Windows Analysis Report
ws_ftp le 508.exe

Overview

General Information

Sample name: ws_ftp le 508.exe
Analysis ID: 1438423
MD5: 64a58dd55cc3af76fea415ebdbec7af9
SHA1: 3ca099902c524527fecfb7f5e2bbc5d0e7c4a76b
SHA256: 9d23f416f03f351c8441fbe390893cacf00c3ec09beb7a8947023847d2428d2b

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found evasive API chain (date check)
PE file contains executable resources (Code or Archives)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection

Source: C:\Users\user\Desktop\SFS5D46.tmp ReversingLabs: Detection: 22%
Source: ws_ftp le 508.exe ReversingLabs: Detection: 22%
Source: ws_ftp le 508.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ws_ftp le 508.exe Code function: 0_2_004012CE sprintf,FindFirstFileA, 0_2_004012CE
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr String found in binary or memory: HTTP://www.ipswitch.com
Source: SFS5D46.tmp.0.dr String found in binary or memory: http://www.ipswitch.com
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr String found in binary or memory: http://www.ipswitch.com/downloads/ws_ftp_PRO.html
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr String found in binary or memory: http://www.ipswitch.com/products/ws_ftp/
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr String found in binary or memory: http://www.ipswitch.com/products/ws_ftp/DLG_NOT_AUTHRemoveDIRWS_FTPINSTOPTSWS_FTPWS_FTP.exe%s
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr String found in binary or memory: http://www.ipswitch.comopenHTTP://www.ipswitch.comWS_FTPhttp://www.ipswitch.com/downloads/ws_ftp_PRO
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr String found in binary or memory: https://buy.ipswitch.com/cgi-ole/buypro.showform/wsftppro/?000001767Ipswitch
Source: C:\Users\user\Desktop\SFS5D75.tmp Code function: 2_2_00406259 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 2_2_00406259
Source: C:\Users\user\Desktop\SFS5D75.tmp Code function: 2_2_0040AA00 2_2_0040AA00
Source: SFS5D75.tmp.1.dr Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 4039 bytes
Source: SFS5D75.tmp.1.dr Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 368128 bytes
Source: SFS5D75.tmp.1.dr Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 428032 bytes
Source: SFS5D75.tmp.1.dr Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 246726 bytes
Source: SFS5D75.tmp.1.dr Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 2455 bytes
Source: SFS5D75.tmp.1.dr Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 102912 bytes
Source: SFS5D75.tmp.1.dr Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 6699 bytes
Source: SFS5D75.tmp.1.dr Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 12118 bytes
Source: SFS5D75.tmp.1.dr Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 14354 bytes
Source: SFS5D75.tmp.1.dr Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 10008 bytes
Source: SFS5D75.tmp.1.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: classification engine Classification label: mal56.winEXE@5/2@0/0
Source: C:\Users\user\Desktop\SFS5D75.tmp Code function: 2_2_004086E4 StretchDIBits,GlobalUnlock,FreeResource,ReleaseDC,ValidateRect, 2_2_004086E4
Source: C:\Users\user\Desktop\ws_ftp le 508.exe File created: C:\Users\user\Desktop\SFS5D46.tmp
Source: C:\Users\user\Desktop\SFS5D75.tmp File created: C:\Users\user\AppData\Local\Temp\WFT5DD2.tmp
Source: ws_ftp le 508.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SFS5D75.tmp File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\ws_ftp le 508.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ws_ftp le 508.exe File read: C:\Users\user\Desktop\ws_ftp le 508.exe
Source: C:\Users\user\Desktop\SFS5D75.tmp Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\ws_ftp le 508.exe "C:\Users\user\Desktop\ws_ftp le 508.exe"
Source: C:\Users\user\Desktop\ws_ftp le 508.exe Process created: C:\Users\user\Desktop\SFS5D46.tmp "C:\Users\user\Desktop\SFS5D46.tmp"
Source: C:\Users\user\Desktop\SFS5D46.tmp Process created: C:\Users\user\Desktop\SFS5D75.tmp "C:\Users\user\Desktop\SFS5D75.tmp"
Source: C:\Users\user\Desktop\ws_ftp le 508.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ws_ftp le 508.exe Section loaded: fddint.dll
Source: C:\Users\user\Desktop\SFS5D46.tmp Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SFS5D46.tmp Section loaded: fddint.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: lz32.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp Section loaded: textshaping.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SFS5D75.tmp Window detected: Number of UI elements: 11
Source: C:\Users\user\Desktop\ws_ftp le 508.exe Code function: 0_2_004014D6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcessId,FreeLibrary,GetModuleFileNameA,_getcwd,_chdir,_chdir,strcat,LoadLibraryA,GetProcAddress,remove,FreeLibrary,_chdir,memset,GetVersion,strlen,strlen,MoveFileA,strcpy,??2@YAPAXI@Z,strcpy,strcat,strcat,CreateProcessA,??3@YAXPAX@Z,CreateProcessA,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,remove, 0_2_004014D6
Source: C:\Users\user\Desktop\ws_ftp le 508.exe Code function: 0_2_00401800 push eax; ret 0_2_0040182E
Source: C:\Users\user\Desktop\SFS5D75.tmp Code function: 2_2_004092D0 push eax; ret 2_2_004092FE
Source: C:\Users\user\Desktop\ws_ftp le 508.exe File created: C:\Users\user\Desktop\SFS5D46.tmp
Source: C:\Users\user\Desktop\SFS5D46.tmp File created: C:\Users\user\Desktop\SFS5D75.tmp
Source: C:\Users\user\Desktop\SFS5D75.tmp Code function: 2_2_0040481A MessageBoxA,GetVersionExA,GetSystemDirectoryA,wsprintfA,GetSystemDirectoryA,wsprintfA,GetSystemDirectoryA,wsprintfA,GetSystemDirectoryA,wsprintfA,GetProfileStringA,lstrlenA,MessageBoxA,MessageBoxA,MessageBoxA,GetProfileStringA,MessageBoxA,GetProfileIntA,wsprintfA,lstrlenA,wsprintfA,lstrlenA,wsprintfA,lstrlenA,CreateDialogParamA,GetDlgItem,GetDlgItem,lstrcpyA,GetDlgItem,GetDlgItem,GetDlgItem,wsprintfA,wsprintfA,wsprintfA,MessageBoxA,GetDlgItem,GetDlgItem,wsprintfA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetDlgItem,SetWindowTextA,SetActiveWindow,DestroyWindow,GetProfileStringA,wsprintfA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,wsprintfA,wsprintfA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,wsprintfA,wsprintfA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,wsprintfA,lstrcpyA,wsprintfA,MessageBoxA,wsprintfA,WritePrivateProfileStringA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,wsprintfA,WriteProfileStringA,MessageBoxA, 2_2_0040481A
Source: C:\Users\user\Desktop\SFS5D75.tmp Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Desktop\SFS5D75.tmp Code function: 2_2_004098C0 GetSystemTime followed by cmp: cmp word ptr [00412c9ah], cx and CTI: jne 0040992Bh 2_2_004098C0
Source: C:\Users\user\Desktop\SFS5D75.tmp Code function: 2_2_004098C0 GetSystemTime followed by cmp: cmp word ptr [00412c98h], ax and CTI: jne 0040992Bh 2_2_004098C0
Source: C:\Users\user\Desktop\SFS5D75.tmp Code function: 2_2_004098C0 GetSystemTime followed by cmp: cmp word ptr [00412c96h], ax and CTI: jne 0040992Bh 2_2_004098C0
Source: C:\Users\user\Desktop\SFS5D75.tmp Code function: 2_2_004098C0 GetSystemTime followed by cmp: cmp word ptr [00412c92h], ax and CTI: jne 0040992Bh 2_2_004098C0
Source: C:\Users\user\Desktop\SFS5D75.tmp Code function: 2_2_004098C0 GetSystemTime followed by cmp: cmp word ptr [00412c90h], ax and CTI: jne 0040992Bh 2_2_004098C0
Source: SFS5D75.tmp, 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr Binary or memory string: 5Program Manager Group
Source: SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp Binary or memory string: WFT\OSNTWSInstalAPP_MAINWS_FTP Limited Edition Install (32)IPSWITCHWS_FTP LE HelpWS_FTP LE Release NotesUninstall WS_FTP LEWS_FTP Icon PlacementWS_FTP Explorer HelpWS_BMP%s (*.*)|*.*|WS_FTP95.exeDLG_GETSRCDIRDLG_BROWSEaws_ftp\WS_FTPDLG_GETDIRPROGMAN/\\[DeleteItem("%s")]/\\[DeleteItem("%s")][AddItem("%s","%s",,,,,%s)]WS_FTP[DeleteGroup(%s)][CreateGroup(%s)]PROGMANGroups
Source: SFS5D75.tmp, 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr Binary or memory string: Please enter the name of the Program Manager group for this software:
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr Binary or memory string: Ipswitch0Software\Microsoft\Windows\CurrentVersionRunOnceRunServicesOnceRunOnceRunServicesOnce%uSeShutdownPrivilegeWFT\OSNTWSInstalAPP_MAINWS_FTP Limited Edition Install (32)IPSWITCHWS_FTP LE HelpWS_FTP LE Release NotesUninstall WS_FTP LEWS_FTP Icon PlacementWS_FTP Explorer HelpWS_BMP%s (*.*)|*.*|WS_FTP95.exeDLG_GETSRCDIRDLG_BROWSEaws_ftp\WS_FTPDLG_GETDIRPROGMAN/\\[DeleteItem("%s")]/\\[DeleteItem("%s")][AddItem("%s","%s",,,,,%s)]WS_FTP[DeleteGroup(%s)][CreateGroup(%s)]PROGMANGroups
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp Binary or memory string: PROGMAN
Source: C:\Users\user\Desktop\SFS5D75.tmp Code function: 2_2_004098C0 GetLocalTime,GetSystemTime,GetTimeZoneInformation, 2_2_004098C0
No contacted IP infos