Analyzing...

File Name: lg-n120.exe

SHA1: 90a57aa3572a8d36c7c6dd74269e68aa4c1f355f

MD5: 87038735ead0bed123fcccfcb79895e1

First Seen Date: 2017-05-23 20:47:56.255317 ( 2017-05-23 20:47:56.255317 )

Number of Clients Seen: 4

Last Analysis Date: 2017-05-23 20:47:56.255317 ( 2017-05-23 20:47:56.255317 )

Human Expert Analysis Result: No human expert analysis verdict given to this sample yet.

Analysis Summary

Analysis Type	Date	Verdict
Signature Based Detection	2017-05-23 20:47:56.255317	Malware
Static Analysis Overall Verdict	2017-05-23 20:47:56.255317	No Threat Found
Dynamic Analysis Overall Verdict	2017-05-23 20:47:56.255317	No Threat Found
Precise Detectors Overall Verdict	2017-05-23 20:47:56.255317	No Match

Static Analysis

Static Analysis Overall Verdict	Result
No Threat Found

Detector	Result
Optional Header LoaderFlags field is valued illegal	Clean
Non-ascii or empty section names detected	Clean
Illegal size of optional Header	Clean
Packer detection on signature database	Unknown
Based on the sections entropy check! file is possibly packed	Suspicious
Timestamp value suspicious	Clean
Header Checksum is zero!	Clean
Enrty point is outside the 1st(.code) section! Binary is possibly packed	Suspicious
Optional Header NumberOfRvaAndSizes field is valued illegal	Clean
Anti-vm present	Suspicious
The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger	Clean
TLS callback functions array detected	Clean

Packer detection on signature database

BobSoft Mini Delphi -> BoB / BobSoft

Dynamic Analysis

Dynamic Analysis Overall Verdict	Result
No Threat Found

Suspicious Behaviors
Opens a file in a system directory
Uses a function clandestinely

Behavioral Information

QueryFilePath

C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll

C:\lg-n120.exe

C:\Windows\syswow64\MSCTF.dll

C:\Windows\syswow64\USER32.dll

LoadLibrary

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

ntdll.dll

kernel32.dll

C:\lg-n120.exe

API-MS-Win-Security-SDDL-L1-1-0.dll

WS2_32.dll

gdiplus.dll

C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll

comctl32.dll

UxTheme.dll

WindowsCodecs.dll

user32.dll

Secur32.dll

SHELL32.dll

ADVAPI32.dll

api-ms-win-downlevel-ole32-l1-1-0.dll

api-ms-win-downlevel-advapi32-l2-1-0.dll

urlmon.dll

winhttp.dll

propsys.dll

ole32.dll

ntmarta.dll

USER32.dll

ntshrui.dll

srvcli.dll

cscapi.dll

slc.dll

SHLWAPI.dll

IPHLPAPI.DLL

api-ms-win-downlevel-shlwapi-l2-1-0.dll

DNSAPI.dll

C:\Windows\system32\ole32.dll

C:\Windows\syswow64\MSCTF.dll

dhcpcsvc.DLL

OLEAUT32.DLL

API-MS-Win-Security-LSALookup-L1-1-0.dll

CRYPTBASE.dll

OLEAUT32.dll

ReadRegisteryKey

ClientID

SyncMode5

FEATURE_CLIENTAUTHCERTFILTER

FromCacheTimeout

SecureProtocols

DisableKeepAlive

IdnEnabled

PreConnectLimit

PreResolveLimit

SqmHttpStreamRandomUploadPoolSize

CacheMode

EnableHttp1_1

ProxyHttp1.1

EnableNegotiate

DisableBasicOverClearChannel

ClientAuthBuiltInUI

DisableReadRange

SocketSendBufferLength

SocketReceiveBufferLength

KeepAliveTimeout

MaxHttpRedirects

MaxConnectionsPerServer

MaxConnectionsPer1_0Server

MaxConnectionsPerProxy

ServerInfoTimeout

ConnectTimeOut

ConnectRetries

SendTimeOut

ReceiveTimeOut

DisableNTLMPreAuth

ScavengeCacheLowerBound

CertCacheNoValidate

ScavengeCacheFileLifeTime

ScavengeCacheFileLimit

HttpDefaultExpiryTimeSecs

FtpDefaultExpiryTimeSecs

LeashLegacyCookies

SendExtraCRLF

WpadSearchAllDomains

DontUseDNSLoadBalancing

ShareCredsWithWinHttp

DnsCacheEnabled

DnsCacheEntries

DnsCacheTimeout

WarnOnPost

WarnAlwaysOnPost

WarnOnZoneCrossing

WarnOnBadCertRecving

WarnOnPostRedirect

AlwaysDrainOnRedirect

WarnOnHTTPSToHTTPRedirect

TcpAutotuning

BadProxyExpiresTime

FrameTabWindow

FrameMerging

SessionMerging

AdminTabProcs

TabProcGrowth

AutoProxyDetectType

WpadOverride

DisableBranchCache

UseFirstAvailable

CombineFalseStartData

DisableFalseStartBlocklist

EnforceP3PValidity

DuoProtocols

EnableSpdyDebugAsserts

DefaultConnectionSettings

SystemSetupInProgress

ProxyEnable

ProxyServer

ProxyOverride

AutoConfigURL

AutoDetect

SavedLegacySettings

Disable

DataFilePath

Plane1

Plane2

Plane3

Plane4

Plane5

Plane6

Plane7

Plane8

Plane9

Plane10

Plane11

Plane12

Plane13

Plane14

Plane15

Plane16

WpadDecision

WpadDecisionTime

WpadExpirationDays

CreateRegisteryKey

Software\Auslogics\Google Analytics Package\1.x\Settings\

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad

CreateFile

C:\lg-n120.exe

\\.\Nsi

C:\Users\win7\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

C:\

C:\Users\win7\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

C:\Users\win7\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000008.db

\\.\PIPE\srvsvc

C:\Users\win7\Desktop\Resume TweakBit Driver Updater Installation.lnk

C:\Windows\Fonts\staticcache.dat

C:\Windows\system32\rsaenh.dll

OpenRegisteryKey

Software\Embarcadero\Locales

Software\CodeGear\Locales

Software\Borland\Locales

Software\Borland\Delphi\Locales

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2FFDD819-5ACF-49D5-9F18-980B42E5DA66}_is1

SOFTWARE\TweakBit\Driver Updater\1.x\Settings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{62D64B30-6E10-4C49-95FE-EDD8F8165DED}_is1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache

Content

History

Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl

Software\Microsoft\Internet Explorer\Main\FeatureControl

FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

RETRY_HEADERONLYPOST_ONCONNECTIONRESET

FEATURE_MIME_HANDLING

FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611

FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY

FEATURE_INCLUDE_PORT_IN_SPN_KB908209

FEATURE_BUFFERBREAKING_818408

FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954

FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289

FEATURE_USE_CNAME_FOR_SPN_KB911149

FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274

FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK

FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS

FEATURE_DIGEST_NO_EXTRAS_IN_URI

FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608

FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477

FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545

FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615

FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730

FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Policies

Software

Software\Policies\Microsoft\Internet Explorer

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache

SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache

FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266

FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543

FEATURE_SCH_SEND_AUX_RECORD_KB_2618444

Software\Microsoft\Internet Explorer\Main

Software\Policies\Microsoft\Internet Explorer\Main

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad

Software\Policies\Microsoft\PeerDist\Service

Software\Microsoft\Windows NT\CurrentVersion\PeerDist\Service

System\Setup

SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0

SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback

Franklin Gothic Medium Cond

{69DC4768-446B-4F82-A6B0-63966A243064}

CreateMutex

<NULL>

2AC02BED-480E-4564-9122-78206DF1326C_stub_installer_TweakBit_Driver Updater

OpenMutex

Local\MSCTF.Asm.MutexDefault1

Precise Detectors Analysis Results

Detector Name	Date	Verdict	Reason
Uninstaller FP Detector	2017-05-23 20:47:32.726411	No Match	No match.
Yara Rule Static Malware Detector	2017-05-23 20:47:32.719908	No Match	No match.
Static Precise PUA Detector 1	2017-05-23 20:47:32.735170	No Match	NotDetected
Static Precise Virus Detector	2017-05-23 20:47:32.728137	No Match	NotDetected
Static Precise Trojan Detector	2017-05-23 20:47:32.727455	No Match	NotDetected
Malicious Url Detector	2017-05-23 20:47:56.233498	No Match	No match.