Analysis

Category Package Started Completed Duration Options
FILE exe 2019-09-11 12:57:18 2019-09-11 12:57:48 30 seconds route=internet, procdump=1

Log
2019-09-11 13:57:19,000 [root] INFO: Date set to: 09-11-19, time set to: 12:57:19, timeout set to: 200
2019-09-11 13:57:19,015 [root] DEBUG: Starting analyzer from: C:\bdhuiw
2019-09-11 13:57:19,015 [root] DEBUG: Storing results at: C:\AkmliY
2019-09-11 13:57:19,015 [root] DEBUG: Pipe server name: \\.\PIPE\SngsVtb
2019-09-11 13:57:19,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-09-11 13:57:19,015 [root] INFO: Automatically selected analysis package "exe"
2019-09-11 13:57:19,499 [root] DEBUG: Started auxiliary module Browser
2019-09-11 13:57:19,499 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 13:57:19,499 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-09-11 13:57:19,997 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-09-11 13:57:19,997 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 13:57:19,997 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 13:57:19,997 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 13:57:19,997 [root] DEBUG: Started auxiliary module Human
2019-09-11 13:57:19,997 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 13:57:20,013 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 13:57:20,013 [root] DEBUG: Started auxiliary module Usage
2019-09-11 13:57:20,013 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-09-11 13:57:20,013 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-09-11 13:57:20,045 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\1.exe" with arguments "" with pid 264
2019-09-11 13:57:20,045 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-09-11 13:57:20,045 [lib.api.process] INFO: 32-bit DLL to inject is C:\bdhuiw\dll\ojkUdY.dll, loader C:\bdhuiw\bin\qroHdls.exe
2019-09-11 13:57:20,107 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\SngsVtb.
2019-09-11 13:57:20,107 [root] DEBUG: Loader: Injecting process 264 (thread 1988) with C:\bdhuiw\dll\ojkUdY.dll.
2019-09-11 13:57:20,107 [root] DEBUG: Process image base: 0x00400000
2019-09-11 13:57:20,107 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\bdhuiw\dll\ojkUdY.dll.
2019-09-11 13:57:20,107 [root] DEBUG: Error 299 (0x12b) - InjectDllViaIAT: Failed to check for PE header after existing import table at 0x00420120: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2019-09-11 13:57:20,107 [root] DEBUG: InjectDllViaIAT: Failed to read import descriptors
2019-09-11 13:57:20,107 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00413000 - 0x77110000
2019-09-11 13:57:20,107 [root] DEBUG: InjectDllViaIAT: Allocated 0x250 bytes for new import table at 0x00420000.
2019-09-11 13:57:20,107 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 13:57:20,107 [root] DEBUG: Successfully injected DLL C:\bdhuiw\dll\ojkUdY.dll.
2019-09-11 13:57:20,107 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 264
2019-09-11 13:57:22,119 [lib.api.process] INFO: Successfully resumed process with pid 264
2019-09-11 13:57:22,119 [root] INFO: Added new process to list with pid: 264
2019-09-11 13:57:22,134 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 13:57:22,134 [root] DEBUG: Process dumps enabled.
2019-09-11 13:57:22,197 [root] INFO: Disabling sleep skipping.
2019-09-11 13:57:22,197 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 13:57:22,197 [root] INFO: Disabling sleep skipping.
2019-09-11 13:57:22,197 [root] INFO: Disabling sleep skipping.
2019-09-11 13:57:22,197 [root] INFO: Disabling sleep skipping.
2019-09-11 13:57:22,197 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 264 at 0x74880000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 13:57:22,197 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\1.exe".
2019-09-11 13:57:22,197 [root] INFO: Monitor successfully loaded in process with pid 264.
2019-09-11 13:57:24,335 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-09-11 13:57:25,380 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 264
2019-09-11 13:57:25,380 [root] DEBUG: GetHookCallerBase: thread 1988 (handle 0x0), return address 0xC0000302, allocation base 0x00000000.
2019-09-11 13:57:25,380 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-09-11 13:57:25,380 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-09-11 13:57:25,380 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000A820.
2019-09-11 13:57:25,395 [root] INFO: Added new CAPE file to list with path: C:\AkmliY\CAPE\264_19447797225571711392019
2019-09-11 13:57:25,395 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8400.
2019-09-11 13:57:25,395 [root] INFO: Notified of termination of process with pid 264.
2019-09-11 13:57:25,395 [root] DEBUG: Terminate Event: Process 264 has already been dumped(!)
2019-09-11 13:57:26,176 [root] INFO: Process with pid 264 has terminated
2019-09-11 13:57:31,338 [root] INFO: Process list is empty, terminating analysis.
2019-09-11 13:57:32,352 [root] INFO: Created shutdown mutex.
2019-09-11 13:57:33,367 [root] INFO: Shutting down package.
2019-09-11 13:57:33,367 [root] INFO: Stopping auxiliary modules.
2019-09-11 13:57:33,367 [root] INFO: Finishing auxiliary modules.
2019-09-11 13:57:33,367 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 13:57:33,367 [root] WARNING: File at path "C:\AkmliY\debugger" does not exist, skip.
2019-09-11 13:57:33,367 [root] INFO: Analysis completed.

MalScore

1.5

Benign

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-09-11 12:57:18 2019-09-11 12:57:47

File Details

File Name 1.exe
File Size 33792 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 551c6af4a91a4dcafb6324b1ad538452
SHA1 189b950a26566c7c04f5f6537eb8b616145cf4ee
SHA256 d97982c755005127b2ce6fb961c2c012cb49d3bdd2a0126753347fe6cfe9ca31
SHA512 813e97c358095ad40a3337e83cf0991c01109e94181d17787891541d31d6278ffecdad22de5f641e0aed2ede9e08258b82dcde25400652f339fa24d1d369efa4
CRC32 53C69C40
Ssdeep 384:SRxMmc3iTpCdL1PDjur69nCcyZTXDCAyPZg1Wy/kKUrJGl0:SbXcOQfZCc8TXDCbRg1WgUJG
TrID
  • 24.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 21.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 20.8% (.EXE) UPX compressed Win32 Executable (27066/9/6)
  • 20.5% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
  • 5.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Possible date expiration check, exits too soon after checking local time
process: 1.exe, PID 264
The executable is compressed using UPX
section: name: UPX0, entropy: 5.35, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00005400, virtual_size: 0x00007000

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x0040a820
Reported Checksum 0x00000000
Actual Checksum 0x0000d04b
Minimum OS Version 4.0
Compile Time 2019-06-10 11:00:37

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
UPX0 0x00001000 0x00007000 0x00005400 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.35
UPX1 0x00008000 0x00003000 0x00002a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.68
UPX2 0x0000b000 0x00001000 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.30

Strings

__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error
Microsoft Visual C++ Runtime Library
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
2.txt
DeleteFile 2.txt
C:\Users\user\AppData\Local\Temp\Normal.exe
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DeleteFileA
GetCurrentDirectoryA
GetCurrentThread
GetStringTypeA
LCMapStringW
LCMapStringA
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
HeapFree
RtlUnwind
WriteFile
GetCPInfo
GetACP
GetOEMCP
HeapAlloc
VirtualAlloc
HeapReAlloc
GetProcAddress
LoadLibraryA
MultiByteToWideChar
GetStringTypeW
GetDesktopWindow
MessageBoxA
KERNEL32.DLL
USER32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
MessageBoxA
This file is not on VirusTotal.

Process Tree


1.exe, PID: 264, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\1.exe
Command Line: "C:\Users\user\AppData\Local\Temp\1.exe"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name 1.exe
PID 264
Dump Size 33792 bytes
Module Path C:\Users\user\AppData\Local\Temp\1.exe
Type PE image (executable)
MD5 551c6af4a91a4dcafb6324b1ad538452
SHA1 189b950a26566c7c04f5f6537eb8b616145cf4ee
SHA256 d97982c755005127b2ce6fb961c2c012cb49d3bdd2a0126753347fe6cfe9ca31
CRC32 53C69C40
Ssdeep 384:SRxMmc3iTpCdL1PDjur69nCcyZTXDCAyPZg1Wy/kKUrJGl0:SbXcOQfZCc8TXDCbRg1WgUJG
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename d97982c755005127b2ce6fb961c2c012cb49d3bdd2a0126753347fe6cfe9ca31

Comments



No comments posted

Processing ( 0.656 seconds )

  • 0.345 Static
  • 0.093 Deduplicate
  • 0.087 TrID
  • 0.057 CAPE
  • 0.027 ProcDump
  • 0.027 TargetInfo
  • 0.008 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.004 BehaviorAnalysis
  • 0.002 Strings
  • 0.001 Debug

Signatures ( 0.042 seconds )

  • 0.007 antiav_detectreg
  • 0.006 ransomware_files
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail

Reporting ( 0.0 seconds )

Task ID 90413
Mongo ID 5d78ef52285182853562ee47
Cuckoo release 1.3-CAPE