File Name:   Syberia_3_Patch_Fix_K964HU.exe
SHA1:   d450d8d713a07381fb7a3bc5ae7e339d2323dc62
MD5:   ba0e30217ce63eecf1321461c9070cad
First Seen Date:  2017-11-01 04:50:02.844560
Number of Clients Seen:   5
Last Analysis Date:  2017-11-03 05:12:01.444215
Human Expert Analysis Result:   No human expert analysis verdict given to this sample yet.
Analysis Summary
Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2018-11-06 09:19:26.500592 | Malware
Static Analysis Overall Verdict | 2017-11-03 05:12:01.444215 | No Threat Found
Precise Detectors Overall Verdict | 2017-11-03 05:12:01.444215 | No Match
Static Analysis
Static Analysis Overall Verdict: No Threat Found
Detector | Result
---|---
Optional Header LoaderFlags field has an illegal value | Clean
Non-ASCII or empty section names detected | Clean
Illegal size of Optional Header | Clean
Packer detection on signature database | Unknown
Section entropy check: file is possibly packed | Clean
Timestamp value suspicious | Suspicious
Header Checksum is zero | Clean
Entry point is outside the first (.code) section; binary is possibly packed | Clean
Optional Header NumberOfRvaAndSizes field has an illegal value | Clean
Anti-VM present | Clean
SizeOfRawData has an illegal value; binary might crash your disassembler/debugger | Suspicious
TLS callback functions array detected | Clean
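The detector names in the table above are the standard PE-header sanity checks that static triage runs before any signature match. The following stand-alone Python is an added example, not the analyzer's own code: it evaluates the same checks with only the standard library and runs them over a constructed minimal PE32 fixture, once well-formed and once with the two defects this sample tripped, a link timestamp outside the plausible range and a SizeOfRawData that runs past the end of the file. The 1990 cutoff, the 7.0 entropy bound and the fixture's dummy checksum are this example's own choices; the fixed Delphi link time 0x2A425E19 (1992-06-19) is included because the trace's `Software\Borland\Delphi\Locales` lookups mark this sample as Delphi-built, which is the usual reason a timestamp detector fires on an Inno Setup installer.

```python
"""Static PE header heuristics of the kind listed above (added example, not the analyzer's code)."""
import math
import struct
import time

PE32PLUS_MAGIC = 0x20B
TLS_DIR = 9               # IMAGE_DIRECTORY_ENTRY_TLS
EPOCH_1990 = 631152000    # link times before this, zero, or in the future look forged
DELPHI_STAMP = 0x2A425E19  # fixed TimeDateStamp written by Delphi compilers (1992-06-19)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; above ~7.0 a section is usually packed or encrypted."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Pull the file header, optional header and section table out of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    fh = e_lfanew + 4
    _machine, nsec, timestamp, _, _, size_opt, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20
    plus = struct.unpack_from("<H", data, oh)[0] == PE32PLUS_MAGIC
    entry = struct.unpack_from("<I", data, oh + 16)[0]
    file_align = struct.unpack_from("<I", data, oh + 36)[0]
    checksum = struct.unpack_from("<I", data, oh + 64)[0]
    lf_off = oh + (104 if plus else 88)  # stack/heap size fields before LoaderFlags are 8 bytes in PE32+
    loader_flags, n_rva = struct.unpack_from("<II", data, lf_off)
    dirs = [struct.unpack_from("<II", data, lf_off + 8 + 8 * i) for i in range(min(n_rva, 16))]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, oh + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "data": data[rawptr:rawptr + rawsize]})
    return {"plus": plus, "timestamp": timestamp, "size_opt": size_opt, "entry": entry,
            "file_align": file_align, "checksum": checksum, "loader_flags": loader_flags,
            "n_rva": n_rva, "dirs": dirs, "sections": sections, "file_size": len(data)}


def verdict(cond: bool) -> str:
    return "Suspicious" if cond else "Clean"


def check_headers(pe: dict, now: int) -> dict:
    """Evaluate the header heuristics; keys mirror the detector names in the report."""
    secs, first, ts = pe["sections"], pe["sections"][0], pe["timestamp"]
    return {
        "LoaderFlags illegal": verdict(pe["loader_flags"] != 0),
        "SizeOfOptionalHeader illegal": verdict(pe["size_opt"] != (0xF0 if pe["plus"] else 0xE0)),
        "NumberOfRvaAndSizes illegal": verdict(pe["n_rva"] != 16),
        "Header checksum is zero": verdict(pe["checksum"] == 0),
        "Timestamp suspicious": verdict(ts == 0 or ts < EPOCH_1990 or ts > now or ts == DELPHI_STAMP),
        "Non-ASCII or empty section names": verdict(any(
            not s["name"] or any(not 0x20 <= b <= 0x7E for b in s["name"]) for s in secs)),
        "Entry point outside first section": verdict(
            not first["va"] <= pe["entry"] < first["va"] + max(first["vsize"], first["rawsize"])),
        # raw data must sit inside the file and be FileAlignment-sized (0 is legal, e.g. .bss)
        "SizeOfRawData illegal": verdict(pe["file_align"] == 0 or any(
            s["rawptr"] + s["rawsize"] > pe["file_size"] or s["rawsize"] % pe["file_align"]
            for s in secs)),
        "High section entropy (possibly packed)": verdict(any(entropy(s["data"]) > 7.0 for s in secs)),
        # only proves a TLS directory exists; real callbacks need AddressOfCallBacks to be walked
        "TLS directory present": verdict(len(pe["dirs"]) > TLS_DIR and pe["dirs"][TLS_DIR][1] != 0),
    }


def report(data: bytes, now: int) -> dict:
    return check_headers(parse_pe(data), now)


# Constructed fixture: a minimal one-section PE32 that is not a runnable program.
PAYLOAD = bytes([0x55, 0x8B, 0xEC, 0xC3]) + b"\xCC" * 0x1FC  # push ebp; mov ebp,esp; ret; int3 padding


def build_sample_pe(timestamp: int, raw_size: int, payload: bytes = PAYLOAD) -> bytes:
    hdr_size = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200)                          # entry 0x1000, FileAlignment 0x200
    opt += struct.pack("<HHHHHHIIIIHHIIIIII", 6, 0, 0, 0, 6, 0, 0, 0x2000, hdr_size, 0x1234, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)       # 0x1234 = dummy non-zero checksum
    opt += b"\0" * (16 * 8)                                             # sixteen empty data directories
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, raw_size, hdr_size, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_hdr + opt + sec
    return headers + b"\0" * (hdr_size - len(headers)) + payload


if __name__ == "__main__":
    now = int(time.time())
    samples = {"well-formed": build_sample_pe(now - 86400, 0x200),
               "future timestamp, SizeOfRawData past EOF": build_sample_pe(now + 365 * 86400, 0x3000)}
    for label, blob in samples.items():
        print(label)
        for name, res in report(blob, now).items():
            print(f"  {name:42} {res}")
```

Two of the report's detectors are approximated here: "TLS callback functions array detected" is reduced to the presence of a TLS directory, and the checksum check only tests for zero instead of recomputing the PE checksum. "Packer detection on signature database" and "Anti-VM present" need a signature set that is not reproduced. Note also that these are triage heuristics, not verdicts: a Delphi timestamp and an oversized SizeOfRawData are exactly what a benign Inno Setup bootstrapper with its data appended looks like, which is why the report's overall static verdict stays at No Threat Found despite two Suspicious rows.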
Dynamic Analysis
Dynamic Analysis Overall Verdict: No Threat Found
Suspicious Behaviors: No suspicious activity found
Behavioral Information
WpadSearchAllDomains
WarnOnZoneCrossing
DnsCacheEntries
DuoProtocols
DisableReadRange
DisableKeepAlive
ScavengeCacheFileLimit
EnableNegotiate
ClientAuthBuiltInUI
CacheMode
EnforceP3PValidity
BadProxyExpiresTime
ConnectRetries
ServerInfoTimeout
ProxyHttp1.1
SqmHttpStreamRandomUploadPoolSize
HttpDefaultExpiryTimeSecs
ProxyEnable
WarnOnPostRedirect
SendExtraCRLF
WaitToKillServiceTimeout
RegisteredOrganization
ConnectTimeOut
CommonFilesDir
DisableBranchCache
AlwaysDrainOnRedirect
DnsCacheEnabled
ScavengeCacheLowerBound
DontUseDNSLoadBalancing
DisableBasicOverClearChannel
DisableNTLMPreAuth
EnableSpdyDebugAsserts
FrameTabWindow
CertCacheNoValidate
MaxHttpRedirects
ShareCredsWithWinHttp
IdnEnabled
SecureProtocols
DefaultConnectionSettings
SystemSetupInProgress
AutoProxyDetectType
LeashLegacyCookies
WarnAlwaysOnPost
AutoConfigURL
MaxConnectionsPer1_0Server
WpadOverride
PreConnectLimit
ScavengeCacheFileLifeTime
SavedLegacySettings
RegisteredOwner
UseFirstAvailable
MaxConnectionsPerProxy
FtpDefaultExpiryTimeSecs
FEATURE_CLIENTAUTHCERTFILTER
KeepAliveTimeout
MaxConnectionsPerServer
FrameMerging
TcpAutotuning
TabProcGrowth
SocketReceiveBufferLength
DisableFalseStartBlocklist
WarnOnBadCertRecving
EnableHttp1_1
WarnOnHTTPSToHTTPRedirect
SocketSendBufferLength
SendTimeOut
PreResolveLimit
ProxyOverride
ReceiveTimeOut
FromCacheTimeout
ProgramFilesDir
ProxyServer
WarnOnPost
SyncMode5
AutoDetect
AdminTabProcs
CombineFalseStartData
SessionMerging
DnsCacheTimeout
RegCloseKey(114)
RegCloseKey() -> 0
RegCloseKey(120)
RegCloseKey(144)
RegCloseKey(150)
RegCloseKey(14c)
RegCloseKey(228)
RegCloseKey(244)
RegCloseKey(260)
RegCloseKey(264)
RegCloseKey(268)
RegCloseKey(26c)
RegCloseKey(274)
RegCloseKey(2a4)
RegCloseKey(29c)
RegCloseKey(2b4)
C:\Windows\system32\ole32.dll
C:\Windows\syswow64\MSCTF.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\system32\shell32.dll
ADVAPI32.dll
ole32.dll
comctl32.dll
C:\Windows\system32\shfolder.dll
C:\Windows\system32\Rstrtmgr.dll
C:\Windows\SysWOW64\bcryptprimitives.dll
C:\Users\win7\AppData\Local\Temp\is-4GURE.tmp\license.key
C:\Users\win7\AppData\Local\Temp\is-4GURE.tmp\license.ENU
C:\Users\win7\AppData\Local\Temp\is-4GURE.tmp\license.EN
ws2_32.dll
API-MS-Win-Security-SDDL-L1-1-0.dll
WS2_32.dll
kernel32.dll
ntdll.dll
Secur32.dll
SHELL32.dll
api-ms-win-downlevel-advapi32-l2-1-0.dll
api-ms-win-downlevel-ole32-l1-1-0.dll
winhttp.dll
IPHLPAPI.DLL
api-ms-win-downlevel-shlwapi-l2-1-0.dll
OLEAUT32.DLL
{"dwCreationDisposition": "2", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\is-4GURE.tmp\\license.key", "dwDesiredAccess": "40000000", "dwShareMode": "0"}
{"dwCreationDisposition": "2", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\is-4GURE.tmp\\_isetup\\_setup64.tmp", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "3", "path": "C:\\Syberia_3_Patch_Fix_K964HU.exe", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"dwCreationDisposition": "2", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\is-4GURE.tmp\\KAV2.dll", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "4", "path": "C:\\Users\\win7\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\counters.dat", "dwDesiredAccess": "c0000000", "dwShareMode": "3"}
{"dwCreationDisposition": "3", "path": "\\\\.\\Nsi", "dwDesiredAccess": "0", "dwShareMode": "3"}
RegSetValueExW(150,Owner,0,3,5b55c0,c)
RegSetValueExW(,,,,,) -> 0
RegSetValueExW(150,SessionHash,0,3,5b6160,20)
RegSetValueExW(14c,Sequence,0,4,18fe24,4)
RegSetValueExW(2a4,ProxyEnable,0,4,18de30,4)
RegSetValueExW(29c,SavedLegacySettings,0,3,5f1b68,b8)
{"lDistanceToMove": "e330", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "18fba8", "hFile": "154"}
{"lDistanceToMove": "0", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "17f9ec", "hFile": "14c"}
{"lDistanceToMove": "0", "dwMoveMethod": "1", "lpDistanceToMoveHigh": "18fe74", "hFile": "114"}
{"lDistanceToMove": "22229", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "18fe80", "hFile": "114"}
{"lDistanceToMove": "32200", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "17f9f8", "hFile": "14c"}
{"lDistanceToMove": "23eab", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "18fe64", "hFile": "114"}
{"lDistanceToMove": "23e60", "dwMoveMethod": "0", "lpDistanceToMoveHigh": "18fe64", "hFile": "114"}
{"lDistanceToMove": "0", "dwMoveMethod": "1", "lpDistanceToMoveHigh": "18fe7c", "hFile": "114"}
150
144
2b4
244
264
29c
120
114
2a4
260
274
14c
26c
228
268
Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Inno
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\RestartManager"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "System\\CurrentControlSet\\Control"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "System\\Setup"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Borland\\Locales"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "RETRY_HEADERONLYPOST_ONCONNECTIONRESET"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_USE_CNAME_FOR_SPN_KB911149"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Borland\\Delphi\\Locales"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_BUFFERBREAKING_818408"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_MIME_HANDLING"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Borland\\Locales"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_DIGEST_NO_EXTRAS_IN_URI"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_SCH_SEND_AUX_RECORD_KB_2618444"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_INCLUDE_PORT_IN_SPN_KB908209"}
{"hKey": "240", "phkResult": "0", "lpSubKey": "FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477"}
Local\MSCTF.Asm.MutexDefault1
{"nNumberOfBytesToWrite": "2200", "lpOverlapped": "0", "lpBuffer": "17fa38", "lpNumberOfBytesWritten": "17f9ec", "hFile": "14c"}
{"nNumberOfBytesToWrite": "1800", "lpOverlapped": "0", "lpBuffer": "4b2ac4", "lpNumberOfBytesWritten": "18fdb8", "hFile": "120"}
{"nNumberOfBytesToWrite": "10000", "lpOverlapped": "0", "lpBuffer": "17fa38", "lpNumberOfBytesWritten": "17f9ec", "hFile": "14c"}
C:\Users\win7\AppData\Local\Temp\is-7S6K8.tmp\Syberia_3_Patch_Fix_K964HU.tmp
C:\Users\win7\AppData\Local\Temp\is-4GURE.tmp\license.key
C:\Windows\syswow64\MSCTF.dll
C:\Windows\syswow64\USER32.dll
{"Reserved": "0", "hKey": "150", "lpData": "5b55c0", "dwType": "3", "lpValueName": "Owner", "cbData": "c"}
{"Reserved": "0", "hKey": "150", "lpData": "5b6160", "dwType": "3", "lpValueName": "SessionHash", "cbData": "20"}
{"Reserved": "0", "hKey": "2a4", "lpData": "18de30", "dwType": "4", "lpValueName": "ProxyEnable", "cbData": "4"}
{"Reserved": "0", "hKey": "29c", "lpData": "5f1b68", "dwType": "3", "lpValueName": "SavedLegacySettings", "cbData": "b8"}
{"Reserved": "0", "hKey": "14c", "lpData": "18fe24", "dwType": "4", "lpValueName": "Sequence", "cbData": "4"}
{"h_key": "80000001", "samDesired": "1", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18de34", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"}
{"h_key": "80000001", "samDesired": "2001f", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "18fde8", "dwOptions": "1", "lpClass": "<NULL>", "phkResult": "18fdec", "lpSubKey": "Software\\Microsoft\\RestartManager\\Session0000"}
{"h_key": "80000001", "samDesired": "1", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18dd14", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"}
{"h_key": "80000001", "samDesired": "2001f", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "18fdf8", "dwOptions": "1", "lpClass": "<NULL>", "phkResult": "18fdfc", "lpSubKey": "Software\\Microsoft\\RestartManager\\Session0000"}
{"h_key": "80000001", "samDesired": "2001f", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "18de38", "dwOptions": "0", "lpClass": "<NULL>", "phkResult": "18de3c", "lpSubKey": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"h_key": "80000001", "samDesired": "2001f", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "18fdc8", "dwOptions": "1", "lpClass": "<NULL>", "phkResult": "18fddc", "lpSubKey": "Software\\Microsoft\\RestartManager\\Session0000"}
{"h_key": "80000001", "samDesired": "2", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18ddd4", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"}
{"h_key": "80000001", "samDesired": "1", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18dd7c", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"}
{"h_key": "80000001", "samDesired": "1", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18de18", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"}
{"h_key": "80000001", "samDesired": "20006", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18de34", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
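The trace records above print every numeric argument as bare hex and leave the Win32 constants for the reader to look up, so the security-relevant content (which paths were opened for writing, which registry keys were created with write rights, what value types were set) is easy to miss. The decoder below is an added example, not the sandbox's or the sample's code: it classifies each JSON record by the argument names it carries (an assumption about this trace format) and expands the access masks, dispositions, root keys and value types using the standard Win32 constants. The records fed to it are copied verbatim from the trace above. Read together, the `is-4GURE.tmp` folder, the `_isetup\_setup64.tmp` helper, the `Inno` mutex and the `Software\Borland\Delphi\Locales` lookups are the usual footprint of an Inno Setup installer, and the two GENERIC_WRITE opens in that folder (license.key and KAV2.dll) are the files it actually dropped; winhttp.dll and ws2_32.dll are loaded and the proxy settings are read and rewritten, but the trace records no connection.

```python
"""Decode the sandbox's raw Win32 API-trace records (added example, not the sandbox's own code)."""
import json

GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
ROOT_KEYS = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


def bits(value: int, table: dict) -> list:
    """Expand a flag word into the names of the bits it contains (unknown bits kept as hex)."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names


def decode(line: str) -> dict:
    """Classify one JSON trace record by its argument names and decode its numeric fields."""
    rec = json.loads(line)

    def h(key: str) -> int:  # the trace prints every number as bare hex, e.g. "c0000000"
        return int(rec[key], 16)

    if "dwCreationDisposition" in rec:  # CreateFile
        return {"api": "CreateFile", "path": rec["path"],
                "access": bits(h("dwDesiredAccess"), GENERIC),
                "disposition": DISPOSITION.get(h("dwCreationDisposition"), "?"),
                "share": bits(h("dwShareMode"), SHARE)}
    if "h_key" in rec:  # RegCreateKeyEx: carries samDesired and dwOptions
        root = ROOT_KEYS.get(h("h_key"), f"handle:{rec['h_key']}")
        return {"api": "RegCreateKeyEx", "path": root + "\\" + rec["lpSubKey"],
                "access": bits(h("samDesired"), KEY_RIGHTS),
                "volatile": bool(h("dwOptions") & 1)}  # REG_OPTION_VOLATILE
    if "lpSubKey" in rec:  # RegOpenKey: only a parent handle and a subkey name
        root = ROOT_KEYS.get(h("hKey"), f"handle:{rec['hKey']}")  # 0x240 etc. is an open key, not a root
        return {"api": "RegOpenKey", "path": root + "\\" + rec["lpSubKey"]}
    if "lpValueName" in rec:  # RegSetValueEx
        return {"api": "RegSetValueEx", "handle": rec["hKey"], "value": rec["lpValueName"],
                "type": REG_TYPES.get(h("dwType"), "?"), "size": h("cbData")}
    if "nNumberOfBytesToWrite" in rec:  # WriteFile
        return {"api": "WriteFile", "handle": rec["hFile"], "size": h("nNumberOfBytesToWrite")}
    return {"api": "other", "raw": rec}


def file_writes(events: list) -> list:
    """Paths the sample opened with write access: what it actually put on disk."""
    return [e["path"] for e in events if e["api"] == "CreateFile"
            and any(a in ("GENERIC_WRITE", "GENERIC_ALL") for a in e["access"])]


def registry_writes(events: list) -> list:
    """Registry keys created or opened with KEY_SET_VALUE or KEY_CREATE_SUB_KEY."""
    return [e["path"] for e in events if e["api"] == "RegCreateKeyEx"
            and {"KEY_SET_VALUE", "KEY_CREATE_SUB_KEY"} & set(e["access"])]


# Records copied from the trace above (the sample's own recorded behaviour, not constructed).
TRACE = r'''
{"dwCreationDisposition": "2", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\is-4GURE.tmp\\license.key", "dwDesiredAccess": "40000000", "dwShareMode": "0"}
{"dwCreationDisposition": "2", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\is-4GURE.tmp\\KAV2.dll", "dwDesiredAccess": "c0000000", "dwShareMode": "0"}
{"dwCreationDisposition": "3", "path": "C:\\Syberia_3_Patch_Fix_K964HU.exe", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Borland\\Locales"}
{"Reserved": "0", "hKey": "2a4", "lpData": "18de30", "dwType": "4", "lpValueName": "ProxyEnable", "cbData": "4"}
{"h_key": "80000001", "samDesired": "2001f", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "18fde8", "dwOptions": "1", "lpClass": "<NULL>", "phkResult": "18fdec", "lpSubKey": "Software\\Microsoft\\RestartManager\\Session0000"}
{"h_key": "80000001", "samDesired": "1", "Reserved": "0", "lpSecurityAttributes": "0", "lpdwDisposition": "0", "dwOptions": "0", "lpClass": "", "phkResult": "18de34", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"}
'''.strip().splitlines()


def parse_trace(lines=TRACE) -> list:
    return [decode(line) for line in lines if line.strip()]


if __name__ == "__main__":
    events = parse_trace()
    for e in events:
        print(e)
    print("files opened for write:", file_writes(events))
    print("registry keys opened for write:", registry_writes(events))
```

Correlating by handle is the next step a practitioner takes: the `RegSetValueExW(150, Owner, ...)` and `SessionHash` writes above go to the handle returned by the volatile `RestartManager\Session0000` create, the `ProxyEnable` DWORD goes to handle 2a4 under `Internet Settings`, and the WriteFile calls on handle 14c line up with the `_setup64.tmp`/`KAV2.dll` CreateFile results. The sandbox does not print the returned handles next to the create calls, so that join has to be made from the later `RegCloseKey`/`SetFilePointer` lines by eye.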
Precise Detectors Analysis Results
Detector Name | Date | Verdict | Reason
---|---|---|---
Static Precise PUA Detector 1 | 2017-11-03 05:11:58.529908 | No Match | NotDetected
Static Precise Virus Detector | 2017-11-03 05:11:58.532837 | No Match | NotDetected
Static Precise Trojan Detector | 2017-11-03 05:11:58.543289 | No Match | NotDetected
Static Precise Adware InstallCore Detector 1 | 2017-11-03 05:11:58.631364 | No Match | NotDetected
Static Precise Trojan Detector 2 | 2017-11-03 05:11:58.622632 | No Match | NotDetected
Static Precise Trojan Detector 3 | 2017-11-03 05:11:58.540746 | No Match | NotDetected
Static Precise Trojan Generic Cryptor Detector 1 | 2017-11-03 05:11:58.547535 | No Match | NotDetected
Static Precise Virus Detector 2 | 2017-11-03 05:11:58.545509 | No Match | NotDetected
Advance Heuristics
No Advanced Heuristic Analysis Result Received
Additional File Information
Property | Value
---|---

Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
---|---|---|---|---|---