Edit tour
Windows
Analysis Report
AssinadorSERPRO4.2.1.exe
Overview
General Information
Detection
Score: | 13 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 40% |
Signatures
Modifies the hosts file
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Classification
Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox |
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--") |
- System is w10x64_ra
- AssinadorSERPRO4.2.1.exe (PID: 4796 cmdline:
C:\Users\u ser\Deskto p\Assinado rSERPRO4.2 .1.exe MD5: E23DBA0669F1825C4B8DD709984DE72D) - AssinadorSERPRO4.2.1.tmp (PID: 4508 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-G5S H8.tmp\Ass inadorSERP RO4.2.1.tm p" /SL5="$ 50374,5279 4110,87603 2,C:\Users \user\Desk top\Assina dorSERPRO4 .2.1.exe" MD5: A769168BAF50492809461689FBB8F08D)
- rundll32.exe (PID: 7056 cmdline:
C:\Windows \System32\ rundll32.e xe C:\Wind ows\System 32\shell32 .dll,SHCre ateLocalSe rverRunDll {9aa46009 -3ce0-458a -a354-7156 10a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
- OpenWith.exe (PID: 4888 cmdline:
C:\Windows \system32\ OpenWith.e xe -Embedd ing MD5: E4A834784FA08C17D47A1E72429C5109) - notepad.exe (PID: 5744 cmdline:
"C:\Window s\system32 \NOTEPAD.E XE" C:\Win dows\Syste m32\driver s\etc\host s MD5: 27F71B12CB585541885A31BE22F61C83)
- cleanup
⊘No configs have been found
⊘No yara matches
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
Source: | Static PE information: |
Source: | Window detected: |