Analyzing...

File Name: updatemolo.exe

SHA1: 8a397aaf4d1b15d51bc5b7383421c151f42d33a4

MD5: f8af9b8b54de954db0d00931422f0051

First Seen Date: 2016-07-24 17:35:32.845530 ( 2016-07-24 17:35:32.845530 )

Number of Clients Seen: 7

Last Analysis Date: 2016-07-24 17:35:32.845530 ( 2016-07-24 17:35:32.845530 )

Human Expert Analysis Result: No human expert analysis verdict given to this sample yet.

Analysis Summary

Analysis Type	Date	Verdict
Signature Based Detection	2016-07-24 17:35:32.845530	Clean
Static Analysis Overall Verdict	2016-07-24 17:35:32.845530	Highly Suspicious
Dynamic Analysis Overall Verdict	2016-07-24 17:35:32.845530	Highly Suspicious

Static Analysis

Static Analysis Overall Verdict	Result
Highly Suspicious

Detector	Result
Optional Header LoaderFlags field is valued illegal	Clean
Non-ascii or empty section names detected	Clean
Illegal size of optional Header	Clean
Packer detection on signature database	Unknown
Based on the sections entropy check! file is possibly packed	Suspicious
Timestamp value suspicious	Clean
Header Checksum is zero!	Clean
Enrty point is outside the 1st(.code) section! Binary is possibly packed	Clean
Optional Header NumberOfRvaAndSizes field is valued illegal	Clean
Anti-vm present	Clean
The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger	Clean
TLS callback functions array detected	Clean

Packer detection on signature database

Microsoft Visual C# / Basic .NET

.NET executable

Dynamic Analysis

Dynamic Analysis Overall Verdict	Result
Highly Suspicious

Suspicious Behaviors
Opens a file in a system directory
Uses a function clandestinely
Has no visible windows

Behavioral Information

QueryFilePath

C:\sample

C:\Windows\SYSTEM32\MSCOREE.DLL

C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

C:\Windows\system32\RichEd20.dll

C:\Windows\syswow64\CRYPT32.dll

C:\Windows\system32\cryptnet.dll

LowerChar

http

ReadRegisteryKey

InstallRoot

CLRLoadLogDir

OnlyUseLatestCLR

GCStressStart

GCStressStartAtJit

DisableConfigCache

CacheLocation

DownloadCacheQuotaInKB

EnableLog

LoggingLevel

ForceLog

LogFailures

VersioningLog

LogResourceBinds

UseLegacyIdentityFormat

DisableMSIPeek

NoClientChecks

DevOverrideEnable

LatestIndex

NIUsageMask

ILUsageMask

DisplayName

ConfigMask

ConfigString

MVID

EvalationData

Status

ILDependencies

NIDependencies

MissingDependencies

Modules

SIG

LastModTime

mscorlib

CreateRegisteryKey

Software\Microsoft\Fusion\GACChangeNotification\Default

CreateFile

C:\sample.config

C:\sample

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

C:\Users\win7\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config

C:\Users\win7\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch

C:\Windows\assembly\NativeImages_v2.0.50727_32\index1c2.dat

C:\Windows\system32\rsaenh.dll

\\.\Nsi

C:\Users\win7\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\win7\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\win7\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BCC5425735D67C042376F8936CB8126

OpenRegisteryKey

Software\Microsoft\.NETFramework\Policy\

v2.0

Software\Microsoft\.NETFramework

Upgrades

Standards

AppPatch

Software\Microsoft\.NETFramework\Policy\Standards

v2.0.50727

Software\Microsoft\Fusion

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sample

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets

Internet

LocalIntranet

Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3979321414-2393373014-2172761192-1000

Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy

Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32

index1c2

NI\181938c6\7950e2c5

NI\181938c6\7950e2c5\16

IL\7950e2c5\4b5f28af\5f

Software\Microsoft\Cryptography\Wintrust\Config

System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}

CreateMutex

<NULL>

OpenMutex

Global\CLR_CASOFF_MUTEX

LoadLibrary

ADVAPI32.dll

SHLWAPI.dll

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

mscoree.dll

ntdll

advapi32.dll

shell32.dll

C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll

imm32.dll

RichEd20.dll

mscorsec.dll

CRYPTSP.dll

CRYPTBASE.dll

WINTRUST.DLL

C:\Windows\syswow64\CRYPT32.dll

imagehlp.dll

USER32.dll

ncrypt.dll

C:\Windows\SysWOW64\bcryptprimitives.dll

bcrypt.dll

USERENV.dll

API-MS-Win-Security-SDDL-L1-1-0.dll

cryptnet.dll

C:\Windows\system32\cryptnet.dll

SensApi.dll

WINHTTP.dll

winhttp.dll

WS2_32.dll

kernel32.dll

SspiCli.dll

RPCRT4.dll

IPHLPAPI.DLL

ntdll.dll

ole32.dll

NSI.dll

CFGMGR32.dll

API-MS-WIN-Service-Management-L1-1-0.dll

API-MS-WIN-Service-Management-L2-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

profapi.dll

DNSAPI.dll

API-MS-Win-Security-LSALookup-L1-1-0.dll

Precise Detectors Analysis Results

No Detector Result Received

Advance Heuristics

No Advanced Heuristic Analysis Result Received

Additional File Information

Vendor Validation

Certificate Validation

PE Headers

Property	Value

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	MD5

PE Imports

PE Exports

PE Resources

Loading...