BMW_CIC_FSC_Generator.exe
This report is generated from a file or URL submitted to this webservice on December 24th 2020 21:11:16 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.45.3 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Reads terminal service related keys (often RDP related)
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Network Behavior
  - Contacts 1 domain and 1 host.
MITRE ATT&CK™ Techniques Detection
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
- 722bcfb5832a70ef53ebbc86df873e1d03ab20181806a274d8ea843390257fc2
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 1
External Systems
Sample was identified as malicious by at least one Antivirus engine
- details
- 1/69 Antivirus vendors marked sample as malicious (1% detection rate)
- source
- External System
- relevance
- 8/10
Suspicious Indicators 17
Anti-Reverse Engineering
PE file has unusual entropy sections
- details
- UPX1 with unusual entropies 7.93576830459
- source
- Static Parser
- relevance
- 10/10
PE file is packed with UPX
- details
- "aaa7b2ac87331aaf46e395a228b81b3699ee72d67b9ca4d236c2167c0f65c2a0.bin" has a section named "UPX0"
- "aaa7b2ac87331aaf46e395a228b81b3699ee72d67b9ca4d236c2167c0f65c2a0.bin" has a section named "UPX1"
- "aaa7b2ac87331aaf46e395a228b81b3699ee72d67b9ca4d236c2167c0f65c2a0.bin" has a section named "UPX2"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
Environment Awareness
Reads the active computer name
- details
- "BMW_CIC_FSC_Generator.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
Reads the cryptographic machine GUID
- details
- "BMW_CIC_FSC_Generator.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
External Systems
Detected Suricata Alert
- details
- Detected alert "ETPRO USER_AGENTS Observed Suspicious UA (Mozilla/5.0)" (SID: 2842116, Rev: 1, Severity: 2) categorized as "Potentially Bad Traffic"
- source
- Suricata Alerts
- relevance
- 10/10
Installation/Persistence
Monitors specific registry key for changes
- details
- "BMW_CIC_FSC_Generator.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: 0)
- "BMW_CIC_FSC_Generator.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: 0)
- source
- API Call
- relevance
- 4/10
- ATT&CK ID
- T1012
Network Related
Found potential IP address in binary/memory
- details
- Heuristic match: ".#.%.'.).+.-./.1.3.5.7.9.;.=.?.A"
- source
- File/Memory
- relevance
- 3/10
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
- TCP traffic to 208.113.168.217 on port 80 is sent without HTTP header
- source
- Network Traffic
- relevance
- 5/10
- ATT&CK ID
- T1043
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/5.0
- source
- Network Traffic
- relevance
- 10/10
Remote Access Related
Reads terminal service related keys (often RDP related)
- details
- "BMW_CIC_FSC_Generator.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076
Unusual Characteristics
Entrypoint in PE header is within an uncommon section
- details
- "aaa7b2ac87331aaf46e395a228b81b3699ee72d67b9ca4d236c2167c0f65c2a0.bin" has an entrypoint in section "UPX1"
- source
- Static Parser
- relevance
- 10/10
Imports suspicious APIs
- details
- VirtualProtect
- GetProcAddress
- LoadLibraryA
- NetShareEnum
- bind
- source
- Static Parser
- relevance
- 1/10
Installs hooks/patches the running process
- details
- "BMW_CIC_FSC_Generator.exe" wrote bytes "f8110000" to virtual address "0x74CC12CC" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "a011c46e" to virtual address "0x70884028" (part of module "WEBIO.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "f811cc74" to virtual address "0x74CD834C" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "f8110000" to virtual address "0x74CC1408" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "b89012c46effe0" to virtual address "0x74CC1248" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "4812cc74" to virtual address "0x74CD8348" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "f811cc74" to virtual address "0x74CD8368" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "f811cc74" to virtual address "0x74CD83C4" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "4812cc74" to virtual address "0x74CD8364" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "1099dd7600000000b538f8769051f77600000000e0c50c76fdfe0c76ee29f87600000000" to virtual address "0x6E8A1000" (part of module "KSUSER.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "c04ef6762054f776e065f776b538f8760000000000d00c7600000000c5ea0c760000000088ea0c7600000000e968fa748228f876ee29f87600000000d269fa74000000007dbb0c760000000009befa7400000000ba180c7600000000" to virtual address "0x762B1000" (part of module "NSI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "4812cc74" to virtual address "0x74CD83C0" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "f811cc74" to virtual address "0x74CD83E0" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "fae6f376e1a6f8762e71f876ee29f87685e2f3766da0f87626e4f376d16df876003df676804bf67600000000ad3716768b2d1676b641167600000000" to virtual address "0x742D1000" (part of module "WSHTCPIP.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "48120000" to virtual address "0x74CC139C" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "48120000" to virtual address "0x74CC12DC" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "4812cc74" to virtual address "0x74CD83DC" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "b81015c46effe0" to virtual address "0x74CC11F8" (part of module "SSPICLI.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "68130000" to virtual address "0x76161680" (part of module "WS2_32.DLL")
- "BMW_CIC_FSC_Generator.exe" wrote bytes "b88011c46effe0" to virtual address "0x76161368" (part of module "WS2_32.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
Reads information about supported languages
- details
- "BMW_CIC_FSC_Generator.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
Hiding 3 Suspicious Indicators
Informative 12
Anti-Reverse Engineering
PE file contains zero-size sections
- details
- Raw size of "UPX0" is zero
- source
- Static Parser
- relevance
- 10/10
External Systems
Detected Suricata Alert
- details
- Detected alert "ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent" (SID: 2027390, Rev: 3, Severity: 3) categorized as "Unknown Traffic"
- Detected alert "ET INFO Windows OS Submitting USB Metadata to Microsoft" (SID: 2025275, Rev: 3, Severity: 3) categorized as "Misc activity"
- source
- Suricata Alerts
- relevance
- 10/10
General
Contacts domains
- details
- "www.cicfsc.com"
- source
- Network Traffic
- relevance
- 1/10
Contacts server
- details
- "208.113.168.217:80"
- source
- Network Traffic
- relevance
- 1/10
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Local\MidiMapper_modLongMessage_RefCnt"
- "Local\MidiMapper_modLongMessage_RefCnt"
- source
- Created Mutant
- relevance
- 3/10
GETs files from a webserver
- details
- "GET /RSAKeys.txt HTTP/1.1
  Connection: Keep-Alive
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,*
  User-Agent: Mozilla/5.0
  Host: www.cicfsc.com"
- "GET /Lookup.xml HTTP/1.1
  Connection: Keep-Alive
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,*
  User-Agent: Mozilla/5.0
  Host: www.cicfsc.com"
- source
- Network Traffic
- relevance
- 5/10
Overview of unique CLSIDs touched in registry
- details
- "BMW_CIC_FSC_Generator.exe" touched "Enhanced Storage Icon Overlay Handler Class" (Path: "HKCU\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\INPROCSERVER32")
- "BMW_CIC_FSC_Generator.exe" touched "Sharing Overlay (Private)" (Path: "HKCU\CLSID\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\INPROCSERVER32")
- "BMW_CIC_FSC_Generator.exe" touched "CrossProcessClientOutput Class" (Path: "HKCU\CLSID\{CD773740-B187-4974-A1D5-E0FF91372277}\TREATAS")
- source
- Registry Access
- relevance
- 3/10
Installation/Persistence
Dropped files
- details
- "Lookup.xml" has type "XML 1.0 document ASCII text with very long lines with CRLF line terminators"
- "RSAKeys.txt" has type "ASCII text with no line terminators"
- source
- Binary File
- relevance
- 3/10
Touches files in the Windows directory
- details
- "BMW_CIC_FSC_Generator.exe" touched file "%WINDIR%\System32\imageres.dll"
- "BMW_CIC_FSC_Generator.exe" touched file "%WINDIR%\System32\en-US\user32.dll.mui"
- source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
- Heuristic match: "[K8F?.GH"
- Heuristic match: "`t[<i.nP"
- Heuristic match: "jvy/0.zM"
- Heuristic match: "X9-57
  .cm"
- Pattern match: "aEa6a2a.aFa/aOa"
- Heuristic match: "s>dsr|us4Vxs.bz"
- Heuristic match: ".BMW_CIC_V_()H#.ID"
- Pattern match: "www.cicfsc.com"
- Pattern match: "http://www.w3.org/2001/XMLSchema-instance"
- source
- File/Memory
- relevance
- 10/10
System Security
Creates or modifies windows services
- details
- "BMW_CIC_FSC_Generator.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
Unusual Characteristics
Matched Compiler/Packer signature
- details
- "aaa7b2ac87331aaf46e395a228b81b3699ee72d67b9ca4d236c2167c0f65c2a0.bin" was detected as "UPX -> www.upx.sourceforge.net"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
File Details
BMW_CIC_FSC_Generator.exe
- Filename
- BMW_CIC_FSC_Generator.exe
- Size
- 7.3MiB (7692288 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
- Architecture
- WINDOWS
- SHA256
- aaa7b2ac87331aaf46e395a228b81b3699ee72d67b9ca4d236c2167c0f65c2a0
- MD5
- 2499f3e9ab2e77fa1414fb8093660a3a
- SHA1
- 3ad34c897290de5436a53881d2aeee414ba9a268
- ssdeep
- 196608:H1x4b3kp293DlvuYNleQ2KSRVdzjHoIHMQG:Vxm3kpiR2EwPzgoM
- imphash
- b6f453e10ce1e8ddb4e270aaa9ad8074
- authentihash
- 553878ed986965cfc5b28a082861b91ee7e3517df02437afbcf88c1f310ab5c2
- Compiler/Packer
- UPX -> www.upx.sourceforge.net
Classification (TrID)
- 71.9% (.EXE) UPX compressed Win32 Executable
- 11.9% (.EXE) Win32 Executable (generic)
- 5.3% (.EXE) OS/2 Executable (generic)
- 5.3% (.EXE) Generic Win/DOS Executable
- 5.3% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- BMW_CIC_FSC_Generator.exe (PID: 1020) 1/69
Network Analysis
DNS Requests
Domain | Address | Registrar | Country
---|---|---|---
www.cicfsc.com | 208.113.168.217 (TTL: 899) | DREAMHOST (Name Server: NS1.DREAMHOST.COM; Creation Date: Tue, 26 Dec 2017 01:42:07 GMT) | United States
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
208.113.168.217 | 80 TCP | bmw_cic_fsc_generator.exe PID: 1020 | United States
HTTP Traffic
Endpoint | Request | URL | Raw Request
---|---|---|---
208.113.168.217:80 (www.cicfsc.com) | GET | www.cicfsc.com/RSAKeys.txt | GET /RSAKeys.txt HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip, deflate; Accept-Language: en-US,*; User-Agent: Mozilla/5.0; Host: www.cicfsc.com
208.113.168.217:80 (www.cicfsc.com) | GET | www.cicfsc.com/Lookup.xml | GET /Lookup.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip, deflate; Accept-Language: en-US,*; User-Agent: Mozilla/5.0; Host: www.cicfsc.com
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 208.113.168.217:80 (TCP) | Potentially Bad Traffic | ETPRO USER_AGENTS Observed Suspicious UA (Mozilla/5.0) | 2842116 |
local -> 208.113.168.217:80 (TCP) | Potentially Bad Traffic | ETPRO USER_AGENTS Observed Suspicious UA (Mozilla/5.0) | 2842116 |
local -> 184.84.68.43:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 184.84.68.43:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 20.189.118.208:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
local -> 184.84.68.43:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 20.189.118.208:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 20.189.118.208:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 184.84.68.43:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 20.189.118.208:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 20.189.118.208:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
Extracted Files
Informative 2
Lookup.xml
- Size
- 789KiB (807939 bytes)
- Type
- text
- Description
- XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- BMW_CIC_FSC_Generator.exe (PID: 1020)
- MD5
- 90f071c699bff6261b741315d6b84762
- SHA1
- aa42a2be059f17f931066b2dcb68c044e41e81dd
- SHA256
- 0fd0192dd3b5ed51609e66201f5992a5b8cb778a9a5e0442e71cd9064b2ecf1e
RSAKeys.txt
- Size
- 13B (13 bytes)
- Type
- text
- Description
- ASCII text, with no line terminators
- Runtime Process
- BMW_CIC_FSC_Generator.exe (PID: 1020)
- MD5
- 9e06636df9e98f15b55b9ea322ef41c3
- SHA1
- 8a4c25539b00245f61c124c61ba1730e9d32fdbd
- SHA256
- 08187c53cd768612b13f3baaa1a948b7bf815af7921ef4685b1bee3e3efc8894