incredibuild_vs2017_932_2457.exe
This report is generated from a file or URL submitted to this webservice on February 27th 2019 21:04:32 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Reads terminal service related keys (often RDP related)
- Spyware
  - Hooks API calls
  - POSTs files to a webserver
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
- Evasive
  - Marks file for deletion
  - Possibly tries to implement anti-virtualization techniques
- Network Behavior
  - Contacts 8 domains and 6 hosts.
MITRE ATT&CK™ Techniques Detection
Additional Context
Related Sandbox Artifacts
- Associated URLs
- hxxps://www.incredibuild.com/downloads/vs/incredibuild_vs2017_932_2457.exe
Indicators
-
Malicious Indicators 5
-
General
-
The analysis spawned a process that was identified as malicious
- details
- 1/69 Antivirus vendors marked spawned process "Setup.exe" (PID: 3244) as malicious (classified as "malicious.high.ml" with 1% detection rate)
- source
- Monitored Target
- relevance
- 10/10
-
Installation/Persistence
-
Allocates virtual memory in a remote process
- details
-
"<Input Sample>.exe" allocated memory in "%TEMP%\IncrediBuild_Setup_3300\Setup.exe"
"<Input Sample>.exe" allocated memory in "%TEMP%\IncrediBuild_Setup_3300\Logs" - source
- API Call
- relevance
- 7/10
- ATT&CK ID
- T1055
-
Writes data to a remote process
- details
-
"<Input Sample>.exe" wrote 32 bytes to a remote process "%TEMP%\IncrediBuild_Setup_3300\lzma.exe" (Handle: 392)
"<Input Sample>.exe" wrote 52 bytes to a remote process "%TEMP%\IncrediBuild_Setup_3300\lzma.exe" (Handle: 392)
"<Input Sample>.exe" wrote 4 bytes to a remote process "%TEMP%\IncrediBuild_Setup_3300\lzma.exe" (Handle: 392)
"<Input Sample>.exe" wrote 1500 bytes to a remote process "%TEMP%\IncrediBuild_Setup_3300\Setup.exe" (Handle: 352)
"<Input Sample>.exe" wrote 4 bytes to a remote process "%TEMP%\IncrediBuild_Setup_3300\Setup.exe" (Handle: 352)
"<Input Sample>.exe" wrote 32 bytes to a remote process "%TEMP%\IncrediBuild_Setup_3300\Setup.exe" (Handle: 352)
"<Input Sample>.exe" wrote 52 bytes to a remote process "%TEMP%\IncrediBuild_Setup_3300\Setup.exe" (Handle: 352) - source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "54.68.149.88": ...
File SHA256: 635459a0070ab4d8c0ce5f1627564f7a4e68391b6aabced96cbf15d2f268b919 (Date: 02/24/2019 23:38:31)
File SHA256: 588b9d6356ff1c3239cfdbc659e97e28e728226546a4cdb6329d9a45dd2afbc3 (AV positives: 20/71 scanned on 02/22/2019 00:56:25)
File SHA256: dd6f94a9002bcfa2c3dba1159c9a746291ae21d165df08175fe7bd9a04b37b0c (AV positives: 21/71 scanned on 02/15/2019 04:36:19)
File SHA256: f9058c8cb959004c4a2535a5833c8048b16cb17123970fa80ff8dae25fc50a55 (AV positives: 20/71 scanned on 02/15/2019 05:35:05)
File SHA256: 895694056d33ffe182499e017c990f8f8ab2e813a3e6ef69e47bec34401db33c (AV positives: 22/71 scanned on 02/15/2019 02:13:18)
File SHA256: f28ef7b2c62754047cbd805ba9d893dcab7a856c7e0e1a5b099d37998ff2b2b4 (AV positives: 21/71 scanned on 02/15/2019 05:33:28)
Found malicious artifacts related to "13.249.142.114": ...
URL: https://note.mu/ (AV positives: 1/66 scanned on 02/22/2019 03:29:42)
URL: http://terrambmsads.com/ (AV positives: 1/66 scanned on 02/20/2019 08:17:45)
URL: http://download.dataaccess.com/dataflex2016/DataFlex2016-18.2.71.1.Client.exe (AV positives: 1/69 scanned on 02/17/2019 20:24:03)
URL: http://orange.programme-de-fidelisation.net/iphone-x/c/pop/orange/index.html?ip=199.247.15.120&cep=kmAHv5ZILOy0aKZ8XNooFwW6QzIuvgiGty-3MYrpSL0Ietyx633XgpBvjezmn-dhrWbhmuo7lEMwVb8GNnbhjhOJJnnr4hC2bYWQw9__421VVhjVCX8Mikr7HBlZnAaRVggKeNcfVJyu_KMk0GyW6modV53xXZD-AWKQo8oeG0NI457GZSKw9HE2FaQ5eqtLLpgKQyG3aOWnffqpGkOlw2JW7P5oSLC8FJy9ajfGB6VdIM_3f0TQWe61Y06wAgWxHZh8ILFcb9EahePNRuIuCP7kVBKtvRBYqPvga0JwiQif1JwbrvlWHqlTRPaAOhSXVkvjR1clKWLlsB7JceRlQgmv22oY4j7i_bLMLNe7c-bt4vkqmEEyBkEs-jLKmhB0GznDbXGc2PoneykY5-pAMA&zone=1918183-0-124128805&lang=FR&time=1543937241&campaing=95205420&ban=21907750&ssp=&udid=&org=Vultr%20Holdings%20LLC%20Paris&advertiser=76327&clickid=15439360771490469207168578180337298 (AV positives: 3/66 scanned on 02/11/2019 22:37:13)
URL: http://cdn.flawelcome.com/content/image/5c4b2521918f6.png (AV positives: 2/66 scanned on 02/10/2019 12:05:31)
File SHA256: ab04b5c9463c2fd60b6afbf687cf74b12f1bdfc3e510cdb8f7e774166aca6699 (AV positives: 1/70 scanned on 02/05/2019 12:22:55)
File SHA256: 52d7fd65feff268c47992657e03b2052b173b9598084cc9beb17b4596d88eb06 (AV positives: 7/63 scanned on 03/08/2017 08:47:00)
Found malicious artifacts related to "172.217.4.67": ...
File SHA256: ae0d972ea112a2a52e758ba5f1c8afac4dc9ee97784b1c61291cf88089341578 (AV positives: 56/71 scanned on 02/10/2019 23:44:14)
File SHA256: a1fcf9e50ecf178e3fcfb6a835250cd2b31a9d7848705240264fcf18018a4992 (AV positives: 52/70 scanned on 01/29/2019 23:47:01)
File SHA256: 1d1dcc6327d68697b07f38f5ffeb5561fcd552e3e7e1137b772533b1110f5856 (AV positives: 52/69 scanned on 01/29/2019 22:46:48)
File SHA256: b7015528512a48d0d29b326dbb166198d179feb967d647e67615edadbc956c92 (AV positives: 56/70 scanned on 01/29/2019 22:46:45)
File SHA256: aacb2202e7feee8b2ecbdd0f28821847e63581e1c5a91b3aa07399b4db19d891 (AV positives: 53/70 scanned on 01/29/2019 21:46:47)
File SHA256: 07e72663e9f6dd057ce76598d1f0c10b2ab275fe619932db520fdf56a15fd50c (Date: 12/16/2017 02:37:54)
File SHA256: 059aa4ed9f70679e204edca8bf51b12a90397db30f22a03a99b5e908588da026 (Date: 12/16/2017 01:46:52)
File SHA256: 6ed9be4113a595bf770460226a2977321e1dba1c7e53b8582fac4c9e8682c9e3 (Date: 11/20/2017 15:14:58)
File SHA256: 28f1a719df821b8f8e4d6e3f38ce6b67ccf0dd55a85e8dbdd937255806e48f3a (Date: 11/20/2017 15:08:31)
File SHA256: 5a8c750183dd364a91fb371765b10b39e3fc0bad1dc01ea45f0a43f623a10740 (Date: 11/06/2017 20:36:12)
Found malicious artifacts related to "52.35.21.241": ...
URL: http://52.35.21.241/ (AV positives: 1/67 scanned on 10/03/2018 06:32:08)
File SHA256: e56bbc5aff32748a57a36b1ea20bc3dde42e5fdc279ff96a37d3f791dcba6236 (AV positives: 23/71 scanned on 02/15/2019 04:16:06)
File SHA256: 5545a70552cb07247167d7cd6c93631377ac817d2ea3daf8c29071c242ea7b45 (AV positives: 22/72 scanned on 02/15/2019 04:42:56)
File SHA256: eb6713c04f45d42268ec707177c02883676abb437c17c1fd7c60049ed0a10a33 (AV positives: 20/70 scanned on 02/15/2019 04:46:45)
File SHA256: 923d319577491a2bff4baa76ef467ce0ff07e91f4b193a2a44d68ea7f17df11c (AV positives: 21/71 scanned on 02/15/2019 01:56:03)
File SHA256: eb32df52c79f730dbd9b7d32c0782b9e575f860915d59ebfdf29cfe59a564c04 (AV positives: 21/72 scanned on 02/15/2019 05:17:30)
File SHA256: 322777e91235afdde87966165b8cc7a071eaf083f533cedcc039221f78efd4b4 (Date: 12/16/2018 20:43:28)
File SHA256: 86472ebe16f8c73c26a91740d8b7f5572cf5937a8b282dd7094d80c834589bad (Date: 12/16/2018 20:40:18)
File SHA256: a34f302e7e79fcfd98f9863b67fe0afbe6f539eb38cf88cdc288938eb5dddb26 (Date: 11/25/2018 06:12:00)
File SHA256: 2d425fd8c896566929a2cc76ababd82e524a326d20f54a0583d15a06c5f8737f (Date: 11/25/2018 06:09:27)
File SHA256: 27b6ff419d02d2d88ec125166e93253e6f0fae57859473c372e1514d86104920 (Date: 11/14/2018 19:55:31)
Found malicious artifacts related to "13.249.142.99": ...
URL: https://formulawire.com/c/179964eb-3717-11e7-aa7d-06867f9fc2d7?tracker=5hxcdd9uubup4u3asmqog8000803029656696&ctrack=1551032219.2727565670 (AV positives: 1/66 scanned on 02/24/2019 18:17:34)
URL: https://formulawire.com/c/179964eb-3717-11e7-aa7d-06867f9fc2d7?tracker=5hxcajt2a6eiwxygy188w4g8w803025558463&ctrack=1551031745.795386848 (AV positives: 1/66 scanned on 02/24/2019 18:17:30)
URL: https://click.featuredit.com/redir/5c6bf24ac2ffe795dbe553c1/eyJjIjoiYzcwZTY0NmY4ZGU4MGM0NGEwMzE0NmJhODg0ZTgzYjZmMjEwMmFmYSIsInNjIjoiNWM2YmYxNWNkZmVkMjAwYWU2MzA4YWYzIiwidSI6IjU5Y2NmMzdmYzJkOTRlOGE2YTgyYjU5NSJ9?_ze=simon.neilson@bt.com&email=simon.neilson@bt.com (AV positives: 1/69 scanned on 02/24/2019 13:33:25)
URL: https://formulawire.com/c/179964eb-3717-11e7-aa7d-06867f9fc2d7?trace-lynx=rp&checklynx_2018=1&tracker=jshul22hd8764ridii8s44k0s802868158670&ctrack=1550948319.730730319 (AV positives: 1/66 scanned on 02/23/2019 19:00:14)
URL: https://click.featuredit.com/redir/5c6bf24ac2ffe795dbe553c1/eyJjIjoiM2UxNmJkMzdl%20NGQ4OTBlYjJiNWM0NWQ3YWNlNTIzYjc3MGIzMmJjZSIsInNjIjoiNWM2YmYxNWNkZmVkMjAwYWU2MzA4%20YWYzIiwidSI6IjU5Y2NmMzdmYzJkOTRlOGE2YTgyYjU5NSJ9?_ze=usman.akhtar@vodafone.com&email=usman.akhtar@vodafone.com (AV positives: 1/66 scanned on 02/22/2019 23:00:00)
File SHA256: b309dda241fb5cc61c4f227412720c1cb7924f287302bc40810e294259327311 (AV positives: 13/71 scanned on 02/11/2019 16:31:47)
File SHA256: 7921a6035cc8a0981a5dee737dd3d29b150ddd48407717d3fca4b6376f2b0e70 (AV positives: 1/56 scanned on 02/05/2019 01:58:39)
File SHA256: 03b6e6f86468ca3733aba1602d6ea9ae9db36c50791a6708ea0fc9cb266f539e (AV positives: 22/70 scanned on 01/22/2019 07:10:05) - source
- Network Traffic
- relevance
- 10/10
-
Multiple malicious artifacts seen in the context of different hosts
- details
- Same artifact list as the "Malicious artifacts seen in the context of a contacted host" indicator above (hosts 54.68.149.88, 13.249.142.114, 172.217.4.67, 52.35.21.241, 13.249.142.99)
- source
- Network Traffic
- relevance
- 10/10
-
Suspicious Indicators 17
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
-
"without Hyper-V for WESS" (Indicator: "hyper-v")
"Standard without Hyper-V" (Indicator: "hyper-v")
"Datacenter without Hyper-V" (Indicator: "hyper-v")
"Enterprise without Hyper-V" (Indicator: "hyper-v")
"Datacenter without Hyper-V (core)" (Indicator: "hyper-v")
"Standard without Hyper-V (core)" (Indicator: "hyper-v")
"Enterprise without Hyper-V (core)" (Indicator: "hyper-v")
"Hyper-V Server" (Indicator: "hyper-v")
"HPC Edition without Hyper-V" (Indicator: "hyper-v")
"FoundationHome Server 2011without Hyper-V for WESSStandard without Hyper-VDatacenter without Hyper-VEnterprise without Hyper-V!Datacenter without Hyper-V (core)Standard without Hyper-V (core)!Enterprise without Hyper-V (core)Hyper-V ServerStorage Server Express (core)Storage Server Standard (core)Storage Server Workgroup (core) Storage Server Enterprise (core)Starter NProfessionalProfessional NSBS 2011 EssentialsSB SolutionsSolutions PremiumSolutions Premium (core)SB Solutions EM$Essential Server Solution Management$Essential Server Solution Additional(Essential Server Solution Management Svc(Essential Server Solution Additional Svc$Small Business Server Premium (core)HPC Edition without Hyper-VEnterprise (evaluation)Standard (evaluation)Datacenter (evaluation)SVWUQr03nV;r$P#n0nuJt'Ak0FHtHt'AL0'A;0fu'A0ft'A|2f t(Ai2ft(AV2f@t4(AC2ftX(A02$$t~v4p(ArEt-$$t~h(A7h(A2Z]_^[HomeProfessionalProfessional x64 EditionStandard, Enterprise, Storage Server, Datacenter, Computer Cluster Edition" (Indicator: "hyper-v") - source
- File/Memory
- relevance
- 4/10
-
Reads the active computer name
- details
-
"<Input Sample>.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME") - source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/68 reputation engines marked "http://www.borland.com/namespaces/types" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
POSTs files to a webserver
- details
-
"POST /GTSGIAG3 HTTP/1.1
Host: ocsp.pki.goog
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 75
Content-Type: application/ocsp-request
Connection: keep-alive" with no payload - source
- Network Traffic
- relevance
- 5/10
-
Installation/Persistence
-
Creates new processes
- details
-
"<Input Sample>.exe" is creating a new process (Name: "%WINDIR%\System32\csrss.exe", Handle: 392)
"<Input Sample>.exe" is creating a new process (Name: "%TEMP%\IncrediBuild_Setup_3300\Setup.exe", Handle: 352) - source
- API Call
- relevance
- 8/10
-
Monitors specific registry key for changes
- details
- "Setup.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder" (Filter: 4; Subtree: 0)
- source
- API Call
- relevance
- 4/10
- ATT&CK ID
- T1012
-
Network Related
-
Found potential IP address in binary/memory
- details
-
Heuristic match: "TIytD,CuP:CdF}trd^[Y]@u@@(G@SVQr$VFY3D,jYCuF\Y$n<$~YrZ^[@@SVWCh_^[@@g@@Pg@7.07.18.09.010.011.012.014.015.0200220032005200820102012201320152017.vcxitems.shprojUSV3UEE@3Uh"Td0d EP4T.EUE
~HaojE(uC", Heuristic match: "E$Tv3ZYYdhTEEEE*EEE~Eu m^[]File not found: %sProjectPlatformToolset9.0011.012.014.015.010.0Win32Win64<unknown>Intel CompilerParallel ComposerPEPCUSV3UUUUUEE$y3UhTd0d fEE3UhTd2d"3EEPUEZTEYUEY3EsEPUEYUExvIdE" - source
- File/Memory
- relevance
- 3/10
-
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
-
TCP traffic to 54.68.149.88 on port 443 is sent without HTTP header
TCP traffic to 13.249.142.114 on port 443 is sent without HTTP header
TCP traffic to 172.217.4.42 on port 443 is sent without HTTP header
TCP traffic to 172.217.4.67 on port 80 is sent without HTTP header
TCP traffic to 52.35.21.241 on port 443 is sent without HTTP header
TCP traffic to 13.249.142.99 on port 443 is sent without HTTP header - source
- Network Traffic
- relevance
- 5/10
-
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0
- source
- Network Traffic
- relevance
- 10/10
-
Remote Access Related
-
Reads terminal service related keys (often RDP related)
- details
-
"<Input Sample>.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
"lzma.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
"Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076
-
System Destruction
-
Marks file for deletion
- details
-
"C:\016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5.exe" marked "%TEMP%\IncrediBuild_Setup_3300\info.dat" for deletion
"C:\016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\IncrediBuild_Setup_3300\Logs" for deletion
"C:\016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\IncrediBuild_Setup_3300\lzma.exe" for deletion
"C:\016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\IncrediBuild_Setup_3300\Setup.exe" for deletion
"C:\016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\IncrediBuild_Setup_3300\Setup.lzma" for deletion
"C:\016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\IncrediBuild_Setup_3300\Setup.pak" for deletion
"C:\016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\IncrediBuild_Setup_3300" for deletion
"%TEMP%\IncrediBuild_Setup_3300\Setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\IncrediBuild_Setup_3300\Logs\Setup.log" for deletion - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107
-
Opens file with deletion access rights
- details
-
"<Input Sample>.exe" opened "%TEMP%\IncrediBuild_Setup_3300\info.dat" with delete access
"<Input Sample>.exe" opened "%TEMP%\IncrediBuild_Setup_3300\Logs" with delete access
"<Input Sample>.exe" opened "%TEMP%\IncrediBuild_Setup_3300\lzma.exe" with delete access
"<Input Sample>.exe" opened "%TEMP%\IncrediBuild_Setup_3300\Setup.exe" with delete access
"<Input Sample>.exe" opened "%TEMP%\IncrediBuild_Setup_3300\Setup.lzma" with delete access
"<Input Sample>.exe" opened "%TEMP%\IncrediBuild_Setup_3300\Setup.pak" with delete access
"<Input Sample>.exe" opened "%TEMP%\IncrediBuild_Setup_3300\" with delete access
"Setup.exe" opened "%TEMP%\IncrediBuild_Setup_3300\Logs\Setup.log" with delete access - source
- API Call
- relevance
- 7/10
-
System Security
-
Hooks API calls
- details
-
"ExitProcess@KERNEL32.DLL" in "<Input Sample>.exe"
"ExitProcess@KERNEL32.DLL" in "Setup.exe" - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"<Input Sample>.exe" wrote bytes "c04e497720544a77e0654a77b5384b770000000000d0c67600000000c5eac6760000000088eac67600000000e9685b7582284b77ee294b7700000000d2695b75000000007dbbc6760000000009be5b7500000000ba18c67600000000" to virtual address "0x77601000" (part of module "NSI.DLL")
"<Input Sample>.exe" wrote bytes "b8acca4400ffe0909090900f85130100" to virtual address "0x00405050" (part of module "016348063E6D96DF7E4DCC6AA5EE0CCDA68B530F876191E554CB7F8C1C0CD0E5.EXE")
"<Input Sample>.exe" wrote bytes "e9a9607b896aff68b0f3e877ff7508ff" to virtual address "0x76C7BE52" ("ExitProcess@KERNEL32.DLL")
"<Input Sample>.exe" wrote bytes "50b8f4ca4400ffe0546a076a0168defa" to virtual address "0x004054B6" (part of module "016348063E6D96DF7E4DCC6AA5EE0CCDA68B530F876191E554CB7F8C1C0CD0E5.EXE")
"<Input Sample>.exe" wrote bytes "e97b200200c6e8cd94ffff50e8a3bdff" to virtual address "0x0040CB08" (part of module "016348063E6D96DF7E4DCC6AA5EE0CCDA68B530F876191E554CB7F8C1C0CD0E5.EXE")
"<Input Sample>.exe" wrote bytes "e9db910200f920777c83e9087f07ff24" to virtual address "0x004036EC" (part of module "016348063E6D96DF7E4DCC6AA5EE0CCDA68B530F876191E554CB7F8C1C0CD0E5.EXE")
"<Input Sample>.exe" wrote bytes "b8d0ca4400ffe0909090900f856f0100" to virtual address "0x0040517C" (part of module "016348063E6D96DF7E4DCC6AA5EE0CCDA68B530F876191E554CB7F8C1C0CD0E5.EXE")
"Setup.exe" wrote bytes "c04e497720544a77e0654a77b5384b770000000000d0c67600000000c5eac6760000000088eac67600000000e9685b7582284b77ee294b7700000000d2695b75000000007dbbc6760000000009be5b7500000000ba18c67600000000" to virtual address "0x77601000" (part of module "NSI.DLL")
"Setup.exe" wrote bytes "48121f75" to virtual address "0x752083C0" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "f8111f75" to virtual address "0x752083E0" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "e9dfd40200f920777c83e9087f07ff24" to virtual address "0x00403800" (part of module "SETUP.EXE")
"Setup.exe" wrote bytes "50b8047f8500ffe0546a076a0168defa" to virtual address "0x00405802" (part of module "SETUP.EXE")
"Setup.exe" wrote bytes "48120000" to virtual address "0x751F139C" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "48120000" to virtual address "0x751F12DC" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "f8111f75" to virtual address "0x752083C4" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "48121f75" to virtual address "0x75208364" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "6012b06e" to virtual address "0x7741E324" (part of module "WININET.DLL")
"Setup.exe" wrote bytes "b8c015b06effe0" to virtual address "0x751F11F8" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "48121f75" to virtual address "0x75208348" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "f8111f75" to virtual address "0x75208368" (part of module "SSPICLI.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Reads information about supported languages
- details
-
"<Input Sample>.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Hiding 2 Suspicious Indicators
-
Informative 15
-
Environment Awareness
-
Contains ability to query the machine version
- details
- GetVersionExA@KERNEL32.DLL from lzma.exe (PID: 4332)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Queries volume information
- details
- "<Input Sample>.exe" queries volume information of "%TEMP%\IncrediBuild_Setup_3300\Setup.exe" at 00013915-00003300-0000010C-27112716597
- source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/65 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Contacts domains
- details
-
"ocsp.pki.goog"
"a1089.dscd.akamai.net"
"cs9.wac.phicdn.net"
"d1zkz3k4cclnv6.cloudfront.net"
"dcky6u1m8u6el.cloudfront.net"
"detectportal.firefox.com"
"safebrowsing.googleapis.com"
"shavar.prod.mozaws.net" - source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"54.68.149.88:443"
"13.249.142.114:443"
"172.217.4.42:443"
"172.217.4.67:80"
"52.35.21.241:443"
"13.249.142.99:443" - source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"Attempt to access uninitialized member object: TVEProcessPacket.PdbForwarderContext"
"@13ZYYdh2L]2LTSystemMessageRecord@"Project has an unknown target type%Environment variables are not defined-Intermediate directory override at file level.#import should use no_implementation attribute&'/Fd' compiler option is not supported/Auto. precompiled header use is not recommended1Large number of files create a precompiled headerUnsupported compiler detected.Importing type library directly is recommended'Project imports the module it generates0Project imports module that isn't its dependency.Import causes an implicit recursive dependency+Use of #pragma once in a precompiled header0Using Backup Coordinator (primary not available)3Current logging level may degrade build performance$Standalone mode is currently enabled!Response files could not be foundPDB instance limit is enabled*Could not monitor inaccessible directories%Running inside job is not recommended7Attempt to write file to a system directory was blocked6Attempt to write .NET security config file was blocked/Failed to load VC Components configuration file$Unix shell redirection misconfigured;"Setup and Deployment" projects are currently not supportedFile synchronization failedACommand line parameter(s) not yet supported in Visual Studio 2010Process priority elevatedDisabling Helper(Make & Build Tools license not allocatedQOnly Helper machines with Vista OS or higher will participate in build execution.PDB Forwarding Unavailable.C# license is missing.XBOX license is missing.NUnit license is missing.Unity3D license is missing.U3Uh4:Ld0d &puPn$2L)3ZYYdh;:Lg]@:L:LLH@ H@$H@(H@H@dE@E@|LL>L1LTBlockedApplicationListUQSVWUE2 3Uh9;Ld0d L,{CUH;LCfL;LfC N;LC"CCX;Lq3ZYYdh@;LE<b_^[Y]@An IncrediBuild for Klocwork license is required in order to accelerate Klocwork products.", "~d_^~du3_^QD_^@duM@OSAttempt to access uninitialized member object: TVEProcessPacket.PdbForwarderContextSVWU#ktjCktjC]_^[S3C3C3CC*C*3CC C$C(C,C03C4C8}*3C<3C@CDCHCLCPCQ3fCaCbCdtR8Ch3C[SV;^M;MGC;F,C;F C;FVC)VC)C;FC V 
C$V$C(V(C,V,C0:F0C4;F4V8C8C)tvC<;F<unC@;F@ufCD:FDu]CHSL;VLuR;FHuMCP:FPuDVQCQt5Ca:Fau
Cb:Fbu#9tVhChu3^[USVW;^tuu&u3;MG;Ft" - source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>.exe" created file "%TEMP%\IncrediBuild_Setup_3300\lzma.exe"
"<Input Sample>.exe" created file "%TEMP%\IncrediBuild_Setup_3300\Setup.lzma"
"<Input Sample>.exe" created file "%TEMP%\IncrediBuild_Setup_3300\Setup.exe"
"<Input Sample>.exe" created file "%TEMP%\IncrediBuild_Setup_3300\info.dat"
"lzma.exe" created file "%TEMP%\IncrediBuild_Setup_3300\Setup.pak"
"Setup.exe" created file "%TEMP%\IncrediBuild_Setup_3300\Logs\Setup.log" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\XoreaxIncrediBuild_016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5_Mutex_%OSUSER%_WinSta0"
"\Sessions\1\BaseNamedObjects\Global\XoreaxIncrediBuild_016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5_Mutex"
"\Sessions\1\BaseNamedObjects\Xoreax_LogMutex_016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5"
"Global\XoreaxIncrediBuild_016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5_Mutex"
"Xoreax_LogMutex_016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5"
"XoreaxIncrediBuild_016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5_Mutex_%OSUSER%_WinSta0"
"\Sessions\1\BaseNamedObjects\Xoreax_LogMutex_setup"
"\Sessions\1\BaseNamedObjects\XoreaxIncrediBuild_setup_Mutex_%OSUSER%_WinSta0"
"\Sessions\1\BaseNamedObjects\Global\XoreaxIncrediBuild_setup_Mutex"
"Xoreax_LogMutex_setup"
"XoreaxIncrediBuild_setup_Mutex_%OSUSER%_WinSta0"
"Global\XoreaxIncrediBuild_setup_Mutex" - source
- Created Mutant
- relevance
- 3/10
-
Spawns new processes
- details
- Spawned process "lzma.exe" with commandline "d "%TEMP%\IncrediBuild_Setup_3300\Setup.lzma" "%TEMP%\IncrediBui ...", Spawned process "Setup.exe" with commandline "/installer_filename="C:\016348063e6d96df7e4dcc6aa5ee0ccda68b530f ..."
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
- Spawned process "lzma.exe" with commandline "d "%TEMP%\IncrediBuild_Setup_3300\Setup.lzma" "%TEMP%\IncrediBui ...", Spawned process "Setup.exe" with commandline "/installer_filename="C:\016348063e6d96df7e4dcc6aa5ee0ccda68b530f ..."
- source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"<Input Sample>.exe" connecting to "\ThemeApiPort"
"Setup.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5.log" has type "ASCII text with CRLF line terminators"
"info.dat" has type "data"
"Setup.log" has type "ASCII text with CRLF line terminators"
"Setup.pak" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
"<Input Sample>.exe" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"<Input Sample>.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>.exe" touched file "C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\comctl32.dll.mui"
"<Input Sample>.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"<Input Sample>.exe" touched file "C:\Windows\System32\en-US\ntdll.dll.mui"
"Setup.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"Setup.exe" touched file "C:\Windows\AppPatch\AcGenral.dll"
"Setup.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"Setup.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"Setup.exe" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"Setup.exe" touched file "C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\comctl32.dll.mui" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "GlassFrame.Top"
Pattern match: "http://www.w3.org/2001/XMLSchema"
Pattern match: "http://www.w3.org/2000/xmlns/"
Pattern match: "http://www.w3.org/2001/XMLSchema-instance"
Pattern match: "http://www.w3.org/1999/XMLSchema-instance"
Pattern match: "http://www.w3.org/2000/10/XMLSchema-instance"
Pattern match: "http://www.w3.org/1999/XMLSchema"
Pattern match: "http://www.w3.org/2000/10/XMLSchema"
Pattern match: "http://schemas.xmlsoap.org/soap/encoding/"
Pattern match: "http://www.borland.com/namespaces/Types"
Pattern match: "http://support.microsoft.com/kb/239114"
Heuristic match: "a1089.dscd.akamai.net"
Heuristic match: "cs9.wac.phicdn.net"
Heuristic match: "d1zkz3k4cclnv6.cloudfront.net"
Heuristic match: "dcky6u1m8u6el.cloudfront.net"
Heuristic match: "detectportal.firefox.com"
Heuristic match: "safebrowsing.googleapis.com"
Heuristic match: "shavar.prod.mozaws.net"
Pattern match: "http://www.incredibuild.com"
Pattern match: "www.quicklz.com/order.html"
Pattern match: "http://www.xoreax.com"
Heuristic match: ")oo@(oo@(oo@(po@((po@(Lpo@(ppo@w(po@b(po@M(po@8(po@#(po@(po@'po@'po@'po@'Lqo@'qo@'ro@{'tro@f'xro@Q'|ro@<'ro@''ro@'ro@&ro@&ro@&3ZYYdhV=WL]=W=W=WP@H@ H@$H@(H@H@dE@E@>W@@$@(@,@0@8@<@LTBuildSubEnvVC@SVWUu L>W1t\>W]_^[XenonXbox 360Srt>WH[>W:[>W@[MicrosoftIntelI" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"<Input Sample>.exe" opened "\Device\KsecDD"
"Setup.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
File Details
incredibuild_vs2017_932_2457.exe
- Filename
- incredibuild_vs2017_932_2457.exe
- Size
- 72MiB (75649408 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5
- MD5
- a8f3c823608316bcef5455080dc2eb02
- SHA1
- 907256f6e74831deb21f8e48214ca82f242b0a94
Screenshots
Hybrid Analysis
Analysed 3 processes in total.
- Input Sample (PID: 3300)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
a1089.dscd.akamai.net | 23.222.248.51 (TTL: 19) | - | United States |
cs9.wac.phicdn.net | 72.21.91.29 (TTL: 3560) | MarkMonitor, Inc. | United States |
d1zkz3k4cclnv6.cloudfront.net | 54.192.7.191 (TTL: 16) | MarkMonitor, Inc. | United States |
dcky6u1m8u6el.cloudfront.net | 54.192.7.42 (TTL: 27) | MarkMonitor, Inc. | United States |
detectportal.firefox.com | 23.222.248.51 (TTL: 27) | MarkMonitor, Inc. | United States |
ocsp.pki.goog | 172.217.4.67 (TTL: 153) | - | United States |
safebrowsing.googleapis.com | 172.217.9.10 (TTL: 299) | MarkMonitor, Inc. | United States |
shavar.prod.mozaws.net | 54.200.76.177 (TTL: 11) | GANDI SAS (Organization: Mozilla; Name Server: NS-1084.AWSDNS-07.ORG; Creation Date: Tue, 18 Jun 2013 00:00:00 GMT) | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
54.68.149.88 | 443/TCP | firefox.exe (PID: 340) | United States |
13.249.142.114 | 443/TCP | firefox.exe (PID: 340) | United States |
172.217.4.42 | 443/TCP | firefox.exe (PID: 340) | United States |
172.217.4.67 | 80/TCP | firefox.exe (PID: 340) | United States |
52.35.21.241 | 443/TCP | firefox.exe (PID: 340) | United States |
13.249.142.99 | 443/TCP | firefox.exe (PID: 340) | United States |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | Request headers |
---|---|---|---|
172.217.4.67:80 (ocsp.pki.goog) | POST | ocsp.pki.goog/GTSGIAG3 | see raw request below |

POST /GTSGIAG3 HTTP/1.1
Host: ocsp.pki.goog
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 75
Content-Type: application/ocsp-request
Connection: keep-alive
Extracted Strings
Extracted Files
-
Informative Selection 1
-
-
Setup.pak
- Size
- 4MiB (4194304 bytes)
- Type
- html
- Runtime Process
- lzma.exe (PID: 4332)
- MD5
- f3a6314cb67c96f40699511659981e5e
- SHA1
- e649c6fa8146c153e6348ae48c0a10dddfe9b7a7
- SHA256
- 7b86488b04887e23ff410c2b80fb48bb4322c5e5e00601e9536a3a6a518b5f1a
-
-
Informative 3
-
-
Setup.log
- Size
- 246B (246 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- Setup.exe (PID: 3244)
- MD5
- 48bfe4b56c99eab2d62aae3dcc646463
- SHA1
- 8ca64d2802f41adbb96cf043d96e1fb90ae36700
- SHA256
- 792820f7286a3ff3c8990239c50aa1a25a33d4d03c55b1120fb74c84f8d8c227
-
info.dat
- Size
- 116B (116 bytes)
- Type
- data
- Runtime Process
- Setup.exe (PID: 3244)
- MD5
- a0b4282b5fadb4cb592cb49d64a0589e
- SHA1
- cc87b92944f141e6acd705bd890ee3948fed9ef1
- SHA256
- db89492b34bcb2022ed2aeadba95b63379582494ad0b070dc8be440e69412c83
-
016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5.log
- Size
- 246B (246 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- 016348063e6d96df7e4dcc6aa5ee0ccda68b530f876191e554cb7f8c1c0cd0e5.exe (PID: 3300)
- MD5
- c7edbde15cc9ffe4fa33fa17ff69600a
- SHA1
- 3104716243695f3e8f91bc8eaf00c1a0c52c7896
- SHA256
- c2207eecd127daf5fe23890549b267d2eb2ef1dcbb4b17d98af1d90d5a92872d
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Network whitenoise filtering (Process) was applied
- No static analysis parsing on sample was performed
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)