Analysis

Category Package Started Completed Duration Log
FILE exe 2019-10-10 00:07:14 2019-10-10 00:11:14 240 seconds
2019-10-10 01:07:14,000 [root] INFO: Date set to: 10-10-19, time set to: 00:07:14, timeout set to: 200
2019-10-10 01:07:14,124 [root] DEBUG: Starting analyzer from: C:\nxsftmey
2019-10-10 01:07:14,124 [root] DEBUG: Storing results at: C:\DUenKl
2019-10-10 01:07:14,124 [root] DEBUG: Pipe server name: \\.\PIPE\jEseuiQ
2019-10-10 01:07:14,124 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-10 01:07:14,124 [root] INFO: Automatically selected analysis package "exe"
2019-10-10 01:07:17,493 [root] DEBUG: Started auxiliary module Browser
2019-10-10 01:07:17,493 [root] DEBUG: Started auxiliary module Curtain
2019-10-10 01:07:17,493 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-10 01:07:20,020 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-10-10 01:07:20,020 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-10 01:07:20,020 [root] DEBUG: Started auxiliary module DigiSig
2019-10-10 01:07:20,052 [root] DEBUG: Started auxiliary module Disguise
2019-10-10 01:07:20,052 [root] DEBUG: Started auxiliary module Human
2019-10-10 01:07:20,052 [root] DEBUG: Started auxiliary module Screenshots
2019-10-10 01:07:20,052 [root] DEBUG: Started auxiliary module Sysmon
2019-10-10 01:07:20,052 [root] DEBUG: Started auxiliary module Usage
2019-10-10 01:07:20,052 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-10-10 01:07:20,052 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-10-10 01:07:20,098 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\tmpa9lpyrh3.exe" with arguments "" with pid 1988
2019-10-10 01:07:20,098 [lib.api.process] INFO: 32-bit DLL to inject is C:\nxsftmey\dll\HOFiUnwj.dll, loader C:\nxsftmey\bin\POFFANQ.exe
2019-10-10 01:07:20,115 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\jEseuiQ.
2019-10-10 01:07:20,115 [root] DEBUG: Loader: Injecting process 1988 (thread 1332) with C:\nxsftmey\dll\HOFiUnwj.dll.
2019-10-10 01:07:20,115 [root] DEBUG: Process image base: 0x00400000
2019-10-10 01:07:20,115 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nxsftmey\dll\HOFiUnwj.dll.
2019-10-10 01:07:20,115 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00416000 - 0x77110000
2019-10-10 01:07:20,115 [root] DEBUG: InjectDllViaIAT: Allocated 0x18c bytes for new import table at 0x00420000.
2019-10-10 01:07:20,115 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:07:20,115 [root] DEBUG: Successfully injected DLL C:\nxsftmey\dll\HOFiUnwj.dll.
2019-10-10 01:07:20,115 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1988
2019-10-10 01:07:22,127 [lib.api.process] INFO: Successfully resumed process with pid 1988
2019-10-10 01:07:22,127 [root] INFO: Added new process to list with pid: 1988
2019-10-10 01:07:23,094 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:07:23,765 [root] INFO: Disabling sleep skipping.
2019-10-10 01:07:23,765 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:07:23,765 [root] INFO: Disabling sleep skipping.
2019-10-10 01:07:23,765 [root] INFO: Disabling sleep skipping.
2019-10-10 01:07:23,765 [root] INFO: Disabling sleep skipping.
2019-10-10 01:07:23,765 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1988 at 0x74880000, image base 0x400000, stack from 0x186000-0x190000
2019-10-10 01:07:23,765 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\tmpa9lpyrh3.exe".
2019-10-10 01:07:23,765 [root] INFO: Monitor successfully loaded in process with pid 1988.
2019-10-10 01:07:24,249 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\syswow64\dbghelp (0xeb000 bytes).
2019-10-10 01:07:24,670 [root] DEBUG: DLL loaded at 0x742B0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-10-10 01:07:25,200 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-10-10 01:07:25,200 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-10 01:07:25,232 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-10-10 01:07:25,232 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-10 01:07:25,309 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-10 01:07:25,309 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-10 01:07:25,309 [root] DEBUG: DLL loaded at 0x74840000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-10 01:07:25,388 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 01:07:25,466 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-10 01:07:25,466 [root] DEBUG: DLL loaded at 0x74290000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-10 01:07:25,466 [root] DEBUG: DLL unloaded from 0x747E0000.
2019-10-10 01:07:25,528 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-10 01:07:25,543 [root] DEBUG: DLL loaded at 0x74280000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-10 01:07:25,543 [root] DEBUG: DLL unloaded from 0x74290000.
2019-10-10 01:07:25,543 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-10 01:07:25,589 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-10 01:07:25,653 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-10 01:07:25,714 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-10 01:07:25,823 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-10 01:07:25,855 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-10 01:07:25,871 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-10 01:07:25,871 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-10 01:07:25,871 [root] DEBUG: DLL loaded at 0x74260000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-10 01:07:25,917 [root] DEBUG: DLL loaded at 0x74220000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-10 01:07:26,058 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 01:07:26,260 [root] DEBUG: DLL loaded at 0x741C0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-10 01:07:26,385 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-10 01:07:26,385 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-10 01:07:26,385 [root] DEBUG: DLL loaded at 0x741B0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-10 01:07:26,588 [root] DEBUG: DLL loaded at 0x74190000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2019-10-10 01:07:26,588 [root] DEBUG: DLL loaded at 0x74180000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-10-10 01:07:26,604 [root] DEBUG: DLL unloaded from 0x74850000.
2019-10-10 01:07:26,604 [root] DEBUG: DLL unloaded from 0x74190000.
2019-10-10 01:07:28,898 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-10 01:07:29,552 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-10 01:07:29,552 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 01:07:29,552 [root] DEBUG: DLL loaded at 0x74170000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-10 01:07:29,693 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-10 01:07:39,022 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-10 01:07:39,022 [root] DEBUG: DLL unloaded from 0x741C0000.
2019-10-10 01:07:39,022 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-10 01:10:43,990 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-10 01:10:43,990 [root] INFO: Created shutdown mutex.
2019-10-10 01:10:45,005 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1988
2019-10-10 01:10:45,005 [root] DEBUG: Terminate Event: Skipping dump of process 1988
2019-10-10 01:10:45,005 [root] INFO: Terminate event set for process 1988.
2019-10-10 01:10:45,005 [root] INFO: Terminating process 1988 before shutdown.
2019-10-10 01:10:45,005 [root] DEBUG: Terminate Event: Shutdown complete for process 1988 but failed to inform analyzer.
2019-10-10 01:10:45,005 [root] INFO: Waiting for process 1988 to exit.
2019-10-10 01:10:46,019 [root] INFO: Shutting down package.
2019-10-10 01:10:46,019 [root] INFO: Stopping auxiliary modules.
2019-10-10 01:10:46,019 [root] INFO: Finishing auxiliary modules.
2019-10-10 01:10:46,019 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-10 01:10:46,019 [root] WARNING: File at path "C:\DUenKl\debugger" does not exist, skip.
2019-10-10 01:10:46,019 [root] INFO: Analysis completed.

MalScore

1.5

Benign

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-10-10 00:07:14 2019-10-10 00:11:13

File Details

File Name tmpa9lpyrh3
File Size 71680 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8cb11fec94f3928754fa8df6d72a8c28
SHA1 403f9e1aef4120303a74c505ab499f4aa6245166
SHA256 8affac865d06f03e31b96d6e078829147a931736bf301da795fc282450334cdf
SHA512 dda7a337ab3a05e9e7667ee522fae200e1eabf24a78dc91ec5c8fbf3b70e5e37c0876faf13c8d44893fc9091aa47c1819df3e5232c8b1019b1cf52a2df0204bb
CRC32 9BB445E9
Ssdeep 1536:IXEPFYDW2aST1eZ1J/r7txsINQwu/QJO5HXT:IzDy1tr7txyQs5HXT
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: dbghelp.dll/MakeSureDirectoryPathExists
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetOpenUrlA

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 United States

DNS

Name Response Post-Analysis Lookup
open.sinastorage.com

Summary

PE Information

Image Base 0x00400000
Entry Point 0x004036a0
Reported Checksum 0x00000000
Actual Checksum 0x0001c313
Minimum OS Version 4.0
Compile Time 2015-07-14 06:58:03
Import Hash 302723faa5d8f86b6cd297cafe0e2aa3

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x0000926a 0x00009400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.69
.rdata 0x0000b000 0x00000f5c 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.14
.data 0x0000c000 0x0000526c 0x00003c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.46
.rsrc 0x00012000 0x0000336c 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.78

Imports

Library imagehlp.dll:
Library WININET.dll:
0x40b10c InternetReadFile
0x40b110 InternetCloseHandle
Library KERNEL32.dll:
0x40b004 GetProcAddress
0x40b008 LoadLibraryA
0x40b00c HeapAlloc
0x40b010 GetProcessHeap
0x40b014 VirtualAlloc
0x40b018 Sleep
0x40b01c ReadFile
0x40b020 GetFileSize
0x40b024 CreateFileA
0x40b028 WriteFile
0x40b02c WaitForSingleObject
0x40b030 lstrlenA
0x40b034 RtlUnwind
0x40b038 RaiseException
0x40b03c HeapReAlloc
0x40b040 HeapFree
0x40b044 GetModuleHandleA
0x40b048 GetStartupInfoA
0x40b04c GetCommandLineA
0x40b050 GetVersion
0x40b054 ExitProcess
0x40b068 GetCurrentThreadId
0x40b06c TlsSetValue
0x40b070 TlsAlloc
0x40b074 SetLastError
0x40b078 TlsGetValue
0x40b07c GetLastError
0x40b084 VirtualFree
0x40b088 IsBadWritePtr
0x40b08c GetModuleFileNameA
0x40b090 GetVersionExA
0x40b094 HeapDestroy
0x40b098 HeapCreate
0x40b09c TerminateProcess
0x40b0a0 GetCurrentProcess
0x40b0b0 WideCharToMultiByte
0x40b0bc SetHandleCount
0x40b0c0 GetStdHandle
0x40b0c4 GetFileType
0x40b0c8 IsBadReadPtr
0x40b0cc IsBadCodePtr
0x40b0d8 MultiByteToWideChar
0x40b0dc GetCPInfo
0x40b0e0 GetACP
0x40b0e4 GetOEMCP
0x40b0e8 FlushFileBuffers
0x40b0ec GetStringTypeA
0x40b0f0 GetStringTypeW
0x40b0f4 SetFilePointer
0x40b0f8 LCMapStringA
0x40b0fc LCMapStringW
0x40b100 CloseHandle
0x40b104 SetStdHandle

Process Tree


tmpa9lpyrh3.exe, PID: 1988, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\tmpa9lpyrh3.exe
Command Line: "C:\Users\user\AppData\Local\Temp\tmpa9lpyrh3.exe"

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.35.21 49793 8.8.8.8 53
192.168.35.21 51369 8.8.8.8 53
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 54941 8.8.8.8 53
192.168.35.21 57255 8.8.8.8 53
192.168.35.21 57334 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53
192.168.35.21 59473 8.8.8.8 53
192.168.35.21 59742 8.8.8.8 53
192.168.35.21 64235 8.8.8.8 53
192.168.35.21 64292 8.8.8.8 53
192.168.35.21 64801 8.8.8.8 53
192.168.35.21 64992 8.8.8.8 53
192.168.35.21 65365 8.8.8.8 53
192.168.35.21 65426 8.8.8.8 53

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name NetSyst8.dll
Associated Filenames
C:\Program Files\AppPatch\NetSyst8.dll
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 0.473 seconds )

  • 0.096 TrID
  • 0.078 BehaviorAnalysis
  • 0.076 CAPE
  • 0.074 TargetInfo
  • 0.073 Static
  • 0.034 Deduplicate
  • 0.023 NetworkAnalysis
  • 0.01 AnalysisInfo
  • 0.007 Strings
  • 0.002 Debug

Signatures ( 0.068 seconds )

  • 0.01 antiav_detectreg
  • 0.008 ransomware_files
  • 0.005 antiav_detectfile
  • 0.004 infostealer_ftp
  • 0.003 persistence_autorun
  • 0.003 ransomware_extensions
  • 0.002 antivm_vbox_libs
  • 0.002 api_spamming
  • 0.002 decoy_document
  • 0.002 stealth_timeout
  • 0.002 antianalysis_detectreg
  • 0.002 modify_proxy
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 NewtWire Behavior
  • 0.001 mimics_filetime
  • 0.001 exec_crash
  • 0.001 antivm_generic_disk
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 94388
Mongo ID 5d9e7724f69fab997c67b430
Cuckoo release 1.3-CAPE