Analysis

Category Package Started Completed Duration
FILE exe 2019-10-10 00:12:04 2019-10-10 00:13:56 112 seconds
2019-10-10 01:12:17,015 [root] INFO: Date set to: 10-10-19, time set to: 00:12:17, timeout set to: 200
2019-10-10 01:12:17,108 [root] DEBUG: Starting analyzer from: C:\vgpwbxqas
2019-10-10 01:12:17,108 [root] DEBUG: Storing results at: C:\nePCudXK
2019-10-10 01:12:17,108 [root] DEBUG: Pipe server name: \\.\PIPE\NOcwdkMaB
2019-10-10 01:12:17,108 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-10 01:12:17,108 [root] INFO: Automatically selected analysis package "exe"
2019-10-10 01:12:18,621 [root] DEBUG: Started auxiliary module Browser
2019-10-10 01:12:18,621 [root] DEBUG: Started auxiliary module Curtain
2019-10-10 01:12:18,621 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-10 01:12:19,308 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-10-10 01:12:19,308 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-10 01:12:19,308 [root] DEBUG: Started auxiliary module DigiSig
2019-10-10 01:12:19,308 [root] DEBUG: Started auxiliary module Disguise
2019-10-10 01:12:19,308 [root] DEBUG: Started auxiliary module Human
2019-10-10 01:12:19,308 [root] DEBUG: Started auxiliary module Screenshots
2019-10-10 01:12:19,308 [root] DEBUG: Started auxiliary module Sysmon
2019-10-10 01:12:19,308 [root] DEBUG: Started auxiliary module Usage
2019-10-10 01:12:19,308 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-10-10 01:12:19,308 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-10-10 01:12:19,339 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\tmp0orgg1mf.exe" with arguments "" with pid 2164
2019-10-10 01:12:19,339 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgpwbxqas\dll\LpkPNg.dll, loader C:\vgpwbxqas\bin\YDuOdIC.exe
2019-10-10 01:12:19,339 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\NOcwdkMaB.
2019-10-10 01:12:19,355 [root] DEBUG: Loader: Injecting process 2164 (thread 1968) with C:\vgpwbxqas\dll\LpkPNg.dll.
2019-10-10 01:12:19,355 [root] DEBUG: Process image base: 0x00400000
2019-10-10 01:12:19,355 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgpwbxqas\dll\LpkPNg.dll.
2019-10-10 01:12:19,355 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x004C9000 - 0x77940000
2019-10-10 01:12:19,355 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x004D0000.
2019-10-10 01:12:19,355 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:12:19,355 [root] DEBUG: Successfully injected DLL C:\vgpwbxqas\dll\LpkPNg.dll.
2019-10-10 01:12:19,355 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2164
2019-10-10 01:12:21,368 [lib.api.process] INFO: Successfully resumed process with pid 2164
2019-10-10 01:12:21,368 [root] INFO: Added new process to list with pid: 2164
2019-10-10 01:12:21,414 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:12:21,460 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:12:21,460 [root] INFO: Disabling sleep skipping.
2019-10-10 01:12:21,460 [root] INFO: Disabling sleep skipping.
2019-10-10 01:12:21,460 [root] INFO: Disabling sleep skipping.
2019-10-10 01:12:21,460 [root] INFO: Disabling sleep skipping.
2019-10-10 01:12:21,460 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2164 at 0x74ec0000, image base 0x400000, stack from 0x186000-0x190000
2019-10-10 01:12:21,492 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\tmp0orgg1mf.exe".
2019-10-10 01:12:21,492 [root] INFO: Monitor successfully loaded in process with pid 2164.
2019-10-10 01:12:33,255 [root] DEBUG: set_caller_info: Adding region at 0x004D0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-10-10 01:12:33,269 [root] DEBUG: DLL loaded at 0x75510000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2019-10-10 01:12:33,286 [root] DEBUG: DLL loaded at 0x75A60000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-10-10 01:12:33,286 [root] DEBUG: DLL loaded at 0x76EF0000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-10 01:12:33,332 [root] DEBUG: DLL loaded at 0x77020000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-10-10 01:12:33,348 [root] DEBUG: DLL loaded at 0x76DB0000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-10-10 01:12:33,348 [root] DEBUG: DLL loaded at 0x75970000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-10 01:12:33,364 [root] DEBUG: DLL loaded at 0x76F00000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-10-10 01:12:33,364 [root] DEBUG: DLL loaded at 0x77AF0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-10-10 01:12:33,380 [root] DEBUG: DLL loaded at 0x76B90000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 01:12:33,411 [root] DEBUG: DLL loaded at 0x74EA0000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2019-10-10 01:12:33,411 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-10-10 01:12:59,151 [root] DEBUG: DLL loaded at 0x75CA0000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-10-10 01:12:59,151 [root] DEBUG: DLL loaded at 0x74E70000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2019-10-10 01:12:59,259 [root] DEBUG: DLL loaded at 0x755B0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-10-10 01:12:59,259 [root] DEBUG: DLL loaded at 0x755A0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-10 01:13:20,303 [root] DEBUG: DLL unloaded from 0x755A0000.
2019-10-10 01:13:20,319 [root] DEBUG: DLL unloaded from 0x755B0000.
2019-10-10 01:13:20,335 [root] DEBUG: DLL unloaded from 0x76B30000.
2019-10-10 01:13:20,335 [root] INFO: Notified of termination of process with pid 2164.
2019-10-10 01:13:20,367 [root] INFO: Process with pid 2164 has terminated
2019-10-10 01:13:25,437 [root] INFO: Process list is empty, terminating analysis.
2019-10-10 01:13:26,450 [root] INFO: Created shutdown mutex.
2019-10-10 01:13:27,464 [root] INFO: Shutting down package.
2019-10-10 01:13:27,464 [root] INFO: Stopping auxiliary modules.
2019-10-10 01:13:27,464 [root] INFO: Finishing auxiliary modules.
2019-10-10 01:13:27,464 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-10 01:13:27,464 [root] WARNING: File at path "C:\nePCudXK\debugger" does not exist, skip.
2019-10-10 01:13:27,464 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-05 target-05 ESX 2019-10-10 00:12:05 2019-10-10 00:13:54

File Details

File Name tmp0orgg1mf
File Size 808960 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6f825fb7c9150d7fd2bbf4496d8f3cbf
SHA1 8ffadea727251243da063b723565acdcfc1f198b
SHA256 672a03ae0b6804a702dc103cb37c2798a98802879eb5eff012df58131179a14a
SHA512 0098c66247e3af1fe6c7d69b26c1738306504227d0dafb810281e16bfa59c487c38ac61b87521e8a2589f2d7133f97942ebde6a59784e577dbd5ad85cfd80676
CRC32 AFBA69FD
Ssdeep 12288:lAMY03X3XXD3I33333k363k3haXkX+W3g35Q3z3a3Gv33XHI3vZI3333B3IlGXHT:hDcQEJ4Xhf5NwrDO
TrID
  • 52.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 23.5% (.EXE) Generic Win/DOS Executable (2002/3)
  • 23.5% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Attempts to connect to a dead IP:Port (1 unique times)
IP: 79.142.66.239:80 (Netherlands)
Creates RWX memory
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: DNSAPI.dll/DnsFlushResolverCache
DynamicLoader: WS2_32.dll/WSACloseEvent
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAEventSelect
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSACreateEvent
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAWaitForMultipleEvents
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WININET.dll/InternetConnectA
DynamicLoader: WININET.dll/InternetQueryDataAvailable
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/HttpSendRequestW
DynamicLoader: WININET.dll/HttpOpenRequestA
DynamicLoader: WININET.dll/HttpAddRequestHeadersA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: msvcrt.dll/sscanf
DynamicLoader: msvcrt.dll/sprintf
DynamicLoader: msvcrt.dll/free
DynamicLoader: msvcrt.dll/malloc
DynamicLoader: msvcrt.dll/_stricmp
DynamicLoader: msvcrt.dll/fopen
DynamicLoader: msvcrt.dll/fread
DynamicLoader: msvcrt.dll/ftell
DynamicLoader: msvcrt.dll/fclose
DynamicLoader: msvcrt.dll/fscanf
DynamicLoader: msvcrt.dll/feof
DynamicLoader: msvcrt.dll/strstr
DynamicLoader: msvcrt.dll/_errno
DynamicLoader: msvcrt.dll/remove
DynamicLoader: msvcrt.dll/fprintf
DynamicLoader: msvcrt.dll/strncmp
DynamicLoader: msvcrt.dll/isspace
DynamicLoader: msvcrt.dll/isalnum
DynamicLoader: msvcrt.dll/tolower
DynamicLoader: msvcrt.dll/isprint
DynamicLoader: msvcrt.dll/strncpy
DynamicLoader: msvcrt.dll/printf
DynamicLoader: msvcrt.dll/strrchr
DynamicLoader: msvcrt.dll/_open
DynamicLoader: msvcrt.dll/_read
DynamicLoader: msvcrt.dll/_lseek
DynamicLoader: msvcrt.dll/_close
DynamicLoader: msvcrt.dll/_wcsnicmp
DynamicLoader: msvcrt.dll/wcsrchr
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: msvcrt.dll/??3@YAXPAX@Z
DynamicLoader: msvcrt.dll/??2@YAPAXI@Z
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/strchr
DynamicLoader: msvcrt.dll/fseek
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: iphlpapi.dll/GetAdaptersInfo
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/InterlockedDecrement
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/ProcessIdToSessionId
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/CreateRemoteThread
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetLocaleInfoA
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/Process32First
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/Module32First
DynamicLoader: kernel32.dll/Process32Next
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/SetThreadAffinityMask
DynamicLoader: kernel32.dll/Module32Next
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/FindResourceA
DynamicLoader: kernel32.dll/FreeResource
DynamicLoader: kernel32.dll/LoadResource
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/SetFileTime
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/SizeofResource
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GlobalFree
DynamicLoader: kernel32.dll/LockResource
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/MoveFileExA
DynamicLoader: kernel32.dll/GetFileAttributesA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/SetFileAttributesA
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/GetVolumeInformationA
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeviceIoControl
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/CopyFileA
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/WaitForSingleObjectEx
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/GetTempFileNameW
DynamicLoader: kernel32.dll/MoveFileExW
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: USER32.dll/EndDialog
DynamicLoader: USER32.dll/CreateDialogParamW
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetDC
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/BeginPaint
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/EndPaint
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/DialogBoxParamW
DynamicLoader: GDI32.dll/BitBlt
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: GDI32.dll/CreateCompatibleBitmap
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: GDI32.dll/GetObjectA
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/StartServiceW
DynamicLoader: ADVAPI32.dll/OpenServiceW
DynamicLoader: ADVAPI32.dll/OpenSCManagerW
DynamicLoader: ADVAPI32.dll/DeleteService
DynamicLoader: ADVAPI32.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/CreateServiceW
DynamicLoader: ADVAPI32.dll/SetFileSecurityA
DynamicLoader: ADVAPI32.dll/RegEnumValueA
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyA
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/SHChangeNotify
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoInitializeSecurity
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ntdll.dll/NtConnectPort
DynamicLoader: ntdll.dll/NtRequestWaitReplyPort
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtClose
DynamicLoader: ntdll.dll/NtDelayExecution
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/NtQuerySystemTime
DynamicLoader: PSAPI.DLL/EnumProcesses
DynamicLoader: PSAPI.DLL/GetProcessImageFileNameW
DynamicLoader: kernel32.dll/IsWow64Process
Reads data out of its own binary image
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x00000000, length: 0x00001000
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x0000002d, length: 0x00001000
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x0000003c, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000000e0, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000000e6, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000000f4, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000001d8, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x00000200, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x00000228, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x00000250, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x0000025c, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x00000260, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x00000264, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd20c, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd20e, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd210, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd218, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd220, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd228, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd230, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd238, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd240, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd248, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd250, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd258, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd260, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd32c, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd32e, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd330, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd504, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd506, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd508, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd714, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd716, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bd718, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bdb7c, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bdb7e, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bdb80, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bdce8, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000bdfd8, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000c3fe0, length: 0x00000200
self_read: process: tmp0orgg1mf.exe, pid: 2164, offset: 0x000c4108, length: 0x00000200
Queries information on disks, possibly for anti-virtualization
Deletes its original binary from disk
Attempts to identify installed analysis tools by registry key
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
Detects VirtualBox through the presence of a registry key
Creates a copy of itself
copy: C:\Users\user\AppData\Local\Temp\62A9.tmp
Collects information to fingerprint the system

Screenshots


Hosts

Direct IP Country Name
Y 79.142.66.239 [VT] Netherlands

DNS

No domains contacted.


Summary

PE Information

Image Base 0x00400000
Entry Point 0x00401540
Reported Checksum 0x00000000
Actual Checksum 0x000d409e
Minimum OS Version 5.0
Compile Time 2015-01-20 11:02:12
Import Hash fd4b47da6f0da150d1178f4e613d424b

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000ac0ac 0x000ac200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.97
.rdata 0x000ae000 0x0000d224 0x0000d400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.63
.data 0x000bc000 0x00003930 0x00003800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.07
.rsrc 0x000c0000 0x00008458 0x00008600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.26

Imports

Library KERNEL32.dll:
0x4ae06c LocalFree
0x4ae070 GetLastError
0x4ae074 SetFilePointerEx
0x4ae078 GetVersionExW
0x4ae07c GetFullPathNameW
0x4ae080 GetFileSizeEx
0x4ae084 GetDiskFreeSpaceExW
0x4ae088 GetTimeFormatW
0x4ae08c GetSystemInfo
0x4ae090 GetProcAddress
0x4ae094 GetModuleHandleA
0x4ae09c GetDateFormatW
0x4ae0a0 GetCurrentThread
0x4ae0a4 GetCurrentProcess
0x4ae0a8 FormatMessageW
0x4ae0ac DeviceIoControl
0x4ae0b0 DeleteFileW
0x4ae0b4 CreateHardLinkW
0x4ae0b8 CloseHandle
0x4ae0bc GetStartupInfoA
0x4ae0c0 GetProcessHeap
0x4ae0c4 GetDriveTypeW
0x4ae0c8 GetVersion
0x4ae0cc GetModuleHandleW
0x4ae0d0 VirtualAllocEx
0x4ae0d4 CreateFileW
0x4ae0d8 GetCurrentProcessId
0x4ae0dc SetEndOfFile
Library USER32.dll:
0x4ae0e4 LoadIconA
0x4ae0e8 LoadIconW
Library GDI32.dll:
0x4ae050 CloseFigure
0x4ae054 GetDCBrushColor
0x4ae058 GetGraphicsMode
0x4ae05c DeleteDC
0x4ae060 EndDoc
Library ADVAPI32.dll:
0x4ae000 OpenEventLogW
0x4ae004 RegOpenKeyExW
0x4ae008 RegCloseKey
0x4ae00c ReadEventLogW
0x4ae010 OpenThreadToken
0x4ae014 OpenProcessToken
0x4ae01c LookupAccountSidW
0x4ae020 LookupAccountNameW
0x4ae024 ImpersonateSelf
0x4ae028 CloseEventLog
0x4ae038 RegQueryValueExA
0x4ae03c RegOpenKeyA
0x4ae040 RegSetValueExW
0x4ae044 RevertToSelf
0x4ae048 RegQueryValueExW
Library ole32.dll:
0x4ae184 CoTaskMemFree
0x4ae188 StringFromIID
Library msvcrt.dll:
0x4ae0f0 wprintf
0x4ae0f4 wcsncat
0x4ae0f8 wcslen
0x4ae0fc _XcptFilter
0x4ae100 __p__commode
0x4ae104 __p__fmode
0x4ae108 __set_app_type
0x4ae10c __setusermatherr
0x4ae110 __wgetmainargs
0x4ae114 __winitenv
0x4ae118 _adjust_fdiv
0x4ae11c _c_exit
0x4ae120 _cexit
0x4ae124 _controlfp
0x4ae128 _errno
0x4ae12c _except_handler3
0x4ae130 _exit
0x4ae134 _initterm
0x4ae138 _wcsdup
0x4ae13c _wcsicmp
0x4ae140 _wcsnicmp
0x4ae144 _wctime
0x4ae148 calloc
0x4ae14c exit
0x4ae150 free
0x4ae154 isalpha
0x4ae158 isdigit
0x4ae15c iswctype
0x4ae160 malloc
0x4ae164 printf
0x4ae168 setlocale
0x4ae16c swprintf
0x4ae170 toupper
0x4ae174 towupper
0x4ae178 wcscat
0x4ae17c wcscpy

This file is not on VirusTotal.

Process Tree


tmp0orgg1mf.exe, PID: 2164, Parent PID: 1636
Full Path: C:\Users\user\AppData\Local\Temp\tmp0orgg1mf.exe
Command Line: "C:\Users\user\AppData\Local\Temp\tmp0orgg1mf.exe"

TCP

Source Source Port Destination Destination Port
192.168.35.25 49164 79.142.66.239 80

UDP

No UDP connections recorded.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name 62A9.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\62A9.tmp
File Size 808960 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6f825fb7c9150d7fd2bbf4496d8f3cbf
SHA1 8ffadea727251243da063b723565acdcfc1f198b
SHA256 672a03ae0b6804a702dc103cb37c2798a98802879eb5eff012df58131179a14a
CRC32 AFBA69FD
Ssdeep 12288:lAMY03X3XXD3I33333k363k3haXkX+W3g35Q3z3a3Gv33XHI3vZI3333B3IlGXHT:hDcQEJ4Xhf5NwrDO
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 33.51 seconds )

  • 30.4 BehaviorAnalysis
  • 1.048 CAPE
  • 0.699 Static
  • 0.618 Dropped
  • 0.504 TargetInfo
  • 0.121 TrID
  • 0.067 Strings
  • 0.034 Deduplicate
  • 0.009 AnalysisInfo
  • 0.009 NetworkAnalysis
  • 0.001 Debug

Signatures ( 4.701 seconds )

  • 1.37 api_spamming
  • 1.308 stealth_timeout
  • 0.99 decoy_document
  • 0.974 NewtWire Behavior
  • 0.01 antiav_detectreg
  • 0.009 ransomware_files
  • 0.004 infostealer_ftp
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 ransomware_extensions
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 Doppelganging
  • 0.001 infostealer_browser
  • 0.001 antiemu_wine_func
  • 0.001 reads_self
  • 0.001 infostealer_browser_password
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 kovter_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn

Reporting ( 0.0 seconds )

Task ID 94397
Mongo ID 5d9e7830c3c009112d67bde8
Cuckoo release 1.3-CAPE