BMW_CIC_FSC_Generator.exe
This report is generated from a file or URL submitted to this webservice on September 13th 2020 04:18:42 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.31 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Fingerprint: Queries kernel debugger information; Reads the active computer name; Reads the cryptographic machine GUID
- Spreading: Detected a large number of ARP broadcast requests (network device lookup)
- Network Behavior: Contacts 4 domains and 1 host
Taken together, the indicators below describe a UPX-packed 32-bit GUI executable, flagged by 1 of 71 antivirus engines, that fingerprints the host, sweeps the local subnet with ARP, hooks the socket and HTTP libraries inside its own process, and downloads two small text files over plain HTTP from www.cicfsc.com (a domain matching the tool's own name) using a bare "Mozilla/5.0" user agent.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed in this public report.
Malicious Indicators (2)
External Systems
- Sample was identified as malicious by at least one Antivirus engine
  - details: 1/71 Antivirus vendors marked sample as malicious (1% detection rate)
  - source: External System
  - relevance: 8/10
Network Related
- Detected a large number of ARP broadcast requests (network device lookup)
  - details: Attempt to find devices in networks: "169.254.34.222/32, 169.254.90.85/32, 169.254.123.156/32, 169.254.156.162/32, 192.168.240.1/32, 192.168.240.2/31, 192.168.240.4/31, 192.168.240.6/32, 192.168.240.18/31, 192.168.240.30/32, 192.168.240.49/32, 192.168.240.50/32, 192.168.240.52/30, 192.168.240.56/32, 192.168.240.64/32, 192.168.240.67/32, 192.168.240.71/32, 192.168.240.79/32, 192.168.240.90/32, 192.168.240.95/32, 192.168.240.104/32, 192.168.240.108/30, 192.168.240.115/32, 192.168.240.116/32, 192.168.240.125/32, 192.168.240.142/31, 192.168.240.146/31, 192.168.240.149/32, 192.168.240.150/32, 192.168.240.152/31, 192.168.240.158/32, 192.168.240.162/31, 192.168.240.166/31, 192.168.240.168/32, 192.168.240.170/32, 192.168.240.172/32, 192.168.240.178/32, 192.168.240.195/32, 192.168.240.196/32, 192.168.240.200/32, 192.168.240.211/32, 192.168.240.212/32, 192.168.240.214/32, 192.168.240.224/32, 192.168.240.230/31, 192.168.240.232/30, 192.168.240.236/32, 192.168.240.238/32, 192.168.241.60/32, 192.168.241.62/32, 192.168.241.88/32, 192.168.241.116/31, 192.168.241.142/32, 192.168.241.200/32, 192.168.243.38/32, 192.168.243.55/32, 192.168.243.106/32, 192.168.243.110/32, 192.168.243.135/32, 192.168.243.177/32, 192.168.243.194/32, 192.168.243.209/32, 192.168.243.227/32"
  - source: Network Traffic
  - relevance: 10/10
  - ATT&CK ID: T1016
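The indicator above lists the ARP targets already collapsed into CIDR blocks. The following added example (mine, not Hybrid Analysis code) expands a subset of that list back into individual addresses, runs a sliding-window ARP-sweep detector over constructed request timings, and re-collapses the targets to reproduce the report's CIDR summary. The two MAC addresses, the timestamps and the threshold of 20 distinct targets within 10 seconds are assumptions; the addresses are a subset copied from the report. A sweep of this kind is described more precisely by T1018 (Remote System Discovery) than by the T1016 tag the sandbox assigns.

```python
import ipaddress
from collections import defaultdict

# Subset of the CIDR blocks from the indicator above (the sandbox had already
# collapsed individual ARP targets into blocks such as 192.168.240.52/30).
REPORT_CIDRS = [
    "169.254.34.222/32", "169.254.90.85/32",
    "192.168.240.1/32", "192.168.240.2/31", "192.168.240.4/31", "192.168.240.6/32",
    "192.168.240.18/31", "192.168.240.52/30", "192.168.240.108/30",
    "192.168.240.232/30", "192.168.241.116/31", "192.168.243.38/32",
]
SCANNER_MAC = "00:0c:29:aa:bb:cc"   # constructed: the sandbox guest's NIC
BENIGN_MAC = "00:0c:29:11:22:33"    # constructed: a quiet neighbour on the same segment


def expand_targets(cidrs):
    """Every address inside each block was an ARP target, so expand all of them (/31 and /32 included)."""
    return [str(ip) for cidr in cidrs for ip in ipaddress.ip_network(cidr)]


def collapse_targets(addresses):
    """Rebuild the report-style CIDR summary from individual target addresses."""
    nets = (ipaddress.ip_network(a) for a in addresses)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def detect_arp_sweep(events, window_s=10.0, threshold=20):
    """events: (seconds, src_mac, target_ip) tuples for ARP who-has broadcasts.
    Returns {src_mac: peak number of distinct targets seen inside any window_s span}
    for every source that reaches the threshold."""
    per_src = defaultdict(list)
    for t, src, target in sorted(events):
        per_src[src].append((t, target))
    hits = {}
    for src, reqs in per_src.items():
        peak, start = 0, 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window_s:
                start += 1                      # slide the window forward
            distinct = len({tgt for _, tgt in reqs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            hits[src] = peak
    return hits


def build_sample_events():
    """Constructed timeline: the guest probes every expanded target 10 ms apart;
    a neighbour sends three ordinary requests."""
    events = [(0.01 * i, SCANNER_MAC, ip) for i, ip in enumerate(expand_targets(REPORT_CIDRS))]
    events += [(0.5, BENIGN_MAC, "192.168.240.1"), (3.0, BENIGN_MAC, "192.168.240.1"),
               (40.0, BENIGN_MAC, "192.168.240.254")]
    return events


if __name__ == "__main__":
    targets = expand_targets(REPORT_CIDRS)
    print(len(targets), "targets; collapsed back to", collapse_targets(targets))
    print("sweep sources:", detect_arp_sweep(build_sample_events()))
```

The round trip through `collapse_addresses` is a useful sanity check on any sandbox that reports aggregated blocks: a /30 means four consecutive hosts were probed, not one. On a real sensor the same sliding-window count over ARP who-has frames, keyed by source MAC, is the detection; the sandbox's own whitenoise filtering (see Notifications) does not remove these frames because they originate from the guest.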
Suspicious Indicators (22)
Anti-Detection/Stealthiness
- Queries kernel debugger information
  - details: "BMW_CIC_FSC_Generator.exe" at 00063943-00002488-00000105-5500705
  - source: API Call
  - relevance: 6/10
Anti-Reverse Engineering
- PE file has unusual entropy sections
  - details: UPX1 with unusual entropy 7.933588167
  - source: Static Parser
  - relevance: 10/10
- PE file is packed with UPX
  - details: "bd203d4e2cfbe129d016010063784d5b15fb299fa4c77bd378fb931d3e65dfea.bin" has sections named "UPX0", "UPX1" and "UPX2"
  - source: Static Parser
  - relevance: 10/10
  - ATT&CK ID: T1045
Environment Awareness
- Reads the active computer name
  - details: "BMW_CIC_FSC_Generator.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10
  - ATT&CK ID: T1012
- Reads the cryptographic machine GUID
  - details: "BMW_CIC_FSC_Generator.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1012
  - note: MachineGuid is a stable per-installation identifier; reading it together with the computer name is the usual way a program derives a host fingerprint, whether for licensing or for victim tracking.
External Systems
- Detected Suricata Alert
  - details: Detected alert "ETPRO USER_AGENTS Observed Suspicious UA (Mozilla/5.0)" (SID: 2842116, Rev: 1, Severity: 2) categorized as "Potentially Bad Traffic"
  - source: Suricata Alerts
  - relevance: 10/10
General
- Found a potential E-Mail address in binary/memory
  - details: Pattern match: "dcr@t.q4c"; Pattern match: "lay@noxx.tk"
  - source: File/Memory
  - relevance: 3/10
  - ATT&CK ID: T1114
Installation/Persistence
- Monitors specific registry key for changes
  - details:
    "BMW_CIC_FSC_Generator.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: 0)
    "BMW_CIC_FSC_Generator.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: 0)
    "BMW_CIC_FSC_Generator.exe" monitors "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" (Filter: 15; Subtree: 1)
    "BMW_CIC_FSC_Generator.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" (Filter: 15; Subtree: 1)
    "BMW_CIC_FSC_Generator.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" (Filter: 15; Subtree: 1)
  - source: API Call
  - relevance: 4/10
  - ATT&CK ID: T1012
  - note: the WinSock2 catalog keys and the Internet Settings keys are the ones ws2_32.dll and wininet.dll themselves register change notifications on when they initialise, so this indicator records use of those libraries, not persistence logic written by the sample.
Network Related
- Sends traffic on typical HTTP outbound port, but without HTTP header
  - details: TCP traffic to 208.113.168.217 on port 80 is sent without HTTP header
  - source: Network Traffic
  - relevance: 5/10
  - ATT&CK ID: T1043
- Uses a User Agent typical for browsers, although no browser was ever launched
  - details: Found user agent(s): Mozilla/5.0
  - source: Network Traffic
  - relevance: 10/10
Remote Access Related
- Reads terminal service related keys (often RDP related)
  - details: "BMW_CIC_FSC_Generator.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1076
  - note: this is a read of a single flag, and the report shows no RDP traffic or session activity; on its own it is environment checking, not remote access.
System Destruction
- Opens file with deletion access rights
  - details: "BMW_CIC_FSC_Generator.exe" opened "C:\Lookup.xml" with delete access
  - source: API Call
  - relevance: 7/10
  - note: C:\Lookup.xml is the file the sample itself downloaded (see the GET /Lookup.xml request below), so this is the sample managing its own dropped file rather than destroying anything pre-existing.
Unusual Characteristics
- Entrypoint in PE header is within an uncommon section
  - details: "bd203d4e2cfbe129d016010063784d5b15fb299fa4c77bd378fb931d3e65dfea.bin" has an entrypoint in section "UPX1"
  - source: Static Parser
  - relevance: 10/10
- Imports suspicious APIs
  - details: VirtualProtect, GetProcAddress, LoadLibraryA, NetShareEnum, bind
  - source: Static Parser
  - relevance: 1/10
  - note: VirtualProtect, GetProcAddress and LoadLibraryA are the imports the UPX stub needs to unpack itself and rebuild the real import table. UPX keeps only one function from each other DLL the original binary used, so NetShareEnum and bind mainly show that netapi32.dll and ws2_32.dll are loaded; the full import table is only visible after unpacking (upx -d), and the imphash under File Details is the packer's, not the payload's.
- Installs hooks/patches the running process
  - details:
    "BMW_CIC_FSC_Generator.exe" wrote bytes "f8110000" to virtual address "0x74EC12CC" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "f811ec74" to virtual address "0x74ED834C" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "a0114f6e" to virtual address "0x7586E324" (part of module "WININET.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "1099cb7500000000b53818779051177700000000e0c5f176fdfef176ee29187700000000" to virtual address "0x6EC31000" (part of module "KSUSER.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "f8110000" to virtual address "0x74EC1408" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "b890124f6effe0" to virtual address "0x74EC1248" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "4812ec74" to virtual address "0x74ED8348" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "f811ec74" to virtual address "0x74ED8368" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "f811ec74" to virtual address "0x74ED83C4" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "4812ec74" to virtual address "0x74ED8364" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "c04e167720541777e0651777b53818770000000000d0f17600000000c5eaf1760000000088eaf17600000000e9681d7582281877ee29187700000000d2691d75000000007dbbf1760000000009be1d7500000000ba18f17600000000" to virtual address "0x76CC1000" (part of module "NSI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "4812ec74" to virtual address "0x74ED83C0" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "f811ec74" to virtual address "0x74ED83E0" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "48120000" to virtual address "0x74EC139C" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "48120000" to virtual address "0x74EC12DC" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "b880114f6effe0" to virtual address "0x75D81368" (part of module "WS2_32.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "4812ec74" to virtual address "0x74ED83DC" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "a0114f6e" to virtual address "0x705B4028" (part of module "WEBIO.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "b810154f6effe0" to virtual address "0x74EC11F8" (part of module "SSPICLI.DLL")
    "BMW_CIC_FSC_Generator.exe" wrote bytes "68130000" to virtual address "0x75D81680" (part of module "WS2_32.DLL")
  - source: Hook Detection
  - relevance: 10/10
  - ATT&CK ID: T1179
  - note: the 7-byte writes to SSPICLI.DLL and WS2_32.DLL (b8 xx xx xx xx ff e0) are "mov eax, imm32; jmp eax" stubs, and the 4-byte writes are table entries repointed at those stubs; the long runs of 4-byte addresses separated by zeros at RVA 0x1000 of KSUSER.DLL and NSI.DLL look like import tables being filled in by the loader, which hook detectors commonly attribute to the process.
- Reads information about supported languages
  - details: "BMW_CIC_FSC_Generator.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10
  - ATT&CK ID: T1012
- Timestamp in PE header is very old or in the future
  - details: "bd203d4e2cfbe129d016010063784d5b15fb299fa4c77bd378fb931d3e65dfea.bin" claims program is from Sun Dec 10 18:14:31 2023
  - source: Static Parser
  - relevance: 10/10
  - note: the report was generated on September 13th 2020, so the link timestamp is more than three years in the future. TimeDateStamp is a plain header field that any build or post-processing tool can set, so either the build machine's clock was wrong or the field was altered deliberately.
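The write list in the hook indicator can be decoded rather than just counted. The following added example (mine, not Hybrid Analysis output) parses the hex bytes the sandbox recorded and classifies each write: a 7-byte `B8 imm32 FF E0` sequence is `mov eax, imm32 ; jmp eax`, an absolute-jump inline hook; a 4-byte value equal to one of those stub addresses is a table slot being repointed at the stub; a 4-byte value below 0x10000 that, added to the module's 64 KiB-aligned base, lands on a stub is the same repointing expressed as an RVA. The entries are a representative subset copied from the indicator; the base-address heuristic is an assumption that holds here because every RVA involved is below 0x2000.

```python
import struct

# Address / module / bytes triples copied from the "Installs hooks/patches the
# running process" indicator above (representative subset; the rest decode alike).
HOOK_WRITES = [
    ("0x74EC11F8", "SSPICLI.DLL", "b810154f6effe0"),
    ("0x74EC1248", "SSPICLI.DLL", "b890124f6effe0"),
    ("0x75D81368", "WS2_32.DLL",  "b880114f6effe0"),
    ("0x74ED834C", "SSPICLI.DLL", "f811ec74"),
    ("0x74ED8348", "SSPICLI.DLL", "4812ec74"),
    ("0x74EC12CC", "SSPICLI.DLL", "f8110000"),
    ("0x74EC12DC", "SSPICLI.DLL", "48120000"),
    ("0x75D81680", "WS2_32.DLL",  "68130000"),
    ("0x7586E324", "WININET.DLL", "a0114f6e"),
    ("0x705B4028", "WEBIO.DLL",   "a0114f6e"),
    ("0x6EC31000", "KSUSER.DLL",
     "1099cb7500000000b53818779051177700000000e0c5f176fdfef176ee29187700000000"),
]

USERMODE = range(0x10000, 0x80000000)   # 32-bit user-mode address range on this Win7 guest


def classify_write(data: bytes) -> dict:
    """Decode one recorded memory write into what it most plausibly is."""
    # B8 imm32 FF E0  ->  mov eax, imm32 ; jmp eax   (7-byte absolute jump stub)
    if len(data) == 7 and data[0] == 0xB8 and data[5:] == b"\xff\xe0":
        return {"kind": "inline jmp hook", "target": struct.unpack_from("<I", data, 1)[0]}
    if len(data) == 4:
        value = struct.unpack("<I", data)[0]
        kind = "pointer write" if value in USERMODE else "rva write"
        return {"kind": kind, "target": value}
    if len(data) % 4 == 0:
        slots = struct.unpack("<%dI" % (len(data) // 4), data)
        return {"kind": "pointer table", "target": None,
                "slots": [s for s in slots if s in USERMODE]}
    return {"kind": "unknown", "target": None}


def analyse_hooks(writes=HOOK_WRITES) -> list:
    """Decode every write, then correlate pointer/RVA writes with the jmp stubs."""
    decoded = []
    for addr_s, module, hexbytes in writes:
        entry = {"addr": int(addr_s, 16), "module": module}
        entry.update(classify_write(bytes.fromhex(hexbytes)))
        decoded.append(entry)
    stubs = {e["addr"] for e in decoded if e["kind"] == "inline jmp hook"}
    for e in decoded:
        if e["kind"] == "pointer write" and e["target"] in stubs:
            e["note"] = "slot repointed at hook stub %#x" % e["target"]
        elif e["kind"] == "rva write":
            # assumption: the module base is the 64 KiB boundary below the write,
            # which holds here because these RVAs are all below 0x2000
            guess = (e["addr"] & ~0xFFFF) + e["target"]
            if guess in stubs:
                e["note"] = "RVA of hook stub %#x" % guess
    return decoded


def hook_targets(decoded) -> list:
    """Where the jmp stubs actually land: the hooking code lives there."""
    return sorted({e["target"] for e in decoded if e["kind"] == "inline jmp hook"})


if __name__ == "__main__":
    for e in analyse_hooks():
        print(hex(e["addr"]), e["module"], e["kind"], e.get("note", ""))
    print("hook code region:", [hex(t) for t in hook_targets(analyse_hooks())])
```

All three jump stubs land in 0x6E4F1000-0x6E4F1FFF, and the pointer 0x6E4F11A0 written into WININET.DLL and WEBIO.DLL lies in the same region, so the hooking code sits in one memory area that the report attributes to no named module. That is consistent with user-mode API hooking of the socket and HTTP stack inside the sample's process; whether the sample's own code placed the hooks or a component injected into it did cannot be settled from this report alone, which is the check to run first on a full trace.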
5 further suspicious indicators are not shown in this public report.
Informative (14)
Anti-Reverse Engineering
- PE file contains zero-size sections
  - details: Raw size of "UPX0" is zero
  - source: Static Parser
  - relevance: 10/10
  - note: UPX0 is the section the stub unpacks into at run time; it occupies no space on disk while its virtual size reserves room for the decompressed image.
Environment Awareness
- Queries volume information
  - details:
    "BMW_CIC_FSC_Generator.exe" queries volume information of "%WINDIR%\Fonts\tahoma.ttf" at 00063943-00002488-0000010C-122415003
    "BMW_CIC_FSC_Generator.exe" queries volume information of "C:\RSAKeys.txt" at 00063943-00002488-0000010C-122700572
    "BMW_CIC_FSC_Generator.exe" queries volume information of "%WINDIR%\Fonts\segoeui.ttf" at 00063943-00002488-0000010C-127267330
    "BMW_CIC_FSC_Generator.exe" queries volume information of "%WINDIR%\Fonts\tahomabd.ttf" at 00063943-00002488-0000010C-170944663
  - source: API Call
  - relevance: 2/10
  - ATT&CK ID: T1120
General
- Contacts domains
  - details: "www.cicfsc.com", "_ldap._tcp.dc._msdcs.scl3.dc", "isatap.scl3.dc", "wpad.scl3.dc"
  - source: Network Traffic
  - relevance: 1/10
  - note: only www.cicfsc.com is attributable to the sample. The _ldap._tcp.dc._msdcs, isatap and wpad lookups under scl3.dc are the sandbox guest's own domain-controller, ISATAP and proxy auto-discovery queries and must not be used as IOCs.
- Contacts server
  - details: "208.113.168.217:80"
  - source: Network Traffic
  - relevance: 1/10
- Creates mutants
  - details: "\Sessions\1\BaseNamedObjects\Local\MidiMapper_modLongMessage_RefCnt", "Local\MidiMapper_modLongMessage_RefCnt"
  - source: Created Mutant
  - relevance: 3/10
  - note: this mutant is created by the Windows multimedia stack (winmm/midimap) when a sound is played, not by sample-specific code; it matches the "Windows Exclamation.wav" access listed below.
- GETs files from a webserver
  - details:
    GET /RSAKeys.txt HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,*
    User-Agent: Mozilla/5.0
    Host: www.cicfsc.com
    GET /Lookup.xml HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,*
    User-Agent: Mozilla/5.0
    Host: www.cicfsc.com
  - source: Network Traffic
  - relevance: 5/10
- Overview of unique CLSIDs touched in registry
  - details:
    "BMW_CIC_FSC_Generator.exe" touched "Enhanced Storage Icon Overlay Handler Class" (Path: "HKCU\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\INPROCSERVER32")
    "BMW_CIC_FSC_Generator.exe" touched "Sharing Overlay (Private)" (Path: "HKCU\CLSID\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\INPROCSERVER32")
    "BMW_CIC_FSC_Generator.exe" touched "CrossProcessClientOutput Class" (Path: "HKCU\CLSID\{CD773740-B187-4974-A1D5-E0FF91372277}\TREATAS")
  - source: Registry Access
  - relevance: 3/10
Installation/Persistence
- Connects to LPC ports
  - details: "BMW_CIC_FSC_Generator.exe" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Dropped files
  - details: "Lookup.xml" has type "XML 1.0 document ASCII text with very long lines with CRLF line terminators"; "RSAKeys.txt" has type "ASCII text with no line terminators"
  - source: Binary File
  - relevance: 3/10
  - note: both files are the HTTP downloads listed under Network Analysis, written to the root of C:. Neither is executable, and RSAKeys.txt is 13 bytes, far too small to hold an RSA key despite its name.
- Touches files in the Windows directory
  - details:
    "BMW_CIC_FSC_Generator.exe" touched file "%WINDIR%\System32\imageres.dll"
    "BMW_CIC_FSC_Generator.exe" touched file "%WINDIR%\System32\rsaenh.dll"
    "BMW_CIC_FSC_Generator.exe" touched file "%WINDIR%\Media\Windows Exclamation.wav"
    "BMW_CIC_FSC_Generator.exe" touched file "%WINDIR%\System32\wdmaud.drv"
    "BMW_CIC_FSC_Generator.exe" touched file "%WINDIR%\System32\en-US\wdmaud.drv.mui"
  - source: API Call
  - relevance: 7/10
  - note: imageres.dll (stock icons), the Tahoma and Segoe UI fonts, "Windows Exclamation.wav" and wdmaud.drv together are consistent with an ordinary GUI program showing a message box with the exclamation icon; rsaenh.dll is the Microsoft Enhanced Cryptographic Provider, loaded when CryptoAPI RSA or AES routines are used.
Network Related
- Found potential URL in binary/memory
  - details:
    Heuristic match: "Lay@nOXX.TK"
    Heuristic match: "99DZa99y.ky"
    Heuristic match: "kjXj9jDjbjajKjGj5j_jH.kw"
    Pattern match: "6a2a.aFa/aOa"
    Pattern match: "www.cicfsc.com"
    Pattern match: "http://www.w3.org/2001/XMLSchema-instance"
  - source: File/Memory
  - relevance: 10/10
  - note: apart from www.cicfsc.com and the XML Schema namespace URI (which comes from the downloaded Lookup.xml), these are the false positives string heuristics typically produce over UPX-compressed data.
System Security
- Creates or modifies windows services
  - details: "BMW_CIC_FSC_Generator.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1112
  - note: no service is created here. Tcpip\Parameters holds the host name, DNS suffix and interface settings; opening it with create semantics is what the Windows name-resolution and socket libraries do on first use, and is expected given the DNS lookups and HTTP requests in this report.
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  - details: "BMW_CIC_FSC_Generator.exe" opened "\Device\KsecDD"
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1215
  - note: \Device\KsecDD is the kernel endpoint the user-mode cryptography libraries talk to (for example for the system random number generator); opening it is routine for any process using Windows cryptography and, with the rsaenh.dll load above, points to CryptoAPI use rather than to kernel-module loading as the T1215 tag suggests.
Unusual Characteristics
- Matched Compiler/Packer signature
  - details: "bd203d4e2cfbe129d016010063784d5b15fb299fa4c77bd378fb931d3e65dfea.bin" was detected as "UPX -> www.upx.sourceforge.net"
  - source: Static Parser
  - relevance: 10/10
  - ATT&CK ID: T1045
File Details
- Filename: BMW_CIC_FSC_Generator.exe
- Size: 7.2MiB (7600128 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
- Architecture: WINDOWS
- SHA256: bd203d4e2cfbe129d016010063784d5b15fb299fa4c77bd378fb931d3e65dfea
- MD5: 6e213e8828e39f57deb1ab167637dd4b
- SHA1: c97f3bae0f3a4c586744bd7cd00804771c0d2a39
- ssdeep: 98304:5+KnAfVBFGDh49O5Bn6GxHzpGHFcefEP7riab4iNif16OJ4/2Xh4hUjG:dAfVvR9O5BnPxHzpGGyEPKfTJGK4huG
- imphash: b6f453e10ce1e8ddb4e270aaa9ad8074 (computed over the UPX stub's import table, so it clusters by packer rather than by payload)
- authentihash: 1900743e2bdcc360d4242b40409dd9e13c4b44992f5b8569cd0cf0a0d021e8d2
- Compiler/Packer: UPX -> www.upx.sourceforge.net
Classification (TrID)
- 71.9% (.EXE) UPX compressed Win32 Executable
- 11.9% (.EXE) Win32 Executable (generic)
- 5.3% (.EXE) OS/2 Executable (generic)
- 5.3% (.EXE) Generic Win/DOS Executable
- 5.3% (.EXE) DOS Executable Generic
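Several of the static indicators in this report (UPX section names, UPX1 entropy of 7.93, zero raw size for UPX0, entry point inside UPX1, a TimeDateStamp later than the analysis date) all come from a handful of PE header fields. The following added example (mine, not the sandbox's static parser) reads those fields with nothing but `struct`, computes per-section Shannon entropy and emits the same findings. Because the sample itself is not on this page, the script builds a small PE32 image in memory that reproduces the reported layout (section names, a UPX0 with zero raw size, seeded random bytes standing in for the packed UPX1 payload, the reported timestamp); that image, the entropy cut-off of 7.0 and the analysis time taken from the report header are the assumptions.

```python
import math
import random
import struct
from datetime import datetime, timezone

# Analysis time from the report header, and the PE timestamp the report quotes.
ANALYSIS_TIME = datetime(2020, 9, 13, 4, 18, 42, tzinfo=timezone.utc)
REPORTED_PE_TIME = datetime(2023, 12, 10, 18, 14, 31, tzinfo=timezone.utc)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling that compressed or encrypted data approaches."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Pull out only what packer triage needs: timestamp, entry point and the section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "entropy": round(shannon_entropy(raw), 3)})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "sections": sections}


def triage(image: bytes, analysis_time: datetime = ANALYSIS_TIME, entropy_cutoff: float = 7.0) -> dict:
    """Reproduce the report's packer-related static findings for one PE image."""
    pe = parse_pe(image)
    findings = []
    if {"UPX0", "UPX1"} <= {s["name"] for s in pe["sections"]}:
        findings.append("UPX section names present")
    for s in pe["sections"]:
        if s["rawsize"] == 0 and s["vsize"]:
            findings.append("%s: zero raw size, %#x bytes virtual (unpack destination)" % (s["name"], s["vsize"]))
        if s["entropy"] >= entropy_cutoff:
            findings.append("%s: entropy %.3f (compressed or encrypted)" % (s["name"], s["entropy"]))
    ep = next((s["name"] for s in pe["sections"]
               if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if ep not in (None, ".text", "CODE"):
        findings.append("entry point %#x is in section %s" % (pe["entry_rva"], ep))
    built = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    if built > analysis_time:
        findings.append("PE timestamp %s is later than the analysis time" % built.strftime("%Y-%m-%d %H:%M:%S"))
    return {"entry_section": ep, "built": built, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed PE32 that reproduces the reported layout; it is NOT the analysed binary."""
    rng = random.Random(2020)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))      # stands in for the UPX1 payload
    sections = [  # name, virtual size, RVA, raw bytes on disk
        (b"UPX0", 0x100000, 0x1000, b""),                       # zero raw size, as reported
        (b"UPX1", 0x2000, 0x101000, packed),
        (b"UPX2", 0x1000, 0x103000, bytes(64)),
    ]
    entry_rva = 0x101000 + 0x800                                 # inside UPX1, as reported
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections),
                                   int(REPORTED_PE_TIME.timestamp()), 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    hdrs, body, raw_ptr = b"", b"", 0x200
    for name, vsize, vaddr, raw in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw),
                            raw_ptr if raw else 0, 0, 0, 0, 0, 0xE0000080)
        body += raw
        raw_ptr += len(raw)
    return (dos + coff + opt + hdrs).ljust(0x200, b"\0") + body


def triage_sample() -> dict:
    return triage(build_sample_pe())


if __name__ == "__main__":
    for finding in triage_sample()["findings"]:
        print("-", finding)
```

Point `triage()` at real bytes (`open(path, "rb").read()`) to get the same five findings for any UPX-packed file. The entropy cut-off is the usual 7.0; UPX1 in the report scores 7.93, and the only things that score that high are compressed, encrypted or random data. None of these checks says anything about what the packed payload does; that needs `upx -d` followed by a second pass over the unpacked image.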
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor): BMW_CIC_FSC_Generator.exe (PID: 2488), detected by 1/71 antivirus engines.
Network Analysis
DNS Requests
Domain | Address | Registrar | Country
---|---|---|---
_ldap._tcp.dc._msdcs.scl3.dc | - | - | -
isatap.scl3.dc | - | - | -
wpad.scl3.dc | - | - | -
www.cicfsc.com | 208.113.168.217 (TTL: 14399) | DREAMHOST (Organization: Proxy Protection LLC; Name Server: NS1.DREAMHOST.COM; Creation Date: Tue, 26 Dec 2017 01:42:07 GMT) | United States

The three scl3.dc lookups are the sandbox guest's own Active Directory, ISATAP and WPAD queries, not sample behaviour. The registrant of www.cicfsc.com is hidden behind DreamHost's WHOIS privacy service (Proxy Protection LLC), so the WHOIS record identifies nobody.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Country
---|---|---|---
208.113.168.217 | 80/TCP | bmw_cic_fsc_generator.exe (PID: 2488) | United States
Contacted Countries: United States
HTTP Traffic
Endpoint | Request | URL | Raw request
---|---|---|---
208.113.168.217:80 (www.cicfsc.com) | GET | www.cicfsc.com/RSAKeys.txt | GET /RSAKeys.txt HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip, deflate; Accept-Language: en-US,*; User-Agent: Mozilla/5.0; Host: www.cicfsc.com
208.113.168.217:80 (www.cicfsc.com) | GET | www.cicfsc.com/Lookup.xml | GET /Lookup.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip, deflate; Accept-Language: en-US,*; User-Agent: Mozilla/5.0; Host: www.cicfsc.com
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 208.113.168.217:80 (TCP) | Potentially Bad Traffic | ETPRO USER_AGENTS Observed Suspicious UA (Mozilla/5.0) | 2842116 |
local -> 208.113.168.217:80 (TCP) | Potentially Bad Traffic | ETPRO USER_AGENTS Observed Suspicious UA (Mozilla/5.0) | 2842116 |
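Both Suricata hits fire on the same thing: a User-Agent header that is the bare token `Mozilla/5.0` with nothing after it, which no real browser sends. The following added example (mine, not an Emerging Threats rule) applies that check and two related ones (no `Accept` header, no `Host` header) to raw request text of the form shown in the HTTP Traffic table. The two requests are copied from the table; the third, browser-like request is constructed as a negative control, and the header heuristics are my own rather than the ETPRO signature's exact logic.

```python
import re

# Raw requests: the two from the HTTP Traffic table above, plus one constructed
# browser request used as a negative control.
SAMPLE_REQUESTS = [
    "GET /RSAKeys.txt HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept-Encoding: gzip, deflate\r\n"
    "Accept-Language: en-US,*\r\nUser-Agent: Mozilla/5.0\r\nHost: www.cicfsc.com\r\n\r\n",
    "GET /Lookup.xml HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept-Encoding: gzip, deflate\r\n"
    "Accept-Language: en-US,*\r\nUser-Agent: Mozilla/5.0\r\nHost: www.cicfsc.com\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0 Safari/537.36\r\n"
    "Accept: text/html,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nConnection: keep-alive\r\n\r\n",
]

BARE_UA = re.compile(r"^Mozilla/\d\.\d$")   # a product token with no platform or engine detail


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, version and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def assess_request(raw: str) -> dict:
    """Return the request URL and the reasons (if any) it looks like a non-browser client."""
    req = parse_request(raw)
    h = req["headers"]
    reasons = []
    ua = h.get("user-agent", "")
    if not ua:
        reasons.append("no User-Agent header")
    elif BARE_UA.match(ua):
        reasons.append("bare user agent %r (no browser sends only this)" % ua)
    if "accept" not in h:
        reasons.append("no Accept header (browsers always send one)")
    if "host" not in h:
        reasons.append("HTTP/1.1 request without Host header")
    url = "http://%s%s" % (h.get("host", "?"), req["target"])
    return {"url": url, "user_agent": ua, "suspicious": bool(reasons), "reasons": reasons}


def triage_requests(raws=SAMPLE_REQUESTS) -> list:
    return [assess_request(r) for r in raws]


if __name__ == "__main__":
    for result in triage_requests():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(flag, result["url"], "; ".join(result["reasons"]))
```

The same two header checks explain the separate "no browser was ever launched" indicator above: the request carries Accept-Encoding and Accept-Language but no Accept, which is the shape of a request built by an HTTP library, not by a browser. The extracted URLs are the IOCs worth keeping from this section; the user agent string on its own is too generic to block on.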
Extracted Files
Informative (2)
- Lookup.xml
  - Size: 787KiB (806092 bytes)
  - Type: text
  - Description: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  - Runtime Process: BMW_CIC_FSC_Generator.exe (PID: 2488)
  - MD5: 6dcc492687c9f1752a5c788b41e9450b
  - SHA1: 0168b575125a33b684bc0a3d5518b7a189a6ea0d
  - SHA256: 8ed1b552b35fd2ec722ea9c9bd0690c3e125fd20fba42bffe0f7c691856e3e28
- RSAKeys.txt
  - Size: 13B (13 bytes)
  - Type: text
  - Description: ASCII text, with no line terminators
  - Runtime Process: BMW_CIC_FSC_Generator.exe (PID: 2488)
  - MD5: d85c8d73deaf827ba7a6648c053e6f6c
  - SHA1: 39ad958b9fe8b697295daae8ec1ff3309cb544ac
  - SHA256: c4b04ec225d5065988d5abbf6785135a93c80ead1dc43b1717cf325bebccee3b
Notifications
Runtime
- Network whitenoise filtering was applied
- Not all Falcon MalQuery lookups completed in time
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "network-32" are available in the report
- Some low-level data is hidden, as this is only a slim report