configTools.exe
This report is generated from a file or URL submitted to this webservice on April 10th 2018 18:52:08 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Reads terminal service related keys (often RDP related)
- Spyware
- Accesses potentially sensitive information from local browsers
- Persistence
- Modifies System Certificates Settings
- Fingerprint
- Reads the active computer name
- Reads the cryptographic machine GUID
Additional Context
Related Sandbox Artifacts
- Associated URLs
- hxxp://ca.jsstjj.cn/nbsonline/tools/configTools.exe
Indicators
Malicious Indicators 6
External Systems
Sample was identified as malicious by a large number of Antivirus engines
- details
- 11/67 Antivirus vendors marked sample as malicious (16% detection rate)
- source
- External System
- relevance
- 10/10
Sample was identified as malicious by at least one Antivirus engine
- details
- 11/67 Antivirus vendors marked sample as malicious (16% detection rate)
- source
- External System
- relevance
- 8/10
Installation/Persistence
Drops executable files to the Windows system directory
- details
File type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" was dropped at "%WINDIR%\system32\KoalCspWrapper.ocx"
File type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" was dropped at "%WINDIR%\system32\KoalCertCtl.ocx"
- source
- Binary File
- relevance
- 7/10
Network Related
Modifies internet zones
- details
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "DISPLAYNAME"; Value: "Trusted sites")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "DESCRIPTION"; Value: "This zone contains websites that you trust not to damage your computer or data.")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "ICON"; Value: "inetcpl.cpl#00004480")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1001"; Value: "01000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1004"; Value: "03000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1200"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1201"; Value: "03000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1206"; Value: "03000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1207"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1208"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1209"; Value: "03000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "120A"; Value: "03000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "120B"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1400"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1402"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1405"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1406"; Value: "03000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1407"; Value: "01000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1408"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1409"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1601"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1604"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1605"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1606"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1607"; Value: "03000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1608"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1609"; Value: "01000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "160A"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1802"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1803"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1804"; Value: "01000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1809"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1A00"; Value: "00000200")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1A02"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1A03"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1A04"; Value: "03000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1A05"; Value: "01000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1A06"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "1C00"; Value: "00000100")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "2000"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "2005"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "2100"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "2101"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "2102"; Value: "03000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "2103"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "2104"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "2105"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "2106"; Value: "00000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "2200"; Value: "03000000")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2"; Key: "2201"; Value: "03000000")
- source
- Registry Access
- relevance
- 5/10
System Security
Modifies System Certificates Settings
- details
"<Input Sample>" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\B26FA75369D6FD879204D8E67FCC105EF35FCD84"; Key: "BLOB")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\05E82A69BEC8F04644D3D37FE2B65F32C69C7B59"; Key: "BLOB")
- source
- Registry Access
- relevance
- 8/10
Hiding 1 Malicious Indicators
Suspicious Indicators 17
Anti-Detection/Stealthiness
Queries kernel debugger information
- details
- "<Input Sample>" at 00019155-00002664-00000105-53469317
- source
- API Call
- relevance
- 6/10
Cryptographic Related
Found a cryptographic related string
- details
- "DES" (Indicator: "des"; File: "KoalCertCtl.ocx.3130420910")
- source
- File/Memory
- relevance
- 10/10
Environment Awareness
Possibly tries to implement anti-virtualization techniques
- details
- (base64-encoded string omitted; Indicator: "vbox")
- source
- File/Memory
- relevance
- 4/10
Reads the cryptographic machine GUID
- details
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
General
Contains ability to find and load resources of a specific module
- details
FindResourceA@KERNEL32.dll
LockResource@KERNEL32.dll
FindResourceA@KERNEL32.DLL from configTools.exe (PID: 2664)
LockResource@KERNEL32.DLL from configTools.exe (PID: 2664)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Installation/Persistence
Drops executable files
- details
"KoalCspWrapper.ocx" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"KoalCertCtl.ocx" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
Network Related
Found potential IP address in binary/memory
- details
Heuristic match: "1.2.156.197.1.103 1.2.156.197.1.1000.103 2.16.156.1.11000.3.33"
Heuristic match: "1.3.6.1.4.1.4929.1.6"
Heuristic match: "1.2.156.197.1.102 1.2.156.197.1.1000.102"
Heuristic match: "1.3.14.3.2"
"2.5.4.3"
"2.5.4.10"
"2.5.4.11"
"2.5.4.6"
"2.5.4.20"
"2.5.4.1"
"2.5.4.42"
"2.5.4.9"
"2.5.4.12"
"2.5.4.7"
"2.5.4.8"
- source
- File/Memory
- relevance
- 3/10
Remote Access Related
Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
Spyware/Information Retrieval
Accesses potentially sensitive information from local browsers
- details
"<Input Sample>" had access to "%APPDATA%\Microsoft\Windows\Cookies\index.dat" (Type: "FileHandle")
"<Input Sample>" had access to "%APPDATA%\Microsoft\Windows\IETldCache\index.dat" (Type: "FileHandle")
- source
- Touched Handle
- relevance
- 7/10
System Security
Modifies proxy settings
- details
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
Queries sensitive IE security settings
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
Unusual Characteristics
CRC value set in PE header does not match actual value
- details
- "KoalCspWrapper.ocx" claimed CRC 372052 while the actual is CRC 1345527
- source
- Static Parser
- relevance
- 10/10
Imports suspicious APIs
- details
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
GetFileAttributesA
WriteFile
OutputDebugStringA
GetModuleFileNameA
UnhandledExceptionFilter
TerminateProcess
GetTickCount
GetVersionExA
LoadLibraryA
GetStartupInfoA
GetFileSize
GetProcAddress
FindFirstFileA
CreateFileA
WinExec
LockResource
GetCommandLineA
GetModuleHandleA
Sleep
FindResourceA
VirtualAlloc
GetLastActivePopup
SetWindowsHookExA
RegDeleteKeyA
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegDeleteValueA
FindResourceExA
CopyFileA
CreateThread
ExitThread
CertDeleteCertificateFromStore
- source
- Static Parser
- relevance
- 1/10
Reads information about supported languages
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
Hiding 3 Suspicious Indicators
Informative 15
Environment Awareness
Contains ability to query machine time
- details
GetSystemTime@KERNEL32.dll
GetSystemTime@KERNEL32.DLL from configTools.exe (PID: 2664)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Contains ability to query the machine timezone
- details
GetTimeZoneInformation@KERNEL32.dll
GetTimeZoneInformation@KERNEL32.DLL from configTools.exe (PID: 2664)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Contains ability to query the machine version
- details
GetVersion@KERNEL32.dll
GetVersion@KERNEL32.DLL from configTools.exe (PID: 2664)
GetVersionExA@KERNEL32.DLL from configTools.exe (PID: 2664)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Contains ability to query the system locale
- details
- GetUserDefaultLCID@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Makes a code branch decision directly after an API that is environment aware
- details
Found API call GetSystemTime@KERNEL32.dll (Target: "configTools.exe.bin"; Stream UID: "18182-1415-00415E90") which is directly followed by "cmp ax, word ptr [00443E92h]" and "jne 00415EF5h". See related instructions: "...+23 call dword ptr [00432210h] ;GetSystemTime+29 mov ax, word ptr [ebp-16h]+33 cmp ax, word ptr [00443E92h]+40 jne 00415EF5h" ...
Found API call GetVersion@KERNEL32.dll (Target: "configTools.exe.bin"; Stream UID: "18182-2369-0042DDCD") which is directly followed by "cmp eax, ebx" and "je 0042DE92h". See related instructions: "...+114 push ebx+115 push esi+116 push edi+117 mov esi, ecx+119 call dword ptr [004321C4h] ;GetVersion+125 xor ecx, ecx+127 push 00000001h+129 mov cl, ah+131 movzx edx, al+134 movzx ecx, cl+137 shl edx, 08h+140 add ecx, edx+142 mov dword ptr [esi+54h], ecx+145 mov ecx, eax+147 shr ecx, 1Fh+150 cmp al, 04h+152 mov dword ptr [esi+58h], ecx+155 sbb eax, eax+157 pop ecx+158 inc eax+159 xor ebx, ebx+161 sub ecx, eax+163 cmp eax, ebx+165 mov dword ptr [esi+5Ch], eax+168 mov dword ptr [esi+60h], ecx+171 mov dword ptr [esi+64h], eax+174 mov dword ptr [esi+68h], ebx+177 je 0042DE92h" ...
Found API call GetVersion@KERNEL32.dll (Target: "configTools.exe.bin"; Stream UID: "18182-1867-004264EC") which is directly followed by "cmp eax, 30h" and "ja 00426986h". See related instructions: "...+440 call dword ptr [004321C4h] ;GetVersion+446 mov ecx, dword ptr [ebp+10h]+449 cmp al, 04h+451 sbb eax, eax+453 and al, F0h+455 add eax, 2Fh+458 dec eax+459 cmp eax, 30h+462 ja 00426986h" ...
Found API call GetVersion@KERNEL32.DLL (Target: "configTools.exe"; Stream UID: "00019155-00002664-23460-54-0042DF0D") which is directly followed by "cmp al, 04h" and "jnc 0042DF39h". See related instructions: "...+10 push 00000001h+12 pop esi+13 mov dword ptr [00443E2Ch], esi+19 call dword ptr [004321C4h] ;GetVersion+25 cmp al, 04h+27 jnc 0042DF39h" ... from configTools.exe (PID: 2664)
Found API call GetVersion@KERNEL32.DLL (Target: "configTools.exe"; Stream UID: "00019155-00002664-23460-1436-0042DDCD") which is directly followed by "cmp eax, ebx" and "je 0042DE92h". See related instructions: "...+114 push ebx+115 push esi+116 push edi+117 mov esi, ecx+119 call dword ptr [004321C4h] ;GetVersion+125 xor ecx, ecx+127 push 00000001h+129 mov cl, ah+131 movzx edx, al+134 movzx ecx, cl+137 shl edx, 08h+140 add ecx, edx+142 mov dword ptr [esi+54h], ecx+145 mov ecx, eax+147 shr ecx, 1Fh+150 cmp al, 04h+152 mov dword ptr [esi+58h], ecx+155 sbb eax, eax+157 pop ecx+158 inc eax+159 xor ebx, ebx+161 sub ecx, eax+163 cmp eax, ebx+165 mov dword ptr [esi+5Ch], eax+168 mov dword ptr [esi+60h], ecx+171 mov dword ptr [esi+64h], eax+174 mov dword ptr [esi+68h], ebx+177 je 0042DE92h" ... from configTools.exe (PID: 2664)
Found API call GetVersion@KERNEL32.DLL (Target: "configTools.exe"; Stream UID: "00019155-00002664-23460-940-004264EC") which is directly followed by "cmp eax, 30h" and "ja 00426986h". See related instructions: "...+440 call dword ptr [004321C4h] ;GetVersion+446 mov ecx, dword ptr [ebp+10h]+449 cmp al, 04h+451 sbb eax, eax+453 and al, F0h+455 add eax, 2Fh+458 dec eax+459 cmp eax, 30h+462 ja 00426986h" ... from configTools.exe (PID: 2664)
Found API call GetSystemTime@KERNEL32.DLL (Target: "configTools.exe"; Stream UID: "00019155-00002664-23460-506-00415E90") which is directly followed by "cmp ax, word ptr [00443E92h]" and "jne 00415EF5h". See related instructions: "...+23 call dword ptr [00432210h] ;GetSystemTime+29 mov ax, word ptr [ebp-16h]+33 cmp ax, word ptr [00443E92h]+40 jne 00415EF5h" ... from configTools.exe (PID: 2664)
Found API call GetVersion@KERNEL32.dll (Target: "KoalCertCtl.ocx.3130420910"; Stream UID: "31123-2483-100301DA") which is directly followed by "cmp eax, 30h" and "ja 10030674h". See related instructions: "...+440 call dword ptr [10041324h] ;GetVersion+446 mov ecx, dword ptr [ebp+10h]+449 cmp al, 04h+451 sbb eax, eax+453 and al, F0h+455 add eax, 2Fh+458 dec eax+459 cmp eax, 30h+462 ja 10030674h" ...
Found API call GetVersion@KERNEL32.dll (Target: "KoalCertCtl.ocx.3130420910"; Stream UID: "31123-3484-100390C3") which is directly followed by "cmp eax, ebx" and "je 10039188h". See related instructions: "...+114 push ebx+115 push esi+116 push edi+117 mov esi, ecx+119 call dword ptr [10041324h] ;GetVersion+125 xor ecx, ecx+127 push 00000001h+129 mov cl, ah+131 movzx edx, al+134 movzx ecx, cl+137 shl edx, 08h+140 add ecx, edx+142 mov dword ptr [esi+54h], ecx+145 mov ecx, eax+147 shr ecx, 1Fh+150 cmp al, 04h+152 mov dword ptr [esi+58h], ecx+155 sbb eax, eax+157 pop ecx+158 inc eax+159 xor ebx, ebx+161 sub ecx, eax+163 cmp eax, ebx+165 mov dword ptr [esi+5Ch], eax+168 mov dword ptr [esi+60h], ecx+171 mov dword ptr [esi+64h], eax+174 mov dword ptr [esi+68h], ebx+177 je 10039188h" ...
- source
- Hybrid Analysis Technology
- relevance
- 10/10
General
Accesses System Certificates Settings
- details
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\B26FA75369D6FD879204D8E67FCC105EF35FCD84"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\05E82A69BEC8F04644D3D37FE2B65F32C69C7B59"; Key: "")
- source
- Registry Access
- relevance
- 10/10
Creates mutants
- details
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\!IETld!Mutex"
"\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
"\Sessions\1\BaseNamedObjects\Local\c:!users!k3zn1w4!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!k3zn1w4!appdata!roaming!microsoft!windows!cookies!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!k3zn1w4!appdata!local!microsoft!windows!history!history.ie5!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!k3zn1w4!appdata!roaming!microsoft!windows!ietldcache!"
"Local\c:!users!k3zn1w4!appdata!roaming!microsoft!windows!cookies!"
"Local\c:!users!k3zn1w4!appdata!local!microsoft!windows!history!history.ie5!"
"Local\!IETld!Mutex"
"Local\c:!users!k3zn1w4!appdata!roaming!microsoft!windows!ietldcache!"
"Local\ZonesLockedCacheCounterMutex"
"Local\ZoneAttributeCacheCounterMutex"
"DBWinMutex"
"Local\c:!users!k3zn1w4!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
"Local\_!MSFTHISTORY!_"
- source
- Created Mutant
- relevance
- 3/10
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "KoalCspWrapper.ocx" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "KoalCertCtl.ocx" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
The input sample is signed with a certificate
- details
The input sample is signed with a certificate issued by "CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US" (SHA1: AD:A8:AA:A6:43:FF:7D:C3:8D:D4:0F:A4:C9:7A:D5:59:FF:48:46:DE; see report for more information)
The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: F4:6A:C0:C6:EF:BB:8C:6A:14:F5:5F:09:E2:D3:7D:F4:C0:DE:01:2D; see report for more information)
The input sample is signed with a certificate issued by "CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US" (SHA1: EA:36:15:29:81:E2:96:F9:76:3E:1D:C7:4B:32:62:D3:92:85:63:F8; see report for more information)
The input sample is signed with a certificate issued by "CN=WoSign Code Signing Authority, O="WoSign, Inc.", C=US" (SHA1: 94:24:CF:93:D0:11:2D:8F:55:EC:BD:57:47:E9:ED:4D:5D:34:8F:02; see report for more information)
- source
- Certificate Data
- relevance
- 10/10
Installation/Persistence
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
Dropped files
- details
"configtools.dat" has type "ASCII text with very long lines with no line terminators"
"KoalCspWrapper.ocx" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"KoalCertCtl.ocx" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 3/10
Touches files in the Windows directory
- details
"<Input Sample>" touched file "C:\Windows\System32\KoalCertCtl.ocx"
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "C:\Windows\System32\tzres.dll"
"<Input Sample>" touched file "C:\Windows\System32\en-US\tzres.dll.mui"
"<Input Sample>" touched file "C:\Windows\System32\KoalCspWrapper.ocx"
"<Input Sample>" touched file "C:\Windows\System32\rsaenh.dll"
"<Input Sample>" touched file "C:\Windows\System32\en-US\crypt32.dll.mui"
"<Input Sample>" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"<Input Sample>" touched file "C:\Windows\System32\en-US\urlmon.dll.mui"
"<Input Sample>" touched file "C:\Windows\System32\msxml3r.dll"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\index.dat"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
- source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
Pattern match: "http://ocsp.verisign.com0"
Pattern match: "http://crl.verisign.com/tss-ca.crl0"
Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0"
Pattern match: "http://www.usertrust.com1"
Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl0"
Pattern match: "www.koal.com1-0+"
Pattern match: "http://www.wosign.com/cps/0"
Pattern match: "http://crl.wosign.com/WoSignCodeSigning.crl0G"
Pattern match: "http://crt.wosign.com/WoSignCodeSigning.crt0"
Pattern match: "http://ca.jsstjj.cn#site.end"
- source
- File/Memory
- relevance
- 10/10
System Security
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
Unusual Characteristics
Matched Compiler/Packer signature
- details
"configTools.exe.bin" was detected as "Microsoft visual C++ 5.0"
"KoalCspWrapper.ocx" was detected as "Armadillo v1.xx - v2.xx"
"KoalCertCtl.ocx" was detected as "Armadillo v1.xx - v2.xx"
- source
- Static Parser
- relevance
- 10/10
File Details
configTools.exe
- Filename
- configTools.exe
- Size
- 1.2MiB (1293304 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 3e4c1c43743cc155f3706580d16e43ddb584826c7e3f5cb33860f1f554faa8b4
- MD5
- 896742a3c2c50786642c40543f129e9d
- SHA1
- d5b4f673c387a6a697c53fcb8c4899115761eb95
- ssdeep
- 12288:5Ks+WqI4PzebZuSSwnpO7TA3GKaq7tWdSilPRcnVekpB9DCMZ48nKvj7j1HjzmJC:YYZuSSnFbKWdSScnVesdIDCda
- imphash
- 9da56803b0013d7687c08558bc21e4fb
- authentihash
- 6b421c782103b621a7df32c0e87c1c4beeaa070d4badc585adb7d20768f3ea86
- Compiler/Packer
- Microsoft visual C++ 5.0
Version Info
- LegalCopyright
- (C) 2011
- InternalName
- ConfigTools
- FileVersion
- 0, 9, 4, 0
- CompanyName
- -
- PrivateBuild
- -
- LegalTrademarks
- -
- Comments
- -
- ProductName
- ConfigTools
- SpecialBuild
- -
- ProductVersion
- 0, 9, 4, 0
- FileDescription
- v0.9.4
- OriginalFilename
- ConfigTools.EXE
- Translation
- 0x0804 0x04b0
Classification (TrID)
- 52.5% (.EXE) Win32 Executable MS Visual C++ (generic)
- 22.0% (.SCR) Windows Screen Saver
- 11.0% (.DLL) Win32 Dynamic Link Library (generic)
- 7.5% (.EXE) Win32 Executable (generic)
- 3.3% (.EXE) Generic Win/DOS Executable
File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 112 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 9782)
- 29 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 2179)
- 141 .C Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 9782)
- 27 .ASM Files assembled with MASM 6.13 (Visual Studio 6 SP1) (build: 7299)
- 10 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 2190)
- 2 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8047)
- File contains C++ code
- File is the product of a large codebase (112 files)
File Certificates
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=VeriSign Time Stamping Services Signer - G2, O="VeriSign, Inc.", C=US | CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US Serial: 3825d7faf861af9ef490e726b5d65ad5 | 06/15/2007 01:00:00 to 06/15/2012 00:59:59 | 3B:2A:74:96:89:37:03:9B:31:E5:40:9C:D0:09:D1:FE AD:A8:AA:A6:43:FF:7D:C3:8D:D4:0F:A4:C9:7A:D5:59:FF:48:46:DE |
CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA Serial: 47bf1995df8d524643f7db6d480d31a4 | 12/04/2003 01:00:00 to 12/04/2013 00:59:59 | 68:23:26:7A:B3:5E:C7:A5:44:99:04:BB:4D:80:41:A7 F4:6A:C0:C6:EF:BB:8C:6A:14:F5:5F:09:E2:D3:7D:F4:C0:DE:01:2D |
CN=WoSign Code Signing Authority, O="WoSign, Inc.", C=US | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US Serial: 42ce8a30d35602f841186c6e20531904 | 04/25/2007 01:00:00 to 07/09/2019 19:40:36 | 4F:00:55:A2:F3:DF:A3:1B:24:0D:F6:13:1A:A7:0E:07 EA:36:15:29:81:E2:96:F9:76:3E:1D:C7:4B:32:62:D3:92:85:63:F8 |
CN=上海格尔软件股份有限公司, O=上海格尔软件股份有限公司, STREET=www.koal.com, L=上海, ST=上海, OID.2.5.4.17=200042, C=CN | CN=WoSign Code Signing Authority, O="WoSign, Inc.", C=US Serial: 3f01b2e50efd4c77bfcc40108b0e3cff | 02/01/2008 01:00:00 to 02/01/2013 00:59:59 | F1:EE:8E:AE:55:1C:8C:03:CA:A3:EC:AC:97:E8:CA:ED 94:24:CF:93:D0:11:2D:8F:55:EC:BD:57:47:E9:ED:4D:5D:34:8F:02 |
Hybrid Analysis
Analysed 1 process in total.
- configTools.exe (PID: 2664) 11/67
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
1.0.0.0 | Domain/IP reference | 00019155-00002664-23460-551-0040919C |
Extracted Files
Clean 2
KoalCertCtl.ocx
- Size
- 396KiB (405456 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/63
- Runtime Process
- configTools.exe (PID: 2664)
- MD5
- c9ad6129a6300c8ba85097846de8fcaa
- SHA1
- 449d4913b2c61357c6e05373bd3b2517915cd641
- SHA256
- ec4f39f69a961d16cf9ac7b2e31ebd7b775fe72d6dd20270d45ab3e698f23e21
KoalCspWrapper.ocx
- Size
- 339KiB (346952 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/63
- Runtime Process
- configTools.exe (PID: 2664)
- MD5
- c1246be1af02577db6e8a0a35a508072
- SHA1
- 2e13246248fe1dece8571787ddfeeae8a13bcde2
- SHA256
- 13615176e69563ab8f136eef911f07b55533151b6593fe855863d37fcb8dd340
Informative 1
configtools.dat
- Size
- 982KiB (1005509 bytes)
- Type
- text
- Description
- ASCII text, with very long lines, with no line terminators
- Runtime Process
- configTools.exe (PID: 2664)
- MD5
- e4a0b2c172833dd075d6f8421ac61f53
- SHA1
- b043d7d1a3066b87deb4cd83dc026248baff6b90
- SHA256
- 569103fa71bb5f673cd37f13da6c18ade282eae0ccf4c523c3fe9125ab2b8ef0
Notifications
Runtime
- Added comment to Virus Total report
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-43" are available in the report
- Not all sources for indicator ID "stream-32" are available in the report