Analysis Report kse-542-setup.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 173097
Start date: 11.09.2019
Start time: 20:47:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 53s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: kse-542-setup.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean5.winEXE@1/13@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 80.9% (good quality ratio 78.4%)
  • Quality average: 85.2%
  • Quality standard deviation: 23.7%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Detection
Threshold | 5     | 0 - 100 |           | false       | clean

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 3     | 0 - 5 | true                       |


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access:
  • Valid Accounts
  • Replication Through Removable Media
  • Drive-by Compromise
  • Exploit Public-Facing Application
Execution:
  • Windows Remote Management
  • Service Execution
  • Windows Management Instrumentation
  • Scheduled Task
Persistence:
  • Startup Items 1
  • Registry Run Keys / Startup Folder 1
  • Accessibility Features
  • System Firmware
Privilege Escalation:
  • Access Token Manipulation 1
  • Startup Items 1
  • Path Interception
  • DLL Search Order Hijacking
Defense Evasion:
  • Masquerading 1
  • Access Token Manipulation 1
  • DLL Side-Loading 1
  • Obfuscated Files or Information 1
Credential Access:
  • Credential Dumping
  • Network Sniffing
  • Input Capture
  • Credentials in Files
Discovery:
  • Security Software Discovery 11
  • File and Directory Discovery 2
  • System Information Discovery 22
  • System Network Configuration Discovery
Lateral Movement:
  • Application Deployment Software
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
Collection:
  • Clipboard Data 1
  • Data from Removable Media
  • Data from Network Shared Drive
  • Input Capture
Exfiltration:
  • Data Encrypted 1
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
Command and Control:
  • Standard Cryptographic Protocol 1
  • Fallback Channels
  • Custom Cryptographic Protocol
  • Multiband Communication

Signature Overview



Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_004062A3 FindFirstFileA,FindClose,0_2_004062A3
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405768
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_004026FE FindFirstFileA,0_2_004026FE

Networking:

Urls found in memory or binary data
Source: kse.exe.0.dr; String found in binary or memory: http://fsf.org/
Source: kse-542-setup.exe, 00000000.00000002.4694130395.0000000000712000.00000004.00000001.sdmp; String found in binary or memory: http://keystore-explorer.org
Source: kse-542-setup.exe, 00000000.00000003.4693010222.0000000000731000.00000004.00000001.sdmp, Uninstall.lnk.0.dr; String found in binary or memory: http://keystore-explorer.org/
Source: kse-542-setup.exe, 00000000.00000003.4693010222.0000000000731000.00000004.00000001.sdmp; String found in binary or memory: http://keystore-explorer.orgP?uWV
Source: kse-542-setup.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: kse-542-setup.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: kse.exe.0.dr; String found in binary or memory: http://tigert.com
Source: kse.exe.0.dr; String found in binary or memory: http://www.apache.org/licenses/
Source: kse.exe.0.dr; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: kse.exe.0.dr; String found in binary or memory: http://www.bouncycastle.org)
Source: kse.exe.0.dr; String found in binary or memory: http://www.gnu.org/licenses/
Source: kse.exe.0.dr; String found in binary or memory: http://www.gnu.org/philosophy/why-not-lgpl.html

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_00405205 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405205

System Summary:

Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040320C
Detected potential crypto function
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_00404A44 0_2_00404A44
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_00406F54 0_2_00406F54
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_0040677D 0_2_0040677D
PE file contains strange resources
Source: kse-542-setup.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: kse-542-setup.exe, 00000000.00000002.4695874188.0000000002A70000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs kse-542-setup.exe
Source: kse-542-setup.exe, 00000000.00000002.4694450394.0000000002180000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameuser32j% vs kse-542-setup.exe
Source: kse-542-setup.exe, 00000000.00000002.4696152560.0000000002B70000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs kse-542-setup.exe
Source: kse-542-setup.exe, 00000000.00000002.4696152560.0000000002B70000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs kse-542-setup.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\kse-542-setup.exe; File read: C:\Users\user\Desktop\kse-542-setup.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\kse-542-setup.exe; Section loaded: wow64log.dll
Classification label
Source: classification engine; Classification label: clean5.winEXE@1/13@0/0
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040320C
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_004044D1 GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004044D1
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar,0_2_004020D1
Creates files inside the program directory
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Program Files (x86)\KeyStore Explorer
Creates files inside the user directory
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KeyStore Explorer
Creates temporary files
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Users\user~1\AppData\Local\Temp\nsd91EB.tmp
PE file has an executable .text section and no other executable section
Source: kse-542-setup.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\kse-542-setup.exe; File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\kse-542-setup.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\kse-542-setup.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Found GUI installer (many successful clicks)
Source: C:\Users\user\Desktop\kse-542-setup.exe; Automated click: Next >
Source: C:\Users\user\Desktop\kse-542-setup.exe; Automated click: Next >
Source: C:\Users\user\Desktop\kse-542-setup.exe; Automated click: Next >
Source: C:\Users\user\Desktop\kse-542-setup.exe; Automated click: Install
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: kse-542-setup.exe; Static file information: File size 10453846 > 1048576
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: kse-542-setup.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_0042054E push ecx; retn 0003h 0_2_00420550

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Program Files (x86)\KeyStore Explorer\uninstall.exe
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Users\user\AppData\Local\Temp\nsi9259.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Users\user\AppData\Local\Temp\nsi9259.tmp\System.dll
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Users\user\AppData\Local\Temp\nsi9259.tmp\nsDialogs.dll
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Users\user\AppData\Local\Temp\nsi9259.tmp\WinShell.dll
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Users\user\AppData\Local\Temp\nsi9259.tmp\UserInfo.dll
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Program Files (x86)\KeyStore Explorer\kse.exe

Boot Survival:

Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KeyStore Explorer
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KeyStore Explorer\Uninstall.lnk
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KeyStore Explorer\Visit Website.lnk
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KeyStore Explorer\Licenses.lnk
Source: C:\Users\user\Desktop\kse-542-setup.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KeyStore Explorer\KeyStore Explorer.lnk

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\kse-542-setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kse-542-setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kse-542-setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kse-542-setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kse-542-setup.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of harddrives
Source: C:\Users\user\Desktop\kse-542-setup.exe; File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\Desktop\kse-542-setup.exe; File Volume queried: C:\Program Files (x86) FullSizeInformation
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\kse-542-setup.exe; Dropped PE file which has not been started: C:\Program Files (x86)\KeyStore Explorer\uninstall.exe
Source: C:\Users\user\Desktop\kse-542-setup.exe; Dropped PE file which has not been started: C:\Program Files (x86)\KeyStore Explorer\kse.exe
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_004062A3 FindFirstFileA,FindClose,0_2_004062A3
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405768
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_004026FE FindFirstFileA,0_2_004026FE
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: kse-542-setup.exe; Binary or memory string: Qemuf
Program exit points
Source: C:\Users\user\Desktop\kse-542-setup.exe; API call chain: ExitProcess graph end node graph_0-3326

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\kse-542-setup.exe; System information queried: KernelDebuggerInformation

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\kse-542-setup.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\kse-542-setup.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\kse-542-setup.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\kse-542-setup.exe; Queries volume information: C:\ VolumeInformation
Contains functionality to query windows version
Source: C:\Users\user\Desktop\kse-542-setup.exe; Code function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040320C

Behavior Graph

Behavior Graph ID: 173097
Sample: kse-542-setup.exe
Start date: 11/09/2019
Architecture: WINDOWS
Score: 5
Process started: kse-542-setup.exe
Dropped files:
  • C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32
  • C:\Users\user\AppData\Local\...\WinShell.dll, PE32
  • C:\Users\user\AppData\Local\...\UserInfo.dll, PE32
  • 4 other files (none is malicious)

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source            | Detection | Scanner    | Label
kse-542-setup.exe | 2%        | Virustotal |

Dropped Files

Source                                                            | Detection | Scanner      | Label
C:\Program Files (x86)\KeyStore Explorer\uninstall.exe            | 3%        | Virustotal   |
C:\Program Files (x86)\KeyStore Explorer\uninstall.exe            | 3%        | Metadefender |
C:\Users\user\AppData\Local\Temp\nsi9259.tmp\InstallOptions.dll   | 0%        | Virustotal   |
C:\Users\user\AppData\Local\Temp\nsi9259.tmp\InstallOptions.dll   | 0%        | Metadefender |
C:\Users\user\AppData\Local\Temp\nsi9259.tmp\System.dll           | 0%        | Virustotal   |
C:\Users\user\AppData\Local\Temp\nsi9259.tmp\System.dll           | 0%        | Metadefender |
C:\Users\user\AppData\Local\Temp\nsi9259.tmp\UserInfo.dll         | 0%        | Virustotal   |
C:\Users\user\AppData\Local\Temp\nsi9259.tmp\UserInfo.dll         | 0%        | Metadefender |
C:\Users\user\AppData\Local\Temp\nsi9259.tmp\WinShell.dll         | 0%        | Virustotal   |
C:\Users\user\AppData\Local\Temp\nsi9259.tmp\WinShell.dll         | 0%        | Metadefender |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source                       | Detection | Scanner         | Label
http://www.bouncycastle.org) | 0%        | Avira URL Cloud | safe
http://tigert.com            | 0%        | Virustotal      |
http://tigert.com            | 0%        | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\nsi9259.tmp\InstallOptions.dll
Associated sample name / URL (detection):
  • SearchPrime_MTI5NDg_1.0.0.6_Chrome.exe (malicious)
Match: C:\Users\user\AppData\Local\Temp\nsi9259.tmp\System.dll
Associated sample name / URL (detection):
  • Boopl011159.jse (malicious)
  • cEsXWcUxX6.exe (malicious)
  • 26BL copy.exe (malicious)
  • 33New order.exe (malicious)
  • SK004-78373527282.exe (malicious)
  • 31Urgent Order.exe (malicious)
  • 3PO.exe (malicious)
  • http://dl.driverpack.io/17-online/DriverPack-17-Online.exe (malicious)
  • DriverPack-17-Online_1049590282.1557142911.exe (malicious)
  • cmrDocument.doc (malicious)
  • RSEBBScan0023.doc (malicious)
  • king.exe (malicious)
  • SearchPrime_MTI5NDg_1.0.0.6_Chrome.exe (malicious)
  • Order New FMR-826 INV&PL.doc (malicious)
  • http://ec.rk-store.net/blog/wp-admin/champ.exe (malicious)
  • 52new order.exe (malicious)
  • RFQ 78596PE 11451.exe (malicious)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.