Analysis

Category Package Started Completed Duration Options Log
FILE Extraction 2019-10-09 21:10:29 2019-10-09 21:14:14 225 seconds
route = internet
procdump = 0
2019-10-09 22:10:30,000 [root] INFO: Date set to: 10-09-19, time set to: 21:10:30, timeout set to: 200
2019-10-09 22:10:30,015 [root] DEBUG: Starting analyzer from: C:\mhtyrzkj
2019-10-09 22:10:30,015 [root] DEBUG: Storing results at: C:\RzgCEpR
2019-10-09 22:10:30,015 [root] DEBUG: Pipe server name: \\.\PIPE\DDUtizQsd
2019-10-09 22:10:30,015 [root] INFO: Analysis package "Extraction" has been specified.
2019-10-09 22:10:30,436 [root] DEBUG: Started auxiliary module Browser
2019-10-09 22:10:30,436 [root] DEBUG: Started auxiliary module Curtain
2019-10-09 22:10:30,436 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-09 22:10:32,073 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
2019-10-09 22:10:32,073 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-09 22:10:32,073 [root] DEBUG: Started auxiliary module DigiSig
2019-10-09 22:10:32,089 [root] DEBUG: Started auxiliary module Disguise
2019-10-09 22:10:32,089 [root] DEBUG: Started auxiliary module Human
2019-10-09 22:10:32,089 [root] DEBUG: Started auxiliary module Screenshots
2019-10-09 22:10:32,089 [root] DEBUG: Started auxiliary module Sysmon
2019-10-09 22:10:32,089 [root] DEBUG: Started auxiliary module Usage
2019-10-09 22:10:32,089 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-10-09 22:10:32,089 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2019-10-09 22:10:32,105 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\colors.exe" with arguments "" with pid 532
2019-10-09 22:10:32,105 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-10-09 22:10:32,105 [lib.api.process] INFO: 32-bit DLL to inject is C:\mhtyrzkj\dll\IfQOZU.dll, loader C:\mhtyrzkj\bin\UNfWfEK.exe
2019-10-09 22:10:32,184 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\DDUtizQsd.
2019-10-09 22:10:32,184 [root] DEBUG: Loader: Injecting process 532 (thread 1220) with C:\mhtyrzkj\dll\IfQOZU.dll.
2019-10-09 22:10:32,184 [root] DEBUG: Process image base: 0x00400000
2019-10-09 22:10:32,184 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mhtyrzkj\dll\IfQOZU.dll.
2019-10-09 22:10:32,184 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0042C000 - 0x77110000
2019-10-09 22:10:32,184 [root] DEBUG: InjectDllViaIAT: Allocated 0x714 bytes for new import table at 0x00430000.
2019-10-09 22:10:32,184 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 22:10:32,184 [root] DEBUG: Successfully injected DLL C:\mhtyrzkj\dll\IfQOZU.dll.
2019-10-09 22:10:32,184 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 532
2019-10-09 22:10:34,196 [lib.api.process] INFO: Successfully resumed process with pid 532
2019-10-09 22:10:34,196 [root] INFO: Added new process to list with pid: 532
2019-10-09 22:10:34,257 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 22:10:34,257 [root] DEBUG: Process dumps disabled.
2019-10-09 22:10:34,321 [root] INFO: Disabling sleep skipping.
2019-10-09 22:10:34,321 [root] INFO: Disabling sleep skipping.
2019-10-09 22:10:34,321 [root] INFO: Disabling sleep skipping.
2019-10-09 22:10:34,321 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 22:10:34,321 [root] INFO: Disabling sleep skipping.
2019-10-09 22:10:34,321 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-10-09 22:10:34,321 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3f0000
2019-10-09 22:10:34,321 [root] DEBUG: Debugger initialised.
2019-10-09 22:10:34,321 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 532 at 0x747e0000, image base 0x400000, stack from 0x286000-0x290000
2019-10-09 22:10:34,321 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\colors.exe".
2019-10-09 22:10:34,321 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1480, Entropy 4.840422e+00
2019-10-09 22:10:34,321 [root] DEBUG: AddTrackedRegion: Region at 0x00400000 size 0x1000 added to tracked regions.
2019-10-09 22:10:34,321 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-10-09 22:10:34,321 [root] INFO: Monitor successfully loaded in process with pid 532.
2019-10-09 22:10:34,335 [root] DEBUG: Allocation: 0x00430000 - 0x00431000, size: 0x1000, protection: 0x40.
2019-10-09 22:10:34,335 [root] DEBUG: AddTrackedRegion: Region at 0x00430000 size 0x1000 added to tracked regions.
2019-10-09 22:10:34,335 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2316.
2019-10-09 22:10:34,335 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 22:10:34,335 [root] DEBUG: set_caller_info: Adding region at 0x00430000 to caller regions list.
2019-10-09 22:10:34,335 [root] DEBUG: DumpPEsInRange: Scanning range 0x430000 - 0x431000.
2019-10-09 22:10:34,335 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x430000-0x431000.
2019-10-09 22:10:34,335 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00430000 - 0x00431000.
2019-10-09 22:10:34,335 [root] DEBUG: set_caller_info: Adding region at 0x01F20000 to caller regions list.
2019-10-09 22:10:34,335 [root] DEBUG: DumpPEsInRange: Scanning range 0x430000 - 0x431000.
2019-10-09 22:10:34,335 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x430000-0x431000.
2019-10-09 22:10:34,335 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00430000 - 0x00431000.
2019-10-09 22:10:34,335 [root] DEBUG: DumpMemory: CAPE output file C:\RzgCEpR\CAPE\532_60496496034304104102019 successfully created, size 0x1000
2019-10-09 22:10:34,351 [root] INFO: Added new CAPE file to list with path: C:\RzgCEpR\CAPE\532_60496496034304104102019
2019-10-09 22:10:34,351 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00430000, size 0x1000.
2019-10-09 22:10:34,351 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00430000.
2019-10-09 22:10:34,351 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x430000 - 0x431000.
2019-10-09 22:10:34,351 [root] DEBUG: DumpMemory: CAPE output file C:\RzgCEpR\CAPE\532_89652409634304104102019 successfully created, size 0x1000
2019-10-09 22:10:34,351 [root] INFO: Added new CAPE file to list with path: C:\RzgCEpR\CAPE\532_89652409634304104102019
2019-10-09 22:10:34,351 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00430000, size 0x1000.
2019-10-09 22:10:34,351 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00430000.
2019-10-09 22:10:34,351 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x430000 - 0x431000.
2019-10-09 22:10:34,382 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-10-09 22:10:34,414 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-10-09 22:10:34,414 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-09 22:10:34,430 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-09 22:10:34,430 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-10-09 22:10:34,430 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-10-09 22:10:34,446 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-09 22:10:34,492 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-10-09 22:10:34,492 [root] DEBUG: DLL loaded at 0x749C0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-09 22:10:34,492 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-09 22:10:34,492 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-09 22:10:34,507 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-09 22:10:34,507 [root] DEBUG: DLL loaded at 0x749A0000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-09 22:10:34,507 [root] DEBUG: DLL loaded at 0x74990000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-09 22:10:34,507 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-09 22:10:34,523 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-10-09 22:10:34,523 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\wintrust (0x2d000 bytes).
2019-10-09 22:10:34,555 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\schannel (0x3a000 bytes).
2019-10-09 22:10:34,555 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-09 22:10:34,555 [root] DEBUG: DLL loaded at 0x74320000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-09 22:10:34,569 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-09 22:10:34,569 [root] DEBUG: DLL loaded at 0x74310000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-09 22:10:34,569 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 22:10:34,569 [root] DEBUG: DLL unloaded from 0x74320000.
2019-10-09 22:10:34,569 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-09 22:10:34,585 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-09 22:10:34,601 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-09 22:10:34,617 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-09 22:10:34,617 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-09 22:10:34,617 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-09 22:10:34,617 [root] DEBUG: DLL loaded at 0x74300000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-09 22:10:34,617 [root] DEBUG: DLL loaded at 0x742F0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-09 22:10:34,617 [root] DEBUG: DLL loaded at 0x742B0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-09 22:10:34,617 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-09 22:10:34,648 [root] DEBUG: DLL loaded at 0x74250000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-09 22:10:34,664 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-09 22:10:34,664 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-09 22:10:34,664 [root] DEBUG: DLL loaded at 0x74240000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-09 22:10:34,664 [root] DEBUG: DLL loaded at 0x74220000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-10-09 22:10:34,664 [root] DEBUG: DLL loaded at 0x74210000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-10-09 22:10:34,664 [root] DEBUG: DLL unloaded from 0x749A0000.
2019-10-09 22:10:34,664 [root] DEBUG: DLL unloaded from 0x74220000.
2019-10-09 22:10:37,644 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 22:10:37,799 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-09 22:10:37,799 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-09 22:10:37,799 [root] DEBUG: DLL loaded at 0x74200000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-09 22:10:37,815 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-09 22:10:37,940 [root] DEBUG: DLL loaded at 0x741F0000: C:\Windows\system32\credssp (0x8000 bytes).
2019-10-09 22:10:37,940 [root] DEBUG: DLL unloaded from 0x74C70000.
2019-10-09 22:10:38,142 [root] DEBUG: DLL loaded at 0x741E0000: C:\Windows\system32\secur32 (0x8000 bytes).
2019-10-09 22:10:38,142 [root] DEBUG: DLL loaded at 0x741A0000: C:\Windows\system32\ncrypt (0x38000 bytes).
2019-10-09 22:10:38,142 [root] DEBUG: DLL loaded at 0x74180000: C:\Windows\system32\bcrypt (0x17000 bytes).
2019-10-09 22:10:38,157 [root] DEBUG: DLL loaded at 0x74140000: C:\Windows\SysWOW64\bcryptprimitives (0x3d000 bytes).
2019-10-09 22:10:38,174 [root] DEBUG: DLL loaded at 0x74120000: C:\Windows\system32\GPAPI (0x16000 bytes).
2019-10-09 22:10:38,204 [root] DEBUG: DLL loaded at 0x74100000: C:\Windows\system32\cryptnet (0x1c000 bytes).
2019-10-09 22:10:38,204 [root] DEBUG: DLL loaded at 0x740A0000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2019-10-09 22:10:38,204 [root] DEBUG: DLL loaded at 0x74050000: C:\Windows\system32\webio (0x4f000 bytes).
2019-10-09 22:10:38,204 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-09 22:10:38,204 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 22:10:38,204 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-09 22:10:38,204 [root] DEBUG: DLL unloaded from 0x740A0000.
2019-10-09 22:10:38,204 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 22:10:38,204 [root] DEBUG: DLL unloaded from 0x740A0000.
2019-10-09 22:10:38,563 [root] DEBUG: DLL unloaded from 0x74100000.
2019-10-09 22:10:38,579 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\setupapi (0x19d000 bytes).
2019-10-09 22:10:38,579 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-09 22:10:38,595 [root] DEBUG: DLL loaded at 0x74030000: C:\Windows\system32\Cabinet (0x15000 bytes).
2019-10-09 22:10:38,595 [root] DEBUG: DLL loaded at 0x74020000: C:\Windows\system32\DEVRTL (0xe000 bytes).
2019-10-09 22:10:38,595 [root] DEBUG: DLL unloaded from 0x75A70000.
2019-10-09 22:10:39,937 [root] DEBUG: Allocation: 0x04F60000 - 0x04F77000, size: 0x17000, protection: 0x40.
2019-10-09 22:10:39,937 [root] DEBUG: AddTrackedRegion: Region at 0x04F60000 size 0x17000 added to tracked regions.
2019-10-09 22:10:39,937 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x04F60000, TrackedRegion->RegionSize: 0x17000, thread 2316
2019-10-09 22:10:39,937 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x04F60000 and Type=0x1.
2019-10-09 22:10:39,937 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2316 type 1 at address 0x04F60000, size 2 with Callback 0x747e7700.
2019-10-09 22:10:39,937 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x04F60000
2019-10-09 22:10:39,937 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x04F6003C and Type=0x1.
2019-10-09 22:10:39,937 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2316 type 1 at address 0x04F6003C, size 4 with Callback 0x747e7320.
2019-10-09 22:10:39,937 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x04F6003C
2019-10-09 22:10:39,937 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x04F60000 (size 0x17000).
2019-10-09 22:10:39,951 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-10-09 22:10:39,951 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x76B59B60 (thread 2316)
2019-10-09 22:10:39,951 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x04F60000.
2019-10-09 22:10:39,951 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x04F60000 and Type=0x0.
2019-10-09 22:10:39,951 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4f60000: 0x3c.
2019-10-09 22:10:39,951 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-09 22:10:39,951 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x76B59B60 (thread 2316)
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x04F6003C.
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x2220224e (at 0x04F6003C).
2019-10-09 22:10:39,967 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x04F60000 already exists for thread 2316 (process 532), skipping.
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x04F60000.
2019-10-09 22:10:39,967 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x757CC6FE (thread 2316)
2019-10-09 22:10:39,967 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x04F60000.
2019-10-09 22:10:39,967 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x04F60000 already exists for thread 2316 (process 532), skipping.
2019-10-09 22:10:39,967 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4f60000: 0xf9.
2019-10-09 22:10:39,967 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-09 22:10:39,967 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x757CC71E (thread 2316)
2019-10-09 22:10:39,967 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x04F60000.
2019-10-09 22:10:39,967 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x04F60000 already exists for thread 2316 (process 532), skipping.
2019-10-09 22:10:39,967 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4f60000: 0xf9.
2019-10-09 22:10:39,967 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-10-09 22:10:39,967 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x757CC6FE (thread 2316)
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x04F6003C.
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x222022ce (at 0x04F6003C).
2019-10-09 22:10:39,967 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x04F60000 already exists for thread 2316 (process 532), skipping.
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x04F60000.
2019-10-09 22:10:39,967 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x757CC71E (thread 2316)
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x04F6003C.
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x2220f2ce (at 0x04F6003C).
2019-10-09 22:10:39,967 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x04F60000 already exists for thread 2316 (process 532), skipping.
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x04F60000.
2019-10-09 22:10:39,967 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x757CC73D (thread 2316)
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x04F6003C.
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x22eaf2ce (at 0x04F6003C).
2019-10-09 22:10:39,967 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x04F60000 already exists for thread 2316 (process 532), skipping.
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x04F60000.
2019-10-09 22:10:39,967 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x757CC6FE (thread 2316)
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x04F6003C.
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x92eaf2ce (at 0x04F6003C).
2019-10-09 22:10:39,967 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x04F60000 already exists for thread 2316 (process 532), skipping.
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x04F60000.
2019-10-09 22:10:39,967 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00430321 (thread 2316)
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x04F6003C.
2019-10-09 22:10:39,967 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xc6e3217 (at 0x04F6003C).
2019-10-09 22:10:39,967 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x04F60000 already exists for thread 2316 (process 532), skipping.
2019-10-09 22:10:39,983 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x04F60000.
2019-10-09 22:10:39,983 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x04F62E17 (thread 2316)
2019-10-09 22:10:39,983 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x04F6003C.
2019-10-09 22:10:39,983 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header zero.
2019-10-09 22:10:39,983 [root] DEBUG: set_caller_info: Adding region at 0x04F60000 to caller regions list.
2019-10-09 22:10:39,983 [root] DEBUG: DumpPEsInRange: Scanning range 0x4f60000 - 0x4f77000.
2019-10-09 22:10:39,983 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x4f60008
2019-10-09 22:10:39,983 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-10-09 22:10:39,983 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x04F60008.
2019-10-09 22:10:39,983 [root] DEBUG: DumpPEsInRange: Scanning range 0x4f60000 - 0x4f77000.
2019-10-09 22:10:39,983 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x4f60008
2019-10-09 22:10:39,983 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-10-09 22:10:39,983 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x04F60008.
2019-10-09 22:10:39,983 [root] INFO: Added new CAPE file to list with path: C:\RzgCEpR\CAPE\532_1868428161915104102019
2019-10-09 22:10:39,983 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x2e00.
2019-10-09 22:10:39,983 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4f60208-0x4f77000.
2019-10-09 22:10:39,983 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x04F60000 - 0x04F77000.
2019-10-09 22:10:39,983 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x04F60000 - 0x04F77000.
2019-10-09 22:10:39,983 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4f60000 - 0x4f77000.
2019-10-09 22:10:39,983 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x04F60000.
2019-10-09 22:10:39,983 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x04F6003C.
2019-10-09 22:10:39,983 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x04F60000.
2019-10-09 22:10:39,983 [root] INFO: Added new CAPE file to list with path: C:\RzgCEpR\CAPE\532_9775701681915104102019
2019-10-09 22:10:39,983 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x2e00.
2019-10-09 22:10:39,999 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4f60208-0x4f77000.
2019-10-09 22:10:39,999 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x04F60000 - 0x04F77000.
2019-10-09 22:10:39,999 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x04F60000 - 0x04F77000.
2019-10-09 22:10:39,999 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4f60000 - 0x4f77000.
2019-10-09 22:10:39,999 [root] DEBUG: Allocation: 0x04E60000 - 0x04E67000, size: 0x7000, protection: 0x40.
2019-10-09 22:10:39,999 [root] DEBUG: AddTrackedRegion: Region at 0x04E60000 size 0x7000 added to tracked regions.
2019-10-09 22:10:39,999 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x04E60000, TrackedRegion->RegionSize: 0x7000, thread 2316
2019-10-09 22:10:39,999 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x04F60000 to 0x04E60000.
2019-10-09 22:10:39,999 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x04E60000 and Type=0x1.
2019-10-09 22:10:39,999 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2316 type 1 at address 0x04E60000, size 2 with Callback 0x747e7700.
2019-10-09 22:10:39,999 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x04E60000
2019-10-09 22:10:39,999 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x04E6003C and Type=0x1.
2019-10-09 22:10:39,999 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2316 type 1 at address 0x04E6003C, size 4 with Callback 0x747e7320.
2019-10-09 22:10:39,999 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x04E6003C
2019-10-09 22:10:39,999 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x04E60000 (size 0x7000).
2019-10-09 22:10:39,999 [root] DEBUG: set_caller_info: Adding region at 0x04E60000 to caller regions list.
2019-10-09 22:10:39,999 [root] DEBUG: DumpPEsInRange: Scanning range 0x4e60000 - 0x4e67000.
2019-10-09 22:10:39,999 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4e60000-0x4e67000.
2019-10-09 22:10:39,999 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x04E60000 - 0x04E67000.
2019-10-09 22:10:39,999 [root] DEBUG: DumpPEsInRange: Scanning range 0x4e60000 - 0x4e67000.
2019-10-09 22:10:39,999 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4e60000-0x4e67000.
2019-10-09 22:10:39,999 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x04E60000 - 0x04E67000.
2019-10-09 22:10:39,999 [root] DEBUG: DumpMemory: CAPE output file C:\RzgCEpR\CAPE\532_13211174891915104102019 successfully created, size 0x7000
2019-10-09 22:10:39,999 [root] INFO: Added new CAPE file to list with path: C:\RzgCEpR\CAPE\532_13211174891915104102019
2019-10-09 22:10:39,999 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x04E60000, size 0x7000.
2019-10-09 22:10:39,999 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x04E60000.
2019-10-09 22:10:39,999 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4e60000 - 0x4e67000.
2019-10-09 22:10:39,999 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x04E60000.
2019-10-09 22:10:40,015 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x04E6003C.
2019-10-09 22:10:40,015 [root] DEBUG: DumpMemory: CAPE output file C:\RzgCEpR\CAPE\532_5121512632015104102019 successfully created, size 0x7000
2019-10-09 22:10:40,015 [root] INFO: Added new CAPE file to list with path: C:\RzgCEpR\CAPE\532_5121512632015104102019
2019-10-09 22:10:40,015 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x04E60000, size 0x7000.
2019-10-09 22:10:40,015 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x04E60000.
2019-10-09 22:10:40,015 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4e60000 - 0x4e67000.
2019-10-09 22:10:47,720 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-09 22:10:47,720 [root] DEBUG: DLL unloaded from 0x74250000.
2019-10-09 22:10:47,720 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-09 22:11:38,576 [root] DEBUG: DLL unloaded from 0x740A0000.
2019-10-09 22:13:55,982 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-09 22:13:55,982 [root] INFO: Created shutdown mutex.
2019-10-09 22:13:56,996 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 532
2019-10-09 22:13:56,996 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 532).
2019-10-09 22:13:56,996 [root] INFO: Terminate event set for process 532.
2019-10-09 22:13:56,996 [root] INFO: Terminating process 532 before shutdown.
2019-10-09 22:13:56,996 [root] DEBUG: Terminate Event: Shutdown complete for process 532 but failed to inform analyzer.
2019-10-09 22:13:56,996 [root] INFO: Waiting for process 532 to exit.
2019-10-09 22:13:58,009 [root] INFO: Shutting down package.
2019-10-09 22:13:58,009 [root] INFO: Stopping auxiliary modules.
2019-10-09 22:13:58,009 [root] INFO: Finishing auxiliary modules.
2019-10-09 22:13:58,009 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-09 22:13:58,009 [root] WARNING: File at path "C:\RzgCEpR\debugger" does not exist, skip.
2019-10-09 22:13:58,009 [root] INFO: Analysis completed.

MalScore 7.4 (Malicious)

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-10-09 21:10:29 2019-10-09 21:14:13

File Details

File Name colors.exe
File Size 130000 bytes
File Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 ab2c0d36529119e91fa84562a03307f7
SHA1 d9d49a819183815c62fdbba8deb5785a2bb29d06
SHA256 1d772438392b1e84d3ce800e181603646ae675e8572f7f741184b83537c5451f
SHA512 a28cf9620f8c8ca1b5d31f83ded4dffbc1584702fd657d79debe118791dd94574c78e363b5cfd196026e7dfc5b072759df6248a0f774c8c53891644ece3c0065
CRC32 D66068F8
Ssdeep 1536:hwHU8/k03UHTWBNNbdXcJYZrasd4PDxJFRQKQw2tNFIJBLj/Xy3h55:hEU8J3oWBvZs+F4pMwcNFu/f45
TrID
  • 64.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 13.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 9.3% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.1% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.1% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Attempts to connect to a dead IP:Port (1 unique times)
IP: 192.35.177.64:80 (United States)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 532 triggered the Yara rule 'shellcode_patterns'
Hit: PID 532 triggered the Yara rule 'shellcode_peb_parsing'
Mimics the system's user agent string for its own requests
Dynamic (imported) function loading detected
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpSetStatusCallback
DynamicLoader: WINHTTP.dll/WinHttpGetDefaultProxyConfiguration
DynamicLoader: WINHTTP.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: iphlpapi.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: iphlpapi.DLL/GetIfEntry2
DynamicLoader: iphlpapi.DLL/GetIpForwardTable2
DynamicLoader: iphlpapi.DLL/GetIpNetEntry2
DynamicLoader: iphlpapi.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WINHTTP.dll/WinHttpGetProxyForUrl
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: ws2_32.DLL/GetAddrInfoW
DynamicLoader: ws2_32.DLL/WSASocketW
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/WSAIoctl
DynamicLoader: ws2_32.DLL/FreeAddrInfoW
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/WSARecv
DynamicLoader: ws2_32.DLL/WSASend
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: WINHTTP.dll/WinHttpQueryDataAvailable
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: WININET.dll/InternetSetOptionA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/HttpSendRequestA
DynamicLoader: WININET.dll/HttpAddRequestHeadersA
DynamicLoader: WININET.dll/HttpOpenRequestA
DynamicLoader: WININET.dll/InternetQueryOptionA
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetConnectA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: iphlpapi.DLL/GetAdaptersInfo
DynamicLoader: urlmon.DLL/ObtainUserAgentString
DynamicLoader: ADVAPI32.dll/SystemFunction036
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/
DynamicLoader: ws2_32.DLL/
Performs HTTP requests potentially not found in PCAP.
url: 5571875.info:443/ihpupuqluretbwqo
url: 5571875.info:443/gokzoizrulrfwhsvfkazejazozbrkipfzvgmzlkzfzl
CAPE extracted potentially suspicious content
colors.exe: Extracted Shellcode
colors.exe: Extracted Shellcode: 32-bit DLL
colors.exe: Extracted Shellcode
Performs some HTTP requests
url: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
url: http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEBSSdNfVsN5%2Ffg6luzK7rqg%3D
url: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
url: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
url: http://apps.identrust.com/roots/dstrootcax3.p7c
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 8.247.207.126 [VT] United States
N 45.90.32.34 [VT] unknown
N 23.51.123.27 [VT] Netherlands
N 192.35.177.64 [VT] United States
N 104.86.110.88 [VT] Netherlands
N 104.18.10.39 [VT] United States

DNS

Name Response Post-Analysis Lookup
ocsp.verisign.com [VT] CNAME ocsp-ds.ws.symantec.com.edgekey.net [VT]
CNAME e8218.dscb1.akamaiedge.net [VT]
A 23.51.123.27 [VT]
sf.symcd.com [VT]
cacerts.digicert.com [VT] A 104.18.10.39 [VT]
A 104.18.11.39 [VT]
CNAME cdn.digicertcdn.com [VT]
www.download.windowsupdate.com [VT] A 8.241.21.254 [VT]
CNAME 2-01-3cf7-0009.cdx.cedexis.net [VT]
A 8.250.141.254 [VT]
A 8.247.205.126 [VT]
CNAME fg.download.windowsupdate.com.c.footprint.net [VT]
A 8.247.207.126 [VT]
A 8.247.206.254 [VT]
5571875.info [VT] A 45.90.32.34 [VT]
apps.identrust.com [VT] A 192.35.177.64 [VT]
CNAME apps.digsigtrust.com [VT]
crl.microsoft.com [VT] A 104.86.110.73 [VT]
A 104.86.110.88 [VT]
CNAME crl.www.ms.akadns.net [VT]
CNAME a1363.dscg.akamai.net [VT]

Summary

PE Information

Image Base 0x00400000
Entry Point 0x00401480
Reported Checksum 0x00020ace
Actual Checksum 0x0002b5cb
Minimum OS Version 4.0
Compile Time 2019-10-07 20:46:12
Import Hash d1e3f8d02cce09520379e5c1e72f862f

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x0000f9a4 0x0000fa00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_16BYTES 6.12
.data 0x00011000 0x0000042c 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 4.75
.rdata 0x00012000 0x000059f0 0x00005a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_32BYTES 3.06
.eh_fram 0x00018000 0x0000541c 0x00005600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_4BYTES 4.95
.bss 0x0001e000 0x0000046c 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES 0.00
.idata 0x0001f000 0x000005e4 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 4.96
.CRT 0x00020000 0x00000034 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.26
.tls 0x00021000 0x00000008 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.00

Overlay

Offset 0x0001be00
Size 0x00003dd0

Imports

Library KERNEL32.dll:
0x41f128 FreeLibrary
0x41f12c GetCurrentProcess
0x41f130 GetCurrentProcessId
0x41f134 GetCurrentThreadId
0x41f138 GetLastError
0x41f13c GetModuleHandleA
0x41f140 GetProcAddress
0x41f144 GetStartupInfoA
0x41f14c GetTickCount
0x41f158 LoadLibraryA
0x41f160 SetEvent
0x41f168 Sleep
0x41f16c TerminateProcess
0x41f170 TlsGetValue
0x41f178 VirtualProtect
0x41f17c VirtualQuery
Library msvcrt.dll:
0x41f184 __getmainargs
0x41f188 __initenv
0x41f18c __lconv_init
0x41f190 __p__acmdln
0x41f194 __p__fmode
0x41f198 __set_app_type
0x41f19c __setusermatherr
0x41f1a0 _amsg_exit
0x41f1a4 _cexit
0x41f1a8 _initterm
0x41f1ac _iob
0x41f1b0 _onexit
0x41f1b4 abort
0x41f1b8 calloc
0x41f1bc exit
0x41f1c0 fprintf
0x41f1c4 free
0x41f1c8 fwrite
0x41f1cc malloc
0x41f1d0 memcpy
0x41f1d4 signal
0x41f1d8 strlen
0x41f1dc strncmp
0x41f1e0 vfprintf
Library USER32.dll:
0x41f1e8 EnumWindows

.text
P`.data
.rdata
0@.bss
.idata
libgcc_s_dw2-1.dll
__register_frame_info
__deregister_frame_info
Unknown error
Argument domain error (DOMAIN)
Argument singularity (SIGN)
Overflow range error (OVERFLOW)
The result is too small to be represented (UNDERFLOW)
Total loss of significance (TLOSS)
Partial loss of significance (PLOSS)
Address %p has no image-section
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
GCC: (i686-posix-dwarf-rev0, Built by MinGW-W64 project) 8.1.0
DeleteCriticalSection
EnterCriticalSection
FreeLibrary
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
QueryPerformanceCounter
SetEvent
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
__getmainargs
__initenv
__lconv_init
__p__acmdln
__p__fmode
__set_app_type
__setusermatherr
_amsg_exit
_cexit
_initterm
_onexit
abort
calloc
fprintf
fwrite
malloc
memcpy
signal
strlen
strncmp
vfprintf
EnumWindows
KERNEL32.dll
msvcrt.dll
USER32.dll
This file is not on VirusTotal.

Process Tree


colors.exe, PID: 532, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\colors.exe
Command Line: "C:\Users\user\AppData\Local\Temp\colors.exe"

TCP

Source Source Port Destination Destination Port
192.168.35.21 49162 104.18.10.39 cacerts.digicert.com 80
192.168.35.21 49181 104.86.110.88 crl.microsoft.com 80
192.168.35.21 49171 192.35.177.64 apps.identrust.com 80
192.168.35.21 49160 23.51.123.27 ocsp.verisign.com 80
192.168.35.21 49161 23.51.123.27 ocsp.verisign.com 80
192.168.35.21 49170 45.90.32.34 5571875.info 443
192.168.35.21 49178 45.90.32.34 5571875.info 443
192.168.35.21 49179 45.90.32.34 5571875.info 443
192.168.35.21 49180 45.90.32.34 5571875.info 443
192.168.35.21 49182 45.90.32.34 5571875.info 443
192.168.35.21 49183 45.90.32.34 5571875.info 443
192.168.35.21 49184 45.90.32.34 5571875.info 443
192.168.35.21 49185 45.90.32.34 5571875.info 443
192.168.35.21 49186 45.90.32.34 5571875.info 443
192.168.35.21 49187 45.90.32.34 5571875.info 443
192.168.35.21 49188 45.90.32.34 5571875.info 443
192.168.35.21 49189 45.90.32.34 5571875.info 443
192.168.35.21 49190 45.90.32.34 5571875.info 443
192.168.35.21 49191 45.90.32.34 5571875.info 443
192.168.35.21 49192 45.90.32.34 5571875.info 443
192.168.35.21 49193 45.90.32.34 5571875.info 443
192.168.35.21 49194 45.90.32.34 5571875.info 443
192.168.35.21 49195 45.90.32.34 5571875.info 443
192.168.35.21 49196 45.90.32.34 5571875.info 443
192.168.35.21 49197 45.90.32.34 5571875.info 443
192.168.35.21 49163 8.247.207.126 www.download.windowsupdate.com 80

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 57255 8.8.8.8 53
192.168.35.21 57334 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53
192.168.35.21 59473 8.8.8.8 53
192.168.35.21 65365 8.8.8.8 53
192.168.35.21 65426 8.8.8.8 53

HTTP Requests

URI Data
http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEBSSdNfVsN5%2Ffg6luzK7rqg%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEBSSdNfVsN5%2Ffg6luzK7rqg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sf.symcd.com

http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
GET /DigiCertAssuredIDRootCA.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: cacerts.digicert.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 19 Apr 2017 22:43:31 GMT
If-None-Match: "80ab755e5eb9d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://apps.identrust.com/roots/dstrootcax3.p7c
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

http://crl.microsoft.com/pki/crl/products/WinPCA.crl
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 02 Dec 2015 18:30:06 GMT
If-None-Match: "0cb60772f2dd11:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.35.21 49170 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49178 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49179 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49180 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49182 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49183 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49184 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49185 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49186 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49187 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49188 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49189 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49190 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49191 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49192 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49193 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49194 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49195 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49196 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
192.168.35.21 49197 45.90.32.34 5571875.info 443 2201d8e006f8f005a6b415f61e677532 MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic
File name E0F5C59F9FA661F6F4C50B87FEF3A15A
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
File Size 252 bytes
File Type data
MD5 d7f935a7f02fb4a9001cc00e88c8e542
SHA1 97e88793bbeb875c63cdeaf6a1dd4c1089540eb1
SHA256 113152bd843585963b29af21a367f59ccd4f04ae5358aee518a0ee1d85655260
CRC32 41F5AFFA
Ssdeep 3:kkFklzlxfllXlE/ulTtVsXllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1nIXblZ:kKCaliBAIdQZV7aGH2
ClamAV None
Yara None matched
CAPE Yara None matched
File name E0F5C59F9FA661F6F4C50B87FEF3A15A
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
File Size 893 bytes
File Type data
MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
CRC32 1C31685D
Ssdeep 24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
ClamAV None
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x00430000
Process colors.exe
PID 532
Path C:\Users\user\AppData\Local\Temp\colors.exe
MD5 09744dc84530ab74cf70f411aa9b3378
SHA1 ba31a40ba95e650604a87bd12520220f61174c15
SHA256 a56f392c74bfd1890c9f4974d7d42b4dc3066124ec1c80ac9d9e772005d99497
CRC32 FAB2B045
Ssdeep 24:i44X0/5JaejGcIBB7tVyIfLNl/YkDncQA6i1YVe1hxZ2t+xJbJccmSS4bcV:60/jaJRB76cLNlntQeegMLJxS4bcV
Yara
  • shellcode_patterns - Matched shellcode byte patterns
  • shellcode_peb_parsing - Match x86 that appears to manually traverse the TEB/PEB/LDR data.
CAPE Yara None matched
Type Extracted Shellcode: 32-bit DLL
Size 11776 bytes
Virtual Address 0x04F60000
Process colors.exe
PID 532
Path C:\Users\user\AppData\Local\Temp\colors.exe
MD5 ff61385d0b7015a2780df157384ef492
SHA1 5c8a8804c5c70366407ac57d9f116b76fa13b8eb
SHA256 01901cc4161508d40771a6cff7379fede3ac6171da9bff09914f5f8fab7d1859
CRC32 2211F4AC
Ssdeep 192:80EHhL6gv+sJn1Te4MDleAHvl+ece++VeDj7:80EHhLHirDQAPg/jk
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 28672 bytes
Virtual Address 0x04E60000
Process colors.exe
PID 532
Path C:\Users\user\AppData\Local\Temp\colors.exe
MD5 dbf132dc49efce26c4726512938c9443
SHA1 fdd84ffdcafb17085e9c8a52448643eaa1376ea2
SHA256 c1848feb4f546f8c383e1fe518dd89e2bd64337c9a08199f8bc8df8204a863d8
CRC32 73555258
Ssdeep 192:7EHhfylAbLmeNVn1TeMcnf38urvlYectjPVeDj7:7EHhfhiTnfsub+/tJ
Yara
  • shellcode_patterns - Matched shellcode byte patterns
CAPE Yara None matched
Sorry! No process dumps.


Processing ( 0.9 seconds )

  • 0.334 CAPE
  • 0.127 NetworkAnalysis
  • 0.097 Static
  • 0.092 TrID
  • 0.091 BehaviorAnalysis
  • 0.089 TargetInfo
  • 0.031 Deduplicate
  • 0.024 Dropped
  • 0.009 Strings
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.067 seconds )

  • 0.01 antiav_detectreg
  • 0.008 ransomware_files
  • 0.004 stealth_timeout
  • 0.004 infostealer_ftp
  • 0.003 api_spamming
  • 0.003 persistence_autorun
  • 0.003 decoy_document
  • 0.003 antiav_detectfile
  • 0.003 ransomware_extensions
  • 0.002 NewtWire Behavior
  • 0.002 antianalysis_detectreg
  • 0.002 modify_proxy
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 bootkit
  • 0.001 rat_nanocore
  • 0.001 antivm_generic_disk
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 recon_checkip

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 94380
Mongo ID 5d9e4dabc3c009112d67b3cf
Cuckoo release 1.3-CAPE