ARSDossierComposerSetup_0065_w_template_v6.exe
This report is generated from a file or URL submitted to this webservice on June 1st 2020 14:56:52 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Reads terminal service related keys (often RDP related)
- Spyware
- Found a string that may be used as part of an injection method
- Fingerprint
- Reads the active computer name
- Spreading
- Opens the MountPointManager (often used to detect additional infection locations)
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 1
-
General
-
The analysis extracted a file that was identified as malicious
- details
-
1/85 Antivirus vendors marked dropped file "pdftotext.exe" as malicious (classified as "Malware.Generic" with 1% detection rate)
2/84 Antivirus vendors marked dropped file "Uninstall.exe" as malicious (classified as "/Malicious" with 2% detection rate) - source
- Binary File
- relevance
- 10/10
Suspicious Indicators 18
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
-
"Y|a&aBr" (section name contains non-printable characters) with unusual entropies 7.99906644709 - source
- Static Parser
- relevance
- 10/10
Environment Awareness
-
Reads the active computer name
- details
- "ARSDossierComposerSetup_0065_w_template_v6.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
General
-
Found a potential E-Mail address in binary/memory
- details
-
Pattern match: "_p6il@kxjzrd.4"
Pattern match: "f@zyk_x.w7kf" - source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1114
Installation/Persistence
-
Drops executable files
- details
-
"pdfium.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"Interop.AcroPDFLib.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"pdftotext.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
"System.IO.Packaging.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"AxInterop.AcroPDFLib.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"pdfium.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"ARSDossierComposer.exe" has type "PE32 executable (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
"WinControls.ListView.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
"pdfinfo.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
"Uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"PdfiumViewer.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows" - source
- Binary File
- relevance
- 10/10
Network Related
-
Found potential IP address in binary/memory
- details
-
Heuristic match: "1d,3.0.4.2.3.7"
Heuristic match: "0.0.6.5 (with template v6)" - source
- File/Memory
- relevance
- 3/10
Remote Access Related
-
Reads terminal service related keys (often RDP related)
- details
- "ARSDossierComposerSetup_0065_w_template_v6.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076
System Destruction
-
Opens file with deletion access rights
- details
-
"ARSDossierComposerSetup_0065_w_template_v6.exe" opened "%TEMP%\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\Commands.dat" with delete access
"ARSDossierComposerSetup_0065_w_template_v6.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\default.ifl" with delete access
"ARSDossierComposerSetup_0065_w_template_v6.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\Desktop.dat" with delete access
"ARSDossierComposerSetup_0065_w_template_v6.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\icon.dat" with delete access
"ARSDossierComposerSetup_0065_w_template_v6.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\Image_Left.jpg" with delete access
"ARSDossierComposerSetup_0065_w_template_v6.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\Image_Top.jpg" with delete access
"ARSDossierComposerSetup_0065_w_template_v6.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\licence.rtf" with delete access
"ARSDossierComposerSetup_0065_w_template_v6.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\OS.dat" with delete access
"ARSDossierComposerSetup_0065_w_template_v6.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\SC.dat" with delete access
"ARSDossierComposerSetup_0065_w_template_v6.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\Setup.cab" with delete access
"ARSDossierComposerSetup_0065_w_template_v6.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\Variables.dat" with delete access
"ARSDossierComposerSetup_0065_w_template_v6.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\" with delete access - source
- API Call
- relevance
- 7/10
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
-
"pdftotext.exe" claimed CRC 1138346 while the actual is CRC 17883
"System.IO.Packaging.dll" claimed CRC 58768 while the actual is CRC 1138346
"pdfinfo.exe" claimed CRC 1069714 while the actual is CRC 1035985
"PdfiumViewer.dll" claimed CRC 138090 while the actual is CRC 139759 - source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
RegCreateKeyExW
RegCloseKey
OpenProcessToken
GetUserNameW
RegOpenKeyExW
CopyFileW
GetModuleFileNameW
GetVersionExW
GetVersionExA
GetFileAttributesW
GetFileSize
LoadLibraryA
GetDriveTypeW
CreateDirectoryW
DeleteFileW
GetProcAddress
CreateThread
LoadLibraryW
FindNextFileW
GetTempPathW
FindFirstFileW
GetModuleHandleW
WriteFile
CreateFileW
CreateProcessW
Sleep
ShellExecuteExW
GetCursorPos
GetWindowThreadProcessId
GetModuleFileNameA
GetCommandLineW
UnhandledExceptionFilter
LoadLibraryExW
GetStartupInfoW
GetCommandLineA
FindFirstFileExA
FindNextFileA
TerminateProcess
GetModuleHandleExW
IsDebuggerPresent
RegDeleteValueW
RegEnumKeyExW
RegDeleteKeyW
ShellExecuteW - source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
- "ARSDossierComposerSetup_0065_w_template_v6.exe" wrote bytes "71112e027a3b2d02ab8b02007f950200fc8c0200729602006cc805001ecd2a027d262a02" to virtual address "0x74F207E4" (part of module "USER32.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Reads information about supported languages
- details
- "ARSDossierComposerSetup_0065_w_template_v6.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Timestamp in PE header is very old or in the future
- details
-
"System.IO.Packaging.dll" claims program is from Thu Mar 7 08:28:02 2052
"ARSDossierComposer.exe" claims program is from Wed Jul 12 08:49:38 2062 - source
- Static Parser
- relevance
- 10/10
Hiding 6 Suspicious Indicators
-
Informative 15
-
Environment Awareness
-
Queries volume information
- details
-
"ARSDossierComposerSetup_0065_w_template_v6.exe" queries volume information of "C:\" at 00172651-00001232-00000046-168213748522
"ARSDossierComposerSetup_0065_w_template_v6.exe" queries volume information of "%PROGRAMFILES%\(x86)\ARSDossierComposer\ARSDossierComposer.exe" at 00172651-00001232-00000046-168238181321 - source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Queries volume information of an entire harddrive
- details
- "ARSDossierComposerSetup_0065_w_template_v6.exe" queries volume information of "C:\" at 00172651-00001232-00000046-168213748522
- source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
-
Reads the registry for installed applications
- details
-
"ARSDossierComposerSetup_0065_w_template_v6.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ARSDOSSIERCOMPOSER")
"ARSDossierComposerSetup_0065_w_template_v6.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ARSDOSSIERCOMPOSERSETUP_0065_W_TEMPLATE_V6.EXE")
"ARSDossierComposerSetup_0065_w_template_v6.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ARSDOSSIERCOMPOSERSETUP_0065_W_TEMPLATE_V6.EXE") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
General
-
Creates a writable file in a temporary directory
- details
-
"ARSDossierComposerSetup_0065_w_template_v6.exe" created file "%TEMP%\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\Setup.cab"
"ARSDossierComposerSetup_0065_w_template_v6.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\SC.dat"
"ARSDossierComposerSetup_0065_w_template_v6.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\Desktop.dat"
"ARSDossierComposerSetup_0065_w_template_v6.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\OS.dat"
"ARSDossierComposerSetup_0065_w_template_v6.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\default.ifl"
"ARSDossierComposerSetup_0065_w_template_v6.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\Image_Left.jpg"
"ARSDossierComposerSetup_0065_w_template_v6.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\Image_Top.jpg"
"ARSDossierComposerSetup_0065_w_template_v6.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\licence.rtf"
"ARSDossierComposerSetup_0065_w_template_v6.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\icon.dat"
"ARSDossierComposerSetup_0065_w_template_v6.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\Variables.dat"
"ARSDossierComposerSetup_0065_w_template_v6.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\IF{F82A4DD1-B770-427D-96C9-176EB5859ACC}\Commands.dat" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\IF"
"IF" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "System.IO.Packaging.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "WinControls.ListView.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "pdfinfo.exe" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "PdfiumViewer.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows") - source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "ARSDossierComposerSetup_0065_w_template_v6.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 73D30000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Overview of unique CLSIDs touched in registry
- details
-
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched "Shortcut" (Path: "HKCU\WOW6432NODE\CLSID\{00021401-0000-0000-C000-000000000046}")
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched "UsersFiles" (Path: "HKCU\WOW6432NODE\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\SHELLFOLDER")
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched "Microsoft Windows Font Folder" (Path: "HKCR\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}")
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched "Task Bar Communication" (Path: "HKCU\WOW6432NODE\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\TREATAS") - source
- Registry Access
- relevance
- 3/10
-
Scanning for window names
- details
- "ARSDossierComposerSetup_0065_w_template_v6.exe" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
Installation/Persistence
-
Connects to LPC ports
- details
- "ARSDossierComposerSetup_0065_w_template_v6.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"pdfium.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"ARS Dossier Composer.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Mon Jun 1 13:03:35 2020 mtime=Mon Jun 1 13:03:35 2020 atime=Mon Apr 13 19:56:00 2020 length=1592832 window=hide"
"Interop.AcroPDFLib.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"pdftotext.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
"System.IO.Packaging.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"AxInterop.AcroPDFLib.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"pdfium.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"ARSDossierComposer.exe" has type "PE32 executable (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
"WinControls.ListView.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
"pdfinfo.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
"Uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"PdfiumViewer.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"xpdfrc" has type "ASCII text with no line terminators"
"uninstall.dat" has type "data"
"System.IO.Packaging.xml" has type "XML 1.0 document UTF-8 Unicode (with BOM) text with very long lines with CRLF line terminators"
"icon.dat" has type "MS Windows icon resource - 9 icons 48x48 16 colors"
"EEC_M_SimpleDataObjects_v0.4.6.xsd" has type "XML 1.0 document UTF-8 Unicode text with very long lines with CRLF line terminators"
"EEC_M_HC_SimpleDataObjects_v1.0.3.xsd" has type "XML 1.0 document UTF-8 Unicode text with very long lines with CRLF line terminators"
"DossierDocTmp.dotx" has type "Microsoft Word 2007+"
"~_C_template.dotx" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\desktop.ini"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Windows\Fonts\desktop.ini"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Windows\SysWOW64\shell32.dll"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Windows\SysWOW64\en-US\shell32.dll.mui"
"ARSDossierComposerSetup_0065_w_template_v6.exe" touched file "C:\Windows\syswow64\en\SHELL32.DLL.mui" - source
- API Call
- relevance
- 7/10
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "Ph`3z[.fo"
Heuristic match: "'gM~!G.jo"
Heuristic match: "4Ww,p.tz"
Heuristic match: "PKt%?~.JM"
Heuristic match: "i<=2B%e.tv"
Pattern match: "ns.adobe.com/xap/1.0/"
Heuristic match: "qB.BB"
Pattern match: "http://pharmrussia.com"
Pattern match: "http://www.w3.org/2001/XMLSchema" - source
- File/Memory
- relevance
- 10/10
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "ARSDossierComposerSetup_0065_w_template_v6.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"0f718fe65763eab11d077889a94017b4b3668330f1c86af6c783e1a29b16f4c8.bin" was detected as "PureBasic 4.x -> Neil Hodgson"
"Interop.AcroPDFLib.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"pdftotext.exe" was detected as "VC8 -> Microsoft Corporation"
"System.IO.Packaging.dll" was detected as "Microsoft visual C# / Basic .NET"
"AxInterop.AcroPDFLib.dll" was detected as "Microsoft visual C# / Basic .NET"
"ARSDossierComposer.exe" was detected as "Morphine v1.2 (DLL)"
"WinControls.ListView.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"pdfinfo.exe" was detected as "VC8 -> Microsoft Corporation"
"Uninstall.exe" was detected as "PureBasic 4.x -> Neil Hodgson"
"PdfiumViewer.dll" was detected as "Microsoft visual C# / Basic .NET" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
File Details
ARSDossierComposerSetup_0065_w_template_v6.exe
- Filename
- ARSDossierComposerSetup_0065_w_template_v6.exe
- Size
- 22MiB (22908301 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
- Architecture
- WINDOWS
- SHA256
- 0f718fe65763eab11d077889a94017b4b3668330f1c86af6c783e1a29b16f4c8
- MD5
- b5d1269082485d4b08a46c59b141bcdc
- SHA1
- bffd151a6d13b01680f8134a6d1442eb12b8ef8a
- ssdeep
- 393216:SLlmDI9pipmruSkrUgKMTzhm2AnLU4BaW0CJFmda/zzi1lIzewH79:SRr98XSzgKMng2ALzBaNQQda/zz+qekx
- imphash
- 1033e7ad4ef699f506cce0c38fc5b07c
- authentihash
- b9a86f1b9ce3c5378e410924964e198c08ee1938bd4a587f0ec856f2b54afbd1
- Compiler/Packer
- PureBasic 4.x -> Neil Hodgson
Classification (TrID)
- 39.9% (.EXE) Win32 Executable MS Visual C++ (generic)
- 35.3% (.EXE) Win64 Executable (generic)
- 8.4% (.DLL) Win32 Dynamic Link Library (generic)
- 5.7% (.EXE) Win32 Executable (generic)
- 2.6% (.EXE) Win16/32 Executable Delphi generic
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 23 extracted file(s). The remaining 20 file(s) are available in the full version and XML/JSON reports.
-
Malicious 2
-
-
Uninstall.exe
- Size
- 117KiB (119808 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "/Malicious" (2/84)
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 7ae89c6074b7cf3d03081ea6616d873b
- SHA1
- 7294758911932ff6885521103baf631acbda21bc
- SHA256
- ae326f86aa8bbb88831b0339c820859467ef910daded5b430dc88da97d203772
-
pdftotext.exe
- Size
- 1MiB (1079296 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Malware.Generic" (1/85)
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 3f5188e918a0810b4248966971907b89
- SHA1
- 4a97b9cdfb809fe9fbc1b92dff4a40e9a083843a
- SHA256
- 78a2789965db6d716faecd62c384c8aa819c2f2f5470377596c8ab857fb59e87
-
-
Clean 4
-
-
PdfiumViewer.dll
- Size
- 113KiB (115712 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/85
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 82e7c3a1caad77137d7fa643e652a9bd
- SHA1
- 2c4114d52a151ef6a7b104e808bcf9a1564c6b1c
- SHA256
- 65f1fcbf4a836cf37a0e8ca32badc0fb81b9387014ce141cc05e5da711486ba8
-
System.IO.Packaging.dll
- Size
- 42KiB (42568 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/82
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 5a3a7cf57a7d5a3ab3b5ab4aae6e70ae
- SHA1
- bb63b5594a8f3320b1cd0619b95d652b85c0aa78
- SHA256
- d9e3ebe0c2086cac465a5550681e5a65fae1c27d675cb649e6d2c19936fb1d4f
-
WinControls.ListView.dll
- Size
- 956KiB (978432 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/82
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- cb8421f433f459330c2b27c08ada69d6
- SHA1
- 577246e5b21d1d45fd6519c0cb426795b668a07e
- SHA256
- de7a90a7252955b2a6590c3ca1d31f688226db83c51f2f3c1f2503cfb48a5af5
-
pdfinfo.exe
- Size
- 1012KiB (1036288 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/75
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 5e5b9b79dbb39acc46d3ed4d3db34370
- SHA1
- ad3493b5c50fc595b3066509c4800774d7d21463
- SHA256
- c2033bc328723b32366128b71607398f171a3b6ea514d3a495b19e64386b6500
-
-
Informative 17
-
-
ARSDossierComposer.exe
- Size
- 1.5MiB (1592832 bytes)
- Type
- peexe assembly executable
- Description
- PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- de8db4af27604c87c835f899b87d7a51
- SHA1
- fe60c9b2777c90493865282d2e5a7722603db322
- SHA256
- 56725b214663a25cd7d6a366c157880a19de41db1e76c3885c73925d8f74b99b
-
ARSDossierComposerUserGuide.pdf
- Size
- 5MiB (5222400 bytes)
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- f2884abbbacfc104ed107c68f1cdada2
- SHA1
- 7c434e96e1a736f4d3d5d81e13dbf02a118102bb
- SHA256
- 740a960644050f62270da7df6c674f0665520add2ef0bcadf158607552b549a7
-
AxInterop.AcroPDFLib.dll
- Size
- 8KiB (8192 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 42d08937f8b8519c86838f4d8f6102e2
- SHA1
- fa8fd4bdb5d7604a49ed663ef0386934d22c32a4
- SHA256
- 5e536c4f9d9dc24bdd25a18a927f91c0c7cf4500972b2810a23cc66b00ec3d65
-
DocNumNeed.xml
- Size
- 17KiB (17178 bytes)
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- c42b96da8680945d9b87b74b4462910e
- SHA1
- 7a00570114b61f9d96e0635972513691681b8407
- SHA256
- 0e8cf3cb91cfad9a66aebd5074aae25e28f316938c76a9f5229d25d69538422d
-
ResolutionByDocNum.xml
- Size
- 168KiB (171763 bytes)
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 23bf9d21acec3272ae0a8db3d7dd645b
- SHA1
- 9eae453f3cde5f709d4fd830247b11848edcb298
- SHA256
- a1f67586a0e4c2fc5af0798529b77b49ea051438ccab34329323175a07ca283c
-
Interop.AcroPDFLib.dll
- Size
- 12KiB (11776 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- ff1f1dcd1ec8596623bd36ff7104929c
- SHA1
- 29b3aac654523261ea2df3bb06c8010ee7ae7561
- SHA256
- 3ee74c5cb0e78f06f25877add019b222995664cce9da7d24c95a069964103b32
-
KOI8-R.unicodeMap
- Size
- 904B (904 bytes)
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 26f14f90a9c2b3cadc94f4ab6922e9f5
- SHA1
- 42477004c5a02d49c27ee5d15a4557907b188731
- SHA256
- e46b7a351dd44b17670a671dfe21c54b328c15a183d8333817dc820d4a6cf226
-
PdfiumViewer.xml
- Size
- 61KiB (61998 bytes)
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 9f750ca7265b3f5f53f5f5282043ffdd
- SHA1
- 1acbd4d9a87559b0a8910055f014d4a27fe01078
- SHA256
- 4c6020a3c1cd3957ee2fcab487101ca5ed63c8352cec7343852f12fdec506af9
-
System.IO.Packaging.xml
- Size
- 85KiB (86891 bytes)
- Type
- text
- Description
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 0a54f198f931a60cbe15bc61ac0043b6
- SHA1
- 2606b98ff3e411e945eb5435da595ebcabc423e3
- SHA256
- e6596413726280906700211e2c04bcaeb33db09f1ad89bb138084b8fea5b8521
-
TemplateEAEUDossier_v5.xml
- Size
- 1.3MiB (1312426 bytes)
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- ad6e226c0309801373ae20d5b623a9cf
- SHA1
- 2616e845860d170dc6515e4c5dddc5447e0ccc20
- SHA256
- eb846d1955bffe406de55d4e4e4fe684eebc511b1daea1e8c909ef655963f012
-
TemplateEAEUDossier_v6.xml
- Size
- 1.7MiB (1765312 bytes)
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 343783e87e21c501f2fad370c8915121
- SHA1
- d533bf69bc372ac28982ae03e9d2a8b39382573b
- SHA256
- 0d0f97352b71a31a775d9c723115aa31187df60443f7be3651e99da7bc02c9c5
-
DossierDocTmp.dotx
- Size
- 25KiB (25295 bytes)
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 142c9f984b4bdd7c0e1a5643edc514fd
- SHA1
- 1286600e5eead3b378502437b23d8db870982ef4
- SHA256
- 455a8065b563a81135fd648d25874f21c2207945b1c0c318fb33fe598604e79b
-
ToC_template.dotx
- Size
- 24KiB (24253 bytes)
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 0c4876732e4ad71a90ed7836f5bfe754
- SHA1
- 4194befa0afece4df679e6ef9a71eb07cb164a2c
- SHA256
- 7a5687eb68e03d034e090818040f238d2770e6702e27b6369ca8a46660b34291
-
uninstall.dat
- Size
- 2.8KiB (2885 bytes)
- Type
- data
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 2ded75b423da568e184a43fd68df3b2a
- SHA1
- 3a1e26328647183b475d576dc1f69cbb8644b705
- SHA256
- 581e40e52740d693e44a7810f8424b74fef14267a2c8f03b2cc2238b85e1342b
-
pdfium.dll
- Size
- 5MiB (5222400 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 890cb99e212e90ea992341b8dee56ea1
- SHA1
- 68ec50619e0a14a5c7ed9c4a196dfc0c77847dda
- SHA256
- a3b5ec62da7400608da3c9d8cf4675beb4a4f4d5c9aadef953becec61826be16
-
ARS Dossier Composer.lnk
- Size
- 1.1KiB (1129 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Jun 1 13:03:35 2020, mtime=Mon Jun 1 13:03:35 2020, atime=Mon Apr 13 19:56:00 2020, length=1592832, window=hide
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- 82e1e6d013691328e25b92e9b77a008b
- SHA1
- d02d68c343f9afc61840ad39e1e67cb915164941
- SHA256
- 1757987dec05ec4099c228cdd9167a0caa10f1d15595e736f41e9f566d7af90a
-
~_C_template.dotx
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- ARSDossierComposerSetup_0065_w_template_v6.exe (PID: 1232)
- MD5
- ecbb48da846d4d4e400f97888e4649c4
- SHA1
- 65dc0cfd96d53f9f34ae4e590f46bd55085137ca
- SHA256
- 53ea8e86e77b681c63240e60dad2d47302c418bd37c0c89f54d72e38874fda2a
-
Notifications
-
Runtime
- Extracted file "pdfium.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/a3b5ec62da7400608da3c9d8cf4675beb4a4f4d5c9aadef953becec61826be16/analysis/1591023832/")
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "static-6" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report