File Name:   Malware_6.exe
SHA1:   17724c6d89fbaca8fdd8449f86cb43740df84bf5
MD5:   fd98d875d9068ea21e38d59e5aa97383
First Seen Date:  2015-11-11 18:29:29.287000
Number of Clients Seen:   4
Last Analysis Date:  2016-01-01 07:34:34.398802
Human Expert Analysis Result:   No human expert analysis verdict given to this sample yet.
Analysis Summary
Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2016-01-01 07:34:34.398802 | Malware
Static Analysis Overall Verdict | 2016-01-01 07:34:34.398802 | No Threat Found
Dynamic Analysis Overall Verdict | 2016-01-01 07:34:34.398802 | Highly Suspicious
Static Analysis
Static Analysis Overall Verdict | Result
---|---
Overall | No Threat Found
Detector | Result
---|---
Optional Header LoaderFlags field is valued illegal | Clean
Non-ascii or empty section names detected | Clean
Illegal size of optional Header | Clean
Packer detection on signature database | Unknown
Based on the sections entropy check! file is possibly packed | Clean
Timestamp value suspicious | Clean
Header Checksum is zero! | Suspicious
Entry point is outside the 1st(.code) section! Binary is possibly packed | Clean
Optional Header NumberOfRvaAndSizes field is valued illegal | Clean
Anti-vm present | Clean
The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger | Suspicious
TLS callback functions array detected | Clean
Anti-debug calls:
- FindWindowExA
Dynamic Analysis
Dynamic Analysis Overall Verdict | Result
---|---
Overall | Highly Suspicious
Suspicious Behaviors:
- Has no visible windows
- Opens a file in a system directory
- Uses a function clandestinely
- Downloads data from internet
Behavioral Information
Precise Detectors Analysis Results
No Detector Result Received
Advanced Heuristics
No Advanced Heuristic Analysis Result Received
Additional File Information
Property | Value
---|---

Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
---|---|---|---|---|---