setup_std_client_V7.0.1.0_2019.12.25(1).epe
This report is generated from a file or URL submitted to this webservice on September 18th 2020 00:32:59 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.31 © Hybrid Analysis
Incident Response

Risk Assessment
- Fingerprint: Reads the active computer name
- Evasive: Marks file for deletion
- Spreading: Detected a large number of ARP broadcast requests (network device lookup)
- Network Behavior: Contacts 3 domains
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (2)

General
- The analysis extracted a file that was identified as malicious
  - Details:
    - 1/67 Antivirus vendors marked dropped file "System.dll" as malicious (classified as "Malware.Generic" with 1% detection rate)
    - 1/68 Antivirus vendors marked dropped file "GetVersion.dll" as malicious (classified as "Malware.Generic" with 1% detection rate)
  - Source: Binary File
  - Relevance: 10/10

Network Related
- Detected a large number of ARP broadcast requests (network device lookup)
  - Details: Attempt to find devices in networks: "169.254.92.6/32, 169.254.110.240/32, 169.254.184.156/32, 169.254.191.43/32, 169.254.245.150/32, 192.168.240.1/32, 192.168.240.2/32, 192.168.240.30/32, 192.168.240.49/32, 192.168.240.55/32, 192.168.240.57/32, 192.168.240.58/32, 192.168.240.123/32, 192.168.240.211/32, 192.168.240.212/32, 192.168.240.232/32, 192.168.241.62/32, 192.168.241.72/32, 192.168.243.18/32, 192.168.243.67/32, 192.168.243.68/32, 192.168.243.144/32, 192.168.243.159/32, 192.168.243.177/32, 192.168.243.182/32, 192.168.243.216/32, 192.168.243.246/32"
  - Source: Network Traffic
  - Relevance: 10/10
  - ATT&CK ID: T1016
Suspicious Indicators (18)

Environment Awareness
- Reads the active computer name
  - Details: "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - Source: Registry Access
  - Relevance: 5/10
  - ATT&CK ID: T1012

General
- Reads configuration files
  - Details: "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
  - Source: API Call
  - Relevance: 4/10

Installation/Persistence
- Drops executable files
  - Details:
    - "MoreInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "GNESLClient.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
    - "GetVersion.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "GNSetupSkinDll.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - Source: Binary File
  - Relevance: 10/10

Network Related
- Contacts Random Domain Names
  - Details:
    - "_ldap._tcp.dc._msdcs.scl3.dc" seems to be random
    - "wpad.scl3.dc" seems to be random
  - Source: Network Traffic
  - Relevance: 5/10
- Detected increased number of ARP broadcast requests (network device lookup)
  - Details: Attempt to find devices in networks: "169.254.110.240/32, 192.168.240.1/32, 192.168.240.2/32, 192.168.240.30/32, 192.168.243.182/32, 192.168.243.246/32, ..."
  - Source: Network Traffic
  - Relevance: 10/10
  - ATT&CK ID: T1046
- Found potential IP address in binary/memory
  - Details: Heuristic match: "VERSION = 2.0.0.12"
  - Source: File/Memory
  - Relevance: 3/10

Remote Access Related
- Contains indicators of bot communication commands
  - Details:
    - "EnableFastLogin=" (Indicator: "login=")
    - "ESoonLinkLogin=" (Indicator: "login=")
    - "EditAutoLogin=" (Indicator: "login=")
    - "Login=" (Indicator: "login=")
  - Source: File/Memory
  - Relevance: 10/10
  - ATT&CK ID: T1094

System Destruction
- Marks file for deletion
  - Details:
    - "C:\setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" marked "%TEMP%\nsn4E55.tmp" for deletion
    - "C:\setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" marked "%TEMP%\nso4F42.tmp" for deletion
  - Source: API Call
  - Relevance: 10/10
  - ATT&CK ID: T1107
- Opens file with deletion access rights
  - Details:
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" opened "%TEMP%\nsn4E55.tmp" with delete access
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" opened "%TEMP%\nso4F42.tmp" with delete access
  - Source: API Call
  - Relevance: 7/10

System Security
- Tries to obtain the highest possible privilege level without UAC dialog
  - Details: "<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v29-Sep-2013.cvs</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>" (Indicator: "requestedExecutionLevel level="highestAvailable"")
  - Source: File/Memory
  - Relevance: 7/10
  - ATT&CK ID: T1088

Unusual Characteristics
- CRC value set in PE header does not match actual value
  - Details: "GNSetupSkinDll.dll" claimed CRC 822555 while the actual is CRC 34938
  - Source: Static Parser
  - Relevance: 10/10
- Imports suspicious APIs
  - Details:
    - RegDeleteKeyA
    - RegCloseKey
    - RegOpenKeyExA
    - RegDeleteValueA
    - RegCreateKeyExA
    - RegEnumKeyA
    - GetFileAttributesA
    - CopyFileA
    - GetModuleFileNameA
    - LoadLibraryA
    - LoadLibraryExA
    - GetFileSize
    - CreateDirectoryA
    - DeleteFileA
    - GetCommandLineA
    - GetProcAddress
    - GetTempPathA
    - CreateThread
    - GetModuleHandleA
    - FindFirstFileA
    - WriteFile
    - GetTempFileNameA
    - FindNextFileA
    - CreateProcessA
    - Sleep
    - CreateFileA
    - GetTickCount
    - ShellExecuteA
    - FindWindowExA
    - GetStartupInfoA
    - UnhandledExceptionFilter
    - VirtualAlloc
    - VirtualProtect
    - RegCreateKeyExW
    - RegCreateKeyA
    - SetSecurityDescriptorDacl
    - OpenProcessToken
    - RegEnumKeyExA
    - StartServiceA
    - GetDriveTypeA
    - OpenFileMappingA
    - TerminateProcess
    - GetModuleHandleExA
    - CreateToolhelp32Snapshot
    - Process32First
    - GetVersionExA
    - Process32Next
    - OpenProcess
    - CreateFileMappingA
    - CreateFileW
    - IsDebuggerPresent
    - WinExec
    - LockResource
    - MapViewOfFile
    - GetModuleHandleW
    - FindResourceA
    - ShellExecuteExA
    - GetCursorPos
    - GetLastActivePopup
    - SetWindowsHookExA
    - FindWindowA
    - GetWindowThreadProcessId
    - HttpSendRequestA
    - InternetCloseHandle
    - InternetOpenA
    - InternetReadFile
    - InternetConnectA
    - InternetQueryOptionA
    - HttpQueryInfoA
    - InternetCrackUrlA
    - EnumPrintersA
    - socket
    - WSAStartup
    - connect
    - closesocket
    - GetUpdateRect
  - Source: Static Parser
  - Relevance: 1/10
- Installs hooks/patches the running process
  - Details:
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" wrote bytes "7da3ba7795a3ba7782f3b97700d0ba770fa8ba77f990b97787f1ba7781a8ba77bcceba7785deba7713dbba7727f1ba778aa2ba771af1ba775ac6ba77252eba7700000000173f3b770000000008225577d1e4527700000000" to virtual address "0x10003000" (part of module "SYSTEM.DLL")
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" wrote bytes "492f47b8b6d0b847c9123973151339733113397300000000940000000600000001000000b11d00000200000053657276696365205061636b20310000" to virtual address "0x73392000" (part of module "MSIMG32.DLL")
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" wrote bytes "d5d9ba7730c6ba77e0c2ba7742c6ba7710c6ba77acdcba77a0dfba7736daba7787f1ba77000000009177b576c090b5767f6fb5761ffab576def4b576f282b576857db57600000000" to virtual address "0x73391000" (part of module "MSIMG32.DLL")
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" wrote bytes "c2000000" to virtual address "0x1000404C" (part of module "SYSTEM.DLL")
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" wrote bytes "d055f0756473f9750000000051c1c3769498c376ee9cc37675dcc576273ec5760fb3c97600000000acdcba771bf7ba77c108bc77c0d9ba77152eba7736daba77d5d9ba7730c6ba77e0c2ba7742c6ba771bc6ba7786c4ba7772c6ba7700000000" to virtual address "0x70FD1000" (part of module "SHFOLDER.DLL")
  - Source: Hook Detection
  - Relevance: 10/10
  - ATT&CK ID: T1179
- Reads information about supported languages
  - Details: "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - Source: Registry Access
  - Relevance: 3/10
  - ATT&CK ID: T1012

Hiding 4 Suspicious Indicators
Informative (17)

Anti-Reverse Engineering
- PE file contains zero-size sections
  - Details:
    - Raw size of ".ndata" is zero
    - Raw size of "BSS" is zero
    - Raw size of ".data" is zero
  - Source: Static Parser
  - Relevance: 10/10

Environment Awareness
- Reads the registry for installed applications
  - Details: "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\$(NAME)")
  - Source: Registry Access
  - Relevance: 10/10
  - ATT&CK ID: T1012
General
- Contacts domains
  - Details:
    - "_ldap._tcp.dc._msdcs.scl3.dc"
    - "isatap.scl3.dc"
    - "wpad.scl3.dc"
  - Source: Network Traffic
  - Relevance: 1/10
- Contains PDB pathways
  - Details: the matched block is mostly non-printable binary data; its readable content includes the PDB path "e:\Workspace\SVN.code\trunk\TerminateProcess\Release\TerminateProcess.pdb" and the strings "SeDebugPrivilege", "taskkill /F /FI "SESSION eq %d" /IM %s", "taskkill /F /IM %s", "bad allocation", "Invalid DateTime", "Invalid DateTimeSpan" and the registry key names "AppID", "CLSID", "Component Categories", "FileType", "Interface", "Hardware", "Mime", "SAM", "SECURITY", "SYSTEM", "Software", "TypeLib"
  - Source: File/Memory
  - Relevance: 1/10
- Creates a writable file in a temporary directory
  - Details:
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "%TEMP%\nso4F42.tmp\System.dll"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\GNSetupSkinDll.dll"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\skin\Config.ini"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\skin\Language_en.ini"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\skin\Language_sc.ini"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\skin\Language_tr.ini"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nso4F42.tmp\MoreInfo.dll"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsy4F31.tmp"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nso4F42.tmp\System.dll"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nso4F42.tmp\GetVersion.dll"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\skin\GNAutoUpdate.ini"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\skin\Skin.zip"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\Language_sc.ini"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\GNESLClient.exe"
  - Source: API Call
  - Relevance: 1/10
- Creates mutants
  - Details:
    - "\Sessions\1\BaseNamedObjects\SMAPLE_MUTEX"
    - "SMAPLE_MUTEX"
  - Source: Created Mutant
  - Relevance: 3/10
- Drops files marked as clean
  - Details:
    - Antivirus vendors marked dropped file "MoreInfo.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "GNESLClient.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "GNSetupSkinDll.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Source: Binary File
  - Relevance: 10/10
- Overview of unique CLSIDs touched in registry
  - Details:
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
  - Source: Registry Access
  - Relevance: 3/10
- The input sample is signed with a certificate
  - Details:
    - The input sample is signed with a certificate issued by "CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US" (SHA1: D1:D9:2F:25:1E:19:F8:04:94:0E:1D:47:63:4A:8A:E5:1C:EF:3D:7A; see report for more information)
    - The input sample is signed with a certificate issued by "CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE" (SHA1: C0:E4:9D:2D:7D:90:A5:CD:42:7F:02:D9:12:56:94:D5:D6:EC:5B:71; see report for more information)
    - The input sample is signed with a certificate issued by "CN=GlobalSign Timestamping CA - G2, O=GlobalSign nv-sa, C=BE" (SHA1: 63:B8:2F:AB:61:F5:83:90:96:95:05:0B:00:24:9C:50:29:33:EC:79; see report for more information)
  - Source: Certificate Data
  - Relevance: 10/10
  - ATT&CK ID: T1116
- The input sample is signed with a valid certificate
  - Details: The entire certificate chain of the input sample was validated successfully.
  - Source: Certificate Data
  - Relevance: 10/10
  - ATT&CK ID: T1116
Installation/Persistence
- Connects to LPC ports
  - Details: "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" connecting to "\ThemeApiPort"
  - Source: API Call
  - Relevance: 1/10
- Dropped files
  - Details:
    - "MoreInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "GNESLClient.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
    - "GetVersion.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "GNSetupSkinDll.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "Language_en.ini" has type "ASCII text with CRLF line terminators"
    - "Language_sc.ini" has type "ISO-8859 text with CRLF line terminators"
    - "Skin.zip" has type "Zip archive data at least v2.0 to extract"
    - "Config.ini" has type "ASCII text with CRLF line terminators"
    - "GNAutoUpdate.ini" has type "ISO-8859 text with CRLF line terminators"
    - "nsy4F31.tmp" has type "data"
    - "Language_tr.ini" has type "ISO-8859 text with CRLF line terminators"
  - Source: Binary File
  - Relevance: 3/10
- Touches files in the Windows directory
  - Details:
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000027.db"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
    - "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000027.db"
  - Source: API Call
  - Relevance: 7/10
Network Related
- Found potential URL in binary/memory
  - Details:
    - Pattern match: "http://nsis.sf.net/NSIS_Error"
    - Heuristic match: "E1;1^k.Gm"
    - Pattern match: "Y2.cv/PtPn"
    - Heuristic match: "ePT=`.ck"
    - Pattern match: "http://sv.symcb.com/sv.crl0a"
    - Pattern match: "https://d.symcb.com/cps0%"
    - Pattern match: "https://d.symcb.com/rpa0"
    - Pattern match: "http://sv.symcd.com0&"
    - Pattern match: "http://sv.symcb.com/sv.crt0"
    - Pattern match: "https://www.globalsign.com/repository/03"
    - Pattern match: "http://crl.globalsign.net/root.crl0"
    - Pattern match: "https://www.globalsign.com/repository/0"
    - Pattern match: "crl.globalsign.com/gs/gstimestampingg2.crl0T"
    - Pattern match: "secure.globalsign.com/cacert/gstimestampingg2.crt0"
    - Pattern match: "http://www.gnway.com/0"
    - Pattern match: "www.verisign.com/rpa"
    - Pattern match: "http://www.baidu.com/baidu?word=%s&cl=3&ct=2097152&si=bbs.gnway.com"
    - Pattern match: "http://bbs.GNWay.com/forum.php?mod=viewthread&tid=3782&extra=page%3D1"
    - Pattern match: "http://bbs.GNWay.com/forum.php?mod=viewthread&tid=3780&page=1&extra=#pid10993"
    - Pattern match: "http://bbs.GNWay.com/forum.php?mod=viewthread&tid=4693&extra=page%3D1"
    - Pattern match: "http://bbs.GNWay.com/forum.php?mod=viewthread&tid=4905&extra=page%3D1"
    - Pattern match: "http://bbs.GNWay.com/forum.php?mod=viewthread&tid=4906&page=1&extra=#pid13993"
    - Pattern match: "http://bbs.GNWay.com/forum.php?mod=viewthread&tid=4908&extra="
    - Pattern match: "http://bbs.GNWay.com/forum.php?mod=viewthread&tid=4907&extra="
    - Pattern match: "http://bbs.GNWay.com/forum.php?mod=viewthread&tid=4917&extra="
    - Pattern match: "http://bbs.GNWay.com/forum.php?mod=viewthread&tid=3749&page=1&extra=#pid10910"
    - Pattern match: "http://www.bangwo8.com/"
    - Pattern match: "http://www.GNWay.com/"
    - Heuristic match: "Yunurl=yun.GNWay.com"
    - Pattern match: "http://bbs.GNWay.com/forum.php?mod=forumdisplay&fid=188"
    - Heuristic match: "3_...pw"
    - Pattern match: "StartMenu.dll/checknoshortcuts/lastused/text/autoadd/noicon/rtlInitShowsuccessSettingsNextButtonText\ioSpecial.iniField"
    - Pattern match: "http://www.gnway.com/productPhone.phpLowerGNRSecurityShowCompanybStartSSOShowExitDlgLoginTimeoutHideNotifyIconDisableDesktopAndMyDocumentMappingResetClouldDiskPathIMEPositionChangeTimer300HideBGImageDisableFollowImeEnableEslSessionLogEnableDisplayCloudDisk"
    - Pattern match: "www.GNWay.com/Publisher5.2LoadDriver\LoadDriver.exeSYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\GNTKProProxy.exe\GNTKProProxy.exe:*:Enabled:GNTKProProxy\GNFixer.exe"
    - Pattern match: "https://www.globalsign.com/repository/0U00U%0"
    - Pattern match: "crl.globalsign.com/gs/gstimestampingg2.crl0T+H0F0D+08http://secure.globalsign.com/cacert/gstimestampingg2.crt0UJ8ZO0Pz0U#0F"
  - Source: File/Memory
  - Relevance: 10/10
System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  - Details: "setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe" opened "\Device\KsecDD"
  - Source: API Call
  - Relevance: 10/10
  - ATT&CK ID: T1215
Unusual Characteristics
- Found Delphi 4 - Delphi 2006 artifact
  - Details: "MoreInfo.dll" has a PE timestamp using the buggy magic timestamp 0x2A425E19. The real compilation date is probably Thu Jan 1 00:00:00 1970
  - Source: Static Parser
  - Relevance: 10/10
- Matched Compiler/Packer signature
  - Details:
    - "b9cd902314ab8e37b5991afd3a1cc1fae686beffc282a95dc4bbc561906194c9.bin" was detected as "Nullsoft PiMP Stub -> SFX"
    - "MoreInfo.dll" was detected as "Borland Delphi 4.0"
    - "GNESLClient.exe" was detected as "VC8 -> Microsoft Corporation"
    - "GNSetupSkinDll.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
  - Source: Static Parser
  - Relevance: 10/10
  - ATT&CK ID: T1045
File Details
- Filename: setup_std_client_V7.0.1.0_2019.12.25(1).epe
- Size: 16MiB (16818312 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture: WINDOWS
- SHA256: b9cd902314ab8e37b5991afd3a1cc1fae686beffc282a95dc4bbc561906194c9
- MD5: 9402bebede65304f25f193ccc3428950
- SHA1: 4a1323d1ab82e98b0477e56c01dc35f0df2c5491
- ssdeep: 393216:gXup2aaC7xZtYv/tEUamXKZJjKlFZYBba:gXufbpmmJy/2G
- imphash: dfb06052e74b26a42b0e490bd1c07959
- authentihash: 1783650364a375266221889aba8c8ecc253912a81f0b59b393219991ab661de2
- Compiler/Packer: Nullsoft PiMP Stub -> SFX

Version Info
- ProductName: -
- Translation: 0x0000 0x04e4

Classification (TrID)
- 61.7% (.EXE) Win64 Executable (generic)
- 14.7% (.DLL) Win32 Dynamic Link Library (generic)
- 10.0% (.EXE) Win32 Executable (generic)
- 4.5% (.EXE) OS/2 Executable (generic)
- 4.4% (.EXE) Generic Win/DOS Executable

File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 10 .C Files compiled with CL.EXE (Visual Studio 6 Processor Pack) (build: 9044)
- 17 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 2 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 4035)
File Certificates
Certificate chain was successfully validated.

Owner | Issuer | Serial | Valid from | Valid to | MD5 | SHA1 |
---|---|---|---|---|---|---|
CN=GNWay Beijing Co. Ltd, OU=R&D, O=GNWay Beijing Co. Ltd, L=beijing, ST=beijing, C=CN | CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US | 26854bda75753c37821df6d2bba1f511 | 11/30/2016 00:00:00 | 01/29/2020 23:59:59 | 3D:25:D4:EA:B8:4C:8A:69:6F:79:A4:B9:27:E3:C1:5C | D1:D9:2F:25:1E:19:F8:04:94:0E:1D:47:63:4A:8A:E5:1C:EF:3D:7A |
CN=GlobalSign Timestamping CA - G2, O=GlobalSign nv-sa, C=BE | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE | 400000000012f4ee152d7 | 04/13/2011 10:00:00 | 01/28/2028 12:00:00 | 95:C7:FF:05:1A:81:D4:5B:FA:80:B2:CA:4D:92:4F:A0 | C0:E4:9D:2D:7D:90:A5:CD:42:7F:02:D9:12:56:94:D5:D6:EC:5B:71 |
CN=GlobalSign TSA for MS Authenticode - G2, O=GMO GlobalSign Pte Ltd, C=SG | CN=GlobalSign Timestamping CA - G2, O=GlobalSign nv-sa, C=BE | 1121d699a764973ef1f8427ee919cc534114 | 05/24/2016 00:00:00 | 06/24/2027 00:00:00 | 96:A1:A6:67:8C:3C:59:B9:E9:9A:29:7C:3C:65:BC:2B | 63:B8:2F:AB:61:F5:83:90:96:95:05:0B:00:24:9C:50:29:33:EC:79 |
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
_ldap._tcp.dc._msdcs.scl3.dc | - | - | - |
isatap.scl3.dc | - | - | - |
wpad.scl3.dc | - | - | - |
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 12 extracted file(s). The remaining 1 file(s) are available in the full version and XML/JSON reports.
Malicious (2)

GetVersion.dll
- Size: 9.5KiB (9728 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: Labeled as "Malware.Generic" (1/68)
- Runtime Process: setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
- MD5: 225f776172f1baccd2721a6e5d512b36
- SHA1: 2dbbc86f7b0285682880a627b56a75de09f4bed6
- SHA256: ecfcbe30f5b248673f9cbebb734b9981ed14b06380ea787c563d67b30e2d069e

System.dll
- Size: 11KiB (11264 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: Labeled as "Malware.Generic" (1/67)
- Runtime Process: setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
- MD5: 00a0194c20ee912257df53bfe258ee4a
- SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
- SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
Clean (3)

GNESLClient.exe
- Size: 1.3MiB (1364328 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/73
- Runtime Process: setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
- MD5: fa15a75cab4545637661b67921dd2ecb
- SHA1: 846d67ea7d108efd871a92fe270224e553d2eb8a
- SHA256: 3869837a3abd7a99e38d5a19a08e9c899233beb4819c13d8263c5f80c07acedf

GNSetupSkinDll.dll
- Size: 771KiB (789352 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/69
- Runtime Process: setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
- MD5: 5c74130e5fe3309b369fe0807b1678aa
- SHA1: 6dc5eda3539d2ddba4dea142c7e65727007b3d78
- SHA256: 7cb4aa092c5fffe44f29c419210b26708e3d4633b77209aefbf83de27698f53c

MoreInfo.dll
- Size: 23KiB (23040 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/72
- Runtime Process: setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
- MD5: e66ec77c5d463f67192e22e4133e0fb3
- SHA1: df18d6761ce408993261d64466c50b63c98aadc2
- SHA256: 85239f5799e0f9b0b3051f46c99e637af7511960299d84db41c003c09422718d
Informative (7)

nsy4F31.tmp
- Size: 5MiB (5212971 bytes)
- Type: doc office
- Description: data
- Runtime Process: setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
- MD5: 5ee58331ce00bfe255a9518fb0536428
- SHA1: bdd1d1b4781891cf22899aa338f78baa7bd232c0
- SHA256: b8e62950d907d3361de8abc4ec99ff67b37be70454a24b74b841dd93f5e830dc

GNAutoUpdate.ini
- Size: 272B (272 bytes)
- Type: text
- Description: ISO-8859 text, with CRLF line terminators
- Runtime Process: setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
- MD5: fc2d0a2dd67b06c83e1aae1ff55d68ea
- SHA1: d8e0971293f4e1e64fef8f03e37fb855d15d6e94
- SHA256: 1c535ff29f8d877083dcaae7d1b5202e57aaefbb3cafbfe315db8ccdd34d2f68

Language_en.ini
- Size: 657B (657 bytes)
- Type: text
- Description: ASCII text, with CRLF line terminators
- Runtime Process: setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
- MD5: 8b642e21432e9521fe18bd856f82102c
- SHA1: 8776824b39bd1f23711010b856cb14adbf1a3e1f
- SHA256: 8f7724d8b8ef736ae6c68be7f9124c24e973f10acc33d6d5ac57b2b2bc2ccd7c

Language_sc.ini
- Size: 630B (630 bytes)
- Type: text
- Description: ISO-8859 text, with CRLF line terminators
- Runtime Process: setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
- MD5: 1510b34fde97c0bd13217aabe293b0a4
- SHA1: fd089da798748951b90bf4a7a81c8b7c4d36bead
- SHA256: 99bdc2a4312aa5d8f8c71362c2da9dda43979c87f05a12eb0844d157ec5a9bc2

Language_tr.ini
- Size: 630B (630 bytes)
- Type: text
- Description: ISO-8859 text, with CRLF line terminators
- Runtime Process: setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
- MD5: 9f01c163fcdb02c3d2169d30e4c654be
- SHA1: fe5b7a9934437aa210d0a7b9e91a2330913c4d09
- SHA256: 3cfd72717c1f01b47c0e19c882c1a3a2b90269576513eeaee249b4613533f234

Skin.zip
- Size: 893KiB (913967 bytes)
- Type: data compressed zip
- Description: Zip archive data, at least v2.0 to extract
- Runtime Process: setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
- MD5: ba1b9d65902429e9c3c40bcc5da4f907
- SHA1: 9b75d190ae849671496183ed6ee00db1dc92c1e6
- SHA256: d54f5419b7572e5937af3f3e1d5c0fc812e8b692de3e4a8890dd55b585f87377

Config.ini
- Size: 102B (102 bytes)
- Type: text
- Description: ASCII text, with CRLF line terminators
- Runtime Process: setup_std_client_V7.0.1.0_2019.12.25_1_.epe.exe (PID: 3172)
- MD5: 4f789bd17cc44b722d7f4926da637d36
- SHA1: d89f11b853bfdad881c6e66624116c655ae3d1b3
- SHA256: 792951dc1fd91fac689b1dfa37b468d371366a97981a3e0e47fa6a6b78676e5d
Notifications

Runtime
- Extracted file "nsy4F31.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/gui/file/b8e62950d907d3361de8abc4ec99ff67b37be70454a24b74b841dd93f5e830dc/detection/f-b8e62950d907d3361de8abc4ec99ff67b37be70454a24b74b841dd93f5e830dc-1600389577")
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "network-32" are available in the report
- Some low-level data is hidden, as this is only a slim report