MovaviVideoConverterSetupC.exe
This report is generated from a file or URL submitted to this webservice on June 2nd 2018 02:28:52 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.10 © Hybrid Analysis

Incident Response

Risk Assessment
- Fingerprint: Reads the active computer name
Indicators
Not all malicious and suspicious indicators are displayed.
Suspicious Indicators (9)

Environment Awareness

Contains ability to measure performance
- details: rdtsc
- source: Hybrid Analysis Technology
- relevance: 10/10

Contains ability to query CPU information
- details: cpuid
- source: Hybrid Analysis Technology
- relevance: 10/10

Reads the active computer name
- details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10

General
Reads configuration files
- details: "<Input Sample>" read file "%USERPROFILE%\Desktop\desktop.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence
Drops executable files
- details: "GeneralPlugin.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

System Destruction
Marks file for deletion
- details:
  - "C:\MovaviVideoConverterSetupC.exe" marked "%TEMP%\nso1108.tmp" for deletion
  - "C:\MovaviVideoConverterSetupC.exe" marked "%TEMP%\nsg1560.tmp" for deletion
- source: API Call
- relevance: 10/10

Opens file with deletion access rights
- details:
  - "<Input Sample>" opened "%TEMP%\nso1108.tmp" with delete access
  - "<Input Sample>" opened "%TEMP%\nsg1560.tmp" with delete access
- source: API Call
- relevance: 7/10

Unusual Characteristics
Input file contains API references not part of its Import Address Table (IAT)
- details:
  - Found string "SHGetFolderPathW" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: SHFOLDER.DLL)
  - Found string "SHAutoComplete" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: SHLWAPI.DLL)
  - Found string "GetUserDefaultUILanguage" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNELBASE.DLL)
  - Found string "AdjustTokenPrivileges" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: ADVAPI32.DLL)
  - Found string "LookupPrivilegeValueW" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: ADVAPI32.DLL)
  - Found string "OpenProcessToken" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: ADVAPI32.DLL)
  - Found string "RegDeleteKeyExW" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: ADVAPI32.DLL)
  - Found string "MoveFileExW" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNEL32.DLL)
  - Found string "GetDiskFreeSpaceExW" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNELBASE.DLL)
  - Found string "Module32NextW" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNEL32.DLL)
  - Found string "Module32FirstW" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNEL32.DLL)
  - Found string "Process32NextW" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNEL32.DLL)
  - Found string "Process32FirstW" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNEL32.DLL)
  - Found string "CreateToolhelp32Snapshot" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNEL32.DLL)
  - Found string "DeleteFileW" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNELBASE.DLL)
  - Found string "FindFirstFileW" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNELBASE.DLL)
  - Found string "FindNextFileW" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNELBASE.DLL)
  - Found string "FindClose" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNELBASE.DLL)
  - Found string "SetFilePointer" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNELBASE.DLL)
  - Found string "MultiByteToWideChar" (Source: MovaviVideoConverterSetupC.exe.bin, API is part of module: KERNELBASE.DLL)
- source: File/Memory
- relevance: 10/10

Reads information about supported languages
- details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10

Informative (9)

Environment Awareness
Reads the registry for installed applications
- details: "<Input Sample>" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MOVAVI VIDEO CONVERTER 18 PREMIUM\CONVERTER.EXE")
- source: Registry Access
- relevance: 10/10

External Systems
Sample was identified as clean by Antivirus engines
- details: 0/65 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General
Creates a writable file in a temporary directory
- details:
  - "<Input Sample>" created file "%TEMP%\nsk1445.tmp"
  - "<Input Sample>" created file "%TEMP%\nsg1560.tmp\GeneralPlugin.dll"
- source: API Call
- relevance: 1/10

Drops files marked as clean
- details: Antivirus vendors marked dropped file "GeneralPlugin.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source: Binary File
- relevance: 10/10

Installation/Persistence
Connects to LPC ports
- details: "<Input Sample>" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details: "GeneralPlugin.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
  - "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
  - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db"
  - "<Input Sample>" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
  - "<Input Sample>" touched file "%WINDIR%\Fonts\StaticCache.dat"
  - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
  - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db"
- source: API Call
- relevance: 7/10

Network Related
Found potential URL in binary/memory
- details:
  - Heuristic match: ".`Uic<k*.ye"
  - Heuristic match: "]n8IK..Mz"
  - Heuristic match: "wK`q9f.GU"
  - Pattern match: "http://nsis.sf.net/NSIS_Error"
- source: File/Memory
- relevance: 10/10

System Security
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details: "<Input Sample>" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10

File Details
- Filename: MovaviVideoConverterSetupC.exe
- Size: 44MiB (45742864 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: a948d4aa020fb1cd66e74f94592e1db5801d5fc7457aaf0cae21445a8cc824e2
- MD5: ecfd02cc97185d7acf1119a890fb87e6
- SHA1: cd43fedb588d2a574e6cfa79e4c73abe0de383ee
Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.5% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 1 process in total.
- MovaviVideoConverterSetupC.exe (PID: 3164)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://nsis.sf.net/nsis_error | Domain/IP reference | 00012211-00003164-38175-66-004031E3 |
Extracted Files

Clean (1)

GeneralPlugin.dll
- Size: 3.4MiB (3544080 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/66
- Runtime Process: MovaviVideoConverterSetupC.exe (PID: 3164)
- MD5: 0d0b5eff0b16a31c9c27e73ea6ccfa3e
- SHA1: ff94b9db8185e4a7009c25587a33a3b38ed4f8a7
- SHA256: aa77b85d36ad22a1585bd84ce50908d6327e23005103dfc713f5c458cf5b02fa

Notifications

Runtime
- A process crash was detected during the runtime analysis
- Network whitenoise filtering was applied
- No static analysis parsing on sample was performed
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)