File Name: rutamapainstaller.exe
SHA1: 91fe50a6868d355a0a698df221fdd3b1a25c1d94
MD5: 49f29111b377f62fc3062a8226c31686
First Seen Date: 2017-09-01 20:57:30.425738
Number of Clients Seen: 4
Last Analysis Date: 2017-09-01 20:57:30.425738
Human Expert Analysis Result:   No human expert analysis verdict given to this sample yet.
Analysis Summary

Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2017-09-01 20:57:30.425738 | PUA
Static Analysis Overall Verdict | 2017-09-01 20:57:30.425738 | No Threat Found
Dynamic Analysis Overall Verdict | 2017-09-01 20:57:30.425738 | No Threat Found
Precise Detectors Overall Verdict | 2017-09-01 20:57:30.425738 | No Match
Static Analysis

Static Analysis Overall Verdict | Result
---|---
No Threat Found | No Threat Found

Detector | Result
---|---
Optional Header LoaderFlags field is valued illegal | Clean
Non-ASCII or empty section names detected | Clean
Illegal size of Optional Header | Clean
Packer detection on signature database | Unknown
Based on the section entropy check, file is possibly packed | Clean
Timestamp value suspicious | Suspicious
Header Checksum is zero | Suspicious
Entry point is outside the 1st (.code) section; binary is possibly packed | Clean
Optional Header NumberOfRvaAndSizes field is valued illegal | Clean
Anti-VM present | Clean
The SizeOfRawData is valued illegal; binary might crash your disassembler/debugger | Suspicious
TLS callback functions array detected | Clean
Dynamic Analysis

Dynamic Analysis Overall Verdict | Result
---|---
No Threat Found | No Threat Found

Suspicious Behaviors
---|
Creates a child process
Creates file in a system directory
Writes to address space of another process
Uses a function clandestinely
Reads memory of another process
Opens a file in a system directory
Behavioral Information
C:\Users\win7\AppData\Local\Temp\is-AB80H.tmp\rutamapainstaller.tmp
C:\Windows\SysWOW64\taskkill.exe
C:\Windows\SysWOW64\ieframe.dll
C:\Windows\system32\PROPSYS.dll
C:\Windows\syswow64\MSCTF.dll
C:\Windows\syswow64\USER32.dll
.exe
program
file
ProcessID
EnablePrivateObjectHeap
Plane4
Plane5
Plane6
Plane7
Plane1
Plane2
Plane3
Plane8
Plane9
RegisteredOrganization
DisableSecuritySettingsCheck
ObjectLimit
Disable
IdentifierLimit
ContextLimit
DataFilePath
SystemSetupInProgress
FrameTabWindow
EnablePunycode
PendingFileRenameOperations2
Plane16
Plane14
Plane15
Plane12
Plane13
Plane10
Plane11
RegisteredOwner
TabProcGrowth
FrameMerging
CreateUriCacheSize
SpecialFoldersCacheSize
SessionMerging
PendingFileRenameOperations
AdminTabProcs
{"dwCreationDisposition": "2", "path": "C:\\Windows\\SysWOW64\\is-J8HCT.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "3", "path": "C:\\Windows", "dwDesiredAccess": "100081", "dwShareMode": "7"}
{"dwCreationDisposition": "2", "path": "C:\\Windows\\SysWOW64\\is-RHB16.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "2", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\is-N24BO.tmp\\_isetup\\_setup64.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "3", "path": "C:\\Windows\\System32", "dwDesiredAccess": "100081", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "C:\\Windows\\Fonts\\staticcache.dat", "dwDesiredAccess": "80000000", "dwShareMode": "5"}
{"dwCreationDisposition": "1", "path": "C:\\Program Files\\RutaMapaInstaller\\unins000.dat", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "3", "path": "\\??\\C:\\Windows\\SysWOW64\\ieframe.dll", "dwDesiredAccess": "80", "dwShareMode": "7"}
{"dwCreationDisposition": "2", "path": "C:\\Program Files\\RutaMapaInstaller\\is-NOL4O.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "2", "path": "C:\\Windows\\system32\\is-5EE66.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "3", "path": "C:\\Windows\\SysWOW64\\atl110.dll", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"dwCreationDisposition": "3", "path": "C:\\rutamapainstaller.exe", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"dwCreationDisposition": "2", "path": "C:\\Program Files\\RutaMapaInstaller\\is-MENPA.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "2", "path": "C:\\Windows\\SysWOW64\\is-NATN8.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\is-AB80H.tmp\\rutamapainstaller.tmp", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000008.db", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"dwCreationDisposition": "3", "path": "C:\\Windows\\System32\\taskkill.exe", "dwDesiredAccess": "20000", "dwShareMode": "3"}
{"dwCreationDisposition": "3", "path": "C:\\Program Files\\RutaMapaInstaller\\settings.ini", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"dwCreationDisposition": "2", "path": "C:\\Program Files\\RutaMapaInstaller\\is-L8R07.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "2", "path": "C:\\Program Files\\RutaMapaInstaller\\x64\\is-T5E88.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "3", "path": "C:\\", "dwDesiredAccess": "100081", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "C:\\Windows\\SysWOW64\\vcruntime140.dll", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"dwCreationDisposition": "2", "path": "C:\\Program Files\\RutaMapaInstaller\\x64\\is-8LCIO.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "3", "path": "C:\\Windows\\system32\\rsaenh.dll", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "dwDesiredAccess": "80000000", "dwShareMode": "3"}
{"dwCreationDisposition": "2", "path": "C:\\Windows\\system32\\is-ULVKT.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software"}
{"hKey": "1a8", "phkResult": "0", "lpSubKey": "FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001"}
{"hKey": "1a8", "phkResult": "0", "lpSubKey": "FEATURE_PROTOCOL_LOCKDOWN"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"}
{"hKey": "1a8", "phkResult": "0", "lpSubKey": "FEATURE_LOCALMACHINE_LOCKDOWN"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{B55B479C-5CA9-41BD-9611-24BD3F9C39EA}_is1"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software"}
{"hKey": "1a8", "phkResult": "0", "lpSubKey": "FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SYSTEM\\CurrentControlSet\\Control\\Session Manager"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "1a8", "phkResult": "0", "lpSubKey": "FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"}
{"hKey": "13c", "phkResult": "0", "lpSubKey": "Tahoma"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "System\\Setup"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\WBEM\\CIMOM"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies"}
{"hKey": "238", "phkResult": "0", "lpSubKey": "Microsoft\\Internet Explorer\\Security"}
{"hKey": "1a8", "phkResult": "0", "lpSubKey": "FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "13c", "phkResult": "0", "lpSubKey": "Verdana"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "234", "phkResult": "0", "lpSubKey": "Microsoft\\Internet Explorer\\Security"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"}
{"hKey": "1a8", "phkResult": "0", "lpSubKey": "FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915"}
{"hKey": "174", "phkResult": "0", "lpSubKey": "Tahoma"}
{"hKey": "13c", "phkResult": "0", "lpSubKey": "MS Sans Serif"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{B55B479C-5CA9-41BD-9611-24BD3F9C39EA}_is1"}
<NULL>
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
DefaultTabtip-MainUI
"C:\Windows\System32\taskkill.exe" /f /im iexplore.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\RutaMapaInstaller\BHO.dll"
API-MS-Win-Security-LSALookup-L1-1-0.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
C:\Windows\system32\Winsta.dll
C:\Windows\SysWOW64\taskkill.exe
ADVAPI32.dll
CRYPTBASE.dll
OLEAUT32.dll
ole32.dll
comctl32.dll
C:\Windows\system32\shfolder.dll
C:\Windows\system32\shell32.dll
UxTheme.dll
IMM32.dll
C:\Windows\system32\imageres.dll
C:\Windows\system32\shlwapi.dll
propsys.dll
C:\Windows\SysWOW64\ieframe.dll
kernel32.dll
SHELL32.dll
ntmarta.dll
advapi32.dll
Secur32.dll
API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0.DLL
SspiCli.dll
OLEAUT32.DLL
ntdll.dll
C:\Windows\system32\sfc.dll
SETUPAPI.dll
DEVRTL.dll
imageres.dll
Precise Detectors Analysis Results

Detector Name | Date | Verdict | Reason
---|---|---|---
Static Precise Adware Prepscram 1 | 2017-09-01 20:56:03.436158 | No Match | No match.
Static Precise Trojan Cryptor Detector 1 | 2017-09-01 20:56:03.452157 | No Match | No match.
Yara Rule Static Malware Detector | 2017-09-01 20:56:03.487096 | No Match | No match.
Static Precise PUA Detector 1 | 2017-09-01 20:56:03.483717 | No Match | NotDetected
Static Precise Virus Detector | 2017-09-01 20:56:03.470858 | No Match | NotDetected
Static Precise Trojan Detector | 2017-09-01 20:56:03.483582 | No Match | NotDetected
Static Precise PUA Detector 2 | 2017-09-01 20:56:03.488284 | No Match | No match.
Static Precise PUA Detector 3 | 2017-09-01 20:56:03.499821 | No Match | No match.
Static Precise Virus Hezhi Detector | 2017-09-01 20:56:03.581545 | No Match | No match.
Ransomware Chunk Detector | 2017-09-01 20:56:07.785682 | No Match | No match.
Static Precise Virus Detector 2 | 2017-09-01 20:56:03.487519 | No Match | NotDetected
Static Precise Trojan Detector 2 | 2017-09-01 20:56:03.494708 | No Match | NotDetected
Static Precise Trojan Detector 3 | 2017-09-01 20:56:03.501845 | No Match | NotDetected
Static Precise Adware InstallCore Detector 1 | 2017-09-01 20:56:03.511840 | No Match | NotDetected
Static Precise Trojan Generic Cryptor Detector 1 | 2017-09-01 20:56:03.502658 | No Match | NotDetected
Static Precise MD5 Detector | 2017-09-01 20:56:03.999233 | No Match | No match.
Malicious Url Detector | 2017-09-01 20:57:28.488371 | No Match | No match.
Advanced Heuristics

No Advanced Heuristic Analysis Result Received
Additional File Information

Property | Value
---|---

Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
---|---|---|---|---|---