1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179
This report is generated from a file or URL submitted to this webservice on May 17th 2021 19:01:15 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.48.3 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
  - Spawns a lot of processes
- Fingerprint
  - Queries kernel debugger information
  - Queries process information
  - Queries sensitive IE security settings
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
  - Modifies file/console tracing settings (often used to hide footprints on system)
  - Possibly checks for the presence of an Antivirus engine
  - Tries to sleep for a long time (more than two minutes)
- Network Behavior
  - Contacts 1 domain
MITRE ATT&CK™ Techniques Detection
Additional Context
OSINT
- External References
  - https://www.ncsc.gov.uk/section/keep-up-to-date/cisp
  - https://www.virustotal.com/gui/file/8406ca490c60ec41569b35f31f1860ff4663bba44d1daac64760ecdfe694203d/detection
  - https://www.virustotal.com/gui/file/9762444b94fa6cc5a25c79c487bbf97e007cb680118afeab0f5643d211fa3f78/details
  - https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit
  - http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf
- External User Tags
  - #apt33 #apt34 #apt39 #cleaver #copykittens #iran #leafminer #muddywater #oilrig
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
Malicious Indicators 12

Anti-Detection/Stealthyness
- Modifies file/console tracing settings (often used to hide footprints on system)
  - details
    - "<Input Sample>.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "ENABLEFILETRACING"; Value: "00000000")
    - "<Input Sample>.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "ENABLECONSOLETRACING"; Value: "00000000")
    - "<Input Sample>.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "FILETRACINGMASK"; Value: "0000FFFF")
    - "<Input Sample>.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "CONSOLETRACINGMASK"; Value: "0000FFFF")
  - source: Registry Access
  - relevance: 5/10
  - ATT&CK ID: T1112
External Systems
- Sample was identified as malicious by a large number of Antivirus engines
  - details
    - 48/69 Antivirus vendors marked sample as malicious (69% detection rate)
  - source: External System
  - relevance: 10/10
- Sample was identified as malicious by at least one Antivirus engine
  - details
    - 48/69 Antivirus vendors marked sample as malicious (69% detection rate)
  - source: External System
  - relevance: 8/10
General
- The analysis extracted a file that was identified as malicious
  - details
    - 55/72 Antivirus vendors marked dropped file "netscp.exe" as malicious (classified as "Backdoor.Tnzbt" with 76% detection rate)
    - 41/70 Antivirus vendors marked dropped file "service.exe" as malicious (classified as "Trojan.Zapchast" with 58% detection rate)
    - 49/70 Antivirus vendors marked dropped file "MainModule.dll" as malicious (classified as "Gen:Variant.Johnnie" with 70% detection rate)
    - 54/70 Antivirus vendors marked dropped file "TimerModule.tmd" as malicious (classified as "Trojan.Zapchast" with 77% detection rate)
    - 49/70 Antivirus vendors marked dropped file "WebServiceConnector.tmd" as malicious (classified as "Trojan.MSIL.Agent" with 70% detection rate)
  - source: Binary File
  - relevance: 10/10
- The analysis spawned a process that was identified as malicious
  - details
    - 55/72 Antivirus vendors marked spawned process "netscp.exe" (PID: 2972) as malicious (classified as "Backdoor.Tnzbt" with 76% detection rate)
    - 55/72 Antivirus vendors marked spawned process "netscp.exe" (PID: 3676) as malicious (classified as "Backdoor.Tnzbt" with 76% detection rate)
  - source: Monitored Target
  - relevance: 10/10
Installation/Persistence
- Allocates virtual memory in a remote process
  - details
    - "netscp.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
    - "netscp.exe" allocated memory in "%ALLUSERSPROFILE%\Microsoft FXcop\WebServiceConnector.tmd"
    - "csc.exe" allocated memory in "%WINDIR%\Temp\CSCBD3C.tmp"
  - source: API Call
  - relevance: 7/10
  - ATT&CK ID: T1055
- Writes data to a remote process
  - details
    - "cmd.exe" wrote 32 bytes to a remote process "%ALLUSERSPROFILE%\Microsoft FXcop\netscp.exe" (Handle: 80)
    - "cmd.exe" wrote 52 bytes to a remote process "C:\ProgramData\Microsoft FXcop\netscp.exe" (Handle: 80)
    - "cmd.exe" wrote 4 bytes to a remote process "C:\ProgramData\Microsoft FXcop\netscp.exe" (Handle: 80)
    - "netscp.exe" wrote 32 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 856)
    - "netscp.exe" wrote 52 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 856)
    - "netscp.exe" wrote 4 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 856)
    - "netscp.exe" wrote 32 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 900)
    - "netscp.exe" wrote 52 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 900)
    - "netscp.exe" wrote 4 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 900)
    - "netscp.exe" wrote 32 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 940)
    - "netscp.exe" wrote 52 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 940)
    - "netscp.exe" wrote 4 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 940)
    - "netscp.exe" wrote 32 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 884)
    - "netscp.exe" wrote 52 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 884)
    - "netscp.exe" wrote 4 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 884)
    - "netscp.exe" wrote 32 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 920)
    - "netscp.exe" wrote 52 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 920)
    - "netscp.exe" wrote 4 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 920)
    - "netscp.exe" wrote 32 bytes to a remote process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" (Handle: 600)
    - "netscp.exe" wrote 52 bytes to a remote process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" (Handle: 600)
    - "netscp.exe" wrote 4 bytes to a remote process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" (Handle: 600)
    - "csc.exe" wrote 32 bytes to a remote process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" (Handle: 256)
    - "csc.exe" wrote 52 bytes to a remote process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" (Handle: 256)
    - "csc.exe" wrote 4 bytes to a remote process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" (Handle: 256)
  - source: API Call
  - relevance: 6/10
  - ATT&CK ID: T1055
Pattern Matching
- YARA signature match
  - details
    - YARA signature "TinyZBot" classified file "all.bstring" as "apt,opcleaver,zbot" based on indicators: "netscp.exe,get_MainModule_WebReference_DefaultWS,remove_CheckFileMD5Completed,http://tempuri.org/,Zhoupin_Cleaver" (Author: Cylance)
    - YARA signature "OPCLEAVER_TinyZBot" classified file "all.bstring" as "apt,opcleaver,zbot" based on indicators: "netscp.exe,get_MainModule_WebReference_DefaultWS,remove_CheckFileMD5Completed,http://tempuri.org/,Zhoupin_Cleaver" (Reference: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf, Author: Cylance Inc.)
    - YARA signature "TinyZBot_PDB" classified file "all.bstring" as "zbot,zeus" based on indicators: "\Projects\Cleaver\trunk\MainModule\obj\Release\MainModule.pdb,\Projects\Cleaver\trunk\Modules\TimeModule\obj\Release\TimerModule.pdb,\Projects\Cleaver\trunk\Modules\WebServiceConnector\obj\Release\WebServiceConnector.pdb,\Projects\Cleaver\trunk\Zhoupin_Cleaver\obj\x86\Release\netscp.pdb" (Author: Marc Rivero Lopez)
  - source: YARA Signature
  - relevance: 10/10
Unusual Characteristics
- Spawns a lot of processes
  - details
    - Spawned process "<Input Sample>.exe"
    - Spawned process "cmd.exe" with commandline "/C "%ALLUSERSPROFILE%\Microsoft FXcop\netscp.exe" -u"
    - Spawned process "netscp.exe" with commandline "-u"
    - Spawned process "sc.exe" with commandline "create "Network Connectivity Manager" binpath= "%ALLUSERSPROFILE%\Microsoft FXcop\service.exe" displayname= "Network Connectivity Manager""
    - Spawned process "sc.exe" with commandline "create "Network Connectivity Manager" binpath= %ALLUSERSPROFILE%\Microsoft FXcop\service.exe" displayname= "Network Connectivity Manager"
    - Spawned process "sc.exe" with commandline "description "Network Connectivity Manager" "Manage networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. If this service is stopped, SSDP-based devices will not be discovered. If this service is disabled, any services that explicitly depend on it will fail to start""
    - Spawned process "sc.exe" with commandline "config "Network Connectivity Manager" start= auto"
    - Spawned process "sc.exe" with commandline "start "Network Connectivity Manager""
    - Spawned process "netscp.exe" with commandline "-u"
    - Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%WINDIR%\TEMP\qfz58tjp.cmdline""
    - Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%WINDIR%\TEMP\RESBD3D.tmp" "%WINDIR%\Temp\CSCBD3C.tmp""
  - source: Monitored Target
  - relevance: 8/10

Hiding 3 Malicious Indicators (all indicators are available only in the private webservice or standalone version)
Suspicious Indicators 23

Anti-Reverse Engineering
- Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
  - details
    - "<Input Sample>.exe" is allocating memory with PAGE_GUARD access rights
    - "netscp.exe" is allocating memory with PAGE_GUARD access rights
  - source: API Call
  - relevance: 10/10
Environment Awareness
- Reads the active computer name
  - details
    - "<Input Sample>.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
    - "netscp.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
    - "sc.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10
  - ATT&CK ID: T1012
- Reads the cryptographic machine GUID
  - details
    - "<Input Sample>.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
    - "netscp.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
    - "csc.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
    - "cvtres.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1012
- Tries to sleep for a long time (more than two minutes)
  - details
    - "netscp.exe" sleeping for "1566804069" milliseconds
  - source: API Call
  - relevance: 10/10
External Systems
- Found an IP/URL artifact that was identified as malicious by at least one reputation engine
  - details
    - 1/80 reputation engines marked "http://tempuri.org/t" as malicious (1% detection rate)
  - source: External System
  - relevance: 10/10
General
- Reads configuration files
  - details
    - "netscp.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
  - source: API Call
  - relevance: 4/10
Installation/Persistence
- Drops executable files
  - details
    - "netscp.exe" has type "PE32 executable (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
    - "service.exe" has type "PE32 executable (console) Intel 80386 Mono/.Net assembly for MS Windows"
    - "qfz58tjp.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
    - "MainModule.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
    - "TimerModule.tmd" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
    - "WebServiceConnector.tmd" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
    - "RESBD3D.tmp" has type "80386 COFF executable not stripped - version 25189"
  - source: Binary File
  - relevance: 10/10
Network Related
- Found potential IP address in binary/memory
  - details
    - Potential IP "192.168.56.101" found in string "&http://192.168.56.101/checkupdate.asmx"
    - "1.1.0.121"
    - Potential IP "2.0.0.0" found in string "mscorlib,2.0.0.0,,b77a5c561934e089,x86"
    - Potential IP "2.0.0.0" found in string "System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
    - Potential IP "2.0.0.0" found in string "System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL"
    - Potential IP "2.0.0.0" found in string "System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
    - Potential IP "2.0.0.0" found in string "System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
    - Potential IP "2.0.0.0" found in string "System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
    - Potential IP "2.0.0.0" found in string "Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
    - Potential IP "2.0.0.0" found in string "System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
    - Potential IP "2.0.0.0" found in string "System.ServiceProcess,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
    - Potential IP "2.0.0.0" found in string "System,2.0.0.0,,b77a5c561934e089,MSIL"
    - Potential IP "2.0.0.0" found in string "System.Xml,2.0.0.0,,b77a5c561934e089,MSIL"
    - Potential IP "2.0.0.0" found in string "System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
    - Potential IP "1.0.0.0" found in string "[assembly:System.Reflection.AssemblyVersionAttribute("1.0.0.0")]"
  - source: File/Memory
  - relevance: 3/10
Remote Access Related
- Contains references to WMI/WMIC
  - details
    - "WMIC /Node:localhost /Namespace:\\root\SecurityCenter Path AntiVirusProduct Get /Format:List<nul" (Indicator: "/node:")
    - "WMIC /Node:localhost /Namespace:\\root\SecurityCenter Path FirewallProduct Get /Format:List<nul" (Indicator: "/node:")
    - "WMIC /Node:localhost /Namespace:\\root\SecurityCenter Path AntiSpywareProduct Get /Format:List<nul" (Indicator: "/node:")
  - source: File/Memory
  - relevance: 10/10
  - ATT&CK ID: T1047
Spyware/Information Retrieval
- Found an instant messenger related domain
  - details
    - "radButtonPlus.Image" (Indicator: "plus.im"; File: "1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179.bin")
  - source: File/Memory
  - relevance: 10/10
System Destruction
- Marks file for deletion
  - details
    - "%ALLUSERSPROFILE%\Microsoft FXcop\netscp.exe" marked "%WINDIR%\Temp\qfz58tjp.cmdline" for deletion
    - "%ALLUSERSPROFILE%\Microsoft FXcop\netscp.exe" marked "%WINDIR%\Temp\qfz58tjp.0.cs" for deletion
    - "%ALLUSERSPROFILE%\Microsoft FXcop\netscp.exe" marked "%WINDIR%\Temp\qfz58tjp.err" for deletion
    - "%ALLUSERSPROFILE%\Microsoft FXcop\netscp.exe" marked "%WINDIR%\Temp\qfz58tjp.dll" for deletion
    - "%ALLUSERSPROFILE%\Microsoft FXcop\netscp.exe" marked "%WINDIR%\Temp\qfz58tjp.tmp" for deletion
    - "%ALLUSERSPROFILE%\Microsoft FXcop\netscp.exe" marked "%WINDIR%\Temp\qfz58tjp.out" for deletion
    - "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe" marked "%WINDIR%\Temp\RESBD3D.tmp" for deletion
    - "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\csc.exe" marked "%WINDIR%\Temp\CSCBD3C.tmp" for deletion
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1107
- Opens file with deletion access rights
  - details
    - "netscp.exe" opened "C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2972.907415984" with delete access
    - "netscp.exe" opened "C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2972.907415984" with delete access
    - "netscp.exe" opened "%APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2972.907416031" with delete access
    - "netscp.exe" opened "C:\Windows\TEMP\qfz58tjp.pdb" with delete access
    - "netscp.exe" opened "C:\Windows\TEMP\qfz58tjp.cmdline" with delete access
    - "netscp.exe" opened "C:\Windows\TEMP\qfz58tjp.0.cs" with delete access
    - "netscp.exe" opened "C:\Windows\TEMP\qfz58tjp.err" with delete access
    - "netscp.exe" opened "C:\Windows\TEMP\qfz58tjp.dll" with delete access
    - "netscp.exe" opened "C:\Windows\TEMP\qfz58tjp.tmp" with delete access
    - "netscp.exe" opened "C:\Windows\TEMP\qfz58tjp.out" with delete access
    - "csc.exe" opened "C:\Windows\TEMP\RESBD3D.tmp" with delete access
    - "csc.exe" opened "c:\Windows\Temp\CSCBD3C.tmp" with delete access
  - source: API Call
  - relevance: 7/10
System Security
- Modifies proxy settings
  - details
    - "netscp.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    - "netscp.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1112
- Queries sensitive IE security settings
  - details
    - "netscp.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - source: Registry Access
  - relevance: 8/10
  - ATT&CK ID: T1012
Unusual Characteristics
- Installs hooks/patches the running process
  - details
    - "<Input Sample>.exe" wrote bytes "fae6a977e1a6ae772e71ae77ee29ae7785e2a9776da0ae7726e4a977d16dae77003dac77804bac7700000000ad37c1778b2dc177b641c17700000000" to virtual address "0x74E01000" (part of module "WSHTCPIP.DLL")
    - "<Input Sample>.exe" wrote bytes "68130000" to virtual address "0x77C11680" (part of module "WS2_32.DLL")
    - "<Input Sample>.exe" wrote bytes "48128275" to virtual address "0x758383C0" (part of module "SSPICLI.DLL")
    - "<Input Sample>.exe" wrote bytes "f8118275" to virtual address "0x758383E0" (part of module "SSPICLI.DLL")
    - "<Input Sample>.exe" wrote bytes "f8118275" to virtual address "0x758383C4" (part of module "SSPICLI.DLL")
    - "<Input Sample>.exe" wrote bytes "48128275" to virtual address "0x75838364" (part of module "SSPICLI.DLL")
    - "<Input Sample>.exe" wrote bytes "b88011c06effe0" to virtual address "0x77C11368" (part of module "WS2_32.DLL")
    - "<Input Sample>.exe" wrote bytes "f8110000" to virtual address "0x75821408" (part of module "SSPICLI.DLL")
    - "<Input Sample>.exe" wrote bytes "b89012c06effe0" to virtual address "0x75821248" (part of module "SSPICLI.DLL")
    - "<Input Sample>.exe" wrote bytes "db4db56e00000000" to virtual address "0x011B7F30" (part of module "1578A4C641F0C7913CDF08267D1A88AC384D586C453B922670BE380B7E67A179.EXE")
    - "<Input Sample>.exe" wrote bytes "48128275" to virtual address "0x75838348" (part of module "SSPICLI.DLL")
    - "<Input Sample>.exe" wrote bytes "f8118275" to virtual address "0x75838368" (part of module "SSPICLI.DLL")
    - "<Input Sample>.exe" wrote bytes "f8110000" to virtual address "0x758212CC" (part of module "SSPICLI.DLL")
    - "<Input Sample>.exe" wrote bytes "f8118275" to virtual address "0x7583834C" (part of module "SSPICLI.DLL")
    - "<Input Sample>.exe" wrote bytes "e739aa77e1a6ae772e71ae77ee29ae7785e2a9776da0ae779064ad773ad5b47726e4a977d16dae77003dac77804bac7700000000ad37c1778b2dc177b641c17700000000" to virtual address "0x75351000" (part of module "WSHIP6.DLL")
    - "<Input Sample>.exe" wrote bytes "c04eac772054ad77e065ad77b538ae770000000000d05e7700000000c5ea5e770000000088ea5e7700000000e968bd758228ae77ee29ae7700000000d269bd75000000007dbb5e770000000009bebd7500000000ba185e7700000000" to virtual address "0x76381000" (part of module "NSI.DLL")
    - "<Input Sample>.exe" wrote bytes "b81015c06effe0" to virtual address "0x758211F8" (part of module "SSPICLI.DLL")
    - "<Input Sample>.exe" wrote bytes "275a87c2" to virtual address "0x6A03F798" (part of module "CLR.DLL")
    - "<Input Sample>.exe" wrote bytes "48120000" to virtual address "0x7582139C" (part of module "SSPICLI.DLL")
    - "<Input Sample>.exe" wrote bytes "48120000" to virtual address "0x758212DC" (part of module "SSPICLI.DLL")
  - source: Hook Detection
  - relevance: 10/10
  - ATT&CK ID: T1179
- Reads information about supported languages
  - details
    - "<Input Sample>.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
    - "<Input Sample>.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "SYEARMONTH")
    - "netscp.exe" (Path: "HKU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
    - "netscp.exe" (Path: "HKU\CONTROL PANEL\INTERNATIONAL"; Key: "SYEARMONTH")
    - "csc.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
    - "cvtres.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10
  - ATT&CK ID: T1012

Hiding 7 Suspicious Indicators (all indicators are available only in the private webservice or standalone version)
Informative 20

Environment Awareness
- Queries volume information
  - details
    - "<Input Sample>.exe" queries volume information of "C:\1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179.exe" at 00064524-00003504-0000010C-60342341
    - "netscp.exe" queries volume information of "%ALLUSERSPROFILE%\Microsoft FXcop\MainModule.dll" at 00065172-00002972-0000010C-3822872
    - "netscp.exe" queries volume information of "C:\ProgramData\Microsoft FXcop\MainModule.dll" at 00065172-00002972-0000010C-3823215
    - "netscp.exe" queries volume information of "C:\ProgramData\Microsoft FXcop\MainModule.dll" at 00065551-00003676-0000010C-3444317
    - "netscp.exe" queries volume information of "C:\ProgramData\Microsoft FXcop\MainModule.dll" at 00065551-00003676-0000010C-3444723
    - "netscp.exe" queries volume information of "C:\ProgramData\Microsoft FXcop\TimerModule.tmd" at 00065551-00003676-0000010C-6382275
    - "netscp.exe" queries volume information of "C:\ProgramData\Microsoft FXcop\TimerModule.tmd" at 00065551-00003676-0000010C-6383010
    - "netscp.exe" queries volume information of "C:\ProgramData\Microsoft FXcop\WebServiceConnector.tmd" at 00065551-00003676-0000010C-6448622
    - "netscp.exe" queries volume information of "C:\ProgramData\Microsoft FXcop\WebServiceConnector.tmd" at 00065551-00003676-0000010C-6449388
  - source: API Call
  - relevance: 2/10
  - ATT&CK ID: T1120
- Reads the registry for installed applications
  - details
    - "netscp.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SC.EXE")
    - "netscp.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SC.EXE")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1012
General
- Contacts domains
  - details
    - "microsoftactiveservices.com"
  - source: Network Traffic
  - relevance: 1/10
- Contains PDB pathways
  - details
    - "e:\Projects\Cleaver\trunk\MainModule\obj\Release\MainModule.pdb"
    - "e:\Projects\Cleaver\trunk\Modules\TimeModule\obj\Release\TimerModule.pdb"
    - "e:\Projects\Cleaver\trunk\Modules\WebServiceConnector\obj\Release\WebServiceConnector.pdb"
    - "e:\Projects\Cleaver\trunk\Zhoupin_Cleaver\obj\x86\Release\netscp.pdb"
    - "%USERPROFILE%\Documents\Visual Studio 2013\Projects\TestForInstallingService\TestForInstallingService\obj\Release\TestForInstallingService.pdb"
  - source: File/Memory
  - relevance: 1/10
- Creates a writable file in a temporary directory
  - details
    - "netscp.exe" created file "%WINDIR%\Temp\qfz58tjp.out"
    - "netscp.exe" created file "%WINDIR%\Temp\qfz58tjp.err"
    - "netscp.exe" created file "%WINDIR%\Temp\qfz58tjp.tmp"
    - "netscp.exe" created file "%WINDIR%\Temp\qfz58tjp.0.cs"
    - "netscp.exe" created file "%WINDIR%\Temp\qfz58tjp.dll"
    - "netscp.exe" created file "%WINDIR%\Temp\qfz58tjp.cmdline"
    - "csc.exe" created file "%WINDIR%\Temp\CSCBD3C.tmp"
    - "csc.exe" created file "%WINDIR%\Temp\qfz58tjp.dll"
    - "cvtres.exe" created file "%WINDIR%\Temp\RESBD3D.tmp"
  - source: API Call
  - relevance: 1/10
- Creates mutants
  - details
    - "\Sessions\1\BaseNamedObjects\RasPbFile"
    - "RasPbFile"
    - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
    - "Local\ZonesCacheCounterMutex"
    - "Local\ZonesLockedCacheCounterMutex"
  - source: Created Mutant
  - relevance: 3/10
- Loads the .NET runtime environment
  - details
    - "<Input Sample>.exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\36eaccfde177c2e7b93b8dbdde4e012a\mscorlib.ni.dll" at 68C20000
    - "netscp.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll" at 650C0000
    - "csc.exe" loaded module "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll" at 019E0000
  - source: Loaded Module
- Overview of unique CLSIDs touched in registry
  - details
    - "netscp.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
    - "netscp.exe" touched "Network" (Path: "HKCU\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\SHELLFOLDER")
    - "netscp.exe" touched "Recycle Bin" (Path: "HKCU\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\SHELLFOLDER")
    - "netscp.exe" touched "Control Panel" (Path: "HKCU\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\SHELLFOLDER")
    - "netscp.exe" touched "UsersFiles" (Path: "HKCU\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\SHELLFOLDER")
    - "netscp.exe" touched "UsersLibraries" (Path: "HKCU\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\SHELLFOLDER")
    - "netscp.exe" touched "CLSID_SearchFolder" (Path: "HKCU\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\SHELLFOLDER")
    - "netscp.exe" touched "Microsoft OneNote Namespace Extension for Windows Desktop Search" (Path: "HKCU\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\SHELLFOLDER")
    - "netscp.exe" touched "IE History and Feeds Shell Data Source for Windows Search" (Path: "HKCU\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\SHELLFOLDER")
    - "netscp.exe" touched "@%PROGRAMFILES%\(x86)\Microsoft Office\Office15\MAPISHELL.DLL,-110" (Path: "HKCU\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\SHELLFOLDER")
    - "netscp.exe" touched "Public Folder" (Path: "HKCU\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\SHELLFOLDER")
    - "netscp.exe" touched "Control Panel command object for Start menu and desktop" (Path: "HKCU\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\SHELLFOLDER")
    - "netscp.exe" touched "@%systemroot%\system32\mssvp.dll,-110" (Path: "HKCU\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\SHELLFOLDER")
    - "netscp.exe" touched "DXP" (Path: "HKCU\CLSID\{8FD8B88D-30E1-4F25-AC2B-553D3D65F0EA}\SHELLFOLDER")
    - "netscp.exe" touched "CLSID_SearchHome" (Path: "HKCU\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\SHELLFOLDER")
    - "netscp.exe" touched "Windows Search Service Media Center Namespace Extension Handler" (Path: "HKCU\CLSID\{98D99750-0B8A-4C59-9151-589053683D73}\SHELLFOLDER")
    - "netscp.exe" touched "Other Users Folder" (Path: "HKCU\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\SHELLFOLDER")
    - "netscp.exe" touched "@%systemroot%\system32\mssvp.dll,-112" (Path: "HKCU\CLSID\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\SHELLFOLDER")
    - "netscp.exe" touched "CLSID_StartMenuProviderFolder" (Path: "HKCU\CLSID\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\SHELLFOLDER")
    - "netscp.exe" touched "CLSID_StartMenuPathCompleteProviderFolder" (Path: "HKCU\CLSID\{E345F35F-9397-435C-8F95-4E922C26259E}\SHELLFOLDER")
  - source: Registry Access
  - relevance: 3/10
- Process launched with changed environment
  - details
    - Process "netscp.exe" was launched with new environment variables: "PROMPT="$P$G""
    - Process "netscp.exe" was launched with modified environment variables: "Path, LOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP"
    - Process "netscp.exe" was launched with missing environment variables: "LOGONSERVER, PROMPT, HOMEPATH, HOMEDRIVE"
  - source: Monitored Target
  - relevance: 10/10
- Runs shell commands
  - details
    - "/C "%ALLUSERSPROFILE%\Microsoft FXcop\netscp.exe" -u" on 2021-5-17.19:03:52.483
  - source: Monitored Target
  - relevance: 5/10
  - ATT&CK ID: T1059
- Scanning for window names
  - details
    - "netscp.exe" searching for class "MouseZ"
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1010
- Spawns new processes
  - details
    - Spawned process "cmd.exe" with commandline "/C "%ALLUSERSPROFILE%\Microsoft FXcop\netscp.exe" -u"
    - Spawned process "netscp.exe" with commandline "-u"
    - Spawned process "sc.exe" with commandline "create "Network Connectivity Manager" binpath= "%ALLUSERSPROFILE ..."
    - Spawned process "sc.exe" with commandline "create "Network Connectivity Manager" binpath= %ALLUSERSPROFILE% ..."
    - Spawned process "sc.exe" with commandline "description "Network Connectivity Manager" "Manage networked dev ..."
    - Spawned process "sc.exe" with commandline "config "Network Connectivity Manager" start= auto"
    - Spawned process "sc.exe" with commandline "start "Network Connectivity Manager""
    - Spawned process "netscp.exe" with commandline "-u"
    - Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%WINDIR%\TEMP\qfz58tjp.cmdline""
    - Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%WINDIR%\TEMP\RESBD3D.tmp" ..."
  - source: Monitored Target
  - relevance: 3/10
- Spawns new processes that are not known child processes
  - details
    - Spawned process "cmd.exe" with commandline "/C "%ALLUSERSPROFILE%\Microsoft FXcop\netscp.exe" -u"
    - Spawned process "netscp.exe" with commandline "-u"
    - Spawned process "sc.exe" with commandline "create "Network Connectivity Manager" binpath= "%ALLUSERSPROFILE ..."
    - Spawned process "sc.exe" with commandline "create "Network Connectivity Manager" binpath= %ALLUSERSPROFILE% ..."
    - Spawned process "sc.exe" with commandline "description "Network Connectivity Manager" "Manage networked dev ..."
    - Spawned process "sc.exe" with commandline "config "Network Connectivity Manager" start= auto"
    - Spawned process "sc.exe" with commandline "start "Network Connectivity Manager""
    - Spawned process "netscp.exe" with commandline "-u"
    - Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%WINDIR%\TEMP\qfz58tjp.cmdline""
    - Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%WINDIR%\TEMP\RESBD3D.tmp" ..."
  - source: Monitored Target
  - relevance: 3/10
Installation/Persistence
- Chained signature (with api-8700...). Detects file write then launch as executable
  - details
    - Chained signature (with api-8700...). Detects file write then launch as executable
  - source: API Call
  - relevance: 8/10
- Connects to LPC ports
  - details
    - "<Input Sample>.exe" connecting to "\ThemeApiPort"
    - "netscp.exe" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Dropped files
  - details
    - "netscp.exe" has type "PE32 executable (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
    - "service.exe" has type "PE32 executable (console) Intel 80386 Mono/.Net assembly for MS Windows"
    - "qfz58tjp.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
    - "MainModule.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
    - "desktop.ini" has type "empty"
    - "qfz58tjp.0.cs" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"
    - "SQP4H9Z2_A.tmp" has type "data"
    - "gn.tmp" has type "ASCII text with no line terminators"
    - "TimerModule.tmd" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
    - "qfz58tjp.cmdline" has type "UTF-8 Unicode (with BOM) text with very long lines with no line terminators"
    - "WebServiceConnector.tmd" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
    - "qfz58tjp.out" has type "UTF-8 Unicode (with BOM) text with very long lines with CRLF line terminators"
    - "c4febf31-f8bd-g26b.tmp" has type "ASCII text with CRLF line terminators"
    - "tfg.tmp" has type "ASCII text with no line terminators"
    - "CSCBD3C.tmp" has type "MSVC .res"
    - "RESBD3D.tmp" has type "80386 COFF executable not stripped - version 25189"
  - source: Binary File
  - relevance: 3/10
- Touches files in the Windows directory
  - details
    - "<Input Sample>.exe" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
    - "<Input Sample>.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
    - "<Input Sample>.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
    - "<Input Sample>.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
    - "<Input Sample>.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
    - "<Input Sample>.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
    - "<Input Sample>.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"<Input Sample>.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\96f7edb07b12303f0ec2595c7f3778c7\System.Configuration.ni.dll.aux"
"<Input Sample>.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\31fae3290fad30c31c98651462d22724\System.Core.ni.dll.aux"
"<Input Sample>.exe" touched file "C:\Windows\Fonts\micross.ttf"
"<Input Sample>.exe" touched file "C:\Windows\Fonts\segoeui.ttf"
"<Input Sample>.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"<Input Sample>.exe" touched file "C:\Windows\Fonts\seguisb.ttf"
"<Input Sample>.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://192.168.56.101/checkupdate.asmx"
Pattern match: "http://tempuri.org/"
Pattern match: "http://tempuri.org/GetServerTime"
Pattern match: "http://tempuri.org/T"
Pattern match: "http://tempuri.org/TU"
Pattern match: "http://tempuri.org/GetFileList"
Pattern match: "http://tempuri.org/GetFile"
Pattern match: "http://tempuri.org/CheckFileMD5"
Pattern match: "http://tempuri.org/UploadFile"
Pattern match: "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
Pattern match: "http://www.w3.org/2001/XMLSchema-instance"
Pattern match: "http://www.microsoft.com"
Heuristic match: "microsoftactiveservices.com"
Pattern match: "http://tempuri.org/:GetFileResponse"
Pattern match: "http://tempuri.org/:UploadFileResponse"
Pattern match: "http://tem"
Pattern match: "http://microsoftactiveservices.com/checkupdate.asmx"
Heuristic match: "Microsoft.NET"
Pattern match: "http://tempuri.org/:GetFileResult"
Pattern match: "http://tempuri.org/:UploadFileResult"
Pattern match: "http://tempuri.org/:string"
Pattern match: "http://tempuri.org/:GetFileListResult"
Pattern match: "http://tempuri.org/:GetFileListResponse"
Pattern match: "http://tempuri.org/:CheckFileMD5Result"
Pattern match: "http://tempuri.org/:CheckFileMD5Response"
Pattern match: "http://tempuri.org/:GetServerTimeResult"
Pattern match: "http://tempuri.org/:GetServerTimeResponse" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
-
"<Input Sample>.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"netscp.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Modify Registry)
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"<Input Sample>.exe" opened "\Device\KsecDD"
"netscp.exe" opened "\Device\KsecDD"
"csc.exe" opened "\Device\KsecDD"
"cvtres.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Kernel Modules and Extensions)
-
File Details
1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179
- Filename
- 1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179
- Size
- 9.8MiB (10230272 bytes)
- Type
- peexe assembly executable
- Description
- PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179
- MD5
- 9ef9ec11c9f83dde38556feaf88b2a29
- SHA1
- 16cb87795304c438d7929c248db5422a2905265d
Hybrid Analysis
Analysed 11 processes in total (System Resource Monitor).
-
Input Sample
(PID: 3504)
48/69
-
cmd.exe
/C "%ALLUSERSPROFILE%\Microsoft FXcop\netscp.exe" -u
(PID: 1792)
-
netscp.exe
-u
(PID: 2972)
55/72
- sc.exe create "Network Connectivity Manager" binpath= "%ALLUSERSPROFILE%\Microsoft FXcop\service.exe" displayname= "Network Connectivity Manager" (PID: 3052)
- sc.exe create "Network Connectivity Manager" binpath= %ALLUSERSPROFILE%\Microsoft FXcop\service.exe" displayname= "Network Connectivity Manager (PID: 3188)
- sc.exe description "Network Connectivity Manager" "Manage networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. If this service is stopped, SSDP-based devices will not be discovered. If this service is disabled, any services that explicitly depend on it will fail to start" (PID: 3476)
- sc.exe config "Network Connectivity Manager" start= auto (PID: 3484)
- sc.exe start "Network Connectivity Manager" (PID: 3084)
-
netscp.exe
-u
(PID: 3676)
55/72
-
csc.exe
/noconfig /fullpaths @"%WINDIR%\TEMP\qfz58tjp.cmdline"
(PID: 3884)
- cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%WINDIR%\TEMP\RESBD3D.tmp" "%WINDIR%\Temp\CSCBD3C.tmp" (PID: 1976)
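The five sc.exe invocations in the tree above are the persistence chain (create, a second create with unbalanced quoting, description, config start= auto, start), and the csc.exe/cvtres.exe pair is the runtime C# compilation that turned qfz58tjp.0.cs into qfz58tjp.dll from a response file in %WINDIR%\TEMP. The following Python is an added example, not code from this report or from the sample: it parses process-creation events of the kind Sysmon event 1 or Windows event 4688 would record (constructed here from the command lines above, with %ALLUSERSPROFILE% and %WINDIR% expanded to their Windows 7 defaults, plus two benign control events) and flags service creation whose binpath lies in a user-writable directory, and csc.exe runs whose response file lives under a temp or profile directory. The prefix list, the build-tool allowlist, the rule names and the control events are assumptions for illustration; the sc.exe parser deliberately tolerates the malformed quoting of the second create command, because that is exactly what was logged.

```python
import re

# Constructed process-creation events (parent image, image, command line), copied
# from the process tree in this report with %ALLUSERSPROFILE% / %WINDIR% expanded to
# their Windows 7 defaults, plus two benign controls (the last two) for contrast.
SAMPLE_EVENTS = [
    ("netscp.exe", "sc.exe",
     r'create "Network Connectivity Manager" binpath= "C:\ProgramData\Microsoft FXcop\service.exe" displayname= "Network Connectivity Manager"'),
    # The sample's second attempt has unbalanced quotes, exactly as logged above.
    ("netscp.exe", "sc.exe",
     r'create "Network Connectivity Manager" binpath= C:\ProgramData\Microsoft FXcop\service.exe" displayname= "Network Connectivity Manager'),
    ("netscp.exe", "sc.exe", r'config "Network Connectivity Manager" start= auto'),
    ("netscp.exe", "sc.exe", r'start "Network Connectivity Manager"'),
    ("netscp.exe", "csc.exe", r'/noconfig /fullpaths @"C:\Windows\TEMP\qfz58tjp.cmdline"'),
    ("cmd.exe", "sc.exe", r'create MySvc binpath= "C:\Windows\System32\mysvc.exe"'),        # control (assumed)
    ("msbuild.exe", "csc.exe", r'/noconfig @"C:\build\proj\obj\Release\app.cmdline"'),    # control (assumed)
]

# sc.exe syntax: verb, service name, then "key= value" pairs (sc.exe requires the
# space after "=", which is why the regex allows it).
SC_VERB_RE = re.compile(
    r'^\s*(?P<verb>create|config|start|stop|delete|description)\s+'
    r'(?:"(?P<qname>[^"]*)"|(?P<name>\S+))', re.I)
# A value is either a quoted string (closing quote optional, to survive the
# malformed second create) or unquoted text running up to the next "key= ".
SC_ARG_RE = re.compile(r'(?P<key>\w+)=\s*(?:"(?P<q>[^"]*)"?|(?P<u>.+?))(?=\s+\w+=\s|$)')

# Locations a service binary or a compiler response file should not live in
# (assumed list for illustration; extend for your environment).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\",
                 "%allusersprofile%\\", "%appdata%\\", "%localappdata%\\",
                 "%temp%\\", "%windir%\\temp\\")
# Parents for which a csc.exe child is expected (assumed allowlist).
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}


def parse_sc_cmdline(cmdline):
    """Return {'verb', 'service', 'args'} for an sc.exe command line, or None."""
    m = SC_VERB_RE.match(cmdline)
    if not m:
        return None
    service = m["qname"] if m["qname"] is not None else m["name"]
    args = {}
    for am in SC_ARG_RE.finditer(cmdline[m.end():]):
        value = am["q"] if am["q"] is not None else am["u"]
        args[am["key"].lower()] = value.strip().strip('"')  # drops the stray quote too
    return {"verb": m["verb"].lower(), "service": service, "args": args}


def analyze(events):
    """Run both rules over (parent, image, cmdline) events and return the findings."""
    findings = []
    for parent, image, cmdline in events:
        if image.lower() == "sc.exe":
            sc = parse_sc_cmdline(cmdline)
            if sc and sc["verb"] == "create":
                binpath = sc["args"].get("binpath", "")
                if binpath.lower().startswith(USER_WRITABLE):
                    findings.append({"rule": "service-binpath-user-writable",
                                     "parent": parent, "service": sc["service"],
                                     "binpath": binpath})
        elif image.lower() == "csc.exe":
            # csc.exe reads its real arguments from the @response file.
            rsp = re.search(r'@"?([^"]+?\.cmdline)"?', cmdline, re.I)
            if rsp and rsp.group(1).lower().startswith(USER_WRITABLE):
                findings.append({"rule": "runtime-csharp-compile",
                                 "parent": parent, "response_file": rsp.group(1),
                                 "parent_is_build_tool": parent.lower() in BUILD_TOOLS})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Both sc.exe create attempts are flagged, so the detection does not depend on which of the two malformed-or-not commands actually succeeded, and the csc.exe run is flagged on the response-file location alone, with the non-build parent recorded as a secondary signal. A natural extension is to compare the text passed to `sc description` against the descriptions of built-in Windows services, since the one above copies wording that reads like the SSDP Discovery service.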
Network Analysis
DNS Requests
Domain | Address | Registrar | Country
---|---|---|---
microsoftactiveservices.com | - | GMO INTERNET, INC. (Name Server: NS11.VALUE-DOMAIN.COM; Creation Date: 2016-05-28) | -
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
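The sandbox saw only the DNS lookup for microsoftactiveservices.com, with no address resolved and no HTTP traffic, so the network detection has to be derived from the strings listed under "Found potential URL in binary/memory": the method names GetServerTime, GetFileList, GetFile, CheckFileMD5, UploadFile, T and TU under the http://tempuri.org/ namespace, and checkupdate.asmx hosted at microsoftactiveservices.com and at 192.168.56.101. tempuri.org is the default namespace ASP.NET assigns to every .asmx web service, so it is a string indicator, not something to block at the proxy. The following Python is an added example, not from the report: it classifies raw HTTP requests (constructed here to match how .NET SOAP clients transmit the action, a SOAPAction header for SOAP 1.1 and an action= parameter in Content-Type for SOAP 1.2) both by known endpoint and by method name, so the method names still fire if the same client is re-pointed at a new host. The hosts updates.example.net and intranet.example.net and the benign HelloWorld call are hypothetical.

```python
import re

# Network indicators taken from the string matches in this report.
C2_HOSTS = {"microsoftactiveservices.com", "192.168.56.101"}
# 192.168.56.0/24 is VirtualBox's default host-only range, so the second entry is
# most likely a leftover development address rather than live infrastructure (inference).
C2_PATH = "/checkupdate.asmx"
NAMESPACE = "http://tempuri.org/"   # ASP.NET default; appears in any .asmx client, benign or not
C2_METHODS = {"GetServerTime", "GetFileList", "GetFile", "CheckFileMD5", "UploadFile", "T", "TU"}

# Constructed requests, not sandbox captures. Hostnames other than the C2 ones are hypothetical.
SAMPLE_REQUESTS = [
    # SOAP 1.1 call to the endpoint named in the binary.
    "POST /checkupdate.asmx HTTP/1.1\r\nHost: microsoftactiveservices.com\r\n"
    "Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"http://tempuri.org/GetFileList\"\r\n\r\n"
    "<soap:Envelope/>",
    # Same client re-pointed at a different host, speaking SOAP 1.2: the method name still matches.
    "POST /update/svc.asmx HTTP/1.1\r\nHost: updates.example.net\r\n"
    "Content-Type: application/soap+xml; charset=utf-8; action=\"http://tempuri.org/UploadFile\"\r\n\r\n"
    "<soap:Envelope/>",
    # Benign default-namespace ASMX call: tempuri.org on its own is not an indicator.
    "POST /HelloWorld.asmx HTTP/1.1\r\nHost: intranet.example.net\r\n"
    "SOAPAction: \"http://tempuri.org/HelloWorld\"\r\n\r\n<soap:Envelope/>",
]


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: request line, lower-cased header names, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def soap_action(req):
    """SOAP 1.1 carries the action in SOAPAction; SOAP 1.2 in Content-Type's action parameter."""
    action = req["headers"].get("soapaction", "").strip().strip('"')
    if not action:
        m = re.search(r'action="?([^";\s]+)"?', req["headers"].get("content-type", ""))
        action = m.group(1) if m else ""
    return action


def classify(raw):
    """Return the list of reasons a request matches this sample's C2 interface (empty if none)."""
    req = parse_request(raw)
    reasons = []
    host = req["headers"].get("host", "").split(":")[0].lower()
    if req["method"] == "POST" and host in C2_HOSTS and req["path"].lower() == C2_PATH:
        reasons.append("known-c2-endpoint")
    action = soap_action(req)
    if action.startswith(NAMESPACE) and action[len(NAMESPACE):] in C2_METHODS:
        reasons.append("c2-soapaction:" + action[len(NAMESPACE):])
    return reasons


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(parse_request(raw)["headers"].get("host"), classify(raw))
```

The endpoint rule is the high-confidence match; the SOAPAction rule is the one that survives infrastructure changes, and the short method names T and TU are matched only as a complete action string, so they do not collide with unrelated services under the same default namespace.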
Extracted Strings
Extracted Files
-
Malicious 5
-
-
MainModule.dll
- Size
- 92KiB (94208 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- Labeled as "Gen:Variant.Johnnie" (49/70)
- Runtime Process
- 1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179.exe (PID: 3504)
- MD5
- 0405adfc8739025ba88c746c8edebfb8
- SHA1
- 1fdb30eb4978bfab58b01e3712fdeee54c0f294f
- SHA256
- af8deedc78097c387926bb95ebd6ab2a870349794f452f35f84132b0dbe12e09
-
netscp.exe
- Size
- 29KiB (29184 bytes)
- Type
- peexe assembly executable
- Description
- PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- Labeled as "Backdoor.Tnzbt" (55/72)
- Runtime Process
- 1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179.exe (PID: 3504)
- MD5
- e7428dec7deb041692d6575e069c1cf0
- SHA1
- 07668b44784286d55a6ac03ccf6a114ec961a59e
- SHA256
- b99cddd428e78ede109c7bd3683c374ac6010a15c0633939511e39c1ed99f621
-
service.exe
- Size
- 9KiB (9216 bytes)
- Type
- peexe assembly executable
- Description
- PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- Labeled as "Trojan.Zapchast" (41/70)
- Runtime Process
- 1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179.exe (PID: 3504)
- MD5
- 4e483762f555b078976a1ddf3fc3e532
- SHA1
- cc592b0b9b534ed6dc4011f0ca6ea3a49b827d2f
- SHA256
- ad5fbf8e381d92225aa6c022e2bbc175be0e33138b5fa4bbb508b970b33bbc1e
-
TimerModule.tmd
- Size
- 11KiB (11264 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- Labeled as "Trojan.Zapchast" (54/70)
- Runtime Process
- 1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179.exe (PID: 3504)
- MD5
- 41eeae4158152f49ab64601c4358a7a1
- SHA1
- 7696cc377f5cd939fce0c76e73cbc90779b1c486
- SHA256
- dc21a2189f9e2d63872c0b5ee7ec75316799c60eb018ba9b98398b69efe45365
-
WebServiceConnector.tmd
- Size
- 37KiB (37376 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- Labeled as "Trojan.MSIL.Agent" (49/70)
- Runtime Process
- 1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179.exe (PID: 3504)
- MD5
- c440ec0a8cf7341b746160a684c51741
- SHA1
- f70739505bc14da259aacd37fc8966c230965ba8
- SHA256
- d8c7aef47bac024188d929e749e90ac172fd51b8f6e16dec4b6635dc2ffa85ef
-
-
Informative Selection 4
-
-
CSCBD3C.tmp
- Size
- 652B (652 bytes)
- Type
- unknown
- Description
- MSVC .res
- Runtime Process
- csc.exe (PID: 3884)
- MD5
- 33040b24a5b7938c1eed193566946232
- SHA1
- 2b9924be64f45d73a299700d202dc7e6caf0ab2d
- SHA256
- 082e60926c66509d4b1aa0cff7b8814af30af42b8f1f29ab305a1862a9efd6ef
-
RESBD3D.tmp
- Size
- 1.1KiB (1164 bytes)
- Type
- unknown
- Description
- 80386 COFF executable not stripped - version 25189
- Runtime Process
- csc.exe (PID: 3884)
- MD5
- 0605c4de9c61ae6b951316de1f8f03b9
- SHA1
- dbd6d4429ad1109a2cee66524203c3be9933fdc2
- SHA256
- 1fe94c42d1b46b351dac7271ca066310e58afb035c175e15172b5e0c9930eead
-
qfz58tjp.cmdline
- Size
- 544B (544 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
- Runtime Process
- netscp.exe (PID: 3676)
- MD5
- 171abd3901528b89b79187112f98180f
- SHA1
- 4fe67ee20f7584a19c84903a4805c5769702d379
- SHA256
- b91f1f98e315806914d2fce213137e2ab41dd04514a3b80fe3083cdebeae5471
-
desktop.ini
- Size
- Unknown (0 bytes)
- Type
- empty
- Runtime Process
- netscp.exe (PID: 2972)
-
-
Informative 7
-
-
c4febf31-f8bd-g26b.tmp
- Size
- 1.1KiB (1164 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- 1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179.exe (PID: 3504)
- MD5
- afde095f8d5f1ddc9c3a2e8b8ba63d5f
- SHA1
- 26bd63a752a61f4ff1a6afed01db9c81a019e83e
- SHA256
- 66549f25cf9cc473cdc7c604999cd55363a6c19d014404338f62dc64c2b804de
-
gn.tmp
- Size
- 5B (5 bytes)
- Type
- text
- Description
- ASCII text, with no line terminators
- Runtime Process
- 1578a4c641f0c7913cdf08267d1a88ac384d586c453b922670be380b7e67a179.exe (PID: 3504)
- MD5
- 7071624591279edcbb0c6c12fa720647
- SHA1
- a2fed768c396dac1d27f9a12757052958bfca735
- SHA256
- 68981943b89878bbad0cfc6a7786f272cfbbd0dc51e173debf9c0e8d1c3dbaad
-
tfg.tmp
- Size
- 4B (4 bytes)
- Type
- text
- Description
- ASCII text, with no line terminators
- Runtime Process
- netscp.exe (PID: 3676)
- MD5
- b6160f5c5b610f640dce61d94fa66b5b
- SHA1
- 01df22c6afc5d75bcbd044062c58c8027c7a1af4
- SHA256
- acad3d51c47aadb914f76aaedc871fd16e9cb85dbe08fa92900895dd813e9f43
-
SQP4H9Z2_A.tmp
- Size
- 16B (16 bytes)
- Type
- data
- Runtime Process
- netscp.exe (PID: 3676)
- MD5
- 656dfe141e8993f6623a92f831682e70
- SHA1
- 3da57fec411f645fa0b5de1fdc8744d0281e0746
- SHA256
- 9f2f267f446e70d5b088a8f5e4de638f11376b42d677648685f3a4e837454734
-
qfz58tjp.out
- Size
- 825B (825 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
- Runtime Process
- netscp.exe (PID: 3676)
- MD5
- d07d999cb16153720b4e2f445ebbe4a6
- SHA1
- d9d9bbe7bf8b475b4a6e677cc267d46971a41bcb
- SHA256
- 152fecbc2cb0c808c26fc73423bb3426b2786a17e06ddabc0cba22d418b1d070
-
qfz58tjp.0.cs
- Size
- 45KiB (46293 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process
- netscp.exe (PID: 3676)
- MD5
- b52d130d45e5809dfaafbfec541574b4
- SHA1
- a051182e52e9d92700ad5c91cee24501c1e3dda3
- SHA256
- 8291e0b9d7e3ac22d32ead566011d81025ec2b2a41c5d3560d61b873764effe7
-
qfz58tjp.dll
- Size
- 32KiB (32768 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- Runtime Process
- netscp.exe (PID: 3676)
- MD5
- 79b74274654f4f4b88267703b5b490d0
- SHA1
- 21b993af93b066891aadcf871e90f09ecd4cea9b
- SHA256
- d8ba65d5385bf3b8f90a0055d516fd2288a97bf684611299f6a2ae626099ef87
-
Notifications
-
Runtime
- Network whitenoise filtering was applied
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-1" are available in the report
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report