File Name:   Purchase-Order.exe
SHA1:   b52b6f9644e2c47e7026f6e42e47bbcdf5e65936
MD5:   22fd9178159e556d3f9a75988673dcc6
First Seen Date:  2017-01-03 11:38:09.374136
Number of Clients Seen:   3
Last Analysis Date:  2017-01-03 11:38:09.374136
Human Expert Analysis Result:   No human expert analysis verdict given to this sample yet.
Analysis Summary
Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2017-01-03 11:38:09.374136 | Malware
Static Analysis Overall Verdict | 2017-01-03 11:38:09.374136 | Highly Suspicious
Dynamic Analysis Overall Verdict | 2017-01-03 11:38:09.374136 | Highly Suspicious
Static Analysis
Static Analysis Overall Verdict:   Highly Suspicious
Detector | Result
---|---
Optional Header LoaderFlags field has an illegal value | Clean
Non-ASCII or empty section names detected | Clean
Illegal size of Optional Header | Clean
Packer detection on signature database | Unknown
Based on the section entropy check, file is possibly packed | Suspicious
Timestamp value suspicious | Clean
Header Checksum is zero | Suspicious
Entry point is outside the first (.code) section; binary is possibly packed | Clean
Optional Header NumberOfRvaAndSizes field has an illegal value | Clean
Anti-VM present | Clean
SizeOfRawData has an illegal value; binary might crash your disassembler/debugger | Clean
TLS callback functions array detected | Clean
Packer detection on signature database
Microsoft Visual C# / Basic .NET
.NET executable
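The two static detectors that fired above (high section entropy and a zero header CheckSum) are simple to reproduce, and reproducing them shows why each is only weak evidence on its own: a managed .NET image with large embedded resources can score high entropy without a packer, and Windows only validates the CheckSum field for drivers and boot-time images, so many legitimate user-mode binaries ship with it set to zero. The following Python is an added example, not code from the analysis platform; the 7.0 bits-per-byte threshold and the constructed inputs are assumptions, and the CheckSum routine follows the documented CheckSumMappedFile algorithm (in a real image the field sits at e_lfanew + 0x58).

```python
"""Re-implementation of two static triage checks from the report (added example).
Assumptions: entropy threshold of 7.0 bits/byte; constructed inputs below."""
import math
import struct
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """PE CheckSum over the whole file, as documented for CheckSumMappedFile:
    sum of all little-endian dwords except the CheckSum field with end-around
    carry, folded to 16 bits, plus the file length. For a real PE32/PE32+ image
    checksum_offset is e_lfanew + 0x58."""
    total = 0
    n = len(image)
    for off in range(0, n - (n % 4), 4):
        if off == checksum_offset:
            continue  # the field itself is excluded from the sum
        total += struct.unpack_from("<I", image, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    if n % 4:  # trailing bytes are zero-padded to a full dword
        tail = image[n - (n % 4):] + b"\x00" * (4 - n % 4)
        total += struct.unpack("<I", tail)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + n


def static_flags(sections: Dict[str, bytes], header_checksum: int,
                 entropy_threshold: float = 7.0) -> List[str]:
    """Mirror of the two report rows: returns the detector messages that fire."""
    flags = []
    packed = [name for name, data in sections.items()
              if shannon_entropy(data) > entropy_threshold]
    if packed:
        flags.append("possibly packed (high-entropy sections: %s)" % ", ".join(packed))
    if header_checksum == 0:
        flags.append("Header Checksum is zero")
    return flags


# Constructed inputs (not taken from the sample): one uniformly distributed
# section, one constant section, and a 16-byte stand-in "image" whose
# CheckSum field is assumed to live at offset 8.
SAMPLE_SECTIONS = {".text": bytes(range(256)) * 4, ".rsrc": b"\x00" * 1024}
SAMPLE_IMAGE = b"\x01\x00\x00\x00" * 4

if __name__ == "__main__":
    for name, data in SAMPLE_SECTIONS.items():
        print("%-6s entropy=%.3f" % (name, shannon_entropy(data)))
    print("stand-in image checksum:", pe_checksum(SAMPLE_IMAGE, 8))
    print("flags:", static_flags(SAMPLE_SECTIONS, header_checksum=0))
```

Run `pe_checksum` over a real file and compare with the header value; a mismatch (rather than a zero) is the stronger signal, since it means the header was edited after linking.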
Dynamic Analysis
Dynamic Analysis Overall Verdict:   Highly Suspicious
Suspicious Behaviors |
---|
Opens a file in a system directory |
Modifies Windows Service Keys |
Has no visible windows |
Uses a function clandestinely |
Behavioral Information
Global\CLR_CASOFF_MUTEX
Global\.net clr networking
C:\Purchase-Order.exe
C:\Windows\SYSTEM32\MSCOREE.DLL
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
file
InstallRoot
CLRLoadLogDir
OnlyUseLatestCLR
GCStressStart
GCStressStartAtJit
DisableConfigCache
CacheLocation
DownloadCacheQuotaInKB
EnableLog
LoggingLevel
ForceLog
LogFailures
VersioningLog
LogResourceBinds
UseLegacyIdentityFormat
DisableMSIPeek
NoClientChecks
DevOverrideEnable
LatestIndex
NIUsageMask
ILUsageMask
DisplayName
ConfigMask
ConfigString
MVID
EvalationData
Status
ILDependencies
NIDependencies
MissingDependencies
Modules
SIG
LastModTime
mscorlib
Latest
index1
LegacyPolicyTimeStamp
Microsoft.VisualBasic
System
System.Xml
System.Configuration
System.Web
System.Management
System.Runtime.Remoting
System.Deployment
System.Drawing
System.Windows.Forms
System.Runtime.Serialization.Formatters.Soap
Accessibility
System.Security
Debugger
Microsoft.JScript
System.Configuration.Install
ProcessID
EnablePrivateObjectHeap
ContextLimit
ObjectLimit
IdentifierLimit
DbgJITDebugLaunchSetting
DbgManagedDebugger
InstallationType
System.Data.SqlXml
Library
IsMultiInstance
First Counter
CategoryOptions
FileMappingSize
Counter Names
LegacyWPADSupport
sYearMonth
ProductName
Software\Microsoft\Fusion\GACChangeNotification\Default
rstrui.exe
AvastSvc.exe
avconfig.exe
AvastUI.exe
avscan.exe
instup.exe
mbam.exe
mbamgui.exe
mbampt.exe
mbamscheduler.exe
mbamservice.exe
hijackthis.exe
spybotsd.exe
ccuac.exe
avcenter.exe
avguard.exe
avgnt.exe
avgui.exe
avgcsrvx.exe
avgidsagent.exe
avgrsx.exe
avgwdsvc.exe
egui.exe
zlclient.exe
bdagent.exe
keyscrambler.exe
avp.exe
wireshark.exe
ComboFix.exe
MSASCui.exe
MpCmdRun.exe
msseces.exe
MsMpEng.exe
C:\Purchase-Order.exe.config
C:\Purchase-Order.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
C:\Users\win7\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\win7\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index1c2.dat
C:\Windows\system32\l_intl.nls
C:\Windows\assembly\pubpol1.dat
C:\Windows\system32\rsaenh.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Users\win7\AppData\Local\Temp\2f95c97d-2596-ca72-ebaf-2ff3c86f1166
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config
\\.\Nsi
Software\Microsoft\.NETFramework\Policy\
v2.0
Software\Microsoft\.NETFramework
Upgrades
Standards
AppPatch
Software\Microsoft\.NETFramework\Policy\Standards
v2.0.50727
Software\Microsoft\Fusion
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Purchase-Order.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
Internet
LocalIntranet
Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3979321414-2393373014-2172761192-1000
Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
index1c2
NI\181938c6\7950e2c5
NI\181938c6\7950e2c5\16
IL\7950e2c5\4b5f28af\5f
NI\467fbfe8\397c31e8
Software\Microsoft\StrongName
Software\Microsoft\Fusion\PublisherPolicy\Default
policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
NI\1c22df2f\4f99a7c9
NI\1c22df2f\4f99a7c9\66
IL\c991064\5086dba8\51
IL\6dc7d4c0\c47ad54\56
IL\3ced59c5\48d69eb2\54
IL\f6e8397\628bc3e2\47
IL\2b1a4e4\3822b536\f
IL\24bf93f6\708deaf7\46
IL\4f99a7c9\191b956f\66
NI\30bc7c4f\3f50fe4f\18
IL\424bd4d8\324708cb\5c
IL\19ab8d57\c91dbb2\5e
IL\3f50fe4f\265c633d\60
policy.2.0.System__b77a5c561934e089
policy.2.0.System.Xml__b77a5c561934e089
policy.2.0.System.Configuration__b03f5f7f11d50a3a
policy.2.0.System.Web__b03f5f7f11d50a3a
policy.2.0.System.Management__b03f5f7f11d50a3a
policy.2.0.System.Runtime.Remoting__b77a5c561934e089
policy.2.0.System.Deployment__b03f5f7f11d50a3a
policy.2.0.System.Drawing__b03f5f7f11d50a3a
policy.2.0.System.Windows.Forms__b77a5c561934e089
SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
NI\61e7e666\c991064
NI\61e7e666\c991064\a
IL\475dce40\1c022996\5b
IL\2dd6ac50\553abeb3\58
IL\41c04c7e\4bf62c79\50
NI\3cca06a0\6dc7d4c0\b
policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
policy.2.0.Accessibility__b03f5f7f11d50a3a
policy.2.0.System.Security__b03f5f7f11d50a3a
rstrui.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
<NULL>
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
AvastSvc.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe
avconfig.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe
AvastUI.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe
avscan.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe
instup.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe
mbam.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
mbamgui.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe
mbampt.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe
mbamscheduler.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe
mbamservice.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe
hijackthis.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
spybotsd.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
ccuac.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe
avcenter.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe
avguard.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe
avgnt.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe
avgui.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe
avgcsrvx.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe
avgidsagent.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe
avgrsx.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe
avgwdsvc.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe
egui.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
zlclient.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe
bdagent.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe
keyscrambler.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
wireshark.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe
ComboFix.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe
MSASCui.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
MpCmdRun.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
msseces.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
MsMpEng.exe
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe
NI\5a8de2c3\2b1a4e4
NI\5a8de2c3\2b1a4e4\57
IL\73843e06\61f4f6f6\3e
IL\141dfd70\41a2a33b\d
policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a
policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a
Software\Microsoft\WBEM\CIMOM
Software\Microsoft\Windows NT\CurrentVersion
NI\159a66b8\424bd4d8
NI\159a66b8\424bd4d8\17
NI\6faf58\19ab8d57
NI\6faf58\19ab8d57\15
IL\75638fee\27002c8f\5a
policy.2.0.System.Data.SqlXml__b77a5c561934e089
SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\.NETFramework
System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
Control Panel\International
SOFTWARE\Microsoft\Windows NT\CurrentVersion
<NULL>
c5cca1fe-71eb-4da3-a219-68acb20e45ee
Global\.net clr networking
RasPbFile
ADVAPI32.dll
SHLWAPI.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
mscoree.dll
ntdll
advapi32.dll
shell32.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
ole32.dll
kernel32.dll
AdvApi32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\908ba9e296e92b4e14bdc2437edac603\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\12dc10e5c0e8d176cf21a16a6fc5fc3b\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5a401fd2a7689ff13fb54182953f9c40\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6949c4470a81970ec3de0a575d93babc\System.Windows.Forms.ni.dll
C:\Purchase-Order.exe
CRYPTSP.dll
CRYPTBASE.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll
bcrypt.dll
ntmarta.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\99cdfef98595ed91f14936cf52a49c54\System.Management.ni.dll
API-MS-Win-Security-LSALookup-L1-1-0.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
OLEAUT32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\oleaut32.dll
oleaut32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\OLEAUT32.dll
gdi32.dll
user32.dll
SspiCli.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ws2_32.dll
ws2_32.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\007fc007edc388d9806dff94ee04f129\System.Configuration.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d49908aa93a23c84847b1f8b1b667860\System.Xml.ni.dll
API-MS-Win-Security-SDDL-L1-1-0.dll
WS2_32.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\rasapi32.dll
rasapi32.dll
RASMAN.DLL
rtutils.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
API-MS-WIN-Service-Management-L1-1-0.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\winhttp.dll
winhttp.dll
RPCRT4.dll
IPHLPAPI.DLL
ntdll.dll
NSI.dll
CFGMGR32.dll
API-MS-WIN-Service-Management-L2-1-0.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\iphlpapi.dll
iphlpapi.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2072.1353843
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2072.1353843
C:\Users\win7\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2072.1353859
OpenProcess
OpenProcessW
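The most actionable entries in the behavioral data above are the Image File Execution Options keys, one per security-product or analysis-tool process name (rstrui.exe, AvastSvc.exe, mbam.exe, avp.exe, wireshark.exe, MsMpEng.exe and the rest). An IFEO subkey carrying a Debugger value makes Windows start the named "debugger" in place of the target image, a long-standing way to keep AV and analysis tools from launching. The report records only the key paths, not any values written, so the value-level check has to be done on the host. The following Python is an added example, not output of this analysis platform: it classifies registry key paths in the report's own format and, for a live-host snapshot, flags Debugger values. The snapshot contents and the key list are constructed; the IFEO access for Purchase-Order.exe itself is the loader's normal per-image lookup and is kept in a separate bucket.

```python
"""Triage helper for the IFEO activity in this report (added example).
Assumptions: the image-name list is copied from the report's behavioral
section; SAMPLE_KEYS and SAMPLE_IFEO_VALUES are constructed, not observed."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Process names the sample touched under IFEO, taken from the report above.
SECURITY_TOOL_IMAGES = {
    "rstrui.exe", "avastsvc.exe", "avconfig.exe", "avastui.exe", "avscan.exe",
    "instup.exe", "mbam.exe", "mbamgui.exe", "mbampt.exe", "mbamscheduler.exe",
    "mbamservice.exe", "hijackthis.exe", "spybotsd.exe", "ccuac.exe",
    "avcenter.exe", "avguard.exe", "avgnt.exe", "avgui.exe", "avgcsrvx.exe",
    "avgidsagent.exe", "avgrsx.exe", "avgwdsvc.exe", "egui.exe", "zlclient.exe",
    "bdagent.exe", "keyscrambler.exe", "avp.exe", "wireshark.exe",
    "combofix.exe", "msascui.exe", "mpcmdrun.exe", "msseces.exe", "msmpeng.exe",
}

# Matches an IFEO per-image subkey, with or without the hive prefix.
IFEO_KEY = re.compile(
    r"^(?:HK(?:LM|EY_LOCAL_MACHINE)\\)?SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Image File Execution Options\\([^\\]+\.exe)$",
    re.IGNORECASE,
)


def ifeo_target(key_path: str) -> Optional[str]:
    """Image name an IFEO subkey path targets (lower-cased), or None."""
    m = IFEO_KEY.match(key_path.strip())
    return m.group(1).lower() if m else None


def flag_ifeo_keys(key_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Split IFEO subkey accesses into security-tool targets and other targets.
    A process reading its own IFEO key (here Purchase-Order.exe) is normal
    loader behaviour and lands in 'other'."""
    hits, others = set(), set()
    for path in key_paths:
        target = ifeo_target(path)
        if target is None:
            continue
        (hits if target in SECURITY_TOOL_IMAGES else others).add(target)
    return {"security_tools": sorted(hits), "other": sorted(others)}


def debugger_hijacks(ifeo_values: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, bool]]:
    """Live-host check: given IFEO subkey -> {value name: data}, return
    (image, debugger, is_security_tool) for every subkey with a Debugger value.
    A Debugger value on a security tool's key is a hijack indicator regardless
    of what it points at."""
    found = []
    for image, values in ifeo_values.items():
        for name, data in values.items():
            if name.lower() == "debugger":
                found.append((image.lower(), data, image.lower() in SECURITY_TOOL_IMAGES))
    return sorted(found)


# Constructed key list in the report's format: three IFEO subkeys, the IFEO
# root key (no target), and an unrelated .NET policy key.
SAMPLE_KEYS = [
    r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Purchase-Order.exe",
    r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe",
    r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe",
    r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"Software\Microsoft\.NETFramework\Policy\Standards",
]

# Constructed (hypothetical) live-host snapshot; not values from the report.
SAMPLE_IFEO_VALUES = {
    "MsMpEng.exe": {"Debugger": r"C:\Windows\System32\svchost.exe"},
    "notepad.exe": {"GlobalFlag": "0x2"},
}

if __name__ == "__main__":
    print(flag_ifeo_keys(SAMPLE_KEYS))
    for image, debugger, is_tool in debugger_hijacks(SAMPLE_IFEO_VALUES):
        print("IFEO Debugger on %s -> %s (security tool: %s)" % (image, debugger, is_tool))
```

On a host, feed `debugger_hijacks` the subkeys of `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` (and the WOW6432Node copy on 64-bit systems); any Debugger value on one of the names in this report's list should be treated as tampering until proven otherwise.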
Precise Detectors Analysis Results
No Detector Result Received
Advanced Heuristics
No Advanced Heuristic Analysis Result Received
Additional File Information
Property | Value
---|---
Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
---|---|---|---|---|---