Edit tour
Windows
Analysis Report
vlc-3.0.20-win64.exe
Overview
General Information
Detection
Score: | 24 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 40% |
Compliance
Score: | 50 |
Range: | 0 - 100 |
Signatures
Found API chain indicative of debugger detection
Writes a notice file (html or txt) to demand a ransom
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Explorer Process Tree Break
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox |
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--") |
- System is w10x64
- vlc-3.0.20-win64.exe (PID: 6372 cmdline:
"C:\Users\ user\Deskt op\vlc-3.0 .20-win64. exe" MD5: 3D63E3A94C39A18F4DA866B896B41E80) - vlc-cache-gen.exe (PID: 5332 cmdline:
"C:\Progra m Files\Vi deoLAN\VLC \vlc-cache -gen.exe" C:\Program Files\Vid eoLAN\VLC\ plugins MD5: C314F48471D34BC89863326324D00B8B) - conhost.exe (PID: 2492 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - regsvr32.exe (PID: 4584 cmdline:
"C:\Window s\system32 \regsvr32. exe" /s "C :\Program Files\Vide oLAN\VLC\a xvlc.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0) - regsvr32.exe (PID: 2088 cmdline:
/s "C:\Pr ogram File s\VideoLAN \VLC\axvlc .dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) - explorer.exe (PID: 7032 cmdline:
"C:\Window s\explorer .exe" "C:\ Program Fi les\VideoL AN\VLC\vlc .exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
- explorer.exe (PID: 4304 cmdline:
C:\Windows \explorer. exe /facto ry,{75dff2 b7-6936-4c 06-a8bb-67 6a7b00b24b } -Embeddi ng MD5: 662F4F92FDE3557E86D110526BB578D5) - vlc.exe (PID: 3584 cmdline:
"C:\Progra m Files\Vi deoLAN\VLC \vlc.exe" MD5: 3740507A1DC4FF4CB5C6E52652C10C20)
- cleanup
⊘No configs have been found
⊘No yara matches
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber: |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
Source: | Code function: | 4_2_0000000140008C90 | |
Source: | Code function: | 4_2_00000001400017B0 | |
Source: | Code function: | 4_2_00007FFDF23E9FD1 | |
Source: | Code function: | 4_2_00007FFDF24273B4 | |
Source: | Code function: | 4_2_00007FFDF2321B60 | |
Source: | Code function: | 4_2_00007FFDFBABDA74 | |
Source: | Code function: | 4_2_00007FFDFB8D4EC0 | |
Source: | Code function: | 4_2_00007FFDFB8BE2F0 | |
Source: | Code function: | 4_2_00007FFE11ECDE49 | |
Source: | Code function: | 4_2_00007FFE11EC71F0 | |
Source: | Code function: | 4_2_00007FFE11EDDAFC | |
Source: | Code function: | 11_2_00007FFDFB12DA74 | |
Source: | Code function: | 11_2_00007FFDFAF44EC0 | |
Source: | Code function: | 11_2_00007FFDFAF2E2F0 | |
Source: | Code function: | 11_2_00007FFE115555B1 | |
Source: | Code function: | 11_2_00007FFE1152CCF0 | |
Source: | Code function: | 11_2_00007FFE11570020 | |
Source: | Code function: | 11_2_00007FFE11BC36EA | |
Source: | Code function: | 11_2_00007FFE11BCB3A0 | |
Source: | Code function: | 11_2_00007FFE11BC2000 | |
Source: | Code function: | 11_2_00007FFE11BEC8F9 | |
Source: | Code function: | 11_2_00007FFE11BE6210 | |
Source: | Code function: | 11_2_00007FFE11BF655C | |
Source: | Code function: | 11_2_00007FFE11ECDE49 | |
Source: | Code function: | 11_2_00007FFE11EC71F0 | |
Source: | Code function: | 11_2_00007FFE11EDDAFC | |
Source: | Code function: | 11_2_00007FFE13386C00 | |
Source: | Code function: | 11_2_00007FFE133852A0 | |
Source: | Code function: | 11_2_00007FFE13391370 | |
Source: | Code function: | 11_2_00007FFE146333DA | |
Source: | Code function: | 11_2_00007FFE1463B284 | |
Source: | Code function: | 11_2_00007FFE14631E20 | |
Source: | Code function: | 11_2_00007FFE148D8089 | |
Source: | Code function: | 11_2_00007FFE148D1AF0 | |
Source: | Code function: | 11_2_00007FFE148E12A4 | |
Source: | Code function: | 11_2_00007FFE1A458589 | |
Source: | Code function: | 11_2_00007FFE1A4622E4 | |
Source: | Code function: | 11_2_00007FFE1A451FE0 |
Compliance |
---|
Source: | Static PE information: |
Source: | Window detected: |