CAPE

Triggered CAPE Tasks: Task #90421: Extraction


Analysis

Category Package Started Completed Duration
FILE exe 2019-09-11 14:23:45 2019-09-11 14:24:40 55 seconds
Options:
route = internet
procdump = 1
Log:
2019-09-11 15:23:52,015 [root] INFO: Date set to: 09-11-19, time set to: 14:23:52, timeout set to: 200
2019-09-11 15:23:52,187 [root] DEBUG: Starting analyzer from: C:\sovjpdgv
2019-09-11 15:23:52,187 [root] DEBUG: Storing results at: C:\CVarqWwlc
2019-09-11 15:23:52,187 [root] DEBUG: Pipe server name: \\.\PIPE\zXnPjUhIz
2019-09-11 15:23:52,187 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-09-11 15:23:52,187 [root] INFO: Automatically selected analysis package "exe"
2019-09-11 15:23:55,946 [root] DEBUG: Started auxiliary module Browser
2019-09-11 15:23:55,946 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 15:23:55,946 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-09-11 15:23:58,973 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
2019-09-11 15:23:58,973 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 15:23:58,973 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 15:23:58,973 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 15:23:58,973 [root] DEBUG: Started auxiliary module Human
2019-09-11 15:23:58,973 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 15:23:58,973 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 15:23:58,973 [root] DEBUG: Started auxiliary module Usage
2019-09-11 15:23:58,973 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-09-11 15:23:58,973 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-09-11 15:23:59,051 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\mal.exe" with arguments "" with pid 2172
2019-09-11 15:23:59,051 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-09-11 15:23:59,051 [lib.api.process] INFO: 32-bit DLL to inject is C:\sovjpdgv\dll\VzReSPL.dll, loader C:\sovjpdgv\bin\UtFdLfu.exe
2019-09-11 15:23:59,065 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zXnPjUhIz.
2019-09-11 15:23:59,065 [root] DEBUG: Loader: Injecting process 2172 (thread 2244) with C:\sovjpdgv\dll\VzReSPL.dll.
2019-09-11 15:23:59,065 [root] DEBUG: Process image base: 0x00400000
2019-09-11 15:23:59,065 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\sovjpdgv\dll\VzReSPL.dll.
2019-09-11 15:23:59,065 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00480000 - 0x77380000
2019-09-11 15:23:59,065 [root] DEBUG: InjectDllViaIAT: Allocated 0x164 bytes for new import table at 0x00480000.
2019-09-11 15:23:59,065 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 15:23:59,065 [root] DEBUG: Successfully injected DLL C:\sovjpdgv\dll\VzReSPL.dll.
2019-09-11 15:23:59,065 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2172
2019-09-11 15:24:01,078 [lib.api.process] INFO: Successfully resumed process with pid 2172
2019-09-11 15:24:01,078 [root] INFO: Added new process to list with pid: 2172
2019-09-11 15:24:01,203 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 15:24:01,203 [root] DEBUG: Process dumps enabled.
2019-09-11 15:24:01,266 [root] INFO: Disabling sleep skipping.
2019-09-11 15:24:01,266 [root] INFO: Disabling sleep skipping.
2019-09-11 15:24:01,266 [root] INFO: Disabling sleep skipping.
2019-09-11 15:24:01,266 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 15:24:01,266 [root] INFO: Disabling sleep skipping.
2019-09-11 15:24:01,266 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2172 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 15:24:01,266 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\mal.exe".
2019-09-11 15:24:01,266 [root] INFO: Monitor successfully loaded in process with pid 2172.
2019-09-11 15:24:01,437 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-09-11 15:24:02,904 [root] DEBUG: set_caller_info: Adding region at 0x00480000 to caller regions list (kernel32::SetErrorMode).
2019-09-11 15:24:02,966 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\system32\IPHlpApi (0x1c000 bytes).
2019-09-11 15:24:02,966 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-09-11 15:24:02,966 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-09-11 15:24:02,982 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2019-09-11 15:24:02,982 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2019-09-11 15:24:02,982 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-09-11 15:24:02,997 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-09-11 15:24:02,997 [root] DEBUG: DLL unloaded from 0x00400000.
2019-09-11 15:24:03,029 [root] INFO: Announced 32-bit process name: mal.exe pid: 164
2019-09-11 15:24:03,029 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-09-11 15:24:03,029 [lib.api.process] INFO: 32-bit DLL to inject is C:\sovjpdgv\dll\VzReSPL.dll, loader C:\sovjpdgv\bin\UtFdLfu.exe
2019-09-11 15:24:03,029 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zXnPjUhIz.
2019-09-11 15:24:03,029 [root] DEBUG: Loader: Injecting process 164 (thread 2076) with C:\sovjpdgv\dll\VzReSPL.dll.
2019-09-11 15:24:03,029 [root] DEBUG: Process image base: 0x00400000
2019-09-11 15:24:03,029 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\sovjpdgv\dll\VzReSPL.dll.
2019-09-11 15:24:03,043 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00480000 - 0x77380000
2019-09-11 15:24:03,043 [root] DEBUG: InjectDllViaIAT: Allocated 0x164 bytes for new import table at 0x00480000.
2019-09-11 15:24:03,043 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 15:24:03,043 [root] DEBUG: Successfully injected DLL C:\sovjpdgv\dll\VzReSPL.dll.
2019-09-11 15:24:03,043 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 164
2019-09-11 15:24:03,200 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 15:24:03,200 [root] DEBUG: Process dumps enabled.
2019-09-11 15:24:03,200 [root] INFO: Disabling sleep skipping.
2019-09-11 15:24:03,293 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 15:24:03,293 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 164 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 15:24:03,293 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\mal.exe".
2019-09-11 15:24:03,293 [root] INFO: Added new process to list with pid: 164
2019-09-11 15:24:03,293 [root] INFO: Monitor successfully loaded in process with pid 164.
2019-09-11 15:24:03,309 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-09-11 15:24:03,388 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-09-11 15:24:04,183 [root] DEBUG: set_caller_info: Adding region at 0x035B0000 to caller regions list (kernel32::SetErrorMode).
2019-09-11 15:24:04,558 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2172
2019-09-11 15:24:04,558 [root] DEBUG: GetHookCallerBase: thread 2244 (handle 0x0), return address 0x00481397, allocation base 0x00480000.
2019-09-11 15:24:04,558 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-09-11 15:24:04,558 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-09-11 15:24:04,572 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001498.
2019-09-11 15:24:04,572 [root] INFO: Added new CAPE file to list with path: C:\CVarqWwlc\CAPE\2172_271793324441911392019
2019-09-11 15:24:04,572 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x7e200.
2019-09-11 15:24:04,588 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x00480000.
2019-09-11 15:24:04,588 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\CVarqWwlc\CAPE\2172_13026562054441911392019
2019-09-11 15:24:04,588 [root] INFO: Added new CAPE file to list with path: C:\CVarqWwlc\CAPE\2172_13026562054441911392019
2019-09-11 15:24:04,588 [root] DEBUG: DumpRegion: Dumped stack region from 0x00480000, size 0x3000.
2019-09-11 15:24:04,588 [root] INFO: Notified of termination of process with pid 2172.
2019-09-11 15:24:04,588 [root] DEBUG: Terminate Event: Process 2172 has already been dumped(!)
2019-09-11 15:24:05,134 [root] INFO: Process with pid 2172 has terminated
2019-09-11 15:24:05,634 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-09-11 15:24:06,148 [root] INFO: Process with pid 164 has terminated
2019-09-11 15:24:23,387 [root] INFO: Process list is empty, terminating analysis.
2019-09-11 15:24:24,401 [root] INFO: Created shutdown mutex.
2019-09-11 15:24:25,414 [root] INFO: Shutting down package.
2019-09-11 15:24:25,414 [root] INFO: Stopping auxiliary modules.
2019-09-11 15:24:25,414 [root] INFO: Finishing auxiliary modules.
2019-09-11 15:24:25,414 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 15:24:25,414 [root] WARNING: File at path "C:\CVarqWwlc\debugger" does not exist, skip.
2019-09-11 15:24:25,414 [root] INFO: Analysis completed.

MalScore

8.9

Malicious

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2019-09-11 14:23:45 2019-09-11 14:24:39

File Details

File Name mal.exe
File Size 516992 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ea0461537f2ea57681e8804ebbf1bdb8
SHA1 91a7473b9f2d0c6083d980219cf8a350a8153c2b
SHA256 2f6b670a4dc200859fd98ec9bb9fb8ca35695a61c009ad920349f7f2e3c38a34
SHA512 6d098c2f068ed1cfe1ae86e401ce2bfe0d7136a64e76e85cd9caa6f6d4020dc6ebb623319548382c17330110963067536cb915f7fe41a3aadcf033863ea10be4
CRC32 ADB935E4
Ssdeep 12288:57vLIGsdwpvAoAnuwG9xcroWwRiGlEGajh:57fSolJ9xUjkVEGEh
TrID
  • 42.7% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 19.2% (.EXE) OS/2 Executable (generic) (2029/13)
  • 18.9% (.EXE) Generic Win/DOS Executable (2002/3)
  • 18.9% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2172 triggered the Yara rule 'embedded_win_api'
Hit: PID 2172 triggered the Yara rule 'shellcode'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: mal.exe, PID 2172
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: USER32.dll/EnumThreadWindows
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WriteProfileStringA
DynamicLoader: ntdll.dll/NtProtectVirtualMemory
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/GetLongPathNameA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: IPHlpApi.DLL/GetAdaptersInfo
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: shell32.DLL/ShellExecuteA
DynamicLoader: shell32.DLL/SHCreateDirectoryExA
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: kernel32.dll/WaitForDebugEvent
DynamicLoader: kernel32.dll/ContinueDebugEvent
DynamicLoader: kernel32.dll/DebugActiveProcessStop
DynamicLoader: kernel32.dll/OutputDebugStringW
DynamicLoader: kernel32.dll/IsTNT
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: USER32.dll/EnumThreadWindows
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WriteProfileStringA
CAPE extracted potentially suspicious content
mal.exe: Extracted Shellcode
Performs some HTTP requests
url: http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
url: http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEA68GTXVKUpZS08ycHsKCrk%3D
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.48, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00077000, virtual_size: 0x00076a10
Installs itself for autorun at Windows startup
file: C:\Windows\win.ini
file: C:\Windows\win.ini
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 United States
N 23.51.123.27 Netherlands

DNS

Name Response Post-Analysis Lookup
s2.symcb.com CNAME ocsp-ds.ws.symantec.com.edgekey.net, CNAME e8218.dscb1.akamaiedge.net, A 23.51.123.27
sv.symcd.com

Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\mal.exe.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Users\user\AppData\Local\Temp
C:\Users\user\AppData\Local\Temp\*.*
C:\
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Windows\win.ini
C:\Users\user\AppData\Local\Temp\IPHlpApi.DLL
C:\Windows\System32\IPHLPAPI.DLL
C:\Users\user\AppData\Local\Temp\WINNSI.DLL
C:\Windows\System32\winnsi.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Windows\win.ini
C:\Windows\System32\IPHLPAPI.DLL
C:\Windows\System32\winnsi.dll
C:\Windows\win.ini
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\mal.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVBVM60.DLL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
kernel32.dll.NlsGetCacheUpdateCount
kernel32.dll.GetCalendarInfoW
user32.dll.EnumThreadWindows
kernel32.dll.Sleep
kernel32.dll.WriteProfileStringA
ntdll.dll.NtProtectVirtualMemory
kernel32.dll.CreateFileA
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.ReadFile
kernel32.dll.GetFileSize
kernel32.dll.UnmapViewOfFile
kernel32.dll.VirtualProtectEx
kernel32.dll.GetLongPathNameA
kernel32.dll.TerminateProcess
iphlpapi.dll.GetAdaptersInfo
kernel32.dll.VirtualAllocEx
kernel32.dll.CreateProcessW
shell32.dll.ShellExecuteA
shell32.dll.SHCreateDirectoryExA
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegSetValueExA
kernel32.dll.WaitForDebugEvent
kernel32.dll.ContinueDebugEvent
kernel32.dll.DebugActiveProcessStop
kernel32.dll.OutputDebugStringW
ole32.dll.CoCreateInstance
"C:\Users\user\AppData\Local\Temp\mal.exe"
Local\MSCTF.Asm.MutexDefault1

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x00401498
Reported Checksum 0x000816b8
Actual Checksum 0x00089533
Minimum OS Version 4.0
Compile Time 2014-09-20 05:54:50
Import Hash 18ea235853311400cd8b68472283dd63

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00076a10 0x00077000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.48
.data 0x00078000 0x00006714 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x0007f000 0x00000918 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.99

Overlay

Offset 0x0007a000
Size 0x00004380

Imports

Library MSVBVM60.DLL:
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 None
0x40100c __vbaVarMove
0x401010 __vbaFreeVar
0x401014 __vbaFreeVarList
0x401018 __vbaEnd
0x40101c _adj_fdiv_m64
0x401020 None
0x401024 __vbaFreeObjList
0x401028 None
0x40102c _adj_fprem1
0x401030 __vbaStrCat
0x401034 None
0x401038 __vbaSetSystemError
0x401040 None
0x401044 _adj_fdiv_m32
0x401048 __vbaAryVar
0x40104c __vbaAryDestruct
0x401050 None
0x401054 None
0x401058 __vbaObjSet
0x40105c __vbaOnError
0x401060 _adj_fdiv_m16i
0x401064 __vbaObjSetAddref
0x401068 None
0x40106c _adj_fdivr_m16i
0x401070 None
0x401074 __vbaCyStr
0x401078 None
0x40107c __vbaFPFix
0x401080 __vbaFpR8
0x401084 _CIsin
0x401088 __vbaErase
0x40108c __vbaChkstk
0x401090 EVENT_SINK_AddRef
0x401094 __vbaStrCmp
0x401098 __vbaAryConstruct2
0x40109c __vbaVarTstEq
0x4010a0 __vbaObjVar
0x4010a4 DllFunctionCall
0x4010a8 _adj_fpatan
0x4010ac __vbaRedim
0x4010b0 EVENT_SINK_Release
0x4010b4 _CIsqrt
0x4010bc None
0x4010c0 __vbaFpCmpCy
0x4010c4 __vbaExceptHandler
0x4010c8 None
0x4010cc None
0x4010d0 _adj_fprem
0x4010d4 _adj_fdivr_m64
0x4010d8 None
0x4010dc __vbaFPException
0x4010e0 None
0x4010e4 _CIlog
0x4010e8 None
0x4010ec __vbaNew2
0x4010f0 None
0x4010f4 __vbaR8Str
0x4010f8 None
0x4010fc _adj_fdiv_m32i
0x401100 _adj_fdivr_m32i
0x401104 __vbaStrCopy
0x401108 __vbaVarSetObj
0x40110c __vbaI4Str
0x401110 None
0x401114 __vbaFreeStrList
0x401118 _adj_fdivr_m32
0x40111c _adj_fdiv_r
0x401120 None
0x401124 None
0x401128 __vbaVarTstNe
0x40112c None
0x401130 None
0x401134 __vbaVarDup
0x401138 __vbaFpI4
0x401140 __vbaVarCopy
0x401144 _CIatan
0x401148 __vbaStrMove
0x40114c __vbaAryCopy
0x401150 _allmul
0x401154 _CItan
0x401158 _CIexp
0x40115c __vbaFreeObj
0x401160 __vbaFreeStr

.text
`.data
.rsrc
MSVBVM60.DLL
HForm1arten
Form1Teno
Form1Pepi2
Form1Unde
Form1Land8
Form1spurt
Form1Dino
Form1besgs
Form1tale
Form1Sight8
Form1GOLD
Form1Noodl
Form1Rokke
Form1hreti
Form1Abst5
Form1Gadea
Form1Loft
Form1Inla
Form1ceva
Form1Jorop7
Form1Urin8
Form1Wilde8
Form1Stmaa1
Form1STRBE
Form1Forre4
Form1Pheno6
Form1Kluns
Form1Hyste
""""""'
"""""""""
"""&2r"""""
r'"""
'"""p
2''wwwwwzzz"""'
wwzr""p
wwr""
zwwzz""p
wz""
zzz#czz"'
*zzr""
zzr""
z*zr""
z::"*""p
z:z:'z""
:szzzz22'
'""''p
r'wwwwv2"(
wzwwzr'
wzzw"
z"""p
w6zr'w
zzwwrrp
zwz"p
Form1Grns5
Form1Huma
Form1Land
Form1Barik
Form1Unglu8
Form1Stoc7
Form1vedke
Form1Unpa
Form1COPA
Form1unco
Form1Tris8
Form1Foto7
<Vx]q
4%w>S
BcFH+i
U:c^H
ZNgtF
8hQWd
#5$9o
MkKo|=
Form1Bill
Form1Arbej9
Form1Aero7
Form1asbk
VB5!6&*
Form1STARC
Form1arten
Form1arten
Form1Teno
Form1Cosm5
Form1Nonm9
Form1Soma
Form1ENDOS
Form1Rimos
Form1uspok
Form1RERI
Form1Opge2
Form1Consi
Form1HALVV
Form1mohn
Form1Saft9
Form1Tris8
Form1Arbej9
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Form1hreti
Form1Bill
Form1Unde
Form1Stmaa1
Form1Land
Form1ceva
Form1Loft
Form1Wilde8
Form1Hyste
Form1Noodl
Form1asbk
Form1Sight8
Form1Barik
Form1Foto7
Form1Grns5
Form1Forre4
Form1Abst5
Form1COPA
Form1vedke
Form1unco
Form1GOLD
Form1Huma
Form1Pheno6
Form1Land8
Form1Stoc7
Form1Unpa
Form1Dino
Form1Jorop7
Form1tale
Form1Unglu8
shell32.dll
SHFileOperationA
kernel32
GetConsoleTitleA
GlobalMemoryStatus
LocalShrink
ADVAPI32.DLL
FreeSid
gdi32
Polygon
Process32Next
OpenThreadToken
RemoveFontResourceA
USER32
GetThreadDesktop
ExtEscape
GetCursorPos
GetStringTypeA
IsValidLocale
ContinueDebugEvent
GetStdHandle
IsDBCSLeadByte
SetLocalTime
GetSystemMetrics
FindWindowExA
GetSystemPaletteEntries
Form1mild
CallMsgFilterA
GetPropA
OffsetWindowOrgEx
OpenFileMappingA
CreatePipe
IsRectEmpty
ImmGetConversionListA
DdeFreeStringHandle
IsBadHugeReadPtr
OpenIcon
AddAtomA
SetMessageQueue
GetMenuItemCount
WinExec
GlobalAlloc
CreateDialogParamA
WNetGetUniversalNameA
imm32.dll
ImmReleaseContext
PurgeComm
CombineTransform
GetWindowDC
CloseClipboard
CharLowerA
winmm.dll
midiOutGetID
midiStreamClose
Form1SPEC
mmioSetBuffer
ExpandEnvironmentStringsA
ChildWindowFromPoint
GetDefaultCommConfigA
CreatePalette
Form1SPNDE
ExtractAssociatedIconA
SetBkMode
EscapeCommFunction
SetBoundsRect
SetFileSecurityA
VirtualFree
GetTimeFormatA
LoadLibraryExA
winspool.drv
FindClosePrinterChangeNotification
CountClipboardFormats
GetWinMetaFileBits
GetFormA
WriteConsoleOutputCharacterA
ImmDestroyContext
GetCurrentProcessId
RemoveMenu
GlobalFix
ImmCreateContext
joyGetNumDev
FindNextPrinterChangeNotification
EnumMonitorsA
WriteConsoleOutputA
GetMenuItemInfoA
EnumFontFamiliesA
SetCaretPos
GetTapeParameters
GetTextAlign
OpenEventLog
GetOEMCP
EnumThreadWindows
kernel32
GetXystemDirectoryW
GetXurrencyFormatW
mimmo
Form_Paint
VBA6.DLL
__vbaSetSystemError
__vbaOnError
__vbaErase
Form1Inte7
__vbaAryVar
__vbaAryCopy
__vbaEnd
__vbaVarCopy
__vbaR8Str
__vbaFPFix
__vbaVarMove
__vbaRedim
__vbaObjSet
__vbaAryDestruct
__vbaFreeObjList
Form1LANDH
__vbaFpR8
__vbaVarLateMemCallLd
__vbaCyStr
__vbaFpCmpCy
t__vbaVarSetObj
__vbaVarDup
__vbaStrCopy
__vbaFreeStrList
__vbaStrCmp
__vbaObjVar
__vbaObjSetAddref
__vbaFreeVar
__vbaFreeStr
__vbaStrCat
__vbaStrMove
__vbaI4Str
__vbaVarTstNe
__vbaFreeObj
__vbaNew2
__vbaHresultCheckObj
__vbaFpI4
__vbaFreeVarList
__vbaVarTstEq
__vbaAryConstruct2
Form1deac
Form1Cloc7
Form1apht
Form1Dispu
Form1kkke
Form1Roman
Form1Brudf
Form1OVER
Form1HEXAD
L*Form1BETR
Form1MLKER
Form1aaben
Form1Thyro
Form1TOVR
Form1Kalve
Form1Depo7
Form1AUTOC
Form1Vrag2
Form1PAPI
Form1Have4
Form1cont
Form1Unio3
Form1Afla2
Form1STEM
Form1paral
Form1Kibse5
Form1Skumm8
Form1TEST
Form1pleur
Form1kden
Form1Besee8
Form1SMIT
Form1STACC
Form1Cloc
Form1BROBY
Form1hydr
Form1BORG
Form1Ades9
Form1Gnat1
Form1Coac8
Form1Thesm6
Form1Deme7
Form1conj
Form1ejer
Form1SMLE
Form1SVARS
Form1Verno8
Form1annul
Form1MAHO
Form1tolbo
Form1Unas6
Form1ARBE
Form1SKATT
Form1Sand8
Form1AFSHA
Form1ALKOH
Form1zooph
Form1Afko2
Form1Berry8
Form1SLIP
Form1MICR
Form1OPACI
Form1KINES
Form1Topi8
Form1Ddsga1
Form1Kvaks
Form1lovel
Form1Hanny
Form1Fixat
Form1Lnst
Form1UAARE
Form1Finsk7
Form1trill
Form1Deli2
Form1preex
Form1Omlbc
Form1SERVO
Form1dhou
Form1Bedoy
Form1maksi
Form1KUFFE
Form1NONIN
Form1cili
Form1CIGAR
Form1Tsnin5
Form1karto
Form1BALAL
Form1Prot5
Form1BESVR
Form1dram
Form1CLER
Form1Hymen4
Form1Hitc
Form1Raako
Form1Guli
Form1Emuls
Form1Chon8
Form1Mode
Form1resp
Form1tamg
Form1mill
Form1hast
Form1apote
Form1evan
Form1forma
Form1DESS
Form1hila
Form1Birdl
Form1Neoek
Form1euda
Form1tafd
Form1ISENK
Form1Passe
Form1Kath
Form1Polyt5
Form1Kulti7
Form1FAKL
Form1COMA
Form1Farve7
Form1Unpne
Form1rhodo
Form1SAMME
Form1Reno3
Form1rette
Form1akkla
Form1OMLAS
Form1Bruge6
Form1Birr7
Form1Chris6
Form1vela
Form1quabs
Form1fore
Form1Gauss7
Form1mask
Form1splat
Form1rmerg
Form1Coun
Form1foss
Form1Repu3
Form1PLAC
Form1Rant6
Form1Skri
Form1SAMS
Form1DIRE
Form1sali
Form1Resat
Form1guss
Form1Simo3
Form1suga
Form1Komma
Form1Triu
Form1Agua
Form1unbul
Form1hopk
Form1Squa1
Form1EGNSB
Form1Play
Form1KVOTE
Form1cacod
Form1Napoo5
Form1Over2
Form1Ident3
Form1bedri
Form1Gover
Form1Temae
Form1Tilb
Form1PRIS
Form1lovl
Form1Pessi
Form1Amido
Form1Toile3
Form1CYKE
Form1Seve7
Form1jaevn
Form1Desp
Form1OLOM
Form1Manip
Form1Trak4
Form1Xylo6
Form1Forsk8
Form1krak
Form1flyve
Form1Simul8
Form1Latt8
Form1JIGGE
Form1Overv7
Form1eksp
Form1MILJB
Form1skil
Form1Swim
Form1haand
Form1Disp
Form1dehu
Form1Bist
Form1Nunci
Form1GRAN
Form1tank
Form1Homa2
Form1ENDOS
Form1DISHW
Form1DISHW
Form1Deme7
Form1ALKOH
Form1Gemol
Form1Verno8
Form1annul
Form1tolbo
Form1Ergo5
Form1SKATT
Form1Sand8
Form1AFSHA
Form1SALGS
Form1Unas6
Form1Afpr
Form1SMLE
Form1ejer
Form1Thesm6
Form1SVARS
Form1Vand
Form1conj
Form1ARBE
Form1Blys6
Form1molrr
Form1MAHO
Form1Jack
Form1Saft9
Form1bioge
Form1bioge
Form1Overv7
Form1dehu
Form1JIGGE
Form1Nedst
Form1flyve
Form1MILJB
Form1Homa2
Form1Swim
Form1Afvb8
Form1Unde
Form1Latt8
Form1staph
Form1Disp
Form1bevis
Form1tank
Form1Simul8
Form1GRAN
Form1Nunci
Form1Rudim
Form1haand
Form1eksp
Form1Bane
Form1skil
Form1Micro5
Form1FORB
Form1Bist
Form1Soma
Form1BLIND
Form1BLIND
Form1paral
Form1unpro
Form1Skumm8
Form1Cloc
Form1pleur
Form1Kirke9
Form1Kibse5
Form1STACC
Form1OVER
Form1BORG
Form1STNN
Form1Ades9
Form1Coac8
Form1kden
Form1SPECT
Form1BROBY
Form1hydr
Form1Peric6
Form1SMIT
Form1Besee8
Form1SOREL
Form1TEST
Form1Uove
Form1Gnat1
Form1Valgm6
Form1Opge2
Form1Bedi
Form1Bedi
Form1Kath
Form1perri
Form1FAKL
Form1OMLAS
Form1Drif
Form1Bruge6
Form1indus
Form1Kulti7
Form1Reno3
Form1akkla
Form1ISENK
Form1Passe
Form1rhodo
Form1OVER
Form1PSAL
Form1rette
Form1Tonal6
Form1Polyt5
Form1SAMME
Form1Term3
Form1Farve7
Form1nimin
Form1COMA
Form1tafd
Form1Unpne
Form1sugge
Form1Okseh
Form1uspok
Form1Leas
Form1Leas
Form1NONIN
Form1Tsnin5
Form1styr
Form1dram
Form1helhe
Form1CLER
Form1UNBE
Form1Bedoy
Form1preex
Form1CIGAR
Form1maksi
Form1KUFFE
Form1SERVO
Form1Prot5
Form1Hurr
Form1karto
Form1Paat5
Form1Hymen4
Form1Deli2
Form1cili
Form1Samme1
Form1dhou
Form1BALAL
Form1decri
Form1Omlbc
Form1Semo
Form1BESVR
Form1Nonm9
Form1Heter
Form1Heter
Form1Depo7
Form1MLKER
Form1OPRET
Form1Unio3
Form1Konf3
Form1TOVR
Form1Hvert
Form1STEM
Form1azoti
Form1cont
Form1Afla2
Form1sled
Form1PAPI
Form1TRIH
Form1aaben
Form1Upsl5
Form1BETR
Form1Nove3
Form1AUTOC
Form1Vrag2
Form1KLATT
Form1Kalve
Form1Rater2
Form1Thyro
Form1ANTI
Form1Sulp
Form1Have4
Form1Miln
Form1Outs8
Form1Cosm5
Form1Acca
Form1Acca
Form1mild
Form1kkke
Form1Brudf
Form1HEXAD
Form1perni
Form1deac
Form1Kiwac5
Form1Cloc7
Form1Inte7
Form1Supp
Form1apht
Form1Roman
Form1UDGA
Form1over
Form1LANDH
Form1SCHIZ
Form1optil
Form1SPNDE
Form1MITTE
Form1Mercu9
Form1Dispu
Form1ENHED
Form1SPEC
Form1Thre6
Form1Vacuo
Form1Farse3
Form1HALVV
Form1TYMPA
Form1TYMPA
Form1Napoo5
Form1estat
Form1Komma
Form1Slag
Form1Play
Form1STEN
Form1Triu
Form1Ident3
Form1futte
Form1bedri
Form1prob
Form1hopk
Form1TRUE
Form1unbul
Form1Resat
Form1ROMAN
Form1Agua
Form1Tils
Form1Squa1
Form1Salta9
Form1suga
Form1Over2
Form1Simo3
Form1guss
Form1Shar
Form1cacod
Form1udva
Form1KVOTE
Form1POTLE
Form1EGNSB
Form1Kron3
Form1samse
Form1Consi
Form1Mand5
Form1Mand5
Form1Birr7
Form1mask
Form1CARBO
Form1Skri
Form1Chris6
Form1Rant6
Form1TRIMM
Form1quabs
Form1rmerg
Form1Part3
Form1Gauss7
Form1Repu3
Form1foss
Form1splat
Form1SAMS
Form1alkal
Form1PLAC
Form1Mank7
Form1DIRE
Form1sjofl
Form1FLUID
Form1vela
Form1fore
Form1sali
Form1Jawb9
Form1Coun
Form1ANST
Form1RERI
Form1Blaar
Form1Blaar
Form1Birdl
Form1Gant1
Form1resp
Form1Emuls
Form1Centr4
Form1euda
Form1FEODO
Form1DESS
Form1hila
Form1skntc
Form1Raako
Form1Guli
Form1hast
Form1navn
Form1evan
Form1tamg
Form1AAREM
Form1mill
Form1elek
Form1Hitc
Form1MECHA
Form1Mode
Form1Immun7
Form1apote
Form1DSETT
Form1forma
Form1TITUL
Form1Neoek
Form1pikad
Form1Botr
Form1Chon8
Form1Metat
Form1Mark
Form1mohn
Form1Ligeb
Form1Ligeb
Form1Xylo6
Form1Genne
Form1jaevn
Form1ACERB
Form1CYKE
Form1Manip
Form1Uptil
Form1Seve7
Form1BOVV
Form1lovl
Form1Ball4
Form1Forsk8
Form1BARSL
Form1Gover
Form1krak
Form1Temae
Form1cemen
Form1Desp
Form1SIBYL
Form1Trak4
Form1Efter
Form1PRIS
Form1Dopa
Form1Toile3
Form1Igang4
Form1Tilb
Form1Amido
Form1KUNST
Form1OLOM
Form1Birk4
Form1Pessi
Form1pleu
Form1Rimos
Form1fave
Form1fave
Form1UAARE
Form1Finsk7
Form1Beanf5
Form1Hanny
Form1Margi7
Form1KINES
Form1MICR
Form1Prou1
Form1lovel
Form1Lnst
Form1Bagmn
Form1Ddsga1
Form1Dash
Form1trill
Form1Wouf
Form1zooph
Form1Topi8
Form1ultr
Form1Berry8
Form1Afko2
Form1srti
Form1Fixat
Form1Kvaks
Form1APPA
Form1OPACI
Form1SLIP
Form1Succ
Form1capri
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryVar
__vbaAryDestruct
__vbaObjSet
__vbaOnError
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaCyStr
__vbaFPFix
__vbaFpR8
_CIsin
__vbaErase
__vbaChkstk
EVENT_SINK_AddRef
__vbaStrCmp
__vbaAryConstruct2
__vbaVarTstEq
__vbaObjVar
DllFunctionCall
_adj_fpatan
__vbaRedim
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaFpCmpCy
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
_CIlog
__vbaNew2
__vbaR8Str
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaVarSetObj
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarTstNe
__vbaVarDup
__vbaFpI4
__vbaVarLateMemCallLd
__vbaVarCopy
_CIatan
__vbaStrMove
__vbaAryCopy
_allmul
_CItan
_CIexp
__vbaFreeObj
__vbaFreeStr
q4w958
tQrJ7ROzULwnQ7coYkWhcjlneqwnUN107
FX6u3FyBAHVrr49
thVsqWCEj9xqCzACb142
HuV122
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004B0
ProductName
Form1emht
FileVersion
5.00.0004
ProductVersion
5.00.0004
InternalName
OriginalFilename
xid.exe
jhkfdkjhkjhdfs
This file is not on VirusTotal.
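Two strings in the dump above, GetXystemDirectoryW and GetXurrencyFormatW, sit right after a second kernel32 marker and are one character away from the real exports GetSystemDirectoryW and GetCurrencyFormatW. Names like these, together with the long run of Win32 API names (SHFileOperationA, CreatePipe, WinExec, ...) that appear as strings but not in the import table, are what a string-triage pass should surface, since a name that is off by one character is either patched to the real name at run time or is a decoy, and both are worth a look. The Python below is an added example, not CAPE's code: given a strings list and a reference list of known API names, it reports exact hits and near misses at edit distance 1. The reference set and the sample strings are constructed for the example from names visible on this page.

```python
from typing import Iterable

# Reference set of real Win32 export names (constructed for the example from names that appear on this page).
KNOWN_APIS = {
    "GetSystemDirectoryW", "GetCurrencyFormatW", "SHFileOperationA", "CreatePipe", "WinExec",
    "GlobalAlloc", "LoadLibraryExA", "VirtualFree", "OpenFileMappingA", "GetCurrentProcessId",
}

# Sample strings, constructed from the strings dump above.
SAMPLE_STRINGS = [
    "Form1Grns5", "shell32.dll", "SHFileOperationA", "kernel32", "WinExec", "GlobalAlloc",
    "kernel32", "GetXystemDirectoryW", "GetXurrencyFormatW", "mimmo", "Form_Paint", "MSVBVM60.DLL",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_api_strings(strings: Iterable[str], known: set = KNOWN_APIS, max_distance: int = 1) -> dict:
    """Split strings into exact API names, near misses (paired with the closest real name), and the rest."""
    exact, near, other = [], [], []
    for s in strings:
        if s in known:
            exact.append(s)
            continue
        # Cheap prefilter: only names of similar length can be within max_distance edits.
        candidates = [k for k in known if abs(len(k) - len(s)) <= max_distance]
        best = min(candidates, key=lambda k: edit_distance(s, k), default=None)
        if best is not None and edit_distance(s, best) <= max_distance:
            near.append((s, best))
        else:
            other.append(s)
    return {"exact": exact, "near_miss": near, "other": other}


def form_prefix_count(strings: Iterable[str], prefix: str = "Form1") -> int:
    """Count names sharing one prefix; hundreds of Form1xxxx strings are auto-generated VB6 noise."""
    return sum(1 for s in strings if s.startswith(prefix))


if __name__ == "__main__":
    result = triage_api_strings(SAMPLE_STRINGS)
    print("exact API names:", result["exact"])
    for seen, real in result["near_miss"]:
        print(f"near miss: {seen!r} is 1 edit from {real!r}")
    print("Form1-prefixed strings:", form_prefix_count(SAMPLE_STRINGS))
```

With a full export list of kernel32, user32, advapi32 and friends in place of the constructed KNOWN_APIS set, the same function turns the whole strings section of a report into three short lists, and the near-miss list is the one to carry into the debugger.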

Process Tree


mal.exe, PID: 2172, Parent PID: 2584
Full Path: C:\Users\user\AppData\Local\Temp\mal.exe
Command Line: "C:\Users\user\AppData\Local\Temp\mal.exe"
mal.exe, PID: 164, Parent PID: 2172
Full Path: C:\Users\user\AppData\Local\Temp\mal.exe
Command Line: "C:\Users\user\AppData\Local\Temp\mal.exe"
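The tree above shows mal.exe (PID 2172) starting a second copy of its own image from %TEMP% (PID 164) with an identical command line. A process that launches itself with no new arguments is the usual parent side of process hollowing or RunPE-style injection, which is consistent with the shellcode CAPE extracted from PID 2172 further down. The Python below is an added example, not CAPE's code: it parses process records in the flattened text form used on this page, links children to parents, and flags a child whose image path equals its parent's, scoring higher when the image runs from a user-writable directory or the command line is unchanged. The sample input is the process tree text above; the directory list and the scoring are the example's own.

```python
import re
from typing import Dict, List

# Process tree text copied from the report above (input constructed for the example).
PROCESS_TREE_TEXT = """\
mal.exe, PID: 2172, Parent PID: 2584
Full Path: C:\\Users\\user\\AppData\\Local\\Temp\\mal.exe
Command Line: "C:\\Users\\user\\AppData\\Local\\Temp\\mal.exe"
mal.exe, PID: 164, Parent PID: 2172
Full Path: C:\\Users\\user\\AppData\\Local\\Temp\\mal.exe
Command Line: "C:\\Users\\user\\AppData\\Local\\Temp\\mal.exe"
"""

HEADER_RE = re.compile(r"^(?P<name>.+?), PID: (?P<pid>\d+), Parent PID: (?P<ppid>\d+)$")
# User-writable locations an installed program rarely runs from (assumption made for the example).
WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\", "\\downloads\\")


def parse_process_tree(text: str) -> List[dict]:
    """Turn the flattened 'name, PID, Parent PID / Full Path / Command Line' triples into records."""
    procs, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m["name"], "pid": int(m["pid"]), "ppid": int(m["ppid"]), "path": "", "cmdline": ""}
            procs.append(current)
        elif current is not None and line.startswith("Full Path: "):
            current["path"] = line[len("Full Path: "):]
        elif current is not None and line.startswith("Command Line: "):
            current["cmdline"] = line[len("Command Line: "):]
    return procs


def find_self_spawn(procs: List[dict]) -> List[dict]:
    """Flag children whose image path equals their parent's; add weight for the usual injection tells."""
    by_pid: Dict[int, dict] = {p["pid"]: p for p in procs}
    findings = []
    for child in procs:
        parent = by_pid.get(child["ppid"])
        if parent is None or child["path"].lower() != parent["path"].lower():
            continue
        reasons = ["child image path equals parent image path"]
        score = 1
        if any(d in child["path"].lower() for d in WRITABLE_DIRS):
            reasons.append("image runs from a user-writable directory")
            score += 1
        if child["cmdline"] == parent["cmdline"]:
            reasons.append("identical command line, no argument that explains a re-launch")
            score += 1
        findings.append({"parent_pid": parent["pid"], "child_pid": child["pid"], "path": child["path"],
                         "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_self_spawn(parse_process_tree(PROCESS_TREE_TEXT)):
        print(f"PID {f['parent_pid']} -> PID {f['child_pid']} score={f['score']}: {'; '.join(f['reasons'])}")
```

Browsers and other multi-process programs also spawn their own image, but they pass a distinguishing argument and run from an installed location, which is why the score separates the two cases rather than the path comparison alone.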

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 23.51.123.27 [VT] Netherlands

TCP

Source Source Port Destination Destination Port
192.168.35.22 49159 23.51.123.27 s2.symcb.com 80
192.168.35.22 49160 23.51.123.27 s2.symcb.com 80

UDP

Source Source Port Destination Destination Port
192.168.35.22 58774 8.8.8.8 53
192.168.35.22 61809 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
s2.symcb.com [VT] CNAME ocsp-ds.ws.symantec.com.edgekey.net [VT]
CNAME e8218.dscb1.akamaiedge.net [VT]
A 23.51.123.27 [VT]
sv.symcd.com [VT]

HTTP Requests

URI Data
http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com

http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEA68GTXVKUpZS08ycHsKCrk%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEA68GTXVKUpZS08ycHsKCrk%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sv.symcd.com
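Both HTTP requests above carry the User-Agent Microsoft-CryptoAPI/6.1 and go to Symantec OCSP responders (the DNS section resolves s2.symcb.com through ocsp-ds.ws.symantec.com.edgekey.net), which is what Windows itself generates when it validates a certificate chain, not something the sample's own code sends. The path of each GET is a DER OCSPRequest, base64 and then URL-encoded, the GET form from RFC 5019; decoding it shows which certificate is being checked, which matters before anyone lists s2.symcb.com or sv.symcd.com as an indicator. The Python below is an added example, not part of the CAPE report: a minimal DER TLV reader walks the request and returns the hash algorithm OID, the issuer name and key hashes, and the serial number for each URL. The two URLs are copied from the report; the field names follow the CertID structure of RFC 6960.

```python
import base64
import urllib.parse

# The two OCSP GET URLs from the HTTP Requests section above.
OCSP_URLS = [
    "http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D",
    "http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEA68GTXVKUpZS08ycHsKCrk%3D",
]

OID_NAMES = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def der_tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(url: str) -> dict:
    """Decode an RFC 5019 OCSP GET URL down to the CertID fields of its single Request."""
    parts = urllib.parse.urlsplit(url)
    der = base64.b64decode(urllib.parse.unquote(parts.path.lstrip("/")))
    tag, ocsp_request, _ = der_tlv(der)              # OCSPRequest ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = der_tlv(ocsp_request)                # tbsRequest ::= SEQUENCE
    tag, request_list, pos = der_tlv(tbs, 0)
    while tag in (0xA0, 0xA1):                       # skip optional [0] version / [1] requestorName
        tag, request_list, pos = der_tlv(tbs, pos)
    _, request, _ = der_tlv(request_list)            # first Request of the SEQUENCE OF
    _, cert_id, _ = der_tlv(request)                 # reqCert CertID
    _, alg, p = der_tlv(cert_id)                     # hashAlgorithm AlgorithmIdentifier
    _, oid, _ = der_tlv(alg)
    _, name_hash, p = der_tlv(cert_id, p)            # issuerNameHash OCTET STRING
    _, key_hash, p = der_tlv(cert_id, p)             # issuerKeyHash OCTET STRING
    tag, serial, _ = der_tlv(cert_id, p)             # serialNumber CertificateSerialNumber (INTEGER)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    oid_str = decode_oid(oid)
    return {
        "responder": parts.hostname,
        "hash_algorithm": oid_str,
        "hash_name": OID_NAMES.get(oid_str, "unknown"),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial_number": serial.hex(),
    }


if __name__ == "__main__":
    for u in OCSP_URLS:
        print(parse_ocsp_get(u))
```

The issuer key hash identifies the CA whose responder is being asked and the serial identifies the leaf; matching them against the certificates in the sample's Authenticode signature (or the responder's own chain) tells you whether the lookup is for the signer of this binary or for a CA certificate further up, and either way it is the OS's revocation check, not C2.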

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name win.ini
Associated Filenames
C:\Windows\win.ini
File Size 509 bytes
File Type ASCII text, with CRLF line terminators
MD5 d2a2412bddba16d60ec63bd9550d933f
SHA1 deb3d3bdc9055f0b4909b31d3048446848fae0e1
SHA256 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
CRC32 BF84F0B8
Ssdeep 12:F4Yv65RdlpcgbtrMv4Fblu0N5ZSESow46T:F30jpPtpxP5ZY4E
ClamAV None
Yara None matched
CAPE Yara None matched
Display Text
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
[kernel32]
kernel32=kernel32
Type Extracted Shellcode
Size 12288 bytes
Virtual Address 0x00480000
Process mal.exe
PID 2172
Path C:\Users\user\AppData\Local\Temp\mal.exe
MD5 35a71512551c5f45acdfb04f26b798bf
SHA1 d3b20cd4d13d3dcfaf20a0387cfe8ac67cc5c04c
SHA256 7dfac24f491525889c6ad9be7cd67c750d49c7c074e375382d6b66e2237e6a68
CRC32 5AA96518
Ssdeep 192:gwpWwC69pO1YTtkIanDuuSdAOr1nfDS0ed41rSL:g0WwC661PIan3aLSZd4BS
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Process Name mal.exe
PID 2172
Dump Size 516608 bytes
Module Path C:\Users\user\AppData\Local\Temp\mal.exe
Type PE image: executable
MD5 a5b830d51f436bbb9d01a0a7cd866794
SHA1 080d20e5e2c8dc78ff76839d875e7a403eddfbe4
SHA256 7c0ed0a23f00baa7525a61cce11202962655cf7979b629fe49a330c860e41011
CRC32 72FE0EAA
Ssdeep 12288:yL7vLIGsdwpvAoAnuwG9xcroWwRiGlEGaj:yL7fSolJ9xUjkVEGE
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 7c0ed0a23f00baa7525a61cce11202962655cf7979b629fe49a330c860e41011

Processing ( 2.501 seconds )

  • 1.069 Static
  • 0.527 CAPE
  • 0.248 TargetInfo
  • 0.247 ProcDump
  • 0.15 BehaviorAnalysis
  • 0.106 TrID
  • 0.091 Deduplicate
  • 0.032 Strings
  • 0.014 NetworkAnalysis
  • 0.011 Dropped
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.119 seconds )

  • 0.035 antidbg_windows
  • 0.01 antiav_detectreg
  • 0.006 ransomware_files
  • 0.004 api_spamming
  • 0.004 decoy_document
  • 0.004 stealth_timeout
  • 0.004 infostealer_ftp
  • 0.003 Doppelganging
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 antidebug_guardpages
  • 0.002 injection_createremotethread
  • 0.002 InjectionCreateRemoteThread
  • 0.002 InjectionProcessHollowing
  • 0.002 persistence_autorun
  • 0.002 injection_runpe
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 InjectionInterProcess
  • 0.001 rat_nanocore
  • 0.001 stack_pivot
  • 0.001 antiemu_wine_func
  • 0.001 antivm_vbox_window
  • 0.001 betabot_behavior
  • 0.001 ransomware_message
  • 0.001 antivm_generic_disk
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 antisandbox_script_timer
  • 0.001 kovter_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway

Reporting ( 0.019 seconds )

  • 0.018 SubmitCAPE
  • 0.001 CompressResults
Task ID 90419
Mongo ID 5d7903ab28518285356320d0
Cuckoo release 1.3-CAPE