW
HeapSize
FlushFileBuffers
DecodePointer
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
Aapi-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
api-ms-
mscoree.dll
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
en-US
Aapi-ms-win-core-datetime-l1-1-1
api-ms-win-core-file-l1-2-2
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
advapi32
ntdll
api-ms-win-appmodel-runtime-l1-1-2
user32
ext-ms-
CONOUT$
fqjlkkjlskdj1l231030919023901238129083809
k1j23kln12fda0990e900909099090909090
ICON)FQJLKKJLSKDJ1L231030919023901238129083809$K1J23KLN12FDA0990E900909099090909090
This file is not on VirusTotal.

Process Tree


InstaladorEmpresarialSicoob.exe, PID: 1648, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\InstaladorEmpresarialSicoob.exe
Command Line: "C:\Users\user\AppData\Local\Temp\InstaladorEmpresarialSicoob.exe"

Hosts

Direct IP Country Name
Y 89.207.131.177 [VT] Netherlands
Y 8.8.8.8 [VT] United States
N 23.42.27.27 [VT] Netherlands
N 23.37.43.27 [VT] Netherlands
N 2.21.98.11 [VT] Austria
N 104.18.10.39 [VT] United States

TCP

Source Source Port Destination Destination Port
192.168.35.21 49162 104.18.10.39 cacerts.digicert.com 80
192.168.35.21 49163 2.21.98.11 www.download.windowsupdate.com 80
192.168.35.21 49160 23.37.43.27 s.symcd.com 80
192.168.35.21 49161 23.42.27.27 sw.symcd.com 80
192.168.35.21 49169 89.207.131.177 443
192.168.35.21 49170 89.207.131.177 443

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 57255 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53
192.168.35.21 65365 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
s.symcd.com [VT]
    CNAME ocsp-ds.ws.symantec.com.edgekey.net [VT]
    CNAME e8218.dscb1.akamaiedge.net [VT]
    A 23.37.43.27 [VT]
sw.symcd.com [VT]
    A 23.42.27.27 [VT]
cacerts.digicert.com [VT]
    A 104.18.10.39 [VT]
    A 104.18.11.39 [VT]
    CNAME cdn.digicertcdn.com [VT]
www.download.windowsupdate.com [VT]
    A 2.21.98.32 [VT]
    A 2.21.98.11 [VT]
    CNAME 2-01-3cf7-0009.cdx.cedexis.net [VT]
    A 2.21.98.43 [VT]
    A 2.21.98.42 [VT]
    CNAME a767.dspw65.akamai.net [VT]
    A 2.21.98.9 [VT]
    CNAME download.windowsupdate.com.edgesuite.net [VT]

HTTP Requests

URI Data
http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s.symcd.com

http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCEA3q7VdxckXFv1rnXF31nIk%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCEA3q7VdxckXFv1rnXF31nIk%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sw.symcd.com

http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
GET /DigiCertAssuredIDRootCA.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: cacerts.digicert.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 19 Apr 2017 22:43:31 GMT
If-None-Match: "80ab755e5eb9d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.

Type Extracted PE Image: 32-bit DLL
Size 433152 bytes
Virtual Address 0x10000000
Process InstaladorEmpresarialSicoob.exe
PID 1648
Path C:\Users\user\AppData\Local\Temp\InstaladorEmpresarialSicoob.exe
MD5 58de9dd714a94e5cbf904cb294f38b3d
SHA1 2fb7b336b5687fb37bfa3a5314115c421b593675
SHA256 f9d2c52c47f5e77894fcaf542f4638eda465f2a8efa82d324f71bfa05ccca4e6
CRC32 60E06F92
Ssdeep 12288:8/Yu/kz1CmglaLiOu1Mky5RDWlafApsTXNTAYuBebu:8Au/Q1Ml7MT5IaIcNTSBeb
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.

Comments

No comments posted

Processing ( 2.738 seconds )

  • 1.038 Static
  • 0.915 CAPE
  • 0.405 TargetInfo
  • 0.098 TrID
  • 0.093 BehaviorAnalysis
  • 0.092 Deduplicate
  • 0.057 NetworkAnalysis
  • 0.034 Strings
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.068 seconds )

  • 0.009 antiav_detectreg
  • 0.006 ransomware_files
  • 0.004 stealth_timeout
  • 0.004 infostealer_ftp
  • 0.003 api_spamming
  • 0.003 persistence_autorun
  • 0.003 decoy_document
  • 0.003 antiav_detectfile
  • 0.003 ransomware_extensions
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 Doppelganging
  • 0.001 exploit_getbasekerneladdress
  • 0.001 dridex_behavior
  • 0.001 injection_createremotethread
  • 0.001 antiemu_wine_func
  • 0.001 InjectionCreateRemoteThread
  • 0.001 infostealer_browser_password
  • 0.001 antidbg_windows
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 kovter_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway

Reporting ( 0.0 seconds )

Task ID 90411
Mongo ID 5d78e636285182853562ee43
Cuckoo release 1.3-CAPE