Analysis

Category: FILE
Package: exe
Started: 2019-10-10 03:54:10
Completed: 2019-10-10 03:54:38
Duration: 28 seconds

Options:
route = internet
procdump = 1

Log:
2019-10-10 04:54:11,000 [root] INFO: Date set to: 10-10-19, time set to: 03:54:11, timeout set to: 200
2019-10-10 04:54:11,015 [root] DEBUG: Starting analyzer from: C:\whyqyg
2019-10-10 04:54:11,015 [root] DEBUG: Storing results at: C:\AiUljYtDXn
2019-10-10 04:54:11,015 [root] DEBUG: Pipe server name: \\.\PIPE\sPOMSgfmhK
2019-10-10 04:54:11,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-10 04:54:11,015 [root] INFO: Automatically selected analysis package "exe"
2019-10-10 04:54:11,342 [root] DEBUG: Started auxiliary module Browser
2019-10-10 04:54:11,342 [root] DEBUG: Started auxiliary module Curtain
2019-10-10 04:54:11,342 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-10 04:54:11,576 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-10-10 04:54:11,576 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-10 04:54:11,592 [root] DEBUG: Started auxiliary module DigiSig
2019-10-10 04:54:11,592 [root] DEBUG: Started auxiliary module Disguise
2019-10-10 04:54:11,592 [root] DEBUG: Started auxiliary module Human
2019-10-10 04:54:11,592 [root] DEBUG: Started auxiliary module Screenshots
2019-10-10 04:54:11,592 [root] DEBUG: Started auxiliary module Sysmon
2019-10-10 04:54:11,592 [root] DEBUG: Started auxiliary module Usage
2019-10-10 04:54:11,592 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-10-10 04:54:11,592 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-10-10 04:54:11,608 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\eXtremecsgo.exe" with arguments "" with pid 1308
2019-10-10 04:54:11,608 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 04:54:11,608 [lib.api.process] INFO: 32-bit DLL to inject is C:\whyqyg\dll\rNoNUT.dll, loader C:\whyqyg\bin\QxWBHdQ.exe
2019-10-10 04:54:11,624 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\sPOMSgfmhK.
2019-10-10 04:54:11,638 [root] DEBUG: Loader: Injecting process 1308 (thread 884) with C:\whyqyg\dll\rNoNUT.dll.
2019-10-10 04:54:11,638 [root] DEBUG: Process image base: 0x00A40000
2019-10-10 04:54:11,638 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\whyqyg\dll\rNoNUT.dll.
2019-10-10 04:54:11,638 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00E83000 - 0x77110000
2019-10-10 04:54:11,638 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c4 bytes for new import table at 0x00E90000.
2019-10-10 04:54:11,638 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 04:54:11,638 [root] DEBUG: Successfully injected DLL C:\whyqyg\dll\rNoNUT.dll.
2019-10-10 04:54:11,638 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1308
2019-10-10 04:54:13,651 [lib.api.process] INFO: Successfully resumed process with pid 1308
2019-10-10 04:54:13,713 [root] INFO: Added new process to list with pid: 1308
2019-10-10 04:54:13,776 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 04:54:13,776 [root] DEBUG: Process dumps enabled.
2019-10-10 04:54:13,822 [root] INFO: Disabling sleep skipping.
2019-10-10 04:54:13,822 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 04:54:13,822 [root] INFO: Disabling sleep skipping.
2019-10-10 04:54:13,822 [root] INFO: Disabling sleep skipping.
2019-10-10 04:54:13,822 [root] INFO: Disabling sleep skipping.
2019-10-10 04:54:13,822 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1308 at 0x747e0000, image base 0xa40000, stack from 0x1a5000-0x1b0000
2019-10-10 04:54:13,822 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\eXtremecsgo.exe".
2019-10-10 04:54:13,822 [root] INFO: Monitor successfully loaded in process with pid 1308.
2019-10-10 04:54:13,885 [root] DEBUG: DLL loaded at 0x74990000: C:\Windows\system32\winmm (0x32000 bytes).
2019-10-10 04:54:14,447 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 04:54:14,447 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-10 04:54:14,747 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-10-10 04:54:15,756 [root] DEBUG: DLL unloaded from 0x758B0000.
2019-10-10 04:54:15,773 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1308
2019-10-10 04:54:15,788 [root] DEBUG: GetHookCallerBase: thread 884 (handle 0x0), return address 0x000000CB, allocation base 0x00000000.
2019-10-10 04:54:15,803 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00A40000.
2019-10-10 04:54:15,803 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 04:54:15,803 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00A40000.
2019-10-10 04:54:15,803 [root] DEBUG: DumpProcess: Module entry point VA is 0x00442000.
2019-10-10 04:54:15,851 [root] INFO: Added new CAPE file to list with path: C:\AiUljYtDXn\CAPE\1308_149306426415344104102019
2019-10-10 04:54:15,851 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x438000.
2019-10-10 04:54:15,851 [root] DEBUG: DLL unloaded from 0x75140000.
2019-10-10 04:54:15,851 [root] INFO: Notified of termination of process with pid 1308.
2019-10-10 04:54:16,756 [root] INFO: Process with pid 1308 has terminated
2019-10-10 04:54:21,871 [root] INFO: Process list is empty, terminating analysis.
2019-10-10 04:54:22,885 [root] INFO: Created shutdown mutex.
2019-10-10 04:54:23,900 [root] INFO: Shutting down package.
2019-10-10 04:54:23,900 [root] INFO: Stopping auxiliary modules.
2019-10-10 04:54:23,900 [root] INFO: Finishing auxiliary modules.
2019-10-10 04:54:23,900 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-10 04:54:23,900 [root] WARNING: File at path "C:\AiUljYtDXn\debugger" does not exist, skip.
2019-10-10 04:54:23,900 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name: target-01
Label: target-01
Manager: ESX
Started On: 2019-10-10 03:54:10
Shutdown On: 2019-10-10 03:54:38

File Details

File Name eXtremecsgo.exe
File Size 1707008 bytes
File Type PE32 executable (console) Intel 80386, for MS Windows
MD5 70d145885e2ba64a760c46af749caeac
SHA1 429fb74715601c84c9f21932d2736c4257fdb0d9
SHA256 41cc278918bdfd39b983b274ee93d83266f7f0059c2fa93b631988855aa5c1e3
SHA512 68d7472a60b73973b5373c42a38424f412f126e46ca92bc80c67bc75b80979aa9149b961919d02eeed0b39356825eff983964febd7508cb325c1473ec711ad81
CRC32 530B3B49
Ssdeep 49152:Zthz4caqC1owyw946CQqjsAmQO/ZVui+tuPQoZWf1ZGFV:ZYcN/wjijsrbZKtUYe
TrID
  • 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 26.3% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 11.8% (.EXE) OS/2 Executable (generic) (2029/13)
  • 11.6% (.EXE) Generic Win/DOS Executable (2002/3)
  • 11.6% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 1308 triggered the Yara rule 'vmdetect'
Hit: PID 1308 triggered the Yara rule 'shellcode_get_eip'
NtSetInformationThread: attempt to hide thread from debugger
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: eXtremecsgo.exe, PID 1308
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: winmm.dll/timeGetTime
DynamicLoader: ntdll.dll/NtOpenThread
DynamicLoader: winmm.dll/timeGetTime
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/RtlAllocateHeap
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: OLEAUT32.dll/
Expresses interest in specific running processes
process: System
The binary contains an unknown PE section name indicative of packing
unknown section: name: \x00 , entropy: 7.96, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00003800, virtual_size: 0x0000a000
unknown section: name: .idata , entropy: 1.17, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000200, virtual_size: 0x00001000
unknown section: name: , entropy: 0.23, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000200, virtual_size: 0x00299000
unknown section: name: vghvdgdm, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0019bc00, virtual_size: 0x0019c000
unknown section: name: uqqcmbtv, entropy: 4.17, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000200, virtual_size: 0x00001000
The binary likely contains encrypted or compressed data.
section: name: \x00 , entropy: 7.96, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00003800, virtual_size: 0x0000a000
section: name: vghvdgdm, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0019bc00, virtual_size: 0x0019c000
Checks for the presence of known windows from debuggers and forensic tools
Window: OLLYDBG
Window: GBDYLLO
Window: pediy06
Window: FilemonClass
Window: File Monitor - Sysinternals: www.sysinternals.com
Window: PROCMON_WINDOW_CLASS
Window: Process Monitor - Sysinternals: www.sysinternals.com
Window: RegmonClass
Window: Registry Monitor - Sysinternals: www.sysinternals.com
Window: 18467-41
The following process appears to have been packed with Themida: eXtremecsgo.exe
Checks for the presence of known devices from debuggers and forensic tools
Detects the presence of Wine emulator via registry key
Checks the version of Bios, possibly for anti-virtualization
Detects VirtualBox through the presence of a registry key
Anomalous binary characteristics
anomaly: Unprintable characters found in section name

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

PE Information

Image Base 0x00400000
Entry Point 0x00842000
Reported Checksum 0x001aebd6
Actual Checksum 0x001aebd6
Minimum OS Version 6.0
Compile Time 2019-03-13 04:26:04
Import Hash baa93d47220682c04d92f7797d9224ce

Sections

Name       Virtual Address  Virtual Size  Raw Size    Characteristics  Entropy
\x00       0x00001000       0x0000a000    0x00003800  INIT|X|R|W       7.96
.rsrc      0x0000b000       0x000001e0    0x00000200  INIT|R|W         4.53
.idata     0x0000c000       0x00001000    0x00000200  INIT|R|W         1.17
(empty)    0x0000d000       0x00299000    0x00000200  INIT|X|R|W       0.23
vghvdgdm   0x002a6000       0x0019c000    0x0019bc00  INIT|X|R|W       7.95
uqqcmbtv   0x00442000       0x00001000    0x00000200  INIT|X|R|W       4.17

Characteristics: INIT = IMAGE_SCN_CNT_INITIALIZED_DATA, X = IMAGE_SCN_MEM_EXECUTE, R = IMAGE_SCN_MEM_READ, W = IMAGE_SCN_MEM_WRITE. "(empty)" marks the section whose name field is blank.
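The packing and anomaly signatures and the section table above reduce to a handful of static checks on the section headers. The script below is an added example, not CAPE's signature code and not taken from this report: it reads the section table with the standard library and applies those checks (empty, unprintable or unknown section names; raw-data entropy near 8; sections mapped writable and executable; a virtual size far larger than the raw size, as in the unnamed section that maps 0x299000 bytes from 0x200 on disk; and an entry point in the last section, which is where this sample's entry point falls: 0x00842000 minus the 0x00400000 image base gives RVA 0x00442000, the start of uqqcmbtv). It runs against a small PE32 image it builds in memory. The names, bytes and sizes in that image are constructed to mimic the table; the 7.5 bits-per-byte cutoff and the KNOWN_SECTIONS list are assumptions of this example, not values CAPE uses.

```python
"""Static PE section triage reproducing the checks behind the packing and anomaly
signatures above. Standard library only (the section table is read with struct)."""
import hashlib
import math
import struct
from collections import Counter

EXECUTE, WRITE = 0x20000000, 0x80000000          # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE
RWX = 0xE0000040                                 # INITIALIZED_DATA|EXECUTE|READ|WRITE
KNOWN_SECTIONS = {b".text", b".data", b".rdata", b".idata", b".edata", b".rsrc",
                  b".reloc", b".bss", b".tls", b".pdata", b".CRT", b".gfids"}
ENTROPY_THRESHOLD = 7.5   # assumption: bits/byte above this reads as compressed/encrypted

def _align(x: int, a: int) -> int:
    return (x + a - 1) // a * a

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; uniformly random data scores close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(pe: bytes) -> dict:
    """Entry-point RVA plus one record per section (name, VA, sizes, flags, entropy)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)      # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, *_, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return {"entry_rva": entry_rva, "sections": sections}

def triage(pe: bytes) -> list:
    """(section_index, section_name, finding) tuples; an empty list means nothing odd."""
    info = parse_pe(pe)
    secs, out = info["sections"], []
    for i, s in enumerate(secs):
        name = s["name"]
        label = name.decode("ascii", "backslashreplace")
        if not name:
            out.append((i, label, "empty section name"))
        elif any(b < 0x20 or b > 0x7E for b in name):
            out.append((i, label, "unprintable characters in section name"))
        elif name not in KNOWN_SECTIONS:
            out.append((i, label, "unknown section name"))
        if s["rawsize"] and s["entropy"] >= ENTROPY_THRESHOLD:
            out.append((i, label, f"high entropy {s['entropy']:.2f}: compressed or encrypted data"))
        if s["chars"] & EXECUTE and s["chars"] & WRITE:
            out.append((i, label, "section is writable and executable"))
        if s["vsize"] > 16 * max(s["rawsize"], 1):
            out.append((i, label, "virtual size far larger than raw size: room for unpacked code"))
        in_sec = s["va"] <= info["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"])
        if in_sec and i == len(secs) - 1 and i > 0:
            out.append((i, label, "entry point in last section: unpacking stub"))
    return out

def _noise(n: int) -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) standing in for packed code."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_sample_pe(sections) -> bytes:
    """Constructed PE32 image for offline testing; sections are
    (name, raw_bytes, characteristics, virtual_size_or_0) tuples."""
    n, opt_size, e_lfanew, file_align = len(sections), 0xE0, 0x80, 0x200
    img = bytearray(b"MZ").ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    img = img.ljust(e_lfanew, b"\0") + b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)  # i386 COFF header
    opt_off = len(img)
    img += struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, rest zeroed
    raw_ptr, va, blobs = _align(len(img) + 40 * n, file_align), 0x1000, []
    for name, raw, chars, vsize in sections:
        vsize = max(vsize, len(raw))
        img += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        blobs.append((raw_ptr, raw))
        raw_ptr += _align(len(raw), file_align)
        last_va, va = va, va + _align(vsize, 0x1000)
    struct.pack_into("<I", img, opt_off + 16, last_va)   # entry point into the last section
    for ptr, raw in blobs:
        img = img.ljust(ptr, b"\0") + raw
    return bytes(img)

# Constructed layout imitating the report's table: nameless packed section, plain .rsrc,
# empty-named section reserving 0x299000 bytes, random-named packed section, and a tiny
# last section holding the entry point (pushad; call $+5; pop ebp, a get-EIP stub).
SAMPLE_PE = build_sample_pe([
    (b"\x00", _noise(0x3800), RWX, 0),
    (b".rsrc", b"\0" * 0x1F0 + b"\x01\x00\x02\x00" * 4, RWX & ~EXECUTE, 0),
    (b"", b"\0" * 0x200, RWX, 0x299000),
    (b"vghvdgdm", _noise(0x1000), RWX, 0),
    (b"uqqcmbtv", b"\x60\xE8\x00\x00\x00\x00\x5D" + b"\0" * 0x1F9, RWX, 0),
])
```

Calling triage(SAMPLE_PE) returns twelve findings, three each for the nameless, empty-named, vghvdgdm and uqqcmbtv sections and none for .rsrc; to run it on a real file, pass open(path, "rb").read() instead of SAMPLE_PE. Entropy is measured over the raw file bytes, so a section that is almost entirely virtual (0x200 raw, 0x299000 virtual) scores near zero; it is the size mismatch, not the entropy, that flags it, which is why both checks are needed.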

Imports

Library kernel32.dll:
0x40c033 lstrcpy
Library comctl32.dll:
0x40c03b InitCommonControls

Strings

.rsrc
.idata
vghvdgdm
uqqcmbtv
lstrcpy
InitCommonControls
kernel32.dll
comctl32.dll
,JGg7q
v6UxX
$0!T'
.!X^G>
0p/q/
GH8P0
.MOTZ
bdX!@
=-0){
(~NH<
'-vaj9
eaotf
vKRtak
2RUQ.k
Qqs;)bk
[meb9
>$SQ/
\{Phl
r1&[+S
/UcfA
c$me4
5.k>(
/t&0]<
T>XDk|
W dX@
k7` xA
AM X;
9S>z}"zIC
(_"(Vw*
M-X8
k')`H
4_/(#>
)@c4O
#7MOh
#7FZx
0JPx2
/t8>N
^APoxJnE
J[t{}
qp0V>
R}-D^
|=3xH
xo "V
l.P3D
Q}I@H
OY5|.n
s{Xr=
k]+;*
.Bca3
_)R`gG}9
/A+A($
0~u |f
iyw0W!
UH(Jw
x~>=Q
{L9A|
<loW9L+
Q`aV(I
]7al"t
TpbXE6q
i|)Lq$
u"!y
\ag[j
MeVU
p;T."
q.%Dd
CcZ2wx
u2v|c
J-H@`
3J'T&@
9LCQl
.@| I
.:(0=
x3XDU
m*?|V
r,~FdxI
)Nh*d
DED{V
) 0XR
@89z%
@f]g+b
[&Fep
_"@XG
G;Vk=
=X,DXH
|M`^V
>ObE6
aYW$uf
=xZf8
%T1LnQ
QIv`UT
_FXz($`4
k,X'n
Th@>}
0-Nb0
:k_SBI
D4:+Q
XK?n@
ZZ(tN
0]ZU"
"@tnh
s0wZGC
HSa@mi
z!8pl
This file is not on VirusTotal.

Process Tree


eXtremecsgo.exe, PID: 1308, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\eXtremecsgo.exe
Command Line: "C:\Users\user\AppData\Local\Temp\eXtremecsgo.exe"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.

Process Dump

Process Name eXtremecsgo.exe
PID 1308
Dump Size 4423680 bytes
Module Path C:\Users\user\AppData\Local\Temp\eXtremecsgo.exe
Type PE image: 32-bit executable
MD5 1b3e858b03864035bb2ff2bbc64f901e
SHA1 6be1036780914cb0a92765c8053fa91d37d57bfb
SHA256 5bdc0262d7a80d24474f5015529b4ee3d95d9f27c09c04be85cb3fac1ba8960d
CRC32 1D0B398A
Ssdeep 98304:v39XSvt3v96j3/pJ9/45sGnwNYcN/wjijsrbZKtUYe:v+0D/pL/453nwCcNYqsr9KK
ClamAV None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
  • shellcode_get_eip - Match x86 that appears to fetch $PC.
CAPE Yara None matched
Dump Filename 5bdc0262d7a80d24474f5015529b4ee3d95d9f27c09c04be85cb3fac1ba8960d


Processing ( 6.597 seconds )

  • 2.494 CAPE
  • 1.778 ProcDump
  • 1.101 Static
  • 0.693 TargetInfo
  • 0.127 Deduplicate
  • 0.126 TrID
  • 0.105 AnalysisInfo
  • 0.104 Strings
  • 0.06 BehaviorAnalysis
  • 0.007 NetworkAnalysis
  • 0.001 Debug
  • 0.001 peid

Signatures ( 0.063 seconds )

  • 0.011 antiav_detectreg
  • 0.008 ransomware_files
  • 0.005 infostealer_ftp
  • 0.003 antidbg_windows
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 api_spamming
  • 0.002 persistence_autorun
  • 0.002 decoy_document
  • 0.002 stealth_timeout
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 NewtWire Behavior
  • 0.001 betabot_behavior
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 disables_browser_warn

Reporting ( 0.0 seconds )

Task ID 94401
Mongo ID 5d9eab882a62a82c531dd26e
Cuckoo release 1.3-CAPE