Windows
Analysis Report
bitrecover-eml-to-pdf-wizard.exe
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
24 | 0 - 100 | false | 20%

Compliance
Score | Range
---|---
51 | 0 - 100
Signatures
Installs new ROOT certificates
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
Analysis Advice
Sample drops PE files which have not been started; submit dropped PE samples for a secondary analysis to Joe Sandbox.
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook.
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (it is possible that the command line switches require additional characters like "-", "/" or "--").
- System is w10x64
- bitrecover-eml-to-pdf-wizard.exe (PID: 2128 cmdline: "C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe" MD5: 359250C1F24628516457451768236637)
- bitrecover-eml-to-pdf-wizard.tmp (PID: 2132 cmdline: "C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp" /SL5="$10440,74753301,739328,C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe" MD5: 9DC81EA31610361FCFE670EA7EE92C56)
- vcredist2010.exe (PID: 7060 cmdline: "C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe" /passive /norestart MD5: F45ADE105F9C4FE754976C820230A9E5)
- Setup.exe (PID: 2300 cmdline: c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart MD5: 2AF2C1A78542975B12282ACA4300D515)
- EMLTOPDFWizard.exe (PID: 5628 cmdline: "C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe" MD5: 2184C492140EC7B8E84C048B080566A4)
- msiexec.exe (PID: 5432 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |

No Sigma rule has matched
No Snort rule has matched
Evidence type | Value
---|---
Code function | 5_2_01004F6B
Code function | 5_2_010045EB
Code function | 6_2_6BCB189E
Code function | 6_2_6BC97EBB
Code function | 6_2_6BC97E4C
Code function | 6_2_6BC97E7C
Code function | 6_2_6BC97E2A
Code function | 6_2_6BC97E3B
Binary or memory string | memstr_164a3a70-1

Compliance
Evidence type | Value
---|---
Static PE information |
Window detected |