CloudSignageStudioSetup.exe
This report is generated from a file or URL submitted to this webservice on March 15th 2019 16:07:03 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Contains ability to open the clipboard
  - Sets a global windows hook to intercept mouse events
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Queries sensitive IE security settings
  - Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
  - Possibly tries to evade analysis by sleeping many times
  - Tries to sleep for a long time (more than two minutes)
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (6)

Anti-Detection/Stealthiness

Terminates other processes using tskill/taskkill
- details
  - Process "taskkill.exe" with commandline "taskkill /f /im "SignageStudio.exe""
- source: Monitored Target
- relevance: 9/10
Environment Awareness

Sets a global windows hook to intercept mouse events
- details
  - "SignageStudio.exe" set a windows hook with filter "WH_MOUSE_LL"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1179
Installation/Persistence

Allocates virtual memory in a remote process
- details
  - "CloudSignageStudioSetup.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SignageStudio.86EE3EEE54D7DB049D16E358CDC443F088917621.1"
  - "CloudSignageStudioSetup.exe" allocated memory in "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\SignageStudio\Uninstall.lnk"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details
  - "CloudSignageStudioSetup.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\(x86)\SignageStudio\SignageStudio.exe" (Handle: 572)
  - "CloudSignageStudioSetup.exe" wrote 52 bytes to a remote process "%PROGRAMFILES%\(x86)\SignageStudio\SignageStudio.exe" (Handle: 572)
  - "CloudSignageStudioSetup.exe" wrote 4 bytes to a remote process "%PROGRAMFILES%\(x86)\SignageStudio\SignageStudio.exe" (Handle: 572)
  - "CloudSignageStudioSetup.exe" wrote 8 bytes to a remote process "%PROGRAMFILES%\(x86)\SignageStudio\SignageStudio.exe" (Handle: 572)
  - "cmd.exe" wrote 32 bytes to a remote process "%WINDIR%\SysWOW64\taskkill.exe" (Handle: 128)
  - "cmd.exe" wrote 52 bytes to a remote process "%WINDIR%\SysWOW64\taskkill.exe" (Handle: 128)
  - "cmd.exe" wrote 4 bytes to a remote process "%WINDIR%\SysWOW64\taskkill.exe" (Handle: 128)
  - "cmd.exe" wrote 8 bytes to a remote process "%WINDIR%\SysWOW64\taskkill.exe" (Handle: 128)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details
  - ExitWindowsEx@USER32.DLL from CloudSignageStudioSetup.exe (PID: 2148) (3 occurrences)
- source: Hybrid Analysis Technology
- relevance: 5/10

Contains native function calls
- details
  - NtdllDefWindowProc_A@NTDLL.DLL from CloudSignageStudioSetup.exe (PID: 2148)
- source: Hybrid Analysis Technology
- relevance: 5/10
Suspicious Indicators (27)

Anti-Detection/Stealthiness

Queries kernel debugger information
- details
  - "taskkill.exe" at 00012265-00003544-00000033-70673752237
  - "SignageStudio.exe" at 00012702-00003840-00000033-93759728036
- source: API Call
- relevance: 6/10

Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
  - "SignageStudio.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
Anti-Reverse Engineering

PE file has unusual entropy sections
- details
  - Section ".data" has unusual entropy 7.80368870706
- source: Static Parser
- relevance: 10/10
Environment Awareness

Contains ability to query CPU information
- details
  - cpuid from SignageStudio.exe (PID: 3840)
  - cpuid
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1082

Possibly tries to evade analysis by sleeping many times
- details
  - "SignageStudio.exe" (Thread ID: 3700) slept "520" times (threshold: 500)
- source: API Call
- relevance: 10/10

Reads the active computer name
- details
  - "CloudSignageStudioSetup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "taskkill.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "SignageStudio.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details
  - "taskkill.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "SignageStudio.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

Tries to sleep for a long time (more than two minutes)
- details
  - "SignageStudio.exe" sleeping for "1566804069" milliseconds
- source: API Call
- relevance: 10/10
External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
  - 1/66 reputation engines marked "http://nsis.sf.net" as malicious (1% detection rate)
- source: External System
- relevance: 10/10
General

Opened the service control manager
- details
  - "SignageStudio.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1035
Installation/Persistence

Drops executable files
- details
  - "InstallOptions.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "NPSWF64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
  - "adl.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
  - "NPSWF32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "WebKit.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "Adobe AIR.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "uninst.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
  - "AdobeCP15.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "SignageStudio.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "CaptiveAppEntry.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10
Network Related

Found potential IP address in binary/memory
- details
  - Heuristic match: "<Config showErrorAlert="0" cloud="1"><Node ip="127.0.0.1" port="8555" /></Config>"
  - "28.0.0.125"
- source: File/Memory
- relevance: 3/10
Spyware/Information Retrieval

Contains ability to open the clipboard
- details
  - OpenClipboard@USER32.DLL from CloudSignageStudioSetup.exe (PID: 2148)
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1115
System Destruction

Marks file for deletion
- details
  - "C:\CloudSignageStudioSetup.exe" marked "%APPDATA%\SignageStudio.86EE3EEE54D7DB049D16E358CDC443F088917621.1\Local Store\#SharedObjects\eri.sxx" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details
  - "CloudSignageStudioSetup.exe" opened "%TEMP%\nsr7E3E.tmp" with delete access
  - "CloudSignageStudioSetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsh7FC6.tmp" with delete access
  - "CloudSignageStudioSetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsh7FC6.tmp\InstallOptions.dll" with delete access
  - "CloudSignageStudioSetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsh7FC6.tmp\ioSpecial.ini" with delete access
  - "CloudSignageStudioSetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsh7FC6.tmp\modern-wizard.bmp" with delete access
  - "CloudSignageStudioSetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsh7FC6.tmp\" with delete access
  - "SignageStudio.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\SignageStudio.86EE3EEE54D7DB049D16E358CDC443F088917621.1\Local Store\#SharedObjects\eri.sol" with delete access
  - "SignageStudio.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\SignageStudio.86EE3EEE54D7DB049D16E358CDC443F088917621.1\Local Store\#SharedObjects\eri.sxx" with delete access
  - "SignageStudio.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\SignageStudio.86EE3EEE54D7DB049D16E358CDC443F088917621.1\Local Store\#SharedObjects\SignageApplication.sol" with delete access
  - "SignageStudio.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\SignageStudio.86EE3EEE54D7DB049D16E358CDC443F088917621.1\Local Store\#SharedObjects\SignageApplication.sxx" with delete access
- source: API Call
- relevance: 7/10
System Security

Modifies proxy settings
- details
  - "SignageStudio.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
  - "SignageStudio.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
  - "SignageStudio.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
  - "SignageStudio.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "SignageStudio.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Queries sensitive IE security settings
- details
  - "SignageStudio.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1012
Unusual Characteristics

CRC value set in PE header does not match actual value
- details
  - "NPSWF64.dll" claimed CRC 93892 while the actual is CRC 56651
  - "adl.exe" claimed CRC 122169 while the actual is CRC 93892
  - "NPSWF32.dll" claimed CRC 14636579 while the actual is CRC 122169
  - "Adobe AIR.dll" claimed CRC 21606351 while the actual is CRC 5265505
  - "Adobe AIR.dll" claimed CRC 20488556 while the actual is CRC 5286990
  - "uninst.exe" claimed CRC 37236071 while the actual is CRC 5289017
  - "AdobeCP15.dll" claimed CRC 3562854 while the actual is CRC 77394
  - "SignageStudio.exe" claimed CRC 114144 while the actual is CRC 3562854
  - "NPSWF32.dll" claimed CRC 78694 while the actual is CRC 167283
  - "CaptiveAppEntry.exe" claimed CRC 114144 while the actual is CRC 78694
- source: Static Parser
- relevance: 10/10
Imports suspicious APIs
- details
  - GetModuleHandleA, ShellExecuteA, TerminateProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetTickCount, Sleep, ShellExecuteW, LoadLibraryA, GetModuleFileNameW, GetFileAttributesW, GetModuleFileNameA, GetCommandLineW, GetCommandLineA, GetProcAddress, LoadLibraryW, WriteFile, GetStartupInfoA, GetModuleHandleW, CreateFileW, CreateFileA, VirtualAlloc, RegDeleteKeyA, RegCloseKey, RegOpenKeyExA, RegDeleteValueA, RegCreateKeyExA, RegEnumKeyA, GetFileAttributesA, CopyFileA, LoadLibraryExA, GetFileSize, CreateDirectoryA, DeleteFileA, GetTempPathA, CreateThread, FindFirstFileA, GetTempFileNameA, FindNextFileA, CreateProcessA, FindWindowExA, RegCreateKeyA, CertDeleteCertificateFromStore, ExitThread, GetVersionExA, GetCursorPos, HttpSendRequestA, HttpQueryInfoA, InternetCloseHandle, InternetOpenA, InternetReadFile, InternetConnectA, InternetQueryOptionA, InternetCrackUrlA, recv, send, accept, WSAStartup, connect, closesocket, socket, GetVersionExW, FindWindowA
- source: Static Parser
- relevance: 1/10
Installs hooks/patches the running process
- details
  - "CloudSignageStudioSetup.exe" wrote bytes "7111be017a3bbd01ab8b02007f950200fc8c0200729602006cc805001ecdba017d26ba01" to virtual address "0x75D507E4" (part of module "USER32.DLL")
  - "CloudSignageStudioSetup.exe" wrote bytes "d0558e76647397760000000051c1587594985875ee9c587575dc5a75273e5a750fb35e750000000085481e7669871e760f772076d9171e76ead71f76a9341e76f8111e7620141e760c111e76f5161e7654141e76ff101e7632141e7600000000" to virtual address "0x74031000" (part of module "SHFOLDER.DLL")
  - "cmd.exe" wrote bytes "7111be017a3bbd01ab8b02007f950200fc8c0200729602006cc805001ecdba017d26ba01" to virtual address "0x75D507E4" (part of module "USER32.DLL")
  - "taskkill.exe" wrote bytes "7111be017a3bbd01ab8b02007f950200fc8c0200729602006cc805001ecdba017d26ba01" to virtual address "0x75D507E4" (part of module "USER32.DLL")
  - "taskkill.exe" wrote bytes "c0df8d771cf98c77ccf88c770d648e7700000000c0111e7600000000fc3e1e7600000000e0131e760000000094575c7625e08d77c6e08d7700000000bc6a5b7600000000cf311e760000000093195c76000000002c321e7600000000" to virtual address "0x75CA1000" (part of module "NSI.DLL")
  - "SignageStudio.exe" wrote bytes "d83a1775" to virtual address "0x75180258" (part of module "SSPICLI.DLL")
  - "SignageStudio.exe" wrote bytes "b4361775" to virtual address "0x75180278" (part of module "SSPICLI.DLL")
  - "SignageStudio.exe" wrote bytes "b8c015dd73ffe0" to virtual address "0x751736B4" (part of module "SSPICLI.DLL")
  - "SignageStudio.exe" wrote bytes "b4361775" to virtual address "0x7518025C" (part of module "SSPICLI.DLL")
  - "SignageStudio.exe" wrote bytes "d83a1775" to virtual address "0x751801FC" (part of module "SSPICLI.DLL")
  - "SignageStudio.exe" wrote bytes "0efc907781ed8f77ae868e77c6e08d77effd90772d168f77c0fc8c77da8f977760149177478d8e77a8e28d7760898e7700000000ad3716768b2d1676b641167600000000" to virtual address "0x71E71000" (part of module "IMAGERES.DLL")
  - "SignageStudio.exe" wrote bytes "c0df8d771cf98c77ccf88c770d648e7700000000c0111e7600000000fc3e1e7600000000e0131e760000000094575c7625e08d77c6e08d7700000000bc6a5b7600000000cf311e760000000093195c76000000002c321e7600000000" to virtual address "0x75CA1000" (part of module "NSI.DLL")
  - "SignageStudio.exe" wrote bytes "d83a1775" to virtual address "0x75180274" (part of module "SSPICLI.DLL")
  - "SignageStudio.exe" wrote bytes "b84013dd73ffe0" to virtual address "0x75173AD8" (part of module "SSPICLI.DLL")
  - "SignageStudio.exe" wrote bytes "d83a0200" to virtual address "0x75174E38" (part of module "SSPICLI.DLL")
  - "SignageStudio.exe" wrote bytes "d83a0200" to virtual address "0x75174D78" (part of module "SSPICLI.DLL")
  - "SignageStudio.exe" wrote bytes "6012dd73" to virtual address "0x75ABE324" (part of module "WININET.DLL")
  - "SignageStudio.exe" wrote bytes "7111be017a3bbd01ab8b02007f950200fc8c0200729602006cc805001ecdba017d26ba01" to virtual address "0x75D507E4" (part of module "USER32.DLL")
  - "SignageStudio.exe" wrote bytes "b4360200" to virtual address "0x75174EA4" (part of module "SSPICLI.DLL")
  - "SignageStudio.exe" wrote bytes "68130000" to virtual address "0x76161680" (part of module "WS2_32.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179
Reads information about supported languages
- details
  - "CloudSignageStudioSetup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "SignageStudio.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
Hiding 6 Suspicious Indicators

Informative (33)
Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
  - SetUnhandledExceptionFilter@KERNEL32.DLL from SignageStudio.exe (PID: 3840) (4 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

PE file contains zero-size sections
- details
  - Raw size of ".ndata" is zero
- source: Static Parser
- relevance: 10/10
Environment Awareness

Contains ability to query machine time
- details
  - GetSystemTimeAsFileTime@KERNEL32.DLL from SignageStudio.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine version
- details
  - GetVersion@KERNEL32.DLL from CloudSignageStudioSetup.exe (PID: 2148) (3 occurrences)
  - GetVersionExW@KERNEL32.DLL from SignageStudio.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the system locale
- details
  - GetUserDefaultUILanguage@KERNEL32.DLL from SignageStudio.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details
  - GetDiskFreeSpaceA@KERNEL32.DLL from CloudSignageStudioSetup.exe (PID: 2148) (3 occurrences)
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1083
Makes a code branch decision directly after an API that is environment aware
- details
  - Found API call GetVersionExW@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-00000120h], 0Ah" and "je 0126155Ch" from SignageStudio.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 10/10

Possibly tries to detect the presence of a debugger
- details
  - GetProcessHeap@KERNEL32.DLL from SignageStudio.exe (PID: 3840)
- source: Hybrid Analysis Technology
- relevance: 1/10

Queries volume information
- details
  - "CloudSignageStudioSetup.exe" queries volume information of "C:\" at 00010298-00002148-00000046-84171809622
  - "CloudSignageStudioSetup.exe" queries volume information of "%PROGRAMFILES%\(x86)\SignageStudio\SignageStudio.exe" at 00010298-00002148-00000046-84224954060
  - "CloudSignageStudioSetup.exe" queries volume information of "C:\" at 00010298-00002148-00000046-84913750318
  - "CloudSignageStudioSetup.exe" queries volume information of "C:\Program Files (x86)\SignageStudio\SignageStudio.exe" at 00010298-00002148-00000046-84915158753
  - "SignageStudio.exe" queries volume information of "C:\Program Files (x86)\SignageStudio\META-INF\AIR\application.xml" at 00012702-00003840-00000046-98521543110
  - "SignageStudio.exe" queries volume information of "C:\Program Files (x86)\SignageStudio\StudioLoginAir.swf" at 00012702-00003840-00000046-100275405414
  - "SignageStudio.exe" queries volume information of "C:\Program Files (x86)\SignageStudio\StudioLoginAir.swf" at 00012702-00003840-00000046-103743557629
  - "SignageStudio.exe" queries volume information of "C:\Program Files (x86)\SignageStudio\config.xml" at 00012702-00003840-00000046-124028190535
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire hard drive
- details
  - "CloudSignageStudioSetup.exe" queries volume information of "C:\" at 00010298-00002148-00000046-84171809622
  - "CloudSignageStudioSetup.exe" queries volume information of "C:\" at 00010298-00002148-00000046-84913750318
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120

Reads the registry for installed applications
- details
  - "CloudSignageStudioSetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CLOUDSIGNAGESTUDIOSETUP.EXE")
  - "CloudSignageStudioSetup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CLOUDSIGNAGESTUDIOSETUP.EXE")
  - "CloudSignageStudioSetup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SIGNAGESTUDIO.86EE3EEE54D7DB049D16E358CDC443F088917621.1")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
External Systems

Sample was identified as clean by Antivirus engines
- details
  - 0/68 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General

Contains PDB pathways
- details
  - "E:\r\ws\St_Make\code\build\win\results\Release\info\CaptiveAppEntry.pdb"
- source: File/Memory
- relevance: 1/10

Creates a writable file in a temporary directory
- details
  - "CloudSignageStudioSetup.exe" created file "%TEMP%\nsh7FC6.tmp\ioSpecial.ini"
  - "CloudSignageStudioSetup.exe" created file "%TEMP%\nsh7FC6.tmp\modern-wizard.bmp"
  - "CloudSignageStudioSetup.exe" created file "%TEMP%\nsh7FC6.tmp\InstallOptions.dll"
- source: API Call
- relevance: 1/10

Creates mutants
- details
  - "\Sessions\1\BaseNamedObjects\Local\DirectSound DllMain mutex (0x00000F00)"
  - "\Sessions\1\BaseNamedObjects\MacromediaMutexOmega"
  - "\Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__"
  - "\Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__"
  - "MacromediaMutexOmega"
  - "Local\__DDrawCheckExclMode__"
  - "Local\ZonesCacheCounterMutex"
  - "Local\DirectSound DllMain mutex (0x00000F00)"
  - "Local\__DDrawExclMode__"
  - "Local\ZonesLockedCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
- source: Created Mutant
- relevance: 3/10
Drops files marked as clean
- details
  - Antivirus vendors marked dropped file "InstallOptions.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "NPSWF64.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
  - Antivirus vendors marked dropped file "adl.exe" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "WebKit.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "uninst.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive")
  - Antivirus vendors marked dropped file "AdobeCP15.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "SignageStudio.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "NPSWF32.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "CaptiveAppEntry.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
- source: Binary File
- relevance: 10/10

Loads rich edit control libraries
- details
  - "CloudSignageStudioSetup.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 73F60000
- source: Loaded Module
- ATT&CK ID: T1179
Overview of unique CLSIDs touched in registry
- details
  - "CloudSignageStudioSetup.exe" touched "Shortcut" (Path: "HKCU\WOW6432NODE\CLSID\{00021401-0000-0000-C000-000000000046}")
  - "CloudSignageStudioSetup.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
  - "CloudSignageStudioSetup.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
  - "CloudSignageStudioSetup.exe" touched "Microsoft Multiple AutoComplete List Container" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TREATAS")
  - "CloudSignageStudioSetup.exe" touched "Microsoft Shell Folder AutoComplete List" (Path: "HKCU\WOW6432NODE\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TREATAS")
  - "CloudSignageStudioSetup.exe" touched "Microsoft AutoComplete" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TREATAS")
  - "CloudSignageStudioSetup.exe" touched "Microsoft TipAutoCompleteClient Control" (Path: "HKCU\WOW6432NODE\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\TREATAS")
  - "taskkill.exe" touched "WBEM Locator" (Path: "HKCU\WOW6432NODE\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}")
  - "taskkill.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\WOW6432NODE\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}")
  - "taskkill.exe" touched "PSFactoryBuffer" (Path: "HKCR\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}")
  - "taskkill.exe" touched "Microsoft WBEM Call Context" (Path: "HKCU\WOW6432NODE\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\TREATAS")
  - "taskkill.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\WOW6432NODE\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
  - "taskkill.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\WOW6432NODE\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
  - "taskkill.exe" touched "Microsoft WBEM WbemClassObject Marshalling proxy" (Path: "HKCU\WOW6432NODE\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\TREATAS")
  - "SignageStudio.exe" touched "Multi Language Support" (Path: "HKCU\WOW6432NODE\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}")
  - "SignageStudio.exe" touched "MMDeviceEnumerator class" (Path: "HKCU\WOW6432NODE\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}")
  - "SignageStudio.exe" touched "Shell Drag and Drop helper" (Path: "HKCR\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{4657278A-411B-11D2-839A-00C04FD918D0}")
  - "SignageStudio.exe" touched "Enhanced Storage Icon Overlay Handler Class" (Path: "HKCU\WOW6432NODE\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\INPROCSERVER32")
  - "SignageStudio.exe" touched "Sharing Overlay (Private)" (Path: "HKCU\WOW6432NODE\CLSID\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\INPROCSERVER32")
  - "SignageStudio.exe" touched "NetworkListManager" (Path: "HKCU\WOW6432NODE\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\TREATAS")
- source: Registry Access
- relevance: 3/10
Runs shell commands
- details
  - "cmd /c taskkill /f /im "SignageStudio.exe"" at 2019-03-15 17:09:31.818
- source: Monitored Target
- relevance: 5/10

Sample shows a variety of benign indicators
- details
  - The input file/all extracted files were not detected as malicious and the input file is signed with a validated certificate
- source: Indicator Combinations
- relevance: 10/10

Scanning for window names
- details
  - "CloudSignageStudioSetup.exe" searching for class "#32770"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

Sets a windows hook
- details
  - "SignageStudio.exe" sets a global windows hook with filter "WH_MOUSE_LL"
- source: API Call
- relevance: 10/10
Spawns new processes
- details
  - Spawned process "cmd.exe" with commandline "cmd /c taskkill /f /im "SignageStudio.exe""
  - Spawned process "taskkill.exe" with commandline "taskkill /f /im "SignageStudio.exe""
  - Spawned process "SignageStudio.exe"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details
  - Spawned process "cmd.exe" with commandline "cmd /c taskkill /f /im "SignageStudio.exe""
  - Spawned process "taskkill.exe" with commandline "taskkill /f /im "SignageStudio.exe""
  - Spawned process "SignageStudio.exe"
- source: Monitored Target
- relevance: 3/10
The input sample is signed with a certificate
- details
  - The input sample is signed with a certificate issued by "OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.1=Westlake Village, OID.2.5.4.15=Private Organization, SERIALNUMBER=C3028771, C=US, S=California, L=Westlake Village, O=Media Signage Inc., CN=Media Signage Inc." (SHA1: 35:08:EC:20:96:99:6F:4E:8A:90:F3:38:BD:AA:B3:45:F7:E5:0B:71; signature algorithm 1.2.840.113549.1.1.11, sha256WithRSAEncryption)
  - The input sample is signed with a certificate issued by "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA - G2" (SHA1: 5B:8F:88:C8:0A:73:D3:5F:76:CD:41:2A:9E:74:E9:16:59:4D:FA:67; signature algorithm 1.2.840.113549.1.1.11, sha256WithRSAEncryption)
  - The input sample is signed with a certificate issued by "C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5" (SHA1: 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5; signature algorithm sha1RSA (RSA))
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1116

The input sample is signed with a valid certificate
- details
  - The entire certificate chain of the input sample was validated successfully.
- source: Certificate Data
- relevance: 10/10
Installation/Persistence

Connects to LPC ports
- details
  - "CloudSignageStudioSetup.exe" connecting to "\ThemeApiPort"
  - "SignageStudio.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10
Dropped files
- details
  - "StudioLoginAir.swf" has type "data"
  - "InstallOptions.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "NPSWF64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
  - "adl.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
  - "SignageStudio.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Mon Oct 29 06:41:56 2018 mtime=Fri Mar 15 16:10:13 2019 atime=Mon Oct 29 06:41:56 2018 length=146432 window=hide"
  - "NPSWF32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "WebKit.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "Adobe AIR.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "uninst.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
  - "AdobeCP15.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "SignageStudio.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "Uninstall.lnk" has type "MS Windows shortcut Item id list present Has Relative path Has Working directory ctime=Mon Jan 1 00:00:00 1601 mtime=Mon Jan 1 00:00:00 1601 atime=Mon Jan 1 00:00:00 1601 length=0 window=hide"
  - "defaultImage.svg" has type "SVG Scalable Vector Graphics image"
  - "CaptiveAppEntry.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "COPYING" has type "UTF-8 Unicode text with CRLF line terminators"
  - "COPYING-MPL-1.1" has type "ASCII text with CRLF line terminators"
- source: Binary File
- relevance: 3/10
Touches files in the Windows directory
- details
-
"CloudSignageStudioSetup.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"CloudSignageStudioSetup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"CloudSignageStudioSetup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"CloudSignageStudioSetup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
"CloudSignageStudioSetup.exe" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
"CloudSignageStudioSetup.exe" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"CloudSignageStudioSetup.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"CloudSignageStudioSetup.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"CloudSignageStudioSetup.exe" touched file "C:\Windows\SysWOW64\cmd.exe"
"CloudSignageStudioSetup.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu"
"CloudSignageStudioSetup.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
"CloudSignageStudioSetup.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SignageStudio"
"CloudSignageStudioSetup.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SignageStudio\SignageStudio.lnk"
"CloudSignageStudioSetup.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SignageStudio\Uninstall.lnk"
"CloudSignageStudioSetup.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"CloudSignageStudioSetup.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"CloudSignageStudioSetup.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
"CloudSignageStudioSetup.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu"
"CloudSignageStudioSetup.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://nsis.sf.net/NSIS_Error"
Heuristic match: "P/fgs<.mg"
Heuristic match: "^_+<!U}.tM"
Heuristic match: "8K/;{8K.gh"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "http://s.symcb.com/pca3-g5.crl0"
Pattern match: "http://s.symcd.com0_"
Pattern match: "https://d.symcb.com/cps0%"
Pattern match: "https://d.symcb.com/rpa0"
Pattern match: "http://sw.symcb.com/sw.crl0"
Pattern match: "http://sw.symcd.com0"
Pattern match: "http://sw1.symcb.com/sw.crt0"
Pattern match: "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"
Heuristic match: "ww.mycompany.com"
Pattern match: "http://www.w3.org/2001/04/xmlenc#sha256"
Pattern match: "http://www.mycompany.com"
Pattern match: "www.adobe.com/go/getair_pl"
Pattern match: "http://www.adobe.com/go/getair_nl"
Pattern match: "www.adobe.com/go/getair"
Pattern match: "www.adobe.com/go/getair_cn"
Pattern match: "http://www.adobe.com/go/getair_ru"
Pattern match: "http://www.adobe.com/go/getair_kr"
Pattern match: "http://www.adobe.com/go/getair_jp"
Pattern match: "http://www.adobe.com/go/getair_it"
Pattern match: "http://www.adobe.com/go/getair"
Pattern match: "http://www.mozilla.org/MPL/" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
- "SignageStudio.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"CloudSignageStudioSetup.exe" opened "\Device\KsecDD"
"taskkill.exe" opened "\Device\KsecDD"
"SignageStudio.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"adl.exe" was detected as "Visual C++ 2008 Release -> Microsoft"
"uninst.exe" was detected as "Nullsoft PiMP Stub -> SFX"
"SignageStudio.exe" was detected as "VC8 -> Microsoft Corporation"
"NPSWF32.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"CaptiveAppEntry.exe" was detected as "VC8 -> Microsoft Corporation" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002
File Details
CloudSignageStudioSetup.exe
- Filename
- CloudSignageStudioSetup.exe
- Size
- 35MiB (37170656 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture
- WINDOWS
- SHA256
- 92de5e8b0ae106318b1e4ec6144515c178ae60dc326bb8acf4ea2fe7c1a329e6
- MD5
- 5a03c6e56f051a8f92dcd7f1e11fac22
- SHA1
- 84ff0547658bf85d9045b8a33f34c624b98f41bd
Classification (TrID)
- 98.7% (.EXE) NSIS - Nullsoft Scriptable Install System
- 0.5% (.EXE) Win32 Executable (generic)
- 0.2% (.EXE) OS/2 Executable (generic)
- 0.2% (.EXE) Generic Win/DOS Executable
- 0.2% (.EXE) DOS Executable Generic
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.1=Westlake Village, OID.2.5.4.15=Private Organization, SERIALNUMBER=C3028771, C=US, S=California, L=Westlake Village, O=Media Signage Inc., CN=Media Signage Inc. | OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.1=Westlake Village, OID.2.5.4.15=Private Organization, SERIALNUMBER=C3028771, C=US, S=California, L=Westlake Village, O=Media Signage Inc., CN=Media Signage Inc. Serial: 3bb924ff1f1865732f42343bd4aa0ce3 | 07/05/2017 01:00:00 to 07/05/2020 00:59:59 | 35:08:EC:20:96:99:6F:4E:8A:90:F3:38:BD:AA:B3:45:F7:E5:0B:71: (1.2.840.113549.1.1.11)
C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA - G2 | C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA - G2 Serial: 191a32cb759c97b8cfac118dd5127f49 | 03/04/2014 01:00:00 to 03/04/2024 00:59:59 | 5B:8F:88:C8:0A:73:D3:5F:76:CD:41:2A:9E:74:E9:16:59:4D:FA:67: (1.2.840.113549.1.1.11)
C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5 | C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5 Serial: 18dad19e267de8bb4a2158cdcc6b3b4a | 11/08/2006 01:00:00 to 07/17/2036 00:59:59 | 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5: (sha1RSA(RSA))
Screenshots
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
-
CloudSignageStudioSetup.exe
(PID: 2148)
-
cmd.exe
cmd /c taskkill /f /im "SignageStudio.exe"
(PID: 2768)
- taskkill.exe taskkill /f /im "SignageStudio.exe" (PID: 3544)
- SignageStudio.exe (PID: 3840)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://www.w3.org/graphics/svg/1.1/dtd/svg11.dtd | Domain/IP reference | 00010298-00002148-46762-35-00402E5B |
http://nsis.sf.net/nsis_error | Domain/IP reference | 00010298-00002148-46762-56-00402C22 |
Extracted Strings
Extracted Files
Displaying 23 extracted file(s). The remaining 15 file(s) are available in the full version and XML/JSON reports.
-
Clean 9
-
-
adl.exe
- Size
- 104KiB (106624 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/90
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- 4ac4561b3774ff454f3bc9f8d2dcfd24
- SHA1
- ee25fd9806ddac9ab978b7fe03e835c0c1ad6a79
- SHA256
- f53f22105104306e099b17a506261ff7742108cd7a2a35def9ba69e4f4f3f492
-
AdobeCP15.dll
- Size
- 3.3MiB (3509376 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- 04bd32a6a178779e07531797c7894400
- SHA1
- 005e3081be238d845e2e14f50c5786a24e176062
- SHA256
- 713aac9b26f517d8ebda60d5b7b37c78d8af42e8e123ac998545ff7835653718
-
CaptiveAppEntry.exe
- Size
- 62KiB (62976 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/93
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- bb28018c1c27c5700c304450361488ff
- SHA1
- f2452c4b5cb0b0527c63847d73cd14bc35d02e61
- SHA256
- 5c25dacd33dfdebce39c3b7eb74b07d7410fe3f081aa30fc11e8b946ae011372
-
NPSWF32.dll
- Size
- 45KiB (46064 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/88
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- 53e58195b7127ed47b58c4621cdef31b
- SHA1
- a6ea26892b17cc6c8e49b824e9830142a36c6f68
- SHA256
- 24a06cf052409b1c41d90aebf69ee2a2a9c3295bf6b91fafcebe0d839b58afa7
-
NPSWF64.dll
- Size
- 39KiB (39424 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/88
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- 930abe45a4af0c3a7ec59587df6a3e20
- SHA1
- 2823eb8b53da7798c28152acc4d52d96bad2e454
- SHA256
- 1afe3cf9a9003ceb939fec4351ebca4b9cf661c3586532cbc29d0354a604a0ab
-
WebKit.dll
- Size
- 4.7MiB (4883952 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- de8e8181fbc5a8ee6046c58bebb3789a
- SHA1
- 93d9b46037286dbbc9cdd478a0d2a817e5f02bf2
- SHA256
- 7e1233280d5760fa98cbea4b540f6f4e6519bb077d5273146189ab227a9f7c9c
-
SignageStudio.exe
- Size
- 143KiB (146432 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- SignageStudio.exe (PID: 3840)
- MD5
- eccbd8f12f2039410fcc65d47be01231
- SHA1
- 71ff928d1e43f7c6b123c1e981b8ec2565cc375e
- SHA256
- d554c31bd18e97328de1e44def5ed46eb325f9dc33733b9b2b44496adab75235
-
uninst.exe
- Size
- 50KiB (50979 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- AV Scan Result
- 0/71
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- e8b37f58f88a77d018528b42f8e401fd
- SHA1
- 2294dea3f2a0354be94916a90ac0afd153b8f4a4
- SHA256
- bd0f94ae6b1e33591f06702e4c8c4621b02433aee0d56e023750247445763664
-
InstallOptions.dll
- Size
- 15KiB (14848 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/87
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- 325b008aec81e5aaa57096f05d4212b5
- SHA1
- 27a2d89747a20305b6518438eff5b9f57f7df5c3
- SHA256
- c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
-
-
Informative 14
-
-
Uninstall.lnk
- Size
- 832B (832 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hide
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- c3be528f7eb1763550263f44d09b26db
- SHA1
- d17f85b9926a73e09922771ad5f021c333ddea1f
- SHA256
- 38cb358f1a52a511796e3d4f3f321ecaafdc9639d1a039f4d645ee5beafa533b
-
SignageApplication.sxx
- Size
- 71B (71 bytes)
- Runtime Process
- SignageStudio.exe (PID: 3840)
- MD5
- 205aace62a2e28f87e9bd0a8acbf9cbb
- SHA1
- 42e1ea666e2492c6f9bde008997e63500a47c249
- SHA256
- 2ab2b90b45fb9a0755a57d8b16c7e669d0198b0e4bdce9485f6df32e217c17fd
-
eri.sxx
- Size
- 25B (25 bytes)
- Runtime Process
- SignageStudio.exe (PID: 3840)
- MD5
- 1928f16aa1411ec0c1c96ac64c6a4da6
- SHA1
- e87dbc9e6daf8eb92560953ceadebdd716cc52da
- SHA256
- ef07938b9a8a3ec6a29c9e65566f3577cdba9dc721551036171488357c65db31
-
Adobe AIR.dll
- Size
- 5MiB (5231818 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- SignageStudio.exe (PID: 3840)
- MD5
- ea624150fb9ce1c4831432408b64fcbc
- SHA1
- 6d6f979e4215132f98ec235a0d7533dfefb7a4bf
- SHA256
- 84a58879cb11a675b82e3846fdcdf7ddd0869a0d67efa1a039bc8198f25a027e
-
Adobe AIR.vch
- Size
- 1.8MiB (1887427 bytes)
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- b5fdcb3d6ae7d52b2de035545e79d085
- SHA1
- e9f5a7829fe1c349472171a437025c8be8085011
- SHA256
- d45ba9be22f4143396ca3d359df39cbc8c66d1043bd951f1fca5ce304ff78bae
-
COPYING-LGPL-2.1
- Size
- 26KiB (27043 bytes)
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- 86ce596bc517e1d7c5fe6149c75b1bdf
- SHA1
- 01a50bc2cba30010116c6db30a2bce318a7a40de
- SHA256
- 6f900e8acd64a5451373d39271cdb4ff55e073855574b0b1ad99a86c728545a5
-
COPYING-MPL-1.1
- Size
- 26KiB (26225 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- 1b8b981cbb6b2b3f93c43b1915bdf812
- SHA1
- 992f31454b275eb1b85c802c278363d847c301b2
- SHA256
- fa01277004aff314888151ea523bdf390992892e13523984f221695d48c7455b
-
COPYING
- Size
- 1.6KiB (1609 bytes)
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- ef5a4e944085278eb1a7b7a881cceaf6
- SHA1
- f42c3e7ec4cd0349c9a44178811eb0da809b68fe
- SHA256
- 4fdcde2e1f6aeb1df3d767a8330aff6ed6e6c0031d3c8ea72e95620613b4f827
-
application.xml
- Size
- 5.9KiB (6040 bytes)
- Runtime Process
- SignageStudio.exe (PID: 3840)
- MD5
- 63f0c0e9d2e907c8c39d106aa44ac3a6
- SHA1
- f76dfde12ec9702ca13a7d45e9582a1c9731d86c
- SHA256
- 018d6a5c07a5c38ce5cf18edce60117af2b7455a7a2f718a8576df7255299755
-
hash
- Size
- 32B (32 bytes)
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- 211ca3499c072686505339b1b8bff366
- SHA1
- 39c174bb87b79cb8821e0a6f91b790b533a12820
- SHA256
- 2432eee07a7da1af23d2f9a58286098d486ccff374399d5a54597488d84a650e
-
signatures.xml
- Size
- 88KiB (90332 bytes)
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- 73b3dbc4995e590253936f757b9d3982
- SHA1
- fd766eede4a48120190d7df43f9d9cdf45580071
- SHA256
- b1f95901a84226912daeccd136939c0c2bdabfc9bdceb72bf4d954bdff7c0dfb
-
StudioLoginAir.swf
- Size
- 2MiB (2081102 bytes)
- Type
- data
- Runtime Process
- SignageStudio.exe (PID: 3840)
- MD5
- 4923cd70b9d47d56080cda11690d5b6e
- SHA1
- 6fbc6330f1b54c214a4c1e63e849650714f0f5ee
- SHA256
- dbe84a5ccd884d998c319a7744e4026d0c762ee9b335575b3808ec307c025917
-
config.xml
- Size
- 81B (81 bytes)
- Runtime Process
- SignageStudio.exe (PID: 3840)
- MD5
- 7c98ae87d570fdfcc899327ecac624b5
- SHA1
- a7691fdbc6c306562475c2a041163016cc4e17b0
- SHA256
- 64c34318e0977bf5b8e33a1561334c0c33cf32a7deb0e45933b3d09f38358fa8
-
SignageStudio.lnk
- Size
- 1.1KiB (1085 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Oct 29 06:41:56 2018, mtime=Fri Mar 15 16:10:13 2019, atime=Mon Oct 29 06:41:56 2018, length=146432, window=hide
- Runtime Process
- CloudSignageStudioSetup.exe (PID: 2148)
- MD5
- 05d47129323a98d9db8514b5dfdf58d7
- SHA1
- 64a0d4320b5009c91a5fd73bd1bba36d8b292432
- SHA256
- 5669587ab113f1b4f33f7fd825d4713a1ca5d59b588f0f2ae67e5f34fddf62f7
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Extracted file "Adobe AIR.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/84a58879cb11a675b82e3846fdcdf7ddd0869a0d67efa1a039bc8198f25a027e/analysis/1552666462/")
- Extracted file "NPSWF32.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/6bbf62c66771fc0a0530b4a358b50ba1739a55654ebd0178adb9dacec2d77b77/analysis/1552666454/")
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-47" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report