FEEC40E0EA9DA89C0131D386DED00443AA4399BEFBFF5E5FE7990158B2E27139
This report is generated from a file or URL submitted to this webservice on February 25th 2020 09:40:09 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Reads terminal service related keys (often RDP related)
- Fingerprint
  - Queries kernel debugger information
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Possibly tries to evade analysis by sleeping many times
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed in this public report.
Malicious Indicators (1)
External Systems
Sample was identified as malicious by at least one Antivirus engine
- details
- 1/71 Antivirus vendors marked sample as malicious (1% detection rate)
- source
- External System
- relevance
- 8/10
Suspicious Indicators (16)
Anti-Detection/Stealthyness
Queries kernel debugger information
- details
- "<Input Sample>.exe" at 00016641-00003052-00000105-2049830341
- source
- API Call
- relevance
- 6/10
Anti-Reverse Engineering
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details
- "<Input Sample>.exe" is allocating memory with PAGE_GUARD access rights
- source
- API Call
- relevance
- 10/10
PE file has unusual entropy sections
- details
- UPX1 with unusual entropies 7.9989953104
- source
- Static Parser
- relevance
- 10/10
PE file is packed with UPX
- details
  - "feec40e0ea9da89c0131d386ded00443aa4399befbff5e5fe7990158b2e27139.bin" has a section named "UPX0"
  - "feec40e0ea9da89c0131d386ded00443aa4399befbff5e5fe7990158b2e27139.bin" has a section named "UPX1"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045 (Show technique in the MITRE ATT&CK™ matrix)
Environment Awareness
Possibly tries to evade analysis by sleeping many times
- details
- "<Input Sample>.exe" (Thread ID: 1148) slept "520" times (threshold: 500)
- source
- API Call
- relevance
- 10/10
Reads the active computer name
- details
- "<Input Sample>.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
Reads the cryptographic machine GUID
- details
- "<Input Sample>.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
External Systems
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/72 reputation engines marked "http://www.w3.org/2001/xmlschema-instance" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10
Network Related
Detected increased number of ARP broadcast requests (network device lookup)
- details
- Attempt to find devices in networks: "192.168.240.1/32, 192.168.240.17/32, 192.168.240.28/32, 192.168.240.31/32, 192.168.240.33/32, 192.168.240.38/31, 192.168.240.88/32, 192.168.240.90/31, 192.168.240.100/32, 192.168.240.112/32, 192.168.240.208/32, 192.168.240.210/32, 192.168.240.213/32, 192.168.240.216/32, 192.168.240.218/32, 192.168.240.225/32, 192.168.240.249/32, ..."
- source
- Network Traffic
- relevance
- 10/10
- ATT&CK ID
- T1046 (Show technique in the MITRE ATT&CK™ matrix)
Remote Access Related
Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076 (Show technique in the MITRE ATT&CK™ matrix)
Unusual Characteristics
Entrypoint in PE header is within an uncommon section
- details
- "feec40e0ea9da89c0131d386ded00443aa4399befbff5e5fe7990158b2e27139.bin" has an entrypoint in section "UPX1"
- source
- Static Parser
- relevance
- 10/10
Imports suspicious APIs
- details
  - VirtualProtect
  - GetProcAddress
  - VirtualAlloc
  - LoadLibraryA
  - ShellExecuteW
  - InternetOpenW
- source
- Static Parser
- relevance
- 1/10
Installs hooks/patches the running process
- details
  - "<Input Sample>.exe" wrote bytes "706a1a6b000000002bd0a37300000000d028196b909d1a6b00000000" to virtual address "0x6B298000" (part of module "WPFGFX_V0400.DLL")
  - "<Input Sample>.exe" wrote bytes "48122075" to virtual address "0x75218364" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "b84013c86effe0" to virtual address "0x75201248" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "b8c015c86effe0" to virtual address "0x752011F8" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "f8110000" to virtual address "0x752012CC" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "f8112075" to virtual address "0x7521834C" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "f8112075" to virtual address "0x752183C4" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "f8112075" to virtual address "0x75218368" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "f8110000" to virtual address "0x75201408" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "f8112075" to virtual address "0x752183E0" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "68130000" to virtual address "0x77681680" (part of module "WS2_32.DLL")
  - "<Input Sample>.exe" wrote bytes "48122075" to virtual address "0x75218348" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "48120000" to virtual address "0x7520139C" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "3f1e28e6" to virtual address "0x6E00F314" (part of module "CLR.DLL")
  - "<Input Sample>.exe" wrote bytes "6012c86e" to virtual address "0x7591E324" (part of module "WININET.DLL")
  - "<Input Sample>.exe" wrote bytes "c04e4a7720544b77e0654b77b5384c770000000000d0557600000000c5ea55760000000088ea557600000000e968657582284c77ee294c7700000000d2696575000000007dbb55760000000009be657500000000ba18557600000000" to virtual address "0x75F41000" (part of module "NSI.DLL")
  - "<Input Sample>.exe" wrote bytes "48122075" to virtual address "0x752183C0" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "48122075" to virtual address "0x752183DC" (part of module "SSPICLI.DLL")
  - "<Input Sample>.exe" wrote bytes "b83012c86effe0" to virtual address "0x77681368" (part of module "WS2_32.DLL")
  - "<Input Sample>.exe" wrote bytes "48120000" to virtual address "0x752012DC" (part of module "SSPICLI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
Reads information about supported languages
- details
- "<Input Sample>.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
Hiding 2 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
Informative (13)
Anti-Reverse Engineering
PE file contains zero-size sections
- details
- Raw size of "UPX0" is zero
- source
- Static Parser
- relevance
- 10/10
Environment Awareness
Queries volume information
- details
  - "<Input Sample>.exe" queries volume information of "%WINDIR%\Fonts\segoeui.ttf" at 00016641-00003052-0000010C-15445570830
  - "<Input Sample>.exe" queries volume information of "C:\Windows\Fonts\segoeui.ttf" at 00016641-00003052-0000010C-15458969208
  - "<Input Sample>.exe" queries volume information of "C:\Windows\Fonts\segoeuil.ttf" at 00016641-00003052-0000010C-15471517598
  - "<Input Sample>.exe" queries volume information of "C:\Windows\Fonts\segoeuil.ttf" at 00016641-00003052-0000010C-15478958489
  - "<Input Sample>.exe" queries volume information of "C:\Windows\Fonts\segoeuil.ttf" at 00016641-00003052-0000010C-16025497584
  - "<Input Sample>.exe" queries volume information of "C:\Windows\Fonts\segoeui.ttf" at 00016641-00003052-0000010C-16044834656
  - "<Input Sample>.exe" queries volume information of "C:\Windows\Fonts\segoeui.ttf" at 00016641-00003052-0000010C-343825473062
  - "<Input Sample>.exe" queries volume information of "C:\Windows\Fonts\segoeuil.ttf" at 00016641-00003052-0000010C-380684009446
  - "<Input Sample>.exe" queries volume information of "C:\Windows\Fonts\segoeuil.ttf" at 00016641-00003052-0000010C-380790653808
- source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120 (Show technique in the MITRE ATT&CK™ matrix)
External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/23 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Creates mutants
- details
  - "\Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__"
  - "\Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__"
  - "Local\__DDrawCheckExclMode__"
  - "Local\__DDrawExclMode__"
- source
- Created Mutant
- relevance
- 3/10
Loads the .NET runtime environment
- details
- "<Input Sample>.exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\77f338d420d067a26b2d34f47445fc51\mscorlib.ni.dll" at 685B0000
- source
- Loaded Module
Overview of unique CLSIDs touched in registry
- details
  - "<Input Sample>.exe" touched "XML DOM Document 6.0" (Path: "HKCU\CLSID\{88D96A05-F192-11D4-A65F-0040963251E5}")
  - "<Input Sample>.exe" touched "TF_TransitoryExtensionUIEntry" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\INPROCSERVER32")
- source
- Registry Access
- relevance
- 3/10
The input sample is signed with a certificate
- details
  - The input sample is signed with a certificate issued by "CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US" (SHA1: A7:71:08:50:36:2B:C7:97:4A:5A:0C:53:46:49:AC:57:4E:B8:78:C3; see report for more information)
  - The input sample is signed with a certificate issued by "CN=thawte Primary Root CA, OU="c 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US" (SHA1: D0:0C:FD:BF:46:C9:8A:83:8B:C1:0D:C4:E0:97:AE:01:52:C4:61:BC; see report for more information)
- source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116 (Show technique in the MITRE ATT&CK™ matrix)
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
Installation/Persistance
Connects to LPC ports
- details
- "<Input Sample>.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
Touches files in the Windows directory
- details
  - "<Input Sample>.exe" touched file "%WINDIR%\System32\rsaenh.dll"
  - "<Input Sample>.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\bf505bb2c2b60e7a40740888cd2c3172\System.Xml.ni.dll.aux"
  - "<Input Sample>.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "<Input Sample>.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll"
  - "<Input Sample>.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
  - "<Input Sample>.exe" touched file "C:\Windows\System32\oleaccrc.dll"
  - "<Input Sample>.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config"
  - "<Input Sample>.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\77f338d420d067a26b2d34f47445fc51\mscorlib.ni.dll.aux"
  - "<Input Sample>.exe" touched file "C:\Windows\assembly\pubpol205.dat"
  - "<Input Sample>.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\54adbf3fd89770dd0f7e61f1c5823cdc\WindowsBase.ni.dll.aux"
  - "<Input Sample>.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\7aa0dcace3b5d10b626540709537d280\System.Core.ni.dll.aux"
  - "<Input Sample>.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System\0b2f69b43a576b9edcc807a30872bd91\System.ni.dll.aux"
  - "<Input Sample>.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\sortdefault.nlp"
  - "<Input Sample>.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ce9750286ad44cbfb2acf176df9df0a2\System.Configuration.ni.dll.aux"
  - "<Input Sample>.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\61997ac9f806072fb75af8033727b6c7\PresentationFramework.ni.dll.aux"
  - "<Input Sample>.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\9752357055e43d6d371415c8b8ad1361\PresentationCore.ni.dll.aux"
  - "<Input Sample>.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\d04df0f7a9db0da32f65fc2870c68ce9\System.Xaml.ni.dll.aux"
  - "<Input Sample>.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8#\20f3ac1f0fb2aa88939595d9e192c759\PresentationFramework.Aero.ni.dll.aux"
- source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
  - Pattern match: "http://schemas.microsoft.com/SMI/2016/WindowsSettings"
  - Pattern match: "https://go.devexpress.com/Install-19.2.6-DXperience.aspx;DevExpressNETComponentsSetup-19.2.6.exe"
  - Pattern match: "http://www.w3.org/2001/XMLSchema-instance"
  - Pattern match: "https://github.com/`*"
  - Pattern match: "https://go.devexpress.com/Install-19.2.6-DevExtreme.aspx;DevExpressDevExtremeSetup-19.2.6.exe"
  - Pattern match: "https://go.devexpress.com/Install-19.2.8-CodeRush.aspx;DevExpress.CodeRush-19.2.8.exe"
  - Pattern match: "http://tl.symcb.com/tl.crl0"
  - Pattern match: "https://www.thawte.com/cps0/"
  - Pattern match: "https://www.thawte.com/repository0W"
  - Pattern match: "http://tl.symcd.com0&"
  - Pattern match: "http://tl.symcb.com/tl.crt0"
  - Pattern match: "http://t2.symcb.com0"
  - Pattern match: "http://t1.symcb.com/ThawtePCA.crl0"
  - Pattern match: "https://www.devexpress.com/0"
  - Pattern match: "www.digicert.com110/"
  - Pattern match: "https://www.digicert.com/CPS0"
  - Pattern match: "http://crl3.digicert.com/sha2-assured-ts.crl02"
  - Pattern match: "http://crl4.digicert.com/sha2-assured-ts.crl0"
  - Pattern match: "http://ocsp.digicert.com0O"
  - Pattern match: "cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0"
  - Pattern match: "www.digicert.com1$0"
  - Pattern match: "http://ocsp.digicert.com0C"
  - Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0"
  - Pattern match: "crl4.digicert.com/DigiCertAssuredIDRootCA.crl0"
  - Pattern match: "crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P"
- source
- File/Memory
- relevance
- 10/10
System Security
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
Unusual Characteristics
Matched Compiler/Packer signature
- details
- "feec40e0ea9da89c0131d386ded00443aa4399befbff5e5fe7990158b2e27139.bin" was detected as "UPX v1.25 (Delphi) Stub"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045 (Show technique in the MITRE ATT&CK™ matrix)
File Details
FEEC40E0EA9DA89C0131D386DED00443AA4399BEFBFF5E5FE7990158B2E27139
- Filename
- FEEC40E0EA9DA89C0131D386DED00443AA4399BEFBFF5E5FE7990158B2E27139
- Size
- 564KiB (577944 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
- Architecture
- WINDOWS
- SHA256
- feec40e0ea9da89c0131d386ded00443aa4399befbff5e5fe7990158b2e27139
- MD5
- 341545845c55c9495bb0d715f99d2fa7
- SHA1
- 3a22e13a89d27e11a73ac82727a46a88949dec8d
- ssdeep
- 12288:1wSrnhKec9Ob2NV6/SdUcf19tvmeiYoSHP3dtC2287sCHvM:1RX92NV6/SdUsv0aP3CoBU
- imphash
- e99728c84bb420080cd5bcdd0d7993ed
- authentihash
- 9e4a0486178be7b994308d978f89f960d7d48dfbfc0a3340afe25b1001f2123e
- Compiler/Packer
- UPX v1.25 (Delphi) Stub
Version Info
- LegalCopyright
- -
- InternalName
- -
- FileVersion
- 1.0.0.0
- CompanyName
- Developer Express Inc.
- LegalTrademarks
- -
- Comments
- -
- ProductName
- -
- ProductVersion
- 1.0.0.0
- FileDescription
- -
- OriginalFilename
- -
- Translation
- 0x0409 0x04e4
Classification (TrID)
- 37.1% (.EXE) UPX compressed Win32 Executable
- 36.4% (.EXE) Win32 EXE Yoda's Crypter
- 9.0% (.DLL) Win32 Dynamic Link Library (generic)
- 6.1% (.EXE) Win32 Executable (generic)
- 2.8% (.EXE) Win16/32 Executable Delphi generic
File Sections
File Resources
File Imports
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
CN=Developer Express Incorporated, O=Developer Express Incorporated, L=Glendale, ST=California, C=US | CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US (Serial: 472cbe08691cd73813a51dd6453876d3) | 01/15/2020 00:00:00 to 01/20/2023 23:59:59 | MD5 33:D8:48:15:64:DD:0C:AA:B6:CF:34:12:81:88:B6:A2; SHA1 A7:71:08:50:36:2B:C7:97:4A:5A:0C:53:46:49:AC:57:4E:B8:78:C3
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US | CN=thawte Primary Root CA, OU="c 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US (Serial: 71a0b73695ddb1afc23b2b9a18ee54cb) | 12/10/2013 00:00:00 to 12/09/2023 23:59:59 | MD5 87:19:53:A9:8D:41:50:C3:3C:69:A0:C5:AE:9A:68:C6; SHA1 D0:0C:FD:BF:46:C9:8A:83:8B:C1:0D:C4:E0:97:AE:01:52:C4:61:BC
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- Input Sample (PID: 3052) 1/84
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications
Runtime
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-47" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "network-32" are available in the report
- Some low-level data is hidden, as this is only a slim report