File Name:   windows_live_essentials_2011_full_installer.exe
SHA1:   ea56c0a48e0616bea0679ce0f30f0d6a2758e4e5
MD5:   362cce493239d63e15d1ab5433e25f32
First Seen Date:  2017-08-10 20:47:08.478863
Number of Clients Seen:   4
Last Analysis Date:  2019-06-06 14:09:38.719619
Human Expert Analysis Date:  2019-06-06 14:09:12.768162
Human Expert Analysis Result:   PUA
Analysis Summary
Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2019-06-04 01:36:20.920301 | Malware
Static Analysis Overall Verdict | 2019-06-06 14:09:38.719619 | No Threat Found
Dynamic Analysis Overall Verdict | 2019-06-06 14:09:38.719619 | No Threat Found
Precise Detectors Overall Verdict | 2019-06-06 14:09:38.719619 | PUA
Human Expert Analysis Overall Verdict | 2019-06-06 14:09:12.768162 | PUA
Static Analysis
Static Analysis Overall Verdict | Result
---|---
Overall | No Threat Found
Detector | Result
---|---
Optional Header LoaderFlags field is valued illegal | Clean
Non-ascii or empty section names detected | Clean
Illegal size of optional Header | Clean
Packer detection on signature database | Unknown
Based on the sections entropy check! file is possibly packed | Suspicious
Timestamp value suspicious | Clean
Header Checksum is zero! | Clean
Enrty point is outside the 1st(.code) section! Binary is possibly packed | Suspicious
Optional Header NumberOfRvaAndSizes field is valued illegal | Clean
Anti-vm present | Clean
The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger | Clean
TLS callback functions array detected | Clean
Packer detection on signature database
UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]
Dynamic Analysis
Dynamic Analysis Overall Verdict | Result
---|---
Overall | No Threat Found
Suspicious Behaviors
---
Creates a child process
Uses a function clandestinely
Logs user key strokes
Reads memory of another process
Opens a file in a system directory
Has no visible windows
Behavioral Information
13c
24c
140
304
29c
288
110
298
268
308
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
C:\windows_live_essentials_2011_full_installer.exe
C:\Windows\system32\DUser.dll
C:\Windows\system32\PROPSYS.dll
C:\Windows\syswow64\shlwapi.DLL
C:\Windows\syswow64\MSCTF.dll
C:\Windows\syswow64\USER32.dll
.exe
program
file
Plane4
Plane5
Plane6
Plane7
Plane1
Plane2
Plane3
Plane8
Plane9
Disable
FrameTabWindow
DataFilePath
SystemSetupInProgress
EnablePunycode
DisableSecuritySettingsCheck
Plane16
Plane14
Plane15
Plane12
Plane13
Plane10
Plane11
Install
InstallLanguage
TabProcGrowth
FrameMerging
CreateUriCacheSize
SpecialFoldersCacheSize
SwapMouseButtons
SessionMerging
AdminTabProcs
{"lDistanceToMove": "fffffc00", "dwMoveMethod": "2", "lpDistanceToMoveHigh": "0", "hFile": "25c"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7", "dwDesiredAccess": "100081", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\desktop.ini", "dwDesiredAccess": "80000000", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\Favorites\\desktop.ini", "dwDesiredAccess": "80000000", "dwShareMode": "7"}
{"dwCreationDisposition": "2", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\DMR\\dmr_72.exe", "dwDesiredAccess": "c0000000", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\Links\\desktop.ini", "dwDesiredAccess": "80000000", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "dwDesiredAccess": "80000000", "dwShareMode": "3"}
{"dwCreationDisposition": "3", "path": "C:\\windows_live_essentials_2011_full_installer.exe", "dwDesiredAccess": "80000000", "dwShareMode": "3"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\DMR\\dmr_72.exe", "dwDesiredAccess": "20000", "dwShareMode": "3"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\Saved Games\\desktop.ini", "dwDesiredAccess": "80000000", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\Downloads\\desktop.ini", "dwDesiredAccess": "80000000", "dwShareMode": "7"}
{"dwCreationDisposition": "4", "path": "C:\\Users\\win7\\AppData\\Local\\Temp\\DMR\\mkkqzmurcpwnajhv.dat", "dwDesiredAccess": "c0000000", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "\\??\\C:\\Windows\\System32\\shdocvw.dll", "dwDesiredAccess": "80", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\Contacts\\desktop.ini", "dwDesiredAccess": "80000000", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "C:\\", "dwDesiredAccess": "100081", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\Videos\\desktop.ini", "dwDesiredAccess": "80000000", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\Searches\\desktop.ini", "dwDesiredAccess": "80000000", "dwShareMode": "7"}
{"dwCreationDisposition": "3", "path": "C:\\Users\\win7\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000008.db", "dwDesiredAccess": "80000000", "dwShareMode": "1"}
{"dwCreationDisposition": "3", "path": "C:\\Windows\\Fonts\\staticcache.dat", "dwDesiredAccess": "80000000", "dwShareMode": "5"}
{"dwCreationDisposition": "3", "path": "C:\\Users", "dwDesiredAccess": "100081", "dwShareMode": "7"}
{"hKey": "308", "phkResult": "0", "lpSubKey": "Tahoma"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software"}
{"hKey": "260", "phkResult": "0", "lpSubKey": "Microsoft\\Internet Explorer\\Security"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\AutoIt v3\\AutoIt"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software"}
{"hKey": "250", "phkResult": "0", "lpSubKey": "FEATURE_LOCALMACHINE_LOCKDOWN"}
{"hKey": "250", "phkResult": "0", "lpSubKey": "FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"}
{"hKey": "250", "phkResult": "0", "lpSubKey": "FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "250", "phkResult": "0", "lpSubKey": "FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full"}
{"hKey": "250", "phkResult": "0", "lpSubKey": "FEATURE_PROTOCOL_LOCKDOWN"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "System\\Setup"}
{"hKey": "250", "phkResult": "0", "lpSubKey": "FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Policies"}
{"hKey": "250", "phkResult": "0", "lpSubKey": "FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Control Panel\\Mouse"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Client"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"}
{"hKey": "80000001", "phkResult": "0", "lpSubKey": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"}
{"hKey": "80000002", "phkResult": "0", "lpSubKey": "SOFTWARE\\Microsoft\\Net Framework Setup\\NDP\\v2.0.50727"}
{"hKey": "264", "phkResult": "0", "lpSubKey": "Microsoft\\Internet Explorer\\Security"}
<NULL>
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\MSCTF.Asm.MutexDefault1
{"nNumberOfBytesToWrite": "85208", "lpOverlapped": "0", "lpBuffer": "840020", "lpNumberOfBytesWritten": "56fb04", "hFile": "13c"}
{"nNumberOfBytesToWrite": "a1", "lpOverlapped": "0", "lpBuffer": "9281e8", "lpNumberOfBytesWritten": "56fcc4", "hFile": "13c"}
"C:\Users\win7\AppData\Local\Temp\DMR\dmr_72.exe" -install -54426307 -chipderedesign -832177df51344fb294bcf0737b9becc6 - -BLUB2 -mkkqzmurcpwnajhv -1692
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
MPR.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
USER32.dll
USERENV.dll
UxTheme.dll
VERSION.dll
WININET.dll
WINMM.dll
WSOCK32.dll
kernel32.dll
C:\windows_live_essentials_2011_full_installer.exe
comctl32.dll
IMM32.dll
gdiplus.dll
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
WindowsCodecs.dll
user32.dll
gdi32.dll
propsys.dll
ntmarta.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
C:\Windows\System32\shdocvw.dll
PROPSYS.dll
Secur32.dll
API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0.DLL
api-ms-win-downlevel-advapi32-l2-1-0.dll
ntdll.dll
DUser.dll
C:\Windows\system32\DUser.dll
dwmapi.dll
C:\Windows\system32\xmllite.dll
imageres.dll
C:\Windows\system32\ole32.dll
C:\Windows\syswow64\MSCTF.dll
OLEAUT32.DLL
GetAsyncKeyState
OpenProcess
ReadProcessMemory
WriteProcessMemory
CreateProcessW
InternetReadFile
ShellExecuteExW
ShellExecuteW
IsDebuggerPresent
Precise Detectors Analysis Results
Detector Name | Date | Verdict | Reason
---|---|---|---
Static Precise Adware Prepscram 1 | 2017-08-10 20:45:26.283000 | No Match | No match.
Static Precise Trojan Cryptor Detector 1 | 2017-08-10 20:45:26.299562 | No Match | No match.
Yara Rule Static Malware Detector | 2017-08-10 20:45:26.304732 | No Match | No match.
Static Precise PUA Detector 1 | 2017-08-10 20:45:26.298741 | PUA | Application.Win32.DownloadSponsor@1
Static Precise Virus Detector | 2017-08-10 20:45:26.313388 | No Match | NotDetected
Static Precise Trojan Detector | 2017-08-10 20:45:26.314174 | No Match | NotDetected
Static Precise PUA Detector 2 | 2017-08-10 20:45:26.338546 | No Match | No match.
Static Precise PUA Detector 3 | 2017-08-10 20:45:26.338942 | No Match | No match.
Static Precise Virus Hezhi Detector | 2017-08-10 20:45:26.336142 | No Match | No match.
Ransomware Chunk Detector | 2017-08-10 20:45:32.640583 | No Match | No match.
Static Precise Virus Detector 2 | 2017-08-10 20:45:26.348084 | No Match | NotDetected
Static Precise Trojan Detector 2 | 2017-08-10 20:45:26.355245 | No Match | NotDetected
Static Precise Trojan Detector 3 | 2017-08-10 20:45:26.365128 | No Match | NotDetected
Static Precise Adware InstallCore Detector 1 | 2017-08-10 20:45:26.363257 | No Match | NotDetected
Static Precise Trojan Generic Cryptor Detector 1 | 2017-08-10 20:45:26.370646 | No Match | NotDetected
Malicious Url Detector | 2017-08-10 20:47:08.405465 | No Match | No match.
Advanced Heuristics
No Advanced Heuristic Analysis Result Received
Human Expert Analysis Results
Analysis Start Date:   2019-06-06 12:21:28.925308
Analysis End Date:  2019-06-06 14:09:12.768162
File Upload Date:  2019-06-06 11:02:11.859324
Update Date:  2019-06-06 14:09:37.326387
Human Expert Analyst Feedback:  
Verdict:   PUA
Malware Family:  
Malware Type:   0
Additional File Information
Property | Value
---|---

Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
---|---|---|---|---|---