
Analysis Report WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 151576
Start date: 12.07.2019
Start time: 11:22:33
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus39.winEXE@10/46@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 95.8%)
  • Quality average: 85.1%
  • Quality standard deviation: 25.1%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 187
  • Number of non-executed functions: 150
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 39
Range: 0 - 100
Reporting: (no value extracted)
Whitelisted: false
Detection: suspicious

Confidence

Strategy: Threshold
Score: 0
Range: 0 - 5
Further Analysis Required?: true
Confidence: (no value extracted)


Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--")
Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample searches for specific files; try pointing organization-specific fake files at the analysis machine
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior



Mitre Att&ck Matrix

The matrix is rebuilt here as one list per tactic (the original is an eleven-column grid). The digits following a technique name are the report's hit counters, reproduced as extracted; techniques without a counter are the matrix template and were not observed.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Scripting [1]; Execution through API [1]; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Startup Items [1]; New Service [1]; Registry Run Keys / Startup Folder [1]; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Startup Items [1]; Process Injection [11]; New Service [1]; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Masquerading [21]; Software Packing [11]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Scripting [1]; Obfuscated Files or Information [21]; DLL Side-Loading [1]
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: System Time Discovery [2]; Process Discovery [2]; Application Window Discovery [1]; Security Software Discovery [21]; File and Directory Discovery [13]; System Information Discovery [33]; Network Sniffing
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted [1]; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Standard Cryptographic Protocol [1]; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Program Files (x86)\WatchBP Analyzer Home\HidComInst.exe | Avira: Label: TR/Dropper.Gen (a generic heuristic label; corroborate with a second engine or a signature check before treating the file as malicious)
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.irsetup.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 1.1.irsetup.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.1.WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 1.0.irsetup.exe.400000.0.unpack | Joe Sandbox ML: detected

Spreading:

Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\Roaming\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004C8AA6 FindFirstFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00408DBC __EH_prolog, FindFirstFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00408E3A __EH_prolog, GetFileAttributesA, lstrcpy, FindFirstFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00408F73 __EH_prolog, GetFullPathNameA, lstrcpyn, GetVolumeInformationA, FindFirstFileA, FindClose, lstrcpy
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004C3C5F __EH_prolog, GetFullPathNameA, lstrcpyn, GetVolumeInformationA, FindFirstFileA, FindClose, lstrcpy
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0043C870 __EH_prolog, FindFirstFileA, FindFirstFileA, InterlockedIncrement, FindNextFileA, FindClose, FindFirstFileA, InterlockedIncrement, FindNextFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0043D18B __EH_prolog, FindFirstFileA, InterlockedIncrement, FindNextFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0040927B __EH_prolog, FindFirstFileA, FindFirstFileA, InterlockedIncrement, FindNextFileA, FindClose, FindFirstFileA, InterlockedIncrement, FindNextFileA, FindClose
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0047F41C __EH_prolog, GetLogicalDriveStringsA, GetDriveTypeA

Networking:

Connects to country known for bullet proof hosters
Source: unknown | Network traffic detected: IP: 1.0.3.0 China
Note: 1.0.3.0 is also the version token in the sample's file name (V1.0.3.0). Confirm this hit against the packet capture before treating it as a real connection; a dotted quad lifted from a file name or version string is a common false positive of string-based IP extraction.
Urls found in memory or binary data
Source: irsetup.exe, 00000001.00000002.702561028.000000000050E000.00000040.00020000.sdmp | String found in binary or memory: ftp://https://http://%sInternetGetProxyInfoInternetInitializeAutoProxyDlljsproxy.dllDetectAutoProxyU
Source: PDFDocScoutImgAddon.dll.1.dr | String found in binary or memory: http://bytescout.com0
Source: pdflib.dll.1.dr | String found in binary or memory: http://gnuwin32.sourceforge.net
Source: PDFDocScout.dll.1.dr | String found in binary or memory: http://pdfdocscout.com/
Source: PDFDocScout.dll.1.dr | String found in binary or memory: http://ww.bytescout.com
Source: PDFDocScout.dll.1.dr | String found in binary or memory: http://www.borland.com
Source: PDFDocScout.dll.1.dr | String found in binary or memory: http://www.borland.comU
Source: irsetup.exe, irsetup.exe, 00000001.00000002.702561028.000000000050E000.00000040.00020000.sdmp | String found in binary or memory: http://www.indigorose.com/route.php?pid=suf60buy
Source: pdflib.dll.1.dr | String found in binary or memory: http://www.pdflib.com

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004C5492 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004C582A NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004C583A NtdllDefWindowProc_A
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00422046 __EH_prolog, SetFileAttributesA, CreateFileA, DeviceIoControl, CloseHandle
Creates driver files
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\HidCom.sys
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Windows\WatchBP Analyzer Home\
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2616:120:WilError_01 (created by conhost.exe, which the analysis whitelists as a system process, not by the sample)
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004A0710
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004C5AA0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0043E59A
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00494080
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004A44D0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004946BD
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004949B2
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00468AF3
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00494C1B
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00494D7B
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004B5038
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0049D2A0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004BDEE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00405FD5
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00406346
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004B2320
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0049E490
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: String function: 004C3301 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: String function: 004ACA28 appears 988 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: String function: 004C0A21 appears 150 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: String function: 004680AE appears 70 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: String function: 004C43DF appears 99 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: String function: 004664F2 appears 152 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: String function: 0048A5F0 appears 263 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: String function: 004C4144 appears 964 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: String function: 004C425F appears 119 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: String function: 004AD04E appears 79 times
PE file contains strange resources
Source: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irsetup.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irsetup.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irsetup.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uninstall.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uninstall.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uninstall.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe, 00000000.00000002.705734471.000000000040B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename suf70_launch.exe vs WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe
Source: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Binary or memory string: OriginalFilename suf70_launch.exe vs WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe
Source: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Binary or memory string: OriginalFilename suf70_rt.exe vs WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | File read: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: pdfdocscout.dll
Note: wow64log.dll is requested by the WOW64 layer for every 32-bit process on 64-bit Windows and is normally absent, so the four wow64log.dll entries are expected noise rather than a sample-specific indicator. pdfdocscout.dll is the one worth checking: regsvr32.exe received it as a bare file name (see "Registers a DLL" below), so it is resolved through the DLL search order rather than from an explicit path; verify which copy was actually registered.
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: WatchBP Analyzer Home.exe.1.dr | Binary string: ,SCan't register device notification: c:\Microlife\WatchBP_Home_7Dayc:\MicrolifeHIDDeviceExistGetFeatureSetFeatureCloseHIDDeviceOpenNextHIDDeviceOpenFirstHIDDeviceHIDApi.dllInitialize Excel COM fail.Unknown error 0x%0lXIDispatch error #%dError loading bitmap!CLSID\{00024500-0000-0000-C000-000000000046}\Device\HidCom2\Device\HidCom1\Device\HidCom0HARDWARE\DEVICEMAP\SERIALCOMMNull%d (%d)%s%d%02d:%02d%d/%d/%d%s/%s/%sDmode.xlsDmodeINSERT INTO Dmode (Field1,Field2,Field3,Field4,Field5) VALUES ('Evening','---','INSERT INTO Dmode (Field1,Field2,Field3,Field4,Field5) VALUES ('Morning','---','INSERT INTO Dmode (Field1,Field2,Field3,Field4,Field5) VALUES ('All','---','INSERT INTO Dmode (Field1) VALUES ('untagged readings not included')INSERT INTO Dmode (Field1) VALUES ('minimun 12 readings needed')INSERT INTO Dmode (Field1) VALUES ('Average')INSERT INTO Dmode (Field1) VALUES ('Average without 1st day')INSERT INTO Dmode (Field1,Field2,Field3,Field4,Field5,Field6) VALUES ('*INSERT INTO Dmode (Field1,Field2,Field3,Field4,F
Source: RemoveDeviceXP.exe.1.dr | Binary string: \Device\HidCom2
Source: RemoveDeviceXP.exe.1.dr | Binary string: \Device\HidCom0
Source: RemoveDevice2000.exe.1.dr | Binary string: \drivers\HidCom.sys.PNF\hidcom.INFPortNameProgramFilesDirsoftware\microsoft\windows\currentversionProductNamesoftware\microsoft\windows NT\currentversion\Device\HidCom0HARDWARE\DEVICEMAP\SERIALCOMMprintf.cformat != NULLi386\chkesp.cThe value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.
Source: RemoveDeviceXP.exe.1.dr | Binary string: \Device\HidCom1
Source: HidCom.sys.1.dr | Binary string: \Device\HidCom%dh
Source: RemoveDeviceXP.exe.1.dr | Binary string: \hidcom.INFPortNameProgramFilesDirsoftware\microsoft\windows\currentversionProductNamesoftware\microsoft\windows NT\currentversion\Device\HidCom2\Device\HidCom1\Device\HidCom0HARDWARE\DEVICEMAP\SERIALCOMMError in opening a file..wC:\RemovalLog.txtprintf.cformat != NULLi386\chkesp.cThe value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention. fclose.cstr != NULL*mode != _T('\0')mode != NULL*file != _T('\0')fopen.cfile != NULL
Reading these together: \Device\HidCom0 to \Device\HidCom2 are the device objects the dropped HidCom.sys creates (its own format string is \Device\HidCom%d), and HARDWARE\DEVICEMAP\SERIALCOMM is the registry map in which serial drivers publish COM port names, so the user-mode tools address the device as a virtual COM port. The CLSID {00024500-0000-0000-C000-000000000046} in the main executable is Excel.Application, consistent with the adjacent "Initialize Excel COM fail." message; the INSERT INTO fragments ending in an open quote are SQL text assembled by string concatenation at run time.
Classification label
Source: classification engine | Classification label: sus39.winEXE@10/46@0/1
Contains functionality for error logging
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0048C940 GetLastError, FormatMessageA
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Code function: 0_2_0040142B lstrlenA, GetCurrentDirectoryA, GetTempPathA, lstrlenA, lstrlenA, lstrcpyA, lstrlenA, lstrcatA, wsprintfA, wsprintfA, wsprintfA, DeleteFileA, DeleteFileA, RemoveDirectoryA, RemoveDirectoryA, GetFileAttributesA, wsprintfA, wsprintfA, DeleteFileA, CreateDirectoryA, CreateDirectoryA, lstrcpyA, lstrcpyA, SetCurrentDirectoryA, SetCurrentDirectoryA, lstrcpyA, CreateDirectoryA, SetCurrentDirectoryA, lstrcpyA, lstrlenA, lstrcatA, lstrcpyA, lstrcpyA, lstrcatA, GetDiskFreeSpaceA, lstrcpyA, SetCurrentDirectoryA
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004C817A LockResource
Creates files inside the program directory
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\
Creates files inside the user directory
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WatchBP Analyzer Home\
Creates temporary files
Source: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | File created: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0
Executes batch files
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\WatchBP Analyzer Home\RegisterPDFDocScout.bat''
PE file has an executable .text section and no other executable section
Source: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies key, which the loader consults for most processes; not specific to this sample)
Sample might require command line arguments
Source: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | String found in binary or memory: ^HN/adD@ (a weak heuristic: the matched string is not a recognizable switch)
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe 'C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe __IRAOFF:543245 '__IRAFN:C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\WatchBP Analyzer Home\RegisterPDFDocScout.bat''
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s PDFDocScout.dll
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe 'LogonUI.exe' /flags:0x0 /state0:0xa385d855 /state1:0x41c64e6d (the Windows logon screen; parent unknown, not part of the sample's recorded process tree)
Source: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Process created: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe __IRAOFF:543245 '__IRAFN:C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe'
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\WatchBP Analyzer Home\RegisterPDFDocScout.bat''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s PDFDocScout.dll
Uses an in-process (OLE) Automation server
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 (the shell's My Computer folder object)
Writes ini files
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File written: C:\Program Files (x86)\WatchBP Analyzer Home\language.ini
Found GUI installer (many successful clicks)
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Automated click: Next >
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Static file information: File size 11839725 > 1048576
Binary contains paths to debug symbols
Source: Binary string: D:\Old_NB_Data\program\program\REemoveDevice\Debug\RemoveDeviceXP.pdb | source: RemoveDeviceXP.exe.1.dr
Source: Binary string: E:\8168\VC98\crtbld\crt\src\build\intel\dll_pdb\msvcp60d.pdb | source: MSVCP60D.DLL.1.dr
Source: Binary string: E:\8168\VC98\MFC\MFC\src\MFCD42UD.pdb | source: MFCD42UD.DLL.1.dr
Source: Binary string: E:\8168\VC98\MFC\MFC\src\MFCD42D.pdb | source: MFCD42D.DLL.1.dr
Source: Binary string: E:\8168\VC98\MFC\MFC\src\MFC42UD.pdb | source: MFC42UD.DLL.1.dr
Source: Binary string: D:\program\REemoveDevice_20071002XP\REemoveDevice\Debug\RemoveDevice2000.pdb | source: RemoveDevice2000.exe.1.dr
Source: Binary string: D:\Old_NB_Data\program\program\dll\Win32DLL\Win32DLL\Debug\Win32DLL.pdb | source: Win32DLL.dll.1.dr
Source: Binary string: E:\8168\VC98\crtbld\crt\src\build\intel\dll_pdb\msvcrtd.pdb | source: MSVCRTD.DLL.1.dr
Source: Binary string: x:\My_projects\CODE\delphi\PDFDocScout\PDFDocScoutImageAddon\src\PDFDocScoutImageAddon_src6nov2006\Release\PDFDocScoutImgAddon.pdb | source: PDFDocScoutImgAddon.dll.1.dr
Source: Binary string: N:\Davis\HidComDrv\objfre_w2K_x86\i386\HidCom.pdb | source: HidCom.sys.1.dr
Source: Binary string: E:\8168\VC98\MFC\MFC\src\MFCO42D.pdb | source: MFCO42D.DLL.1.dr
Source: Binary string: x:\My_projects\CODE\delphi\PDFDocScout\PDFDocScoutImageAddon\src\PDFDocScoutImageAddon_src6nov2006\Release\PDFDocScoutImgAddon.pdbDp | source: PDFDocScoutImgAddon.dll.1.dr
Source: Binary string: 5E:\8168\VC98\MFC\MFC\src\MFC42D.pdb | source: MFC42D.DLL.1.dr
Source: Binary string: D:\WatchBPHomeSetup\HomeSource\WatchBP_Home_Multi_V1030_20160115_Y16D711\Debug\WatchBP Analyzer Home.pdb | source: irsetup.exe, 00000001.00000003.667926599.00000000026EA000.00000004.00000001.sdmp, WatchBP Analyzer Home.exe.1.dr
Source: Binary string: MFC42.pdb | source: mfc42.dll.1.dr
Source: Binary string: E:\8168\VC98\MFC\MFC\src\MFCO42UD.pdb | source: MFCO42UD.DLL.1.dr
Source: Binary string: 5E:\8168\VC98\MFC\MFC\src\MFC42UD.pdb | source: MFC42UD.DLL.1.dr
Source: Binary string: E:\8168\VC98\MFC\MFC\src\MFC42D.pdb | source: MFC42D.DLL.1.dr
The \Debug\ and "D" suffixed (MFC42D, MSVCRTD, MSVCP60D) names show that the application, its helper tools and the Visual C++ 6 runtime it ships were all built as debug binaries, and objfre_w2K_x86 marks HidCom.sys as a 32-bit build from the Windows 2000 DDK.
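The signatures "Urls found in memory or binary data", "Binary contains device paths", "Binary contains paths to debug symbols" and the "Connects to country known for bullet proof hosters" hit above all come from pattern matching over the raw strings of the files. The Python below is an added example, not Joe Sandbox code and not part of the WatchBP software: it runs the same kind of extraction over a byte blob constructed from strings quoted in this report (NUL-separated, as they sit in a binary) plus one constructed RFC 5737 documentation address, and shows why 1.0.3.0 should be rejected as an IPv4 indicator: it is glued to the letter V and an underscore inside the file-name token, which the strict pattern refuses. The blob contents, regexes and function names are the example's own assumptions.

```python
import re

# Constructed blob: strings quoted in the report, NUL-separated, plus one
# RFC 5737 documentation address (198.51.100.23) to stand in for a real hit.
BLOB = b"\x00".join([
    b"OriginalFilename\x00suf70_launch.exe",
    b"http://www.indigorose.com/route.php?pid=suf60buy",
    b"http://bytescout.com",
    b"\\Device\\HidCom%d",
    b"N:\\Davis\\HidComDrv\\objfre_w2K_x86\\i386\\HidCom.pdb",
    b"D:\\WatchBPHomeSetup\\HomeSource\\WatchBP_Home_Multi_V1030_20160115_Y16D711\\Debug\\WatchBP Analyzer Home.pdb",
    b"WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe",
    b"198.51.100.23:443",
    b"HARDWARE\\DEVICEMAP\\SERIALCOMM",
])

URL_RE = re.compile(rb"(?:https?|ftp)://[^\s\x00\"'<>]+")
DEVICE_RE = re.compile(rb"\\Device\\[A-Za-z0-9_%]+")
PDB_RE = re.compile(rb"[A-Za-z]:\\[^\x00\r\n]*?\.pdb")
# Loose: any dotted quad of 1-3 digit groups (what a naive extractor reports).
# Strict: additionally not glued to letters, digits, underscores or dots on
# either side, which rejects version tokens such as V1.0.3.0_.
IPV4_LOOSE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
IPV4_STRICT = re.compile(rb"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")


def _uniq(items):
    """Decode byte matches and drop duplicates while keeping first-seen order."""
    seen, out = set(), []
    for item in items:
        text = item.decode("latin-1")
        if text not in seen:
            seen.add(text)
            out.append(text)
    return out


def _valid_octets(ip):
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def extract_indicators(blob):
    """Return URLs, NT device paths, PDB paths and IPv4 candidates found in blob.

    IPv4 candidates that only the loose pattern accepts are reported separately
    under 'ipv4_rejected' so an analyst can see what a naive scan would have flagged.
    """
    loose = [ip for ip in _uniq(IPV4_LOOSE.findall(blob)) if _valid_octets(ip)]
    strict = set(_uniq(IPV4_STRICT.findall(blob)))
    return {
        "urls": _uniq(URL_RE.findall(blob)),
        "device_paths": _uniq(DEVICE_RE.findall(blob)),
        "pdb_paths": _uniq(PDB_RE.findall(blob)),
        "ipv4": [ip for ip in loose if ip in strict],
        "ipv4_rejected": [ip for ip in loose if ip not in strict],
    }


if __name__ == "__main__":
    for key, values in extract_indicators(BLOB).items():
        print(key, values)
```

On the constructed blob the loose pattern yields both 1.0.3.0 and 198.51.100.23; only the second survives the strict pattern, which is the check the report's "bullet proof hoster" signature did not apply.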

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Code function: 0_2_00404DB2 LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
Registers a DLL
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s PDFDocScout.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Code function: 0_2_00401BD0 push eax; ret 0_2_00401BFE
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004ACA28 push eax; ret 1_2_004ACA46
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004AD100 push eax; ret 1_2_004AD12E
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\HidCom.sys
Note: the driver's PDB path (objfre_w2K_x86\i386\HidCom.pdb) marks it as a 32-bit build, which the 64-bit Windows 10 kernel of the analysis machine cannot load, and 64-bit kernels also enforce driver signature checks; consistent with that, the report counts 0 new started drivers. The driver was dropped but not installed here. To see the install path, examine HidComInst.exe and the hidcom.INF referenced by the RemoveDevice tools, or rerun the sample on a 32-bit image.
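The static checks behind "PE file has an executable .text section and no other executable section", "Sample is packed with UPX" and the "not signed" half of the signature above can be reproduced from the PE headers alone. The Python below is an added example (not Joe Sandbox code and not from the WatchBP installer): it builds two constructed, headers-only PE images, a UPX-style layout and a conventional one carrying a certificate table, and reports section names, executable sections, whether UPX section names are present and whether an Authenticode certificate table exists. Presence of the table only means a signature blob is attached; validity needs the hash and chain check (for example Get-AuthenticodeSignature on Windows). The section layouts, flags and offsets in the two sample images are assumptions.

```python
import struct

# Section characteristic flags (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table


def build_pe(sections, cert_size=0):
    """Construct a headers-only 32-bit PE image for demonstration (no real code).

    sections: list of (name, characteristics). cert_size > 0 adds a security
    directory entry pointing at an (absent) WIN_CERTIFICATE blob.
    """
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)      # e_lfanew = 0x80
    dos += b"\x00" * (0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    if cert_size:
        # Security directory holds a file offset (not an RVA) and a size.
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x4000, cert_size)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, flags)
        for name, flags in sections
    )
    return dos + b"PE\x00\x00" + coff + bytes(opt) + hdrs


def analyze_pe(data):
    """Parse section table and security directory; works for PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)             # PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]     # NumberOfRvaAndSizes
    cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, cert_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsec):
        raw = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((raw[0].rstrip(b"\x00").decode("latin-1"), raw[9]))
    executable = [n for n, f in sections if f & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)]
    return {
        "machine": machine,                                  # 0x14C = i386
        "sections": [n for n, _ in sections],
        "upx_packed": any(n.startswith("UPX") for n, _ in sections),
        "executable_sections": executable,
        "only_text_executable": executable == [".text"],
        "has_certificate_table": cert_size > 0,              # presence, not validity
    }


def demo():
    """Analyse a UPX-style image and a conventional image with a certificate table."""
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    upx_like = build_pe([
        ("UPX0", IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx),     # unpack destination
        ("UPX1", IMAGE_SCN_CNT_INITIALIZED_DATA | rwx),       # packed payload + stub
        (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])
    signed_like = build_pe([
        (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ], cert_size=0x1800)
    return analyze_pe(upx_like), analyze_pe(signed_like)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Run on a real file, pass `open(path, "rb").read()` to analyze_pe. The UPX check is by section name only, which a repacker can rename; the packed sample's own unpacked images (the .unpack entries under "AV Detection") are what an engine should be run against.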
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\PDFDocScout.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\WatchBP Analyzer Home.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\msado15.dll
Source: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | File created: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\RemoveDeviceXP.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\RemoveDevice2000.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\pdflib.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\MSVCP60D.DLL
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\MFC42UD.DLL
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\mfc42.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\MFCD42D.DLL
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\Win32DLL.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\MFCO42D.DLL
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\PDFDocScoutImgAddon.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\HIDApi.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Windows\WatchBP Analyzer Home\uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\MFCO42UD.DLL
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\MFCD42UD.DLL
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\HidComInst.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\HidCom.sys
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Program Files (x86)\WatchBP Analyzer Home\MSVCRTD.DLL
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Windows\WatchBP Analyzer Home\uninstall.exe

Boot Survival:

Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WatchBP Analyzer Home\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WatchBP Analyzer Home\WatchBP Analyzer Home.lnk
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WatchBP Analyzer Home\Uninstall WatchBP Analyzer Home.lnk
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WatchBP Analyzer Home\WatchBP Analyzer Home Operation Manual.lnk

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0040354E LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,1_2_0040354E
Disables application error messages (SetErrorMode)
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\LogonUI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\LogonUI.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of harddrives
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File Volume queried: C:\ FullSizeInformation
Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | File opened: C:\Users\user\AppData\Roaming\
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Window / User API: threadDelayed 605
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Window / User API: threadDelayed 470
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\WatchBP Analyzer Home.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\msado15.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\RemoveDeviceXP.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\pdflib.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\RemoveDevice2000.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\MSVCP60D.DLL
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\MFC42UD.DLL
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\mfc42.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\MFCD42D.DLL
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\Win32DLL.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\PDFDocScoutImgAddon.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\MFCO42D.DLL
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\HIDApi.dll
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\MFCO42UD.DLL
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\MFCD42UD.DLL
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\HidComInst.exe
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\HidCom.sys
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WatchBP Analyzer Home\MSVCRTD.DLL
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004C8AA6 FindFirstFileA,FindClose,1_2_004C8AA6
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00408DBC __EH_prolog,FindFirstFileA,FindClose,1_2_00408DBC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00408E3A __EH_prolog,GetFileAttributesA,lstrcpy,FindFirstFileA,FindClose,1_2_00408E3A
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00408F73 __EH_prolog,GetFullPathNameA,lstrcpyn,GetVolumeInformationA,FindFirstFileA,FindClose,lstrcpy,1_2_00408F73
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004C3C5F __EH_prolog,GetFullPathNameA,lstrcpyn,GetVolumeInformationA,FindFirstFileA,FindClose,lstrcpy,1_2_004C3C5F
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0043C870 __EH_prolog,FindFirstFileA,FindFirstFileA,InterlockedIncrement,FindNextFileA,FindClose,FindFirstFileA,InterlockedIncrement,FindNextFileA,FindClose,1_2_0043C870
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0043D18B __EH_prolog,FindFirstFileA,InterlockedIncrement,FindNextFileA,FindClose,1_2_0043D18B
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0040927B __EH_prolog,FindFirstFileA,FindFirstFileA,InterlockedIncrement,FindNextFileA,FindClose,FindFirstFileA,InterlockedIncrement,FindNextFileA,FindClose,1_2_0040927B
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_0047F41C __EH_prolog,GetLogicalDriveStringsA,GetDriveTypeA,1_2_0047F41C
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: regsvr32.exe, 0000000A.00000002.680451283.0000000000A20000.00000002.00000001.sdmp, LogonUI.exe, 0000000B.00000002.922146167.00000235684B0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: regsvr32.exe, 0000000A.00000002.680451283.0000000000A20000.00000002.00000001.sdmp, LogonUI.exe, 0000000B.00000002.922146167.00000235684B0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: regsvr32.exe, 0000000A.00000002.680451283.0000000000A20000.00000002.00000001.sdmp, LogonUI.exe, 0000000B.00000002.922146167.00000235684B0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: regsvr32.exe, 0000000A.00000002.680451283.0000000000A20000.00000002.00000001.sdmp, LogonUI.exe, 0000000B.00000002.922146167.00000235684B0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\LogonUI.exe | System information queried: KernelDebuggerInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Code function: 0_2_00404DB2 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00404DB2
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_00496D50 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlReAllocateHeap,1_2_00496D50
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004B45F7 SetUnhandledExceptionFilter,1_2_004B45F7
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004B4609 SetUnhandledExceptionFilter,1_2_004B4609

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s PDFDocScout.dll
May try to detect the Windows Explorer process (often used for injection)
Source: LogonUI.exe, 0000000B.00000002.923909528.0000023569270000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: LogonUI.exe, 0000000B.00000002.923909528.0000023569270000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: LogonUI.exe, 0000000B.00000002.923909528.0000023569270000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: LogonUI.exe, 0000000B.00000002.923909528.0000023569270000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: GetLocaleInfoA,1_2_004BC0FA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: __EH_prolog,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,1_2_004020F0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\LogonUI.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\LogonUI.exe | Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004AF7DA GetLocalTime,GetSystemTime,GetTimeZoneInformation,1_2_004AF7DA
Contains functionality to query time zone information
Source: C:\Users\user\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe | Code function: 1_2_004B6E71 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,1_2_004B6E71
Contains functionality to query windows version
Source: C:\Users\user\Desktop\WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Code function: 0_2_00401E64 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,0_2_00401E64

Behavior Graph

[Behavior graph rendered as an image in the original report; only the information recoverable from its text is kept here.]

Behavior Graph ID: 151576 | Sample: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | Startdate: 12/07/2019 | Architecture: WINDOWS | Score: 39

  • Processes: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe (started) -> irsetup.exe (started) -> cmd.exe (started) -> conhost.exe (started) and regsvr32.exe (started); LogonUI.exe (started)
  • Dropped by WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe: C:\Users\user\AppData\Local\...\irsetup.exe, PE32
  • Dropped by irsetup.exe: C:\Program Files (x86)\...\HidComInst.exe, PE32; C:\Program Files (x86)\...\HidCom.sys, PE32; C:\Windows\...\uninstall.exe, PE32; 17 other files (none is malicious)
  • Signatures: Antivirus or Machine Learning detection for dropped file; Sample is not signed and drops a device driver
  • DNS/IP Info: 1.0.3.0 unknown China

Simulations

Behavior and APIs

Time | Type | Description
11:23:35 | API Interceptor | 3x Sleep call for process: WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | 1% | virustotal |
WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe | 0% | metadefender |

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\WatchBP Analyzer Home\HidComInst.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\WatchBP Analyzer Home\HIDApi.dll | 0% | virustotal |
C:\Program Files (x86)\WatchBP Analyzer Home\HIDApi.dll | 0% | metadefender |
C:\Program Files (x86)\WatchBP Analyzer Home\HidCom.sys | 0% | virustotal |
C:\Program Files (x86)\WatchBP Analyzer Home\MFC42UD.DLL | 0% | virustotal |
C:\Program Files (x86)\WatchBP Analyzer Home\MFC42UD.DLL | 0% | metadefender |
C:\Program Files (x86)\WatchBP Analyzer Home\MFCD42D.DLL | 0% | virustotal |
C:\Program Files (x86)\WatchBP Analyzer Home\MFCD42D.DLL | 0% | metadefender |
C:\Program Files (x86)\WatchBP Analyzer Home\MFCD42UD.DLL | 0% | virustotal |
C:\Program Files (x86)\WatchBP Analyzer Home\MFCD42UD.DLL | 0% | metadefender |
C:\Program Files (x86)\WatchBP Analyzer Home\MFCO42D.DLL | 0% | virustotal |
C:\Program Files (x86)\WatchBP Analyzer Home\MFCO42D.DLL | 0% | metadefender |
C:\Program Files (x86)\WatchBP Analyzer Home\MFCO42UD.DLL | 0% | virustotal |
C:\Program Files (x86)\WatchBP Analyzer Home\MFCO42UD.DLL | 0% | metadefender |
C:\Program Files (x86)\WatchBP Analyzer Home\MSVCP60D.DLL | 0% | virustotal |
C:\Program Files (x86)\WatchBP Analyzer Home\MSVCP60D.DLL | 0% | metadefender |
C:\Program Files (x86)\WatchBP Analyzer Home\MSVCRTD.DLL | 0% | virustotal |
C:\Program Files (x86)\WatchBP Analyzer Home\MSVCRTD.DLL | 0% | metadefender |
C:\Program Files (x86)\WatchBP Analyzer Home\PDFDocScout.dll | 0% | virustotal |
C:\Program Files (x86)\WatchBP Analyzer Home\PDFDocScoutImgAddon.dll | 0% | virustotal |

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.irsetup.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1004669
1.2.irsetup.exe.400000.0.unpack | 100% | Joe Sandbox ML |
1.1.irsetup.exe.400000.0.unpack | 100% | Joe Sandbox ML |
0.1.WatchBP_Home_Analyzer_V1.0.3.0_Multilingual.exe.400000.0.unpack | 100% | Joe Sandbox ML |
1.0.irsetup.exe.400000.0.unpack | 100% | Joe Sandbox ML |

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.borland.com | 0% | virustotal |
http://www.borland.com | 0% | Avira URL Cloud | safe
http://pdfdocscout.com/ | 0% | Avira URL Cloud | safe
http://www.borland.comU | 0% | Avira URL Cloud | safe
http://bytescout.com0 | 0% | Avira URL Cloud | safe
ftp://https://http://%sInternetGetProxyInfoInternetInitializeAutoProxyDlljsproxy.dllDetectAutoProxyU | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | request.doc | malicious | 192.168.0.44
unknown | FERK444259.doc | malicious | 192.168.0.44
unknown | b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js | malicious | 192.168.0.40
unknown | Setup.exe | malicious | 192.168.0.40
unknown | base64.pdf | malicious | 192.168.0.40
unknown | file.pdf | malicious | 192.168.0.40
unknown | Spread sheet 2.pdf | malicious | 192.168.0.40
unknown | request_08.30.doc | malicious | 192.168.0.44
unknown | P_2038402.xlsx | malicious | 192.168.0.44
unknown | 48b1cf747a678641566cd1778777ca72.apk | malicious | 192.168.0.22
unknown | seu nome na lista de favorecidos.exe | malicious | 192.168.0.40
unknown | Adm_Boleto.via2.com | malicious | 192.168.0.40
unknown | QuitacaoVotorantim345309.exe | malicious | 192.168.0.40
unknown | pptxb.pdf | malicious | 192.168.0.40

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails
