Analysis

Category Package Started Completed Duration
FILE exe 2019-09-11 14:42:06 2019-09-11 14:42:41 35 seconds

Options

route = internet
procdump = 1

Log
2019-09-11 15:42:09,000 [root] INFO: Date set to: 09-11-19, time set to: 14:42:09, timeout set to: 200
2019-09-11 15:42:09,015 [root] DEBUG: Starting analyzer from: C:\qyxzo
2019-09-11 15:42:09,015 [root] DEBUG: Storing results at: C:\ZARLZjcroa
2019-09-11 15:42:09,015 [root] DEBUG: Pipe server name: \\.\PIPE\VXdkVKdurJ
2019-09-11 15:42:09,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-09-11 15:42:09,030 [root] INFO: Automatically selected analysis package "exe"
2019-09-11 15:42:09,421 [root] DEBUG: Started auxiliary module Browser
2019-09-11 15:42:09,421 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 15:42:09,421 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-09-11 15:42:09,936 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-09-11 15:42:09,936 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 15:42:09,936 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 15:42:09,936 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 15:42:09,936 [root] DEBUG: Started auxiliary module Human
2019-09-11 15:42:09,936 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 15:42:09,950 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 15:42:09,950 [root] DEBUG: Started auxiliary module Usage
2019-09-11 15:42:09,950 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-09-11 15:42:09,950 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-09-11 15:42:10,029 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\ReverseMe.exe" with arguments "" with pid 1836
2019-09-11 15:42:10,325 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-09-11 15:42:10,325 [lib.api.process] INFO: 64-bit DLL to inject is C:\qyxzo\dll\dLpXjPM.dll, loader C:\qyxzo\bin\MYfVDFrR.exe
2019-09-11 15:42:10,371 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\VXdkVKdurJ.
2019-09-11 15:42:10,371 [root] DEBUG: Loader: Injecting process 1836 (thread 332) with C:\qyxzo\dll\dLpXjPM.dll.
2019-09-11 15:42:10,371 [root] DEBUG: Process image base: 0x0000000140000000
2019-09-11 15:42:10,371 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\qyxzo\dll\dLpXjPM.dll.
2019-09-11 15:42:10,371 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000001412F5000 - 0x000007FEFF430000
2019-09-11 15:42:10,371 [root] DEBUG: InjectDllViaIAT: Allocated 0x234 bytes for new import table at 0x0000000141300000.
2019-09-11 15:42:10,371 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 15:42:10,371 [root] DEBUG: Successfully injected DLL C:\qyxzo\dll\dLpXjPM.dll.
2019-09-11 15:42:10,371 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1836
2019-09-11 15:42:12,384 [lib.api.process] INFO: Successfully resumed process with pid 1836
2019-09-11 15:42:12,384 [root] INFO: Added new process to list with pid: 1836
2019-09-11 15:42:12,415 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 15:42:12,415 [root] DEBUG: Process dumps enabled.
2019-09-11 15:42:12,447 [root] WARNING: Unable to place hook on LockResource
2019-09-11 15:42:12,447 [root] WARNING: Unable to hook LockResource
2019-09-11 15:42:12,477 [root] INFO: Disabling sleep skipping.
2019-09-11 15:42:12,477 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 15:42:12,477 [root] INFO: Disabling sleep skipping.
2019-09-11 15:42:12,477 [root] INFO: Disabling sleep skipping.
2019-09-11 15:42:12,477 [root] INFO: Disabling sleep skipping.
2019-09-11 15:42:12,477 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1836 at 0x0000000074460000, image base 0x0000000140000000, stack from 0x0000000000125000-0x0000000000130000
2019-09-11 15:42:12,477 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\ReverseMe.exe".
2019-09-11 15:42:12,477 [root] INFO: Monitor successfully loaded in process with pid 1836.
2019-09-11 15:42:12,540 [root] DEBUG: set_caller_info: Adding region at 0x0000000000030000 to caller regions list (ntdll::NtQuerySystemInformation).
2019-09-11 15:42:15,427 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-09-11 15:42:17,454 [root] INFO: Process with pid 1836 has terminated
2019-09-11 15:42:22,525 [root] INFO: Process list is empty, terminating analysis.
2019-09-11 15:42:23,539 [root] INFO: Created shutdown mutex.
2019-09-11 15:42:24,552 [root] INFO: Shutting down package.
2019-09-11 15:42:24,552 [root] INFO: Stopping auxiliary modules.
2019-09-11 15:42:24,552 [root] INFO: Finishing auxiliary modules.
2019-09-11 15:42:24,552 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 15:42:24,552 [root] WARNING: File at path "C:\ZARLZjcroa\debugger" does not exist, skip.
2019-09-11 15:42:24,552 [root] INFO: Analysis completed.

MalScore

1.0

Benign

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-09-11 14:42:08 2019-09-11 14:42:40

File Details

File Name ReverseMe.exe
File Size 10660352 bytes
File Type PE32+ executable (console) x86-64, for MS Windows
MD5 bc9e7d8b90a229cad387059a1e61a60f
SHA1 12918fa9e864184ed099d08b66e2543b80b5f0eb
SHA256 5ae442db9f4d619995262a35282ea1b2c9fdecdd5468031b7f7caffe7e755398
SHA512 2a6c91983b8d8a588c2cf8ca85b1c90b6f36ac3214dacdc4fbd2729d2a0294fec6aba68cd745182eba094ed4df92373e2544b59dc10eef34c3052f8d18b9ee1d
CRC32 B85742FB
Ssdeep 196608:ihoKYBVrhhHoluthhIJLnBLZvzSlMrUm1OGTgQZVOKl6hfMuLoPVvF0R:ihaVrhhHolq3k9dvzSEVVTgSOjf5LWj0
TrID
  • 82.0% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 6.0% (.EXE) OS/2 Executable (generic) (2029/13)
  • 5.9% (.EXE) Generic Win/DOS Executable (2002/3)
  • 5.9% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

The binary likely contains encrypted or compressed data.
section: name: .Denuvo1, entropy: 7.97, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00a15200, virtual_size: 0x00a150f4

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

Binary Entropy

PE Information

Image Base 0x140000000
Entry Point 0x14116403b
Reported Checksum 0x00a2df47
Actual Checksum 0x00a2df47
Minimum OS Version 6.0
Compile Time 2019-07-28 08:01:43
Import Hash b136bc332e974589b34d0f94cfda4742
Exported DLL Name MZ\x90

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00051b0e 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.rdata 0x00053000 0x00016a70 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00
.data 0x0006a000 0x00003618 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.pdata 0x0006e000 0x00002bbc 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00
_RDATA 0x00071000 0x00000094 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00
.Denuvo0 0x00072000 0x00856690 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.Denuvo1 0x008c9000 0x00a150f4 0x00a15200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.97
.rsrc 0x012df000 0x000152e2 0x00015400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.68

Imports

Library KERNEL32.dll:
0x141176000 WriteConsoleW
Library ADVAPI32.dll:
0x141176010 RegOpenKeyExA
Library OLEAUT32.dll:
0x141176020 VariantClear
Library WS2_32.dll:
0x141176030 closesocket
Library IPHLPAPI.DLL:
0x141176040 GetAdaptersInfo
Library WTSAPI32.dll:
0x141176050 WTSSendMessageW
Library KERNEL32.dll:
0x141176060 FlsSetValue
Library USER32.dll:
0x141176070 GetProcessWindowStation
Library KERNEL32.dll:
0x141176080 LocalAlloc
0x141176088 LocalFree
0x141176090 GetModuleFileNameW
0x141176098 GetProcessAffinityMask
0x1411760a0 SetProcessAffinityMask
0x1411760a8 SetThreadAffinityMask
0x1411760b0 Sleep
0x1411760b8 ExitProcess
0x1411760c0 FreeLibrary
0x1411760c8 LoadLibraryA
0x1411760d0 GetModuleHandleA
0x1411760d8 GetProcAddress
Library USER32.dll:
0x1411760e8 GetProcessWindowStation

This file is not on VirusTotal.

Process Tree


ReverseMe.exe, PID: 1836, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\ReverseMe.exe
Command Line: "C:\Users\user\AppData\Local\Temp\ReverseMe.exe"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Comments

No comments posted

Processing ( 22.174 seconds )

  • 12.37 Static
  • 4.27 CAPE
  • 4.253 TargetInfo
  • 0.653 Strings
  • 0.458 TrID
  • 0.151 Deduplicate
  • 0.007 NetworkAnalysis
  • 0.006 BehaviorAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.04 seconds )

  • 0.007 antiav_detectreg
  • 0.006 ransomware_files
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 persistence_autorun
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail

Reporting ( 0.0 seconds )

Task ID 90423
Mongo ID 5d7907f82851828535632329
Cuckoo release 1.3-CAPE