File Name:   R3W4R3_6TCQL5.EXE
SHA1:   2d7c33e88ffc84b81adf3224a51d520fc856dd20
MD5:   499ce8d9670fe336160947c3cc37fba1
First Seen Date:  2017-08-31 20:50:01.954807
Number of Clients Seen:   2
Last Analysis Date:  2017-08-31 20:50:01.954807
Human Expert Analysis Result:   No human expert analysis verdict given to this sample yet.
Analysis Summary
Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2017-08-31 20:50:01.954807 | Malware
Static Analysis Overall Verdict | 2017-08-31 20:50:01.954807 | No Threat Found
Dynamic Analysis Overall Verdict | 2017-08-31 20:50:01.954807 | No Threat Found
Precise Detectors Overall Verdict | 2017-08-31 20:50:01.954807 | No Match
Static Analysis
Static Analysis Overall Verdict: No Threat Found
Detector | Result
---|---
Optional Header LoaderFlags field has an illegal value | Clean
Non-ASCII or empty section names detected | Clean
Illegal size of Optional Header | Clean
Packer detection against signature database | Unknown
Section entropy check: file is possibly packed | Clean
Timestamp value suspicious | Suspicious
Header checksum is zero | Clean
Entry point is outside the first (.code) section: binary is possibly packed | Clean
Optional Header NumberOfRvaAndSizes field has an illegal value | Clean
Anti-VM present | Clean
SizeOfRawData has an illegal value: binary might crash your disassembler/debugger | Suspicious
TLS callback function array detected | Clean
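Two of these checks fired on this sample, the link timestamp and SizeOfRawData. Both are header-field sanity checks, and the table shows the analyzer treating them as Suspicious rather than as a verdict. The script below is an added example, not the analyzer's code: it constructs a minimal PE32 image in memory and evaluates the same classes of check the table names (LoaderFlags, section names, SizeOfOptionalHeader, section entropy, timestamp, checksum, entry point versus first section, NumberOfRvaAndSizes, SizeOfRawData versus file length, TLS directory). The thresholds (ENTROPY_PACKED, EARLIEST_SANE_TS, the one-day future window) and the "first section" rule are this example's assumptions; the packer-signature and anti-VM checks need a signature database and a string scan and are not reproduced.

```python
"""Header heuristics of the kind listed in the static detector table.

Added example, not the analyzer's code. It builds a minimal single-section
PE32 image in memory (constructed test input), parses the headers with struct,
and evaluates the same classes of check the table names. The thresholds
(ENTROPY_PACKED, EARLIEST_SANE_TS, the one-day future window) are this
example's assumptions, not the analyzer's.
"""
import math
import struct
import time
from collections import Counter

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
OPT_HDR_SIZE = {PE32_MAGIC: 224, PE32PLUS_MAGIC: 240}   # legal SizeOfOptionalHeader values
OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"   # PE32 optional header up to NumberOfRvaAndSizes (96 bytes)
SECTION_FMT = "<8sIIIIIIHHI"                  # IMAGE_SECTION_HEADER (40 bytes)
FILE_ALIGN = 0x200
ENTROPY_PACKED = 7.0          # assumption: section entropy above this bits/byte => "possibly packed"
EARLIEST_SANE_TS = 788918400  # assumption: link timestamps before 1995-01-01 are treated as bogus


def build_sample_pe(timestamp, checksum=0x1234, loader_flags=0, num_rva=16, entry_point=0x1000,
                    section_name=b".text", section_data=b"\xcc" * 0x200, declared_raw_size=None):
    """Return the bytes of a minimal PE32 with one section (constructed input, not a real binary)."""
    if declared_raw_size is None:
        declared_raw_size = len(section_data)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, OPT_HDR_SIZE[PE32_MAGIC], 0x102)
    opt = struct.pack(OPT_FMT, PE32_MAGIC, 14, 0,
                      declared_raw_size, 0, 0, entry_point, 0x1000, 0x2000, 0x400000, 0x1000, FILE_ALIGN,
                      6, 0, 0, 0, 6, 0,
                      0, 0x2000, FILE_ALIGN, checksum,
                      2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, loader_flags, num_rva)
    opt += b"\0" * (16 * 8)   # 16 empty data directories (so no TLS directory)
    sect = struct.pack(SECTION_FMT, section_name.ljust(8, b"\0"), len(section_data), 0x1000,
                       declared_raw_size, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_hdr + opt + sect
    return headers.ljust(FILE_ALIGN, b"\0") + section_data


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def static_header_checks(pe, now=None):
    """Evaluate the header heuristics; returns {check_name: True if flagged}."""
    now = time.time() if now is None else now
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt_off)
    if magic != PE32_MAGIC:
        raise ValueError("this example parses PE32 only")
    f = struct.unpack_from(OPT_FMT, pe, opt_off)
    entry_point, checksum, loader_flags, num_rva = f[6], f[21], f[28], f[29]
    tls_va = 0
    if num_rva > 9:   # IMAGE_DIRECTORY_ENTRY_TLS is directory index 9
        tls_va, _ = struct.unpack_from("<II", pe, opt_off + 96 + 9 * 8)
    # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    sections = [struct.unpack_from(SECTION_FMT, pe, opt_off + opt_size + 40 * i)[:5]
                for i in range(nsections)]
    _, first_vsize, first_va, first_raw, _ = sections[0]
    names = [s[0].split(b"\0", 1)[0] for s in sections]
    return {
        "loaderflags_illegal": loader_flags != 0,
        "section_name_bad": any(n == b"" or any(b < 0x20 or b > 0x7E for b in n) for n in names),
        "optional_header_size_illegal": opt_size != OPT_HDR_SIZE[magic],
        "high_entropy_section": any(shannon_entropy(pe[rp:rp + rs]) > ENTROPY_PACKED
                                    for _, _, _, rs, rp in sections),
        "timestamp_suspicious": timestamp == 0 or timestamp < EARLIEST_SANE_TS or timestamp > now + 86400,
        "checksum_zero": checksum == 0,
        # assumption: the loader maps VirtualSize bytes (SizeOfRawData if VirtualSize is 0)
        "entrypoint_outside_first_section": not (first_va <= entry_point < first_va + (first_vsize or first_raw)),
        "numberofrvaandsizes_illegal": num_rva != 16,
        "rawsize_illegal": any(rp + rs > len(pe) for _, _, _, rs, rp in sections),
        "tls_directory_present": tls_va != 0,
    }


if __name__ == "__main__":
    clean = build_sample_pe(timestamp=1504212601)                 # 2017-08-31, a plausible link time
    odd = build_sample_pe(timestamp=0, checksum=0, declared_raw_size=0x10000,
                          section_data=bytes(range(256)) * 2)     # zero stamp, no checksum, raw size past EOF
    for label, image in (("clean", clean), ("suspicious", odd)):
        flagged = sorted(k for k, v in static_header_checks(image).items() if v)
        print(label, "->", flagged or "no findings")
```

To run it on a real file, pass `open(path, "rb").read()` to `static_header_checks`; it raises on PE32+ rather than misparse it. The raw-size check compares PointerToRawData + SizeOfRawData with the file length; a disassembler that trusts the header reads past end of file, which is the crash the table's wording refers to, so the check marks the file for a look rather than classifying it.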
Dynamic Analysis
Dynamic Analysis Overall Verdict: No Threat Found
Suspicious Behaviors: No suspicious activity found
Behavioral Information
Registry keys created or opened (RegCreateKeyEx parameter set; h_key 80000001 = HKEY_CURRENT_USER; samDesired 1 = KEY_QUERY_VALUE, 2 = KEY_SET_VALUE, 20006 = KEY_WRITE, 2001f = KEY_READ|KEY_WRITE; dwOptions 1 = REG_OPTION_VOLATILE):
{"h_key": "80000001", "samDesired": "1", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18de34", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"}
{"h_key": "80000001", "samDesired": "2001f", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "18fde8", "dwOptions": "1", "lpClass": "<NULL>", "phkResult": "18fdec", "lpSubKey": "Software\\Microsoft\\RestartManager\\Session0000"}
{"h_key": "80000001", "samDesired": "1", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18dd14", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"}
{"h_key": "80000001", "samDesired": "2001f", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "18fdf8", "dwOptions": "1", "lpClass": "<NULL>", "phkResult": "18fdfc", "lpSubKey": "Software\\Microsoft\\RestartManager\\Session0000"}
{"h_key": "80000001", "samDesired": "2001f", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "18de38", "dwOptions": "0", "lpClass": "<NULL>", "phkResult": "18de3c", "lpSubKey": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"h_key": "80000001", "samDesired": "2001f", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "18fdc8", "dwOptions": "1", "lpClass": "<NULL>", "phkResult": "18fddc", "lpSubKey": "Software\\Microsoft\\RestartManager\\Session0000"}
{"h_key": "80000001", "samDesired": "2", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18ddd4", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"}
{"h_key": "80000001", "samDesired": "1", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18dd7c", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"}
{"h_key": "80000001", "samDesired": "1", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18de18", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"}
{"h_key": "80000001", "samDesired": "20006", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18de34", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
Handle values (hex); several reappear below as hKey/hFile:
150
144
2a0
244
264
2b0
120
114
260
274
14c
26c
228
268
2a8
File paths referenced:
C:\Users\win7\AppData\Local\Temp\is-TI64E.tmp\R3W4R3_6TCQL5.tmp
C:\Users\win7\AppData\Local\Temp\is-8HAF7.tmp\license.key
C:\Windows\syswow64\MSCTF.dll
C:\Windows\syswow64\USER32.dll
Registry value names referenced (mostly WinINet Internet Settings values):
WpadSearchAllDomains
WarnOnZoneCrossing
DnsCacheEntries
DuoProtocols
DisableReadRange
DisableKeepAlive
ScavengeCacheFileLimit
EnableNegotiate
ClientAuthBuiltInUI
CacheMode
EnforceP3PValidity
BadProxyExpiresTime
ConnectRetries
ServerInfoTimeout
ProxyHttp1.1
SqmHttpStreamRandomUploadPoolSize
HttpDefaultExpiryTimeSecs
ProxyEnable
WarnOnPostRedirect
SendExtraCRLF
WaitToKillServiceTimeout
RegisteredOrganization
ConnectTimeOut
CommonFilesDir
DisableBranchCache
AlwaysDrainOnRedirect
DnsCacheEnabled
ScavengeCacheLowerBound
DontUseDNSLoadBalancing
DisableBasicOverClearChannel
DisableNTLMPreAuth
EnableSpdyDebugAsserts
FrameTabWindow
CertCacheNoValidate
MaxHttpRedirects
ShareCredsWithWinHttp
IdnEnabled
SecureProtocols
DefaultConnectionSettings
SystemSetupInProgress
AutoProxyDetectType
LeashLegacyCookies
WarnAlwaysOnPost
AutoConfigURL
MaxConnectionsPer1_0Server
WpadOverride
PreConnectLimit
ScavengeCacheFileLifeTime
SavedLegacySettings
RegisteredOwner
UseFirstAvailable
MaxConnectionsPerProxy
FtpDefaultExpiryTimeSecs
FEATURE_CLIENTAUTHCERTFILTER
KeepAliveTimeout
MaxConnectionsPerServer
FrameMerging
TcpAutotuning
TabProcGrowth
SocketReceiveBufferLength
DisableFalseStartBlocklist
WarnOnBadCertRecving
EnableHttp1_1
WarnOnHTTPSToHTTPRedirect
SocketSendBufferLength
SendTimeOut
PreResolveLimit
ProxyOverride
ReceiveTimeOut
FromCacheTimeout
ProgramFilesDir
ProxyServer
WarnOnPost
SyncMode5
AutoDetect
AdminTabProcs
CombineFalseStartData
SessionMerging
DnsCacheTimeout
{"Reserved": "0", "hKey": "2a0", "lpData": "5cf8a8", "dwType": "3", "lpValueName": "SavedLegacySettings", "cbData": "b8"}
{"Reserved": "0", "hKey": "150", "lpData": "595f70", "dwType": "3", "lpValueName": "SessionHash", "cbData": "20"}
{"Reserved": "0", "hKey": "150", "lpData": "5953d0", "dwType": "3", "lpValueName": "Owner", "cbData": "c"}
{"Reserved": "0", "hKey": "14c", "lpData": "18fe24", "dwType": "4", "lpValueName": "Sequence", "cbData": "4"}
{"Reserved": "0", "hKey": "2a8", "lpData": "18de30", "dwType": "4", "lpValueName": "ProxyEnable", "cbData": "4"}
{"lDistanceToMove": "0", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "17f9ec", "hFile": "14c"}
{"lDistanceToMove": "0", "dwMoveMethod": "1", "lpDistanceToMoveHigh": "18fe74", "hFile": "114"}
{"lDistanceToMove": "28340", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "18fe64", "hFile": "114"}
{"lDistanceToMove": "32200", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "17f9f8", "hFile": "14c"}
{"lDistanceToMove": "0", "dwMoveMethod": "1", "lpDistanceToMoveHigh": "18fe7c", "hFile": "114"}
{"lDistanceToMove": "266f9", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "18fe80", "hFile": "114"}
{"lDistanceToMove": "2838b", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "18fe64", "hFile": "114"}
{"lDistanceToMove": "12800", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "18fba8", "hFile": "154"}
{"dwCreationDisposition": "2", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\is-8HAF7.tmp\\license.key", "dwDesiredAccess": "40000000", "dwShareMode": "0"}
{"dwCreationDisposition": "2", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\is-8HAF7.tmp\\help.db", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "4", "path": "C:\\Users\\win7\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\counters.dat", "dwDesiredAccess": "c0000000", "dwShareMode": "3"}
{"dwCreationDisposition": "3", "path": "\\\\.\\Nsi", "dwDesiredAccess": "0", "dwShareMode": "3"}
{"dwCreationDisposition": "3", "path": "C:\\R3W4R3_6TCQL5.EXE", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"dwCreationDisposition": "2", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\is-8HAF7.tmp\\_isetup\\_setup64.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\RestartManager"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "System\\CurrentControlSet\\Control"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "System\\Setup"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Borland\\Locales"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "RETRY_HEADERONLYPOST_ONCONNECTIONRESET"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_USE_CNAME_FOR_SPN_KB911149"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Borland\\Delphi\\Locales"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_BUFFERBREAKING_818408"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_MIME_HANDLING"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Borland\\Locales"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_DIGEST_NO_EXTRAS_IN_URI"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_SCH_SEND_AUX_RECORD_KB_2618444"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_INCLUDE_PORT_IN_SPN_KB908209"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477"}
Named synchronization objects (mutex names):
Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Inno
Local\MSCTF.Asm.MutexDefault1
{"nNumberOfBytesToWrite": "2200", "lpOverlapped": "0", "lpBuffer": "17fa38", "lpNumberOfBytesWritten": "17f9ec", "hFile": "14c"}
{"nNumberOfBytesToWrite": "1800", "lpOverlapped": "0", "lpBuffer": "4b2ac4", "lpNumberOfBytesWritten": "18fdb8", "hFile": "120"}
{"nNumberOfBytesToWrite": "10000", "lpOverlapped": "0", "lpBuffer": "17fa38", "lpNumberOfBytesWritten": "17f9ec", "hFile": "14c"}
Modules loaded and other file names referenced:
C:\Windows\system32\ole32.dll
C:\Windows\syswow64\MSCTF.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\system32\shell32.dll
ADVAPI32.dll
ole32.dll
comctl32.dll
C:\Windows\system32\shfolder.dll
C:\Windows\system32\Rstrtmgr.dll
C:\Windows\SysWOW64\bcryptprimitives.dll
C:\Users\win7\AppData\Local\Temp\is-8HAF7.tmp\license.key
C:\Users\win7\AppData\Local\Temp\is-8HAF7.tmp\license.ENU
C:\Users\win7\AppData\Local\Temp\is-8HAF7.tmp\license.EN
ws2_32.dll
API-MS-Win-Security-SDDL-L1-1-0.dll
WS2_32.dll
kernel32.dll
ntdll.dll
Secur32.dll
SHELL32.dll
api-ms-win-downlevel-advapi32-l2-1-0.dll
api-ms-win-downlevel-ole32-l1-1-0.dll
winhttp.dll
IPHLPAPI.DLL
api-ms-win-downlevel-shlwapi-l2-1-0.dll
OLEAUT32.DLL
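The records above carry Win32 parameter names and hex values but no API name, and the report draws no conclusion from them beyond "No suspicious activity found". The script below is an added example, not the analyzer's code: it identifies each API from its parameter set (the sets are distinct for the six call types in this trace), decodes the standard Win32 constants (HKEY roots, KEY_* and GENERIC_* access masks, creation dispositions, REG_* types), and applies three triage rules that are this example's assumptions: writes into %TEMP%, RegSetValueEx on WinINet proxy values, and Internet Settings keys opened with write access. SAMPLE_RECORDS is a subset copied from this report.

```python
"""Decode the per-call records in the Behavioral Information section.

Added example, not the analyzer's code. The sandbox emits one JSON object per
API call carrying Win32 parameter names and hex values but no API name; this
script infers the API from the parameter set, decodes the standard Win32
constants, and lists the calls a triager reads first. SAMPLE_RECORDS are
copied from the report; the triage rules are this example's assumptions.
"""
import json

# Records copied from the report above (a subset chosen to cover each parameter set).
SAMPLE_RECORDS = [
    r'{"h_key": "80000001", "samDesired": "2001f", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "18fde8", "dwOptions": "1", "lpClass": "<NULL>", "phkResult": "18fdec", "lpSubKey": "Software\\Microsoft\\RestartManager\\Session0000"}',
    r'{"h_key": "80000001", "samDesired": "1", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18de34", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"}',
    r'{"Reserved": "0", "hKey": "2a8", "lpData": "18de30", "dwType": "4", "lpValueName": "ProxyEnable", "cbData": "4"}',
    r'{"Reserved": "0", "hKey": "2a0", "lpData": "5cf8a8", "dwType": "3", "lpValueName": "SavedLegacySettings", "cbData": "b8"}',
    r'{"dwCreationDisposition": "2", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\is-8HAF7.tmp\\license.key", "dwDesiredAccess": "40000000", "dwShareMode": "0"}',
    r'{"dwCreationDisposition": "3", "path": "C:\\R3W4R3_6TCQL5.EXE", "dwDesiredAccess": "80000000", "dwShareMode": "1"}',
    r'{"dwCreationDisposition": "2", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\is-8HAF7.tmp\\_isetup\\_setup64.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}',
    r'{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\RestartManager"}',
    r'{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_MIME_HANDLING"}',
    r'{"nNumberOfBytesToWrite": "10000", "lpOverlapped": "0", "lpBuffer": "17fa38", "lpNumberOfBytesWritten": "17f9ec", "hFile": "14c"}',
    r'{"lDistanceToMove": "28340", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "18fe64", "hFile": "114"}',
    r'{"h_key": "80000001", "samDesired": "20006", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18de34", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}',
]

# The report does not name the API; the parameter set identifies it unambiguously.
API_BY_PARAMS = {
    frozenset("h_key lpSubKey Reserved lpClass dwOptions samDesired lpSecurityAttributes phkResult lpdwDisposition".split()): "RegCreateKeyEx",
    frozenset("hKey lpSubKey phkResult".split()): "RegOpenKey",
    frozenset("hKey lpValueName Reserved dwType lpData cbData".split()): "RegSetValueEx",
    frozenset("path dwDesiredAccess dwShareMode dwCreationDisposition".split()): "CreateFile",
    frozenset("hFile lDistanceToMove lpDistanceToMoveHigh dwMoveMethod".split()): "SetFilePointer",
    frozenset("hFile lpBuffer nNumberOfBytesToWrite lpNumberOfBytesWritten lpOverlapped".split()): "WriteFile",
}
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x20006: "KEY_WRITE",
              0x20019: "KEY_READ", 0x2001F: "KEY_READ|KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
PROXY_VALUES = {"ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL"}   # assumption: values worth a look


def decode_record(line):
    """Parse one JSON record; return a dict with the inferred API name and decoded arguments."""
    rec = json.loads(line)
    api = API_BY_PARAMS.get(frozenset(rec), "unknown")
    out = {"api": api}

    def h(key):                      # every numeric field in the trace is hex without a 0x prefix
        return int(rec[key], 16)

    if api == "RegCreateKeyEx":
        out.update(root=HKEYS.get(h("h_key"), "handle:" + rec["h_key"]), subkey=rec["lpSubKey"],
                   access=KEY_ACCESS.get(h("samDesired"), rec["samDesired"]),
                   volatile=bool(h("dwOptions") & 1))          # REG_OPTION_VOLATILE
    elif api == "RegOpenKey":
        out.update(root=HKEYS.get(h("hKey"), "handle:" + rec["hKey"]), subkey=rec["lpSubKey"])
    elif api == "RegSetValueEx":
        out.update(value=rec["lpValueName"], type=REG_TYPES.get(h("dwType"), rec["dwType"]), size=h("cbData"))
    elif api == "CreateFile":
        acc = h("dwDesiredAccess")
        out.update(path=rec["path"], access="|".join(n for bit, n in GENERIC if acc & bit) or "0",
                   disposition=DISPOSITION.get(h("dwCreationDisposition"), rec["dwCreationDisposition"]))
    elif api == "WriteFile":
        out.update(handle=rec["hFile"], bytes=h("nNumberOfBytesToWrite"))
    elif api == "SetFilePointer":
        out.update(handle=rec["hFile"], offset=h("lDistanceToMove"), method=h("dwMoveMethod"))
    return out


def triage(decoded):
    """Reasons a triager would look at this call first (assumed heuristics, not the analyzer's)."""
    reasons = []
    if decoded["api"] == "CreateFile" and "GENERIC_WRITE" in decoded["access"] \
            and "\\AppData\\Local\\Temp\\" in decoded["path"]:
        reasons.append("writes into %TEMP%")
    if decoded["api"] == "RegSetValueEx" and decoded["value"] in PROXY_VALUES:
        reasons.append("touches WinINet proxy settings")
    if decoded["api"] == "RegCreateKeyEx" and "Internet Settings" in decoded["subkey"] \
            and decoded["access"] not in ("KEY_QUERY_VALUE", "KEY_READ"):
        reasons.append("opens Internet Settings for writing")
    return reasons


def count_by_api(lines):
    """Histogram of inferred API names over a list of records."""
    counts = {}
    for line in lines:
        api = decode_record(line)["api"]
        counts[api] = counts.get(api, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        d = decode_record(line)
        print(d["api"].ljust(15), triage(d) or "", {k: v for k, v in d.items() if k != "api"})
    print(count_by_api(SAMPLE_RECORDS))
```

Read together, the trace is consistent with an installer stub unpacking itself in the sandbox (the is-XXXXX.tmp working directories, `_isetup\_setup64.tmp`, the `Software\Borland\Delphi\Locales` lookups and the `Inno` named object are the artifacts Inno Setup-built installers leave), and the FeatureControl and Internet Settings reads are the HTTP client library initialising. What the trace does not show is the value written by the `ProxyEnable` RegSetValueEx (only the lpData pointer and a 4-byte cbData are logged) or anything the extracted payload does, so the sandbox's registry diff and a longer run are the next checks; the clean dynamic verdict above covers the stub's time in the sandbox, not the installed program.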
Precise Detectors Analysis Results
Detector Name | Date | Verdict | Reason
---|---|---|---
Static Precise Adware Prepscram 1 | 2017-08-31 20:48:10.959667 | No Match | No match.
Static Precise Trojan Cryptor Detector 1 | 2017-08-31 20:48:10.969017 | No Match | No match.
Yara Rule Static Malware Detector | 2017-08-31 20:48:10.968889 | No Match | No match.
Static Precise PUA Detector 1 | 2017-08-31 20:48:10.969894 | No Match | NotDetected
Static Precise Virus Detector | 2017-08-31 20:48:10.971168 | No Match | NotDetected
Static Precise Trojan Detector | 2017-08-31 20:48:10.979080 | No Match | NotDetected
Static Precise PUA Detector 2 | 2017-08-31 20:48:10.981216 | No Match | No match.
Static Precise PUA Detector 3 | 2017-08-31 20:48:10.984612 | No Match | No match.
Static Precise Virus Hezhi Detector | 2017-08-31 20:48:10.986853 | No Match | No match.
Ransomware Chunk Detector | 2017-08-31 20:48:12.791762 | No Match | No match.
Static Precise Virus Detector 2 | 2017-08-31 20:48:10.993859 | No Match | NotDetected
Static Precise Trojan Detector 2 | 2017-08-31 20:48:10.992888 | No Match | NotDetected
Static Precise Trojan Detector 3 | 2017-08-31 20:48:11.000024 | No Match | NotDetected
Static Precise Adware InstallCore Detector 1 | 2017-08-31 20:48:11.031500 | No Match | NotDetected
Static Precise Trojan Generic Cryptor Detector 1 | 2017-08-31 20:48:11.030595 | No Match | NotDetected
Static Precise MD5 Detector | 2017-08-31 20:48:11.749447 | No Match | No match.
Malicious Url Detector | 2017-08-31 20:50:01.924218 | No Match | No match.
Advanced Heuristics
No advanced heuristic analysis result received.
Additional File Information
Property | Value
---|---
(no property values reported for this sample)
Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
---|---|---|---|---|---
(no section table reported for this sample)