Analysis

Category Package Started Completed Duration
FILE exe 2019-09-11 16:17:24 2019-09-11 16:17:58 34 seconds
route = internet
procdump = 1
2019-09-11 17:17:25,000 [root] INFO: Date set to: 09-11-19, time set to: 16:17:25, timeout set to: 200
2019-09-11 17:17:25,015 [root] DEBUG: Starting analyzer from: C:\qiaeos
2019-09-11 17:17:25,015 [root] DEBUG: Storing results at: C:\XDqfMlTa
2019-09-11 17:17:25,015 [root] DEBUG: Pipe server name: \\.\PIPE\LMIiZwwbA
2019-09-11 17:17:25,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-09-11 17:17:25,015 [root] INFO: Automatically selected analysis package "exe"
2019-09-11 17:17:25,436 [root] DEBUG: Started auxiliary module Browser
2019-09-11 17:17:25,436 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 17:17:25,436 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-09-11 17:17:25,872 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-09-11 17:17:25,872 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 17:17:25,872 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 17:17:25,872 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 17:17:25,872 [root] DEBUG: Started auxiliary module Human
2019-09-11 17:17:25,872 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 17:17:25,872 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 17:17:25,872 [root] DEBUG: Started auxiliary module Usage
2019-09-11 17:17:25,872 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-09-11 17:17:25,872 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-09-11 17:17:25,920 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\YKJS5Dc.exe" with arguments "" with pid 1988
2019-09-11 17:17:26,122 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-09-11 17:17:26,122 [lib.api.process] INFO: 64-bit DLL to inject is C:\qiaeos\dll\OAsLIOc.dll, loader C:\qiaeos\bin\iFATqQlp.exe
2019-09-11 17:17:26,138 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LMIiZwwbA.
2019-09-11 17:17:26,138 [root] DEBUG: Loader: Injecting process 1988 (thread 1332) with C:\qiaeos\dll\OAsLIOc.dll.
2019-09-11 17:17:26,138 [root] DEBUG: Process image base: 0x0000000000400000
2019-09-11 17:17:26,138 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\qiaeos\dll\OAsLIOc.dll.
2019-09-11 17:17:26,138 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000000040E000 - 0x0000000077110000
2019-09-11 17:17:26,138 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x0000000000410000.
2019-09-11 17:17:26,138 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 17:17:26,138 [root] DEBUG: Successfully injected DLL C:\qiaeos\dll\OAsLIOc.dll.
2019-09-11 17:17:26,138 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1988
2019-09-11 17:17:28,151 [lib.api.process] INFO: Successfully resumed process with pid 1988
2019-09-11 17:17:28,151 [root] INFO: Added new process to list with pid: 1988
2019-09-11 17:17:28,259 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 17:17:28,259 [root] DEBUG: Process dumps enabled.
2019-09-11 17:17:28,306 [root] WARNING: Unable to place hook on LockResource
2019-09-11 17:17:28,306 [root] WARNING: Unable to hook LockResource
2019-09-11 17:17:28,338 [root] INFO: Disabling sleep skipping.
2019-09-11 17:17:28,338 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 17:17:28,338 [root] INFO: Disabling sleep skipping.
2019-09-11 17:17:28,338 [root] INFO: Disabling sleep skipping.
2019-09-11 17:17:28,338 [root] INFO: Disabling sleep skipping.
2019-09-11 17:17:28,338 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1988 at 0x0000000074460000, image base 0x0000000000400000, stack from 0x0000000000135000-0x0000000000140000
2019-09-11 17:17:28,338 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\YKJS5Dc.exe".
2019-09-11 17:17:28,338 [root] INFO: Monitor successfully loaded in process with pid 1988.
2019-09-11 17:17:28,368 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1988
2019-09-11 17:17:28,368 [root] DEBUG: GetHookCallerBase: thread 1332 (handle 0x0), return address 0x00000000004019C3, allocation base 0x0000000000400000.
2019-09-11 17:17:28,368 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000000400000.
2019-09-11 17:17:28,368 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000000400000.
2019-09-11 17:17:28,368 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000141C.
2019-09-11 17:17:28,368 [root] DEBUG: DLL loaded at 0x0000000004E80000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-09-11 17:17:28,384 [root] INFO: Added new CAPE file to list with path: C:\XDqfMlTa\CAPE\1988_161292950928171811392019
2019-09-11 17:17:28,384 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x9400.
2019-09-11 17:17:28,400 [root] DEBUG: DLL unloaded from 0x00000000017C0000.
2019-09-11 17:17:28,400 [root] INFO: Notified of termination of process with pid 1988.
2019-09-11 17:17:29,164 [root] INFO: Process with pid 1988 has terminated
2019-09-11 17:17:34,234 [root] INFO: Process list is empty, terminating analysis.
2019-09-11 17:17:35,249 [root] INFO: Created shutdown mutex.
2019-09-11 17:17:36,263 [root] INFO: Shutting down package.
2019-09-11 17:17:36,263 [root] INFO: Stopping auxiliary modules.
2019-09-11 17:17:36,263 [root] INFO: Finishing auxiliary modules.
2019-09-11 17:17:36,263 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 17:17:36,263 [root] WARNING: File at path "C:\XDqfMlTa\debugger" does not exist, skip.
2019-09-11 17:17:36,263 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-09-11 16:17:24 2019-09-11 16:17:56

File Details

File Name 3433BB4896CD701E750CAB608E6B1D91.fil
File Size 72206 bytes
File Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 3433bb4896cd701e750cab608e6b1d91
SHA1 fbdf07e4da28197f83f8e4d3b8736480b5805d3b
SHA256 c6cafaec2f4002a4c7143456fea6ee34ca59ca186a2d4be242120b6b0eba18f1
SHA512 fd986c5cde08c63bc809127e3ab58bf93e888f1f183ab5c5319b1bd1bf282424d4b6f0c9254780279d4c715440b321429a958b73dcfc1f19e1520d4fb7b42d92
CRC32 B010173B
Ssdeep 1536:jbnocKJkSHyXURxVlATYPNThoU8Z82I5Ee2Mh2hEy9D3rw:QRCXURxETc3Hx5ER13U
TrID
  • 82.0% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 6.0% (.EXE) OS/2 Executable (generic) (2029/13)
  • 5.9% (.EXE) Generic Win/DOS Executable (2002/3)
  • 5.9% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Possible date expiration check, exits too soon after checking local time
process: YKJS5Dc.exe, PID 1988
Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
Detects Sandboxie through the presence of a library
Detects Avast Antivirus through the presence of a library
Detects SunBelt Sandbox through the presence of a library
Queries information on disks, possibly for anti-virtualization
Detects the presence of Wine emulator via function name
Checks for the presence of known windows from debuggers and forensic tools
Window: OLLYDBG
Window: WinDbgFrameClass
Checks the version of Bios, possibly for anti-virtualization
Detects VirtualBox through the presence of a file
file: C:\Windows\sysnative\drivers\VBoxMouse.sys
Detects VMware through the presence of a file
Detects VMware through the presence of a registry key

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Windows\sysnative\drivers\VBoxMouse.sys
C:\Windows\sysnative\drivers\vmhgfs.sys
C:\Windows\sysnative\drivers\vmmouse.sys
\??\PhysicalDrive0
\??\PhysicalDrive0
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
user32.dll.BlockInput
kernel32.dll.IsDebuggerPresent
kernel32.dll.CheckRemoteDebuggerPresent
ntdll.dll.NtClose
ntdll.dll.LdrLoadDll

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x0040141c
Reported Checksum 0x00000000
Actual Checksum 0x0001283a
Minimum OS Version 5.2
Compile Time 2017-01-25 22:04:45
Import Hash 5ea67d8f6b80e0e4d61f5a5686689ae9

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00006077 0x00006200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.36
.rdata 0x00008000 0x00002028 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.07
.data 0x0000b000 0x00000748 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.70
.pdata 0x0000c000 0x000001c8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.68
.reloc 0x0000d000 0x0000010c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 3.39

Overlay

Offset 0x00009000
Size 0x00008a0e

Imports

Library KERNEL32.dll:
0x408058 Process32FirstW
0x408060 Process32NextW
0x408070 GetThreadContext
0x408088 DeviceIoControl
0x408098 OpenProcess
0x4080a0 CreateProcessW
0x4080a8 RtlUnwindEx
0x4080b0 GetModuleHandleW
0x4080b8 GetProcessHeap
0x4080c0 HeapFree
0x4080c8 HeapAlloc
0x4080d0 LocalFree
0x4080d8 GetModuleHandleA
0x4080e0 GetProcAddress
0x4080e8 GetModuleFileNameW
0x4080f0 Sleep
0x4080f8 GetCommandLineW
0x408100 ExitProcess
0x408108 CloseHandle
0x408110 VirtualAlloc
0x408118 CreateFileW
0x408120 ReadFile
0x408128 VirtualFree
0x408130 GetCurrentThread
0x408138 GetFileSize
0x408140 LoadLibraryW
Library USER32.dll:
0x408180 FindWindowW
Library ADVAPI32.dll:
0x408000 RegCloseKey
0x408008 RegQueryValueExW
0x408010 RegOpenKeyExW
0x408018 GetUserNameW
0x408020 CryptHashData
0x408028 CryptDestroyHash
0x408030 CryptCreateHash
0x408038 CryptReleaseContext
0x408048 CryptGetHashParam
Library SHLWAPI.dll:
0x408168 PathFileExistsW
0x408170 PathAppendW
Library SHELL32.dll:
0x408150 CommandLineToArgvW
0x408158 SHGetFolderPathW

.text
`.rdata
@.data
.pdata
@.reloc
RtlGetVersion
ntdll.dll
GetFileSize
GetCurrentThread
VirtualFree
ReadFile
CreateFileW
VirtualAlloc
CloseHandle
ExitProcess
GetCommandLineW
Sleep
GetModuleFileNameW
GetProcAddress
GetModuleHandleA
LocalFree
HeapAlloc
HeapFree
GetProcessHeap
GetModuleHandleW
CreateProcessW
OpenProcess
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
GetThreadContext
RemoveVectoredExceptionHandler
LoadLibraryW
AddVectoredExceptionHandler
DeviceIoControl
ExpandEnvironmentStringsW
KERNEL32.dll
FindWindowW
USER32.dll
CryptGetHashParam
CryptAcquireContextW
CryptReleaseContext
CryptCreateHash
CryptDestroyHash
CryptHashData
GetUserNameW
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
ADVAPI32.dll
PathFileExistsW
PathAppendW
SHLWAPI.dll
CommandLineToArgvW
SHGetFolderPathW
SHELL32.dll
RtlUnwindEx
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)
Microsoft Enhanced RSA and AES Cryptographic Provider
This file is not on VirusTotal.

Process Tree


YKJS5Dc.exe, PID: 1988, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\YKJS5Dc.exe
Command Line: "C:\Users\user\AppData\Local\Temp\YKJS5Dc.exe"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

No dropped Suricata extracted files.

JA3

No JA3 hashes found.

No dropped files.
No CAPE files.
Process Name YKJS5Dc.exe
PID 1988
Dump Size 37888 bytes
Module Path C:\Users\user\AppData\Local\Temp\YKJS5Dc.exe
Type PE image: 64-bit executable
MD5 e94646fb5e0e159214af78982d531c8d
SHA1 dcea13fc13dfb94cf8698c8bc593406b15533631
SHA256 41c97af07efa965276988e040a92cc7ec5847c1630559ba9d15a3bf9d7b9599d
CRC32 87B24A0D
Ssdeep 768:MHOiLnsTcVYyukSH58lXoKqB3mSUGl8BT/YPhU6EimSogNGq:MbnocKJkSHyXURxVlATYP7hoU
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 41c97af07efa965276988e040a92cc7ec5847c1630559ba9d15a3bf9d7b9599d


Processing ( 0.962 seconds )

  • 0.483 Static
  • 0.117 CAPE
  • 0.106 BehaviorAnalysis
  • 0.093 TrID
  • 0.065 TargetInfo
  • 0.051 ProcDump
  • 0.03 Deduplicate
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.004 Strings
  • 0.001 Debug

Signatures ( 0.096 seconds )

  • 0.007 antiav_detectreg
  • 0.006 injection_createremotethread
  • 0.006 InjectionCreateRemoteThread
  • 0.006 ransomware_files
  • 0.005 lsass_credential_dumping
  • 0.005 Doppelganging
  • 0.005 process_interest
  • 0.005 stealth_timeout
  • 0.004 InjectionInterProcess
  • 0.004 InjectionProcessHollowing
  • 0.004 vawtrak_behavior
  • 0.004 injection_runpe
  • 0.003 api_spamming
  • 0.003 decoy_document
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 persistence_autorun
  • 0.002 process_needed
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail

Reporting ( 0.0 seconds )

Task ID 90424
Mongo ID 5d791e3aeac9b18670634452
Cuckoo release 1.3-CAPE