edzv-1.25.27.0-upd-setup.exe
This report is generated from a file or URL submitted to this webservice on December 13th 2017 10:30:55 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware: Accesses potentially sensitive information from local browsers
- Fingerprint: Reads the active computer name
- Spreading: Opens the MountPointManager (often used to detect additional infection locations)
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (2)

External Systems
- Detected Emerging Threats Alert
  - details: Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
  - source: Suricata Alerts
  - relevance: 10/10

General
- The analysis extracted a file that was identified as malicious
  - details: 1/86 Antivirus vendors marked dropped file "System.dll" as malicious (classified as "Unsafe" with 1% detection rate)
  - source: Binary File
  - relevance: 10/10
Suspicious Indicators (18)

Anti-Detection/Stealthiness
- Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  - details: "<Input Sample>" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
  - source: Registry Access
  - relevance: 3/10
Environment Awareness
- Reads the active computer name
  - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10
External Systems
- Found an IP/URL artifact that was identified as malicious by at least one reputation engine
  - details: 1/66 reputation engines marked "http://nsis.sf.net" as malicious (1% detection rate)
  - source: External System
  - relevance: 10/10
General
- Reads configuration files
  - details:
    - "<Input Sample>" read file "%TEMP%\nsk8D9C.tmp\custom_text.ini"
    - "<Input Sample>" read file "%TEMP%\nsk8D9C.tmp\custom_text_button.ini"
    - "<Input Sample>" read file "%TEMP%\nsk8D9C.tmp\custom_setting.ini"
    - "<Input Sample>" read file "C:\Users\desktop.ini"
    - "<Input Sample>" read file "%LOCALAPPDATA%\Microsoft\Windows\History\desktop.ini"
  - source: API Call
  - relevance: 4/10
- Requested access to a system service
  - details:
    - "<Input Sample>" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_CONFIG" (0X1) access rights
    - "<Input Sample>" called "OpenService" to access the "WSearch" service
  - source: API Call
  - relevance: 10/10
- Sent a control code to a service
  - details:
    - "<Input Sample>" called "ControlService" and sent control code "0X24" to the service "WSearch"
    - "<Input Sample>" called "ControlService" and sent control code "0XDC" to the service "WSearch"
  - source: API Call
  - relevance: 10/10
Installation/Persistence
- Drops executable files
  - details:
    - "nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "nsWeb.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - source: Binary File
  - relevance: 10/10
Network Related
- Found potential IP address in binary/memory
  - details:
    - Heuristic match: "1.25.0.0, ..., 1.25.26.0"
    - "1.25.27.0"
    - Heuristic match: "edzv-1.25.27.0-upd-setup.exe"
    - Heuristic match: "(1.25.27.0)"
    - Heuristic match: ":1.25.27.0"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.25.27.0) ( 08.12.2017)</p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.25.26.0) ( 29.11.2017)</p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.25.25.0) ( 14.11.2017)</p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.25.24.0) ( 27.10.2017)</p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.25.23.0) ( 12.10.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.25.22.0) ( 28.09.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.25.21.0) ( 30.08.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.25.20.0) ( 11.08.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.25.19.0) ( 31.07.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.19.0) ( 31.07.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.18.0) ( 10.07.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.17.0) ( 22.06.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.16.0) ( 13.06.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.15.0) ( 31.05.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.14.0) ( 28.04.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.13.0) ( 14.04.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.12.0) ( 30.03.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.11.0) ( 10.03.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.10.0) ( 14.02.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.9.0) ( 31.01.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.8.0) ( 12.01.2017) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.7.0) ( 22.12.2016) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.6.0) ( 13.12.2016) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.5.0) ( 29.11.2016) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.4.0) ( 03.11.2016) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.3.0) ( 11.10.2016) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.2.0) ( 26.09.2016) </p>"
    - Heuristic match: "<p class="INDEX_VER"> ( 1.36.1.0) ( 20.09.2016) </p>"
    - Heuristic match: "D_BEGIN>01102015</D_BEGIN><D_END /></row><row num="253"><CODE>1.3.14.07</CODE><NAME>�"
  - source: File/Memory
  - relevance: 3/10
Spyware/Information Retrieval
- Accesses potentially sensitive information from local browsers
  - details:
    - "<Input Sample>" had access to "%APPDATA%\Microsoft\Windows\Cookies\index.dat" (Type: "FileHandle")
    - "<Input Sample>" had access to "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat" (Type: "FileHandle")
    - "<Input Sample>" had access to "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017030120170302" (Type: "FileHandle")
    - "<Input Sample>" had access to "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017121320171214" (Type: "FileHandle")
    - "<Input Sample>" had access to "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017121320171214\index.dat" (Type: "FileHandle")
  - source: Touched Handle
  - relevance: 7/10
System Destruction
- Marks file for deletion
  - details:
    - "C:\dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe" marked "%TEMP%\nsa8D0E.tmp" for deletion
    - "C:\dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp" for deletion
    - "C:\dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017022820170301\index.dat" for deletion
    - "C:\dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017022820170301" for deletion
    - "C:\dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017030120170302\index.dat" for deletion
    - "C:\dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017030120170302" for deletion
  - source: API Call
  - relevance: 10/10
- Opens file with deletion access rights
  - details:
    - "<Input Sample>" opened "%TEMP%\nsa8D0E.tmp" with delete access
    - "<Input Sample>" opened "%TEMP%\nsk8D9C.tmp" with delete access
    - "<Input Sample>" opened "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\MSHist012017022820170301\index.dat" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017022820170301\" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017030120170302\index.dat" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017030120170302\" with delete access
  - source: API Call
  - relevance: 7/10
System Security
- Modifies proxy settings
  - details:
    - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - source: Registry Access
  - relevance: 10/10
- Queries sensitive IE security settings
  - details: "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - source: Registry Access
  - relevance: 8/10
Unusual Characteristics
- Imports suspicious APIs
  - details:
    - RegDeleteKeyA
    - RegCloseKey
    - RegOpenKeyExA
    - RegDeleteValueA
    - RegCreateKeyExA
    - RegEnumKeyA
    - GetFileAttributesA
    - CopyFileA
    - GetModuleFileNameA
    - LoadLibraryA
    - LoadLibraryExA
    - GetFileSize
    - CreateDirectoryA
    - DeleteFileA
    - GetCommandLineA
    - GetProcAddress
    - GetTempPathA
    - CreateThread
    - GetModuleHandleA
    - FindFirstFileA
    - WriteFile
    - GetTempFileNameA
    - FindNextFileA
    - CreateProcessA
    - Sleep
    - CreateFileA
    - GetTickCount
    - ShellExecuteA
    - FindWindowExA
    - VirtualProtect
    - VirtualAlloc
  - source: Static Parser
  - relevance: 1/10
- Reads information about supported languages
  - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10

Hiding 3 Suspicious Indicators
Informative (16)

Anti-Reverse Engineering
- PE file contains zero-size sections
  - details: Raw size of ".ndata" is zero
  - source: Static Parser
  - relevance: 10/10
Environment Awareness
- Reads the registry for installed applications
  - details:
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE"; Key: "PATH"; Value: "00000000010000005800000043003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F006600740020004F00660066006900630065005C004F0066006600690063006500310034005C000000")
    - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\DC583861887565C620EE25038FCDFFBCEC2AF9C852EC8015A185F5D90CD58271.EXE")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\DC583861887565C620EE25038FCDFFBCEC2AF9C852EC8015A185F5D90CD58271.EXE")
  - source: Registry Access
  - relevance: 10/10
External Systems
- Detected Emerging Threats Alert
  - details: Detected alert "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)" (SID: 2015744, Rev: 4, Severity: 3) categorized as "Misc activity"
  - source: Suricata Alerts
  - relevance: 10/10
- Sample was identified as clean by Antivirus engines
  - details: 0/66 Antivirus vendors marked sample as malicious (0% detection rate)
  - source: External System
  - relevance: 10/10
General
- Contains PDB pathways
  - details: "mi_exe_stub.pdb"
  - source: File/Memory
  - relevance: 1/10
- Creates a writable file in a temporary directory
  - details:
    - "<Input Sample>" created file "%TEMP%\nsa8D91.tmp"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp\custom_text.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp\custom_text_button.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp\custom_setting.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp\System.dll"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp\System.dll"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp\find_comp_error.bmp"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp\find_comp_ok.bmp"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp\blockError.bmp"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp\modern-header.bmp"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp\modern-wizard.bmp"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp\nsDialogs.dll"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsk8D9C.tmp\nsDialogs.dll"
  - source: API Call
  - relevance: 1/10
- Creates mutants
  - details:
    - "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\!PrivacIE!SharedMemory!Mutex"
    - "\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
    - "\Sessions\1\BaseNamedObjects\Local\c:!users!im6esd0!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
    - "\Sessions\1\BaseNamedObjects\Local\c:!users!im6esd0!appdata!roaming!microsoft!windows!cookies!"
    - "\Sessions\1\BaseNamedObjects\Local\c:!users!im6esd0!appdata!local!microsoft!windows!history!history.ie5!"
    - "\Sessions\1\BaseNamedObjects\_!SHMSFTHISTORY!_"
    - "\Sessions\1\BaseNamedObjects\Local\c:!users!im6esd0!appdata!local!microsoft!windows!history!history.ie5!mshist012017121320171214!"
    - "\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
    - "\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
    - "\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
    - "Local\ZoneAttributeCacheCounterMutex"
    - "_!SHMSFTHISTORY!_"
    - "Local\c:!users!im6esd0!appdata!local!microsoft!windows!history!history.ie5!mshist012017121320171214!"
    - "Local\WininetConnectionMutex"
    - "Local\!PrivacIE!SharedMemory!Mutex"
    - "Local\WininetProxyRegistryMutex"
  - source: Created Mutant
  - relevance: 3/10
- Drops files marked as clean
  - details:
    - Antivirus vendors marked dropped file "nsDialogs.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "nsWeb.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - source: Binary File
  - relevance: 10/10
- Loads rich edit control libraries
  - details: "<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6C250000
  - source: Loaded Module
- Scanning for window names
  - details:
    - "<Input Sample>" searching for class "MS_AutodialMonitor"
    - "<Input Sample>" searching for class "MS_WebCheckMonitor"
    - "<Input Sample>" searching for class "#32770"
    - "<Input Sample>" searching for class "HTML Application Host Window Class"
  - source: API Call
  - relevance: 10/10
Installation/Persistence
- Connects to LPC ports
  - details: "<Input Sample>" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Dropped files
  - details:
    - "nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "nsWeb.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "find_comp_ok.bmp" has type "PC bitmap Windows 3.x format 29 x 26 x 24"
    - "modern-header.bmp" has type "PC bitmap Windows 3.x format 150 x 57 x 24"
    - "custom_setting.ini" has type "ISO-8859 text with CRLF line terminators"
    - "modern-wizard.bmp" has type "PC bitmap Windows 3.x format 164 x 314 x 24"
    - "find_comp_error.bmp" has type "PC bitmap Windows 3.x format 29 x 26 x 24"
    - "Перелік змін та доповнень-install.htm" has type "HTML document Non-ISO extended-ASCII text with very long lines with CRLF line terminators"
    - "custom_text.ini" has type "ISO-8859 text with CRLF line terminators"
    - "blockError.bmp" has type "PC bitmap Windows 3.x format 450 x 227 x 24"
    - "custom_text_button.ini" has type "ASCII text with CRLF line terminators"
  - source: Binary File
  - relevance: 3/10
- Touches files in the Windows directory
  - details:
    - "<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
    - "<Input Sample>" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
    - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
    - "<Input Sample>" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
    - "<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
    - "<Input Sample>" touched file "C:\Windows\System32\en-US\user32.dll.mui"
    - "<Input Sample>" touched file "C:\Windows\System32\oleaccrc.dll"
    - "<Input Sample>" touched file "C:\Windows\System32\en-US\ieframe.dll.mui"
    - "<Input Sample>" touched file "C:\Windows\System32\en-US\mlang.dll.mui"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\index.dat"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\desktop.ini"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017121320171214"
  - source: API Call
  - relevance: 7/10
Network Related
- Found potential URL in binary/memory
  - details:
    - Pattern match: "http://nsis.sf.net/NSIS_Error"
    - Heuristic match: "%y`wzQ;M<.VN"
    - Heuristic match: "B$WLg}S(.MN"
    - Heuristic match: "~Z'S,Erh.aw"
    - Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
    - Pattern match: "http://www.usertrust.com1"
    - Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl05"
    - Pattern match: "http://ocsp.usertrust.com0"
    - Pattern match: "http://crl.thawte.com/ThawtePCA.crl0"
    - Pattern match: "http://ocsp.thawte.com0"
    - Pattern match: "http://th.symcb.com/th.crl0"
    - Pattern match: "https://www.thawte.com/cps0/"
    - Pattern match: "https://www.thawte.com/repository0W"
    - Pattern match: "http://th.symcd.com0&"
    - Pattern match: "http://th.symcb.com/th.crt0"
    - Pattern match: "https://d.symcb.com/cps0%"
    - Pattern match: "https://d.symcb.com/rpa0"
    - Pattern match: "http://sv.symcb.com/sv.crl0W"
    - Pattern match: "http://sv.symcd.com0&"
    - Pattern match: "http://sv.symcb.com/sv.crt0"
    - Pattern match: "http://s2.symcb.com0"
    - Pattern match: "http://www.symauth.com/cps0"
    - Pattern match: "http://www.symauth.com/rpa00"
    - Pattern match: "http://s1.symcb.com/pca3-g5.crl0"
    - Pattern match: "http://sfs.gov.ua/podatki-ta-zbori/zagalnoderjavni-podatki/podatok-na-dodanu-vartist/listi/2017-rik/318052.html"
    - Pattern match: "http://www.w3.org/2001/XMLSchema"
  - source: File/Memory
  - relevance: 10/10
System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  - details: "<Input Sample>" opened "\Device\KsecDD"
  - source: API Call
  - relevance: 10/10
Unusual Characteristics
- Matched Compiler/Packer signature
  - details:
    - "dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe.bin" was detected as "Nullsoft PiMP Stub -> SFX"
    - "nsWeb.dll" was detected as "Borland Delphi 3.0 (???)"
  - source: Static Parser
  - relevance: 10/10
File Details
- Filename: edzv-1.25.27.0-upd-setup.exe
- Size: 8.5MiB (8944728 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture: WINDOWS
- SHA256: dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271
- MD5: dac8ec1706b9427e44920c5bb4e4979b
- SHA1: 49869879e471639dbde9c8ef34147c29496277ea
- ssdeep: 196608:EdjLQ/gtZJqQtdxS9TxtmZELMI1qSmXJTKXUFE:Ed/+UqQtdxQy811qSmZCME
- imphash: 099c0646ea7282d232219f8807883be0
- authentihash: 93a7fa30573694e044956bc8218747323023c394d34e41f6b554325fa8a6000c
- Compiler/Packer: Nullsoft PiMP Stub -> SFX
- PDB Pathway: mi_exe_stub.pdb
Version Info
- LegalCopyright: . . , .
- FileVersion: 1.25.27.0
- CompanyName: -
- Comments: [ ] 1.25.0.0, ..., 1.25.26.0 1.25.27.0
- FileDescription: [] EDZV - [_]
- OriginalFilename: edzv-1.25.27.0-upd-setup.exe
- Translation: 0x0422 0x04e3
Classification (TrID)
- 94.8% (.EXE) NSIS - Nullsoft Scriptable Install System
- 3.4% (.EXE) Win32 Executable MS Visual C++ (generic)
- 0.7% (.DLL) Win32 Dynamic Link Library (generic)
- 0.5% (.EXE) Win32 Executable (generic)
- 0.2% (.EXE) Generic Win/DOS Executable
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- Input Sample (PID: 2152)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://nsis.sf.net/nsis_error | Domain/IP reference | 00009956-00002152-52592-55-00402C72 |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
194.9.24.78 -> local:49163 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959 |
194.9.24.78 -> local:49163 (TCP) | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | 2015744 |
Extracted Files
Malicious (1)

System.dll
- Size: 11KiB (11264 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: Labeled as "Unsafe" (1/86)
- Runtime Process: dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe (PID: 2152)
- MD5: c17103ae9072a06da581dec998343fc1
- SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
Clean (2)

nsDialogs.dll
- Size: 9.5KiB (9728 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/87
- Runtime Process: dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe (PID: 2152)
- MD5: c10e04dd4ad4277d5adc951bb331c777
- SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
- SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

nsWeb.dll
- Size: 8.5KiB (8704 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/86
- Runtime Process: dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe (PID: 2152)
- MD5: 84bcf3c71e70d5a6e9dc07d70466bdc3
- SHA1: 31603a1afc2d767a3392d363ff61533beaa25359
- SHA256: 7d4da7469d00e98f863b78caece3f2b753e26d7ce0ca9916c0802c35d7d22bcf
Informative (9)

blockError.bmp
- Size: 300KiB (306958 bytes)
- Type: unknown
- Description: PC bitmap, Windows 3.x format, 450 x 227 x 24
- Runtime Process: dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe (PID: 2152)
- MD5: 4f6af2b87e737ba1d16476e8db674f49
- SHA1: 3b8be0eb6780a642c553ee75b4cdda486a8a942c
- SHA256: 9f9754edefe376f9fe0a543f078030619a3e3986cb55b4d284069354ccbb44a4

custom_setting.ini
- Size: 752B (752 bytes)
- Type: text
- Description: ISO-8859 text, with CRLF line terminators
- Runtime Process: dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe (PID: 2152)
- MD5: 00ad98efe88686fb1bc07e66a5f3c939
- SHA1: 20d302dfb2a8740201a590785e282977ede15742
- SHA256: b1e23d8fb6e60ff7db02dfa172bbf95c1ff9244de94b80240c8dacf213df366f

custom_text.ini
- Size: 424B (424 bytes)
- Type: text
- Description: ISO-8859 text, with CRLF line terminators
- Runtime Process: dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe (PID: 2152)
- MD5: 520530f5dc7cf9be73ee5921444fbfa1
- SHA1: e84540cd96c0edb304d247a35380e91fc0fdd27f
- SHA256: c0b9aa195b05a1e055d17b7597e3fd77febcd3127fcab27b5a0cff6094bf331d

custom_text_button.ini
- Size: 474B (474 bytes)
- Type: text
- Description: ASCII text, with CRLF line terminators
- Runtime Process: dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe (PID: 2152)
- MD5: 04930863a082d7b084677b0a263471d8
- SHA1: 5a5d7074b38f82b46c7a2a9129fb07bf913cb77d
- SHA256: 426f70fa9aabef14a8498dcf4de75bd1fe850563cc142e40a35fe51685850897

find_comp_error.bmp
- Size: 2.3KiB (2342 bytes)
- Type: unknown
- Description: PC bitmap, Windows 3.x format, 29 x 26 x 24
- Runtime Process: dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe (PID: 2152)
- MD5: 773434497807df0c9a135bc7ad89c5dd
- SHA1: 02b89ad91a0c3e73ed3a0d714cf87d3b3948bccd
- SHA256: f6cb743e6d65d8c89a65c4a9423f3619745bdcf6348c056af17ae38ef9835aee

find_comp_ok.bmp
- Size: 2.3KiB (2342 bytes)
- Type: unknown
- Description: PC bitmap, Windows 3.x format, 29 x 26 x 24
- Runtime Process: dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe (PID: 2152)
- MD5: 11f1f73ed8087b39c822e9c193d3293b
- SHA1: 32be0fdd26fb29cd953564a4132ae9975cfedf08
- SHA256: 7eddafcc24a0e3b651319ccdd866ff4f4317e113d6bedbf53b519fa8aab215e1

modern-header.bmp
- Size: 25KiB (25818 bytes)
- Type: unknown
- Description: PC bitmap, Windows 3.x format, 150 x 57 x 24
- Runtime Process: dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe (PID: 2152)
- MD5: 90d698e73c3dded8e417422fe7765713
- SHA1: 21504000743e9f9078edd52ab3df1851f5838a73
- SHA256: 061e79a5f1bffe4250aa159de744717b6c6012bcd4c213a073af3218bd88c07c

modern-wizard.bmp
- Size: 151KiB (154542 bytes)
- Type: unknown
- Description: PC bitmap, Windows 3.x format, 164 x 314 x 24
- Runtime Process: dc583861887565c620ee25038fcdffbcec2af9c852ec8015a185f5d90cd58271.exe (PID: 2152)
- MD5: 0265dcc088a822e457fc6e476c13eef3
- SHA1: af9f318be956754ee85200a6aa9521220bc62abf
- SHA256: 0393b1327be1e09ba07c15cac2ab8571c55ddb6baa6b8805a8c58f13c46aff55

Перелік змін та доповнень-install.htm
- Size: 102KiB (104613 bytes)
- Type: html
- Description: HTML document, Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
- MD5: 2f1d1a8704bd73a60de70fc28a0ff42d
- SHA1: 6054f4120863e00553869f2aa5633ac762cf666b
- SHA256: 3c762730e8b2de8657524288a0cf31b40f71c83443a320bed256dbc25ccaf887
Notifications
Runtime
- Added comment to Virus Total report
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "api-4" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Some low-level data is hidden, as this is only a slim report