Analysis Report
Overview
General Information |
---|
Analysis ID: | 64922 |
Start time: | 21:32:46 |
Start date: | 04/05/2015 |
Overall analysis duration: | 0h 2m 46s |
Report type: | full |
Sample file name: | virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 7 (Office 2003 SP1, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36) |
Number of new started processes analysed: | 14 |
Number of new started drivers analysed: | 1 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
HCA enabled: | true |
HCA success: |
Cookbook Comments: |
Warnings: |
Detection |
---|
Strategy | Score | Range | Detection |
---|---|---|---|
Threshold | 76 | 0 - 100 | |
Signature Overview |
---|
AV Detection: |
---|
Yara signature match |
Source: 5dac7ebf.exe.dr | Yara output: | ||
Source: FastUserSwitchingCompatibility.dll.dr | Yara output: | ||
Source: 5dac7ebf.exe.dr | Yara output: | ||
Source: 00000001.00000002.4324852324.005F8000.00000080.sdmp | Yara output: | ||
Source: 5dac7ebf.exe.dr | Yara output: | ||
Source: FastUserSwitchingCompatibility.dll.dr | Yara output: | ||
Source: 00000001.00000000.4310439242.005F8000.00000080.sdmp | Yara output: | ||
Source: FastUserSwitchingCompatibility.dll.dr | Yara output: | ||
Source: virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Yara output: | ||
Source: 00000002.00000000.4312316940.00C07000.00000080.sdmp | Yara output: | ||
Source: 00000002.00000002.4313928312.00C07000.00000040.sdmp | Yara output: | ||
Source: FastUserSwitchingCompatibility.dll.dr | Yara output: | ||
Source: 5dac7ebf.exe.dr | Yara output: | ||
Source: 5dac7ebf.exe.dr | Yara output: | ||
Source: 00000001.00000001.4311024977.005F8000.00000080.sdmp | Yara output: | ||
Source: FastUserSwitchingCompatibility.dll.dr | Yara output: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Contains functionality to read data from the clipboard |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Code function: | 1_2_00404CEA |
Networking: |
---|
URLs found in memory or binary data |
Source: 5dac7ebf.exe | String found in binary or memory: | ||
Source: iexplore.exe | String found in binary or memory: | ||
Source: reg.exe | String found in binary or memory: | ||
Source: virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | String found in binary or memory: |
Downloads files |
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: |
Boot Survival: |
---|
Creates or modifies Windows services |
Source: C:\5dac7ebf.exe | Registry key created: |
Persistence and Installation Behavior: |
---|
Drops PE files |
Source: C:\5dac7ebf.exe | File created: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | File created: |
Drops PE files to the Windows directory (C:\Windows) |
Source: C:\5dac7ebf.exe | File created: |
Creates a Windows Service pointing to an executable in C:\Windows |
Source: C:\5dac7ebf.exe | Key value created or modified: |
Data Obfuscation: |
---|
Sample is packed with UPX |
Source: initial sample | Static PE information: | ||
Source: initial sample | Static PE information: |
Binary may include packed or encrypted code |
Source: initial sample | Static PE information: |
Contains functionality to dynamically determine API calls |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Code function: | 1_2_00405CF5 |
Entry point lies outside standard sections |
Source: initial sample | Static PE information: |
PE file contains an invalid checksum |
Source: initial sample | Static PE information: |
PE file contains sections with non-standard names |
Source: initial sample | Static PE information: |
Spreading: |
---|
Contains functionality to enumerate / list files inside a directory |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Code function: | 1_2_0040668F |
Enumerates the file system |
Source: C:\Windows\System32\ie4uinit.exe | File opened: | ||
Source: C:\Windows\System32\ie4uinit.exe | File opened: | ||
Source: C:\Windows\System32\ie4uinit.exe | File opened: | ||
Source: C:\Windows\System32\ie4uinit.exe | File opened: | ||
Source: C:\Windows\System32\ie4uinit.exe | File opened: | ||
Source: C:\Windows\System32\ie4uinit.exe | File opened: |
System Summary: |
---|
Binary contains paths to debug symbols |
Source: | Binary string: |
Contains functionality to check free disk space |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Code function: | 1_2_00404141 |
Creates files inside the user directory |
Source: C:\5dac7ebf.exe | File created: |
Creates temporary files |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | File created: |
Reads ini files |
Source: C:\Windows\System32\ie4uinit.exe | File read: |
Spawns processes |
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process created: | ||
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: |
Uses an in-process (OLE) Automation server |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Key value queried: |
Writes ini files |
Source: C:\Windows\System32\ie4uinit.exe | File written: |
Contains functionality to shutdown / reboot the system |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Code function: | 1_2_0040354B |
Creates files inside the system directory |
Source: C:\5dac7ebf.exe | File created: |
Deletes Windows files |
Source: C:\Windows\System32\reg.exe | File deleted: |
PE file contains strange resources |
Source: initial sample | Static PE information: | ||
Source: initial sample | Static PE information: | ||
Source: initial sample | Static PE information: |
Spawns drivers |
Source: unknown | Driver loaded: |
PE file has an invalid certificate |
Source: initial sample | Static PE information: |
Uses reg.exe to modify the Windows registry |
Source: unknown | Process created: |
HIPS / PFW / Operating System Protection Evasion: |
---|
May try to detect the Windows Explorer process (often used for injection) |
Source: 5dac7ebf.exe | Binary or memory string: |
Anti Debugging: |
---|
Contains functionality to dynamically determine API calls |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Code function: | 1_2_00405CF5 |
Contains functionality to read the PEB |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Code function: | 1_2_005F8000 | |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Code function: | 1_1_005F8000 |
Malware Analysis System Evasion: |
---|
Contains functionality to enumerate / list files inside a directory |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Code function: | 1_2_0040668F |
Queries a list of all running processes |
Source: C:\5dac7ebf.exe | Process information queried: |
Enumerates the file system |
Source: C:\Windows\System32\ie4uinit.exe | File opened: | ||
Source: C:\Windows\System32\ie4uinit.exe | File opened: | ||
Source: C:\Windows\System32\ie4uinit.exe | File opened: | ||
Source: C:\Windows\System32\ie4uinit.exe | File opened: | ||
Source: C:\Windows\System32\ie4uinit.exe | File opened: | ||
Source: C:\Windows\System32\ie4uinit.exe | File opened: |
Found dropped PE file which has not been started or loaded |
Source: C:\5dac7ebf.exe | Dropped PE file which has not been started: |
Found a large number of non-executed APIs |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | API coverage: |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Process information set: | ||
Source: C:\Windows\System32\ie4uinit.exe | Process information set: | ||
Source: C:\Windows\System32\ie4uinit.exe | Process information set: | ||
Source: C:\Windows\System32\ie4uinit.exe | Process information set: | ||
Source: C:\Windows\System32\ie4uinit.exe | Process information set: | ||
Source: C:\Windows\System32\ie4uinit.exe | Process information set: |
Hooks files or directories query functions (used to hide files and directories) |
Source: system | IAT, EAT, inline or SSDT hook detected: |
Hooks processes query functions (used to hide processes) |
Source: system | IAT, EAT, inline or SSDT hook detected: |
Hooks registry keys query functions (used to hide registry keys) |
Source: system | IAT, EAT, inline or SSDT hook detected: |
Modifies the prolog of kernel mode functions (kernel mode inline hooks) |
Source: system | Kernel code has changed: |
Modifies the system service dispatch table (places SSDT hooks) |
Source: system | SSDT hook detected: |
Lowering of HIPS / PFW / Operating System Security Settings: |
---|
AV process strings found (often used to terminate AV products) |
Source: 5dac7ebf.exe | Binary or memory string: | ||
Source: 5dac7ebf.exe | Binary or memory string: | ||
Source: 5dac7ebf.exe | Binary or memory string: |
Language, Device and Operating System Detection: |
---|
Contains functionality to query the Windows version |
Source: C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | Code function: | 1_2_00405DA6 |
Queries the volume information (name, serial number etc.) of a device |
Source: C:\Windows\System32\ie4uinit.exe | Queries volume information: | ||
Source: C:\Windows\System32\ie4uinit.exe | Queries volume information: |
Yara Overview |
---|
Source | Match |
---|---|
5dac7ebf.exe.dr | _ASPack_v212_ |
FastUserSwitchingCompatibility.dll.dr | _epp_ASPack_v211d_ |
5dac7ebf.exe.dr | _epp_ASPack_v212_ |
00000001.00000002.4324852324.005F8000.00000080.sdmp | _ASPack_v212_ |
5dac7ebf.exe.dr | _epp_PESHiELD_v02__v02b__v02b2_ |
FastUserSwitchingCompatibility.dll.dr | _ASProtect_V2X_DLL__Alexey_Solodovnikov_ |
00000001.00000000.4310439242.005F8000.00000080.sdmp | _ASPack_v212_ |
FastUserSwitchingCompatibility.dll.dr | _epp_ASPack_v212_ |
virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe | _ASPack_v212_ |
00000002.00000000.4312316940.00C07000.00000080.sdmp | _ASPack_v212_ |
00000002.00000002.4313928312.00C07000.00000040.sdmp | _ASPack_v212_ |
FastUserSwitchingCompatibility.dll.dr | _epp_PESHiELD_v02__v02b__v02b2_ |
5dac7ebf.exe.dr | _epp_ASPack_v211d_ |
5dac7ebf.exe.dr | _ASProtect_V2X_DLL__Alexey_Solodovnikov_ |
00000001.00000001.4311024977.005F8000.00000080.sdmp | _ASPack_v212_ |
FastUserSwitchingCompatibility.dll.dr | _ASPack_v212_ |
Screenshot |
---|
Startup |
---|
Created / dropped Files |
---|
File Path | Type and Hashes |
---|---|
Contacted Domains/Contacted IPs |
---|
Static File Info |
---|
General | |
---|---|
File type: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
TrID: |
File name: | virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe |
File size: | 225792 |
MD5: | 6f6d18dd0b2c54d34c44ff0a274399e0 |
SHA1: | 3d9b01048504fb6e5e482884a9b42946a7a6d2cf |
SHA256: | 45bd56102f6b224a627937dc2f32b00985cf19c0a4102bbe6ecfed8379fc820c |
SHA512: | 1ddc356658ad10ed093230f15d064901c824f07ae7f2f47755915655a5258f51138bf2213f5b250d66602dab46c5ee091ddfbfd8eb349e72a1e23f46f814b5d4 |
File Icon |
---|
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x5f8000 |
Entrypoint Section: | .UPX |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui 50 |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4AA7AC4B [Wed Sep 9 13:23:23 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Authenticode Signature |
---|
Signature Valid: | false |
Signature Issuer: | |
Signature Timestamp: | |
Signature Validation Error: | 2148204800 |
Not Before, Not After | |
Subject Chain |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 0000008Ch |
mov eax, dword ptr fs:[00000030h] |
mov dword ptr [ebp-28h], eax |
mov dword ptr [ebp-18h], 0000E000h |
mov dword ptr [ebp-3Ch], 355C3A43h |
mov dword ptr [ebp-38h], 37636164h |
mov dword ptr [ebp-34h], 2E666265h |
mov dword ptr [ebp-30h], 00657865h |
mov eax, dword ptr [ebp-28h] |
mov eax, dword ptr [eax+0Ch] |
mov eax, dword ptr [eax+1Ch] |
mov dword ptr [ebp-1Ch], eax |
mov eax, dword ptr [ebp-1Ch] |
mov eax, dword ptr [eax] |
mov dword ptr [ebp-1Ch], eax |
mov eax, dword ptr [ebp-1Ch] |
mov eax, dword ptr [eax+08h] |
mov dword ptr [ebp-0Ch], eax |
mov eax, dword ptr [ebp-0Ch] |
mov eax, dword ptr [eax+3Ch] |
mov ecx, dword ptr [ebp-0Ch] |
mov edx, dword ptr [ebp-0Ch] |
add edx, dword ptr [ecx+eax+78h] |
mov dword ptr [ebp-24h], edx |
mov eax, dword ptr [ebp-24h] |
mov ecx, dword ptr [ebp-0Ch] |
add ecx, dword ptr [eax+20h] |
mov dword ptr [ebp-50h], ecx |
mov eax, dword ptr [ebp-24h] |
mov ecx, dword ptr [ebp-0Ch] |
add ecx, dword ptr [eax+24h] |
mov dword ptr [ebp-44h], ecx |
mov eax, dword ptr [ebp-24h] |
mov ecx, dword ptr [ebp-0Ch] |
add ecx, dword ptr [eax+1Ch] |
mov dword ptr [ebp-48h], ecx |
mov dword ptr [ebp-74h], 50746547h |
mov dword ptr [ebp-70h], 41636F72h |
mov dword ptr [ebp-6Ch], 65726464h |
mov dword ptr [ebp-68h], 00007373h |
and dword ptr [ebp-78h], 00000000h |
jmp 00007F90ECD79B49h |
mov eax, dword ptr [ebp-78h] |
inc eax |
mov dword ptr [ebp-78h], eax |
mov eax, dword ptr [ebp-24h] |
mov ecx, dword ptr [ebp-78h] |
cmp ecx, dword ptr [eax+18h] |
jnc 00007F90ECD79BD0h |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f771c | 0x214 | .rsrc |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d4000 | 0x2371c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1aa88b0 | 0x2108 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics |
---|---|---|---|---|---|---|---|---|
UPX0 | 0x1000 | 0x1ce000 | 0x0 | 0.0 | False | 0 | empty | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
UPX1 | 0x1cf000 | 0x5000 | 0x5000 | 7.82231638058 | False | 0.944921875 | data | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x1d4000 | 0x24000 | 0x23a00 | 6.3385403468 | False | 0.578453947368 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.UPX | 0x1f8000 | 0xf000 | 0xe400 | 7.50170873655 | False | 0.856599506579 | data | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country | Nbr Of Functions | Xored PE |
---|---|---|---|---|---|---|---|
RT_ICON | 0x1d43ec | 0x10828 | data | English | United States | 0 | False |
RT_ICON | 0x1e4c18 | 0xc1e8 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0 | False |
RT_ICON | 0x1f0e04 | 0x25a8 | data | English | United States | 0 | False |
RT_ICON | 0x1f33b0 | 0x10a8 | data | English | United States | 0 | False |
RT_ICON | 0x1f445c | 0xea8 | data | English | United States | 0 | False |
RT_ICON | 0x1f5308 | 0x8a8 | data | English | United States | 0 | False |
RT_ICON | 0x1f5bb4 | 0x668 | data | English | United States | 0 | False |
RT_ICON | 0x1f6220 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States | 0 | False |
RT_ICON | 0x1f678c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States | 0 | False |
RT_ICON | 0x1f6bf8 | 0x2e8 | data | English | United States | 0 | False |
RT_ICON | 0x1f6ee4 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States | 0 | False |
RT_DIALOG | 0x1d0fe0 | 0x10c | data | English | United States | 0 | False |
RT_DIALOG | 0x1d10f0 | 0x1ec | data | English | United States | 0 | False |
RT_DIALOG | 0x1d12e0 | 0xe4 | data | English | United States | 0 | False |
RT_DIALOG | 0x1d13c8 | 0xda | data | English | United States | 0 | False |
RT_GROUP_ICON | 0x1f7010 | 0xa0 | MS Windows icon resource - 11 icons, 48x48, 16-colors | English | United States | 0 | False |
RT_VERSION | 0x1f70b4 | 0x29c | data | | | 0 | False |
RT_MANIFEST | 0x1f7354 | 0x3c8 | XML document text | English | United States | 0 | False |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess |
ADVAPI32.dll | RegEnumKeyW |
COMCTL32.dll | |
GDI32.dll | SetBkMode |
ole32.dll | CoTaskMemFree |
SHELL32.dll | ShellExecuteW |
USER32.dll | GetDC |
VERSION.dll | VerQueryValueW |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | 2012 Sogou.com Inc. All rights reserved. |
FileVersion | 6.5.0.8721 |
CompanyName | Sogou.com Inc. |
Comments | |
ProductName | |
ProductVersion | 6.5.0.8721 |
FileDescription | |
Translation | 0x0000 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Network Behavior |
---|
No network behavior found |
---|
Hooks - Code Manipulation Behavior |
---|
SSDT |
---|
Function Name | New Address |
---|---|
NtQueryVolumeInformationFile | 828A67AF |
NtQueryDirectoryFile | 8288402E |
NtProtectVirtualMemory | 8289278F |
NtAllocateVirtualMemory | 82879D68 |
NtMapViewOfSection | 8289672F |
NtSystemDebugControl | 828D5A2E |
NtDeviceIoControlFile | 828C38A1 |
NtLoadDriver | 82815A94 |
NtUnloadDriver | 82909D2B |
NtCreateFile | 8289F5AE |
NtOpenFile | 82881E2D |
NtDeleteFile | 827E85AE |
NtSetInformationFile | 828A6C43 |
NtWriteFile | 828BF404 |
NtReadFile | 828B2143 |
NtReadVirtualMemory | 828AFCE3 |
NtWriteVirtualMemory | 828AFBD3 |
NtCreateMutant | 828603F8 |
NtCreateProcess | 8292C9E9 |
NtSetInformationProcess | 828889B3 |
NtSuspendProcess | 8292E4F3 |
NtResumeProcess | 8292E551 |
NtCreateUserProcess | 828BE520 |
NtCreateProcessEx | 8292CA34 |
NtTerminateProcess | 828AAED6 |
NtCreateKey | 82850EAB |
NtDeleteKey | 8283B8D2 |
NtDeleteValueKey | 8282D2DB |
NtSetValueKey | 8285A4A8 |
NtQueryValueKey | 8289A7D3 |
NtNotifyChangeKey | 82849E5F |
NtEnumerateValueKey | 828B9386 |
NtEnumerateKey | 828B6F20 |
NtCreateSection | 828731EB |
NtOpenSection | 828B9B3B |
NtSetSystemInformation | 8289E4B8 |
NtQuerySystemInformation | 8287FFF1 |
NtQueryInformationProcess | 82886961 |
NtCreateThread | 8292C7F2 |
NtCreateThreadEx | 828C05FD |
NtSetContextThread | 8292E05F |
NtQueueApcThread | 8284BCF2 |
NtDelayExecution | 82878C75 |
NtTerminateThread | 828C883A |
NtResumeThread | 828C0824 |
NtSuspendThread | 828E53F4 |
NtQuerySystemTime | 828C6FFD |
NtAdjustPrivilegesToken | 828D50FF |
NtRequestWaitReplyPort | 8288DC60 |
NtCreateSymbolicLinkObject | 82851876 |
NtSetSecurityObject | 828516A7 |
NtFsControlFile | 828A5B89 |
NtQueryInformationToken | 828A24C5 |
NtQueryDefaultUILanguage | 827F2E5C |
NtQueryDefaultLocale | 828C7092 |
NtSetSystemPowerState | 82971E4A |
NtShutdownSystem | 82953419 |
NtRaiseHardError | 82826FE6 |
NtClose | 82894706 |
NtQueryAttributesFile | 828A7E88 |
IRP Handler |
---|
Handler Function | Driver | Address | Type |
---|---|---|---|
IRP_MJ_SET_VOLUME_INFORMATION | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_QUERY_QUOTA | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_PNP | \Driver\3AAA263B | 82703225 | new |
IRP_MJ_CREATE_MAILSLOT | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_POWER | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_DEVICE_CONTROL | \Driver\3AAA263B | 94F032E5 | new |
IRP_MJ_READ | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_DIRECTORY_CONTROL | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_QUERY_VOLUME_INFORMATION | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_SET_SECURITY | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_WRITE | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_LOCK_CONTROL | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_CLEANUP | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_CLOSE | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_INTERNAL_DEVICE_CONTROL | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_CREATE | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_CREATE_NAMED_PIPE | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_DEVICE_CHANGE | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_SET_INFORMATION | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_QUERY_EA | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_FILE_SYSTEM_CONTROL | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_FLUSH_BUFFERS | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_SET_EA | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_SYSTEM_CONTROL | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_QUERY_SECURITY | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_SET_QUOTA | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_QUERY_INFORMATION | \Driver\3AAA263B | 94F03612 | new |
IRP_MJ_SHUTDOWN | \Driver\3AAA263B | 94F03612 | new |
New Device |
---|
Driver | Device | Attached to (upper) | Attached to (lower) |
---|---|---|---|
\Driver\3AAA263B | \Device\FISINF | unknown | unknown |
Kernel Modules |
---|
Module: ntoskrnl.exe |
---|
Function Name | Hook Type | New Data |
---|---|---|
KeInsertQueueApc | INLINE | 0xE9 0x90 0x00 0x00 0x07 0x78 |
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
System Behavior |
---|
General |
---|
Start time: | 21:33:13 |
Start date: | 04/05/2015 |
Path: | C:\virussign.com_6f6d18dd0b2c54d34c44ff0a274399e0.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x400000 |
File size: | 225792 bytes |
MD5 hash: | 6F6D18DD0B2C54D34C44FF0A274399E0 |
General |
---|
Start time: | 21:33:14 |
Start date: | 04/05/2015 |
Path: | C:\5dac7ebf.exe |
Wow64 process (32bit): | false |
Commandline: | C:\5dac7ebf.exe |
Imagebase: | 0x76ec0000 |
File size: | 57344 bytes |
MD5 hash: | 7B8215016A01816BD7612AE3B09B023D |
General |
---|
Start time: | 21:33:14 |
Start date: | 04/05/2015 |
Path: | C:\Windows\System32\reg.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x430000 |
File size: | 62464 bytes |
MD5 hash: | D69A9ABBB0D795F21995C2F48C1EB560 |
General |
---|
Start time: | 21:33:14 |
Start date: | 04/05/2015 |
Path: | C:\Windows\System32\reg.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x75740000 |
File size: | 62464 bytes |
MD5 hash: | D69A9ABBB0D795F21995C2F48C1EB560 |
General |
---|
Start time: | 21:33:15 |
Start date: | 04/05/2015 |
Path: | C:\Windows\System32\reg.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x754b0000 |
File size: | 62464 bytes |
MD5 hash: | D69A9ABBB0D795F21995C2F48C1EB560 |
General |
---|
Start time: | 21:33:15 |
Start date: | 04/05/2015 |
Path: | C:\WINDOWS\system32\3AAA263B.sys |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x9a0000 |
File size: | 7888 bytes |
MD5 hash: | 4D7DF3DAF2EE2605FC194649C7B9C7CA |
General |
---|
Start time: | 21:33:15 |
Start date: | 04/05/2015 |
Path: | C:\Windows\System32\reg.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x75740000 |
File size: | 62464 bytes |
MD5 hash: | D69A9ABBB0D795F21995C2F48C1EB560 |
General |
---|
Start time: | 21:33:17 |
Start date: | 04/05/2015 |
Path: | C:\Program Files\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0xb40000 |
File size: | 815288 bytes |
MD5 hash: | 363BC25BACB34E9D40441968B1B3D5BE |
General |
---|
Start time: | 21:33:18 |
Start date: | 04/05/2015 |
Path: | C:\Windows\System32\ie4uinit.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\System32\ie4uinit.exe -ShowQLIcon |
Imagebase: | 0xb60000 |
File size: | 684544 bytes |
MD5 hash: | 73AFBF165241EB4502CD15107AA12CBA |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 5.1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 28.3% |
Total number of Nodes: | 668 |
Total number of Limit Nodes: | 25 |
Executed Functions |
---|
Non-executed Functions |
---|