
Analysis Report mandiant_ioc_finder.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 208470
Start date: 14.02.2020
Start time: 16:09:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 38s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: mandiant_ioc_finder.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus22.evad.winEXE@2/1@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 100% (good quality ratio 50%)
  • Quality average: 50%
  • Quality standard deviation: 50%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Execution Graph export aborted for target mandiant_ioc_finder.exe, PID 1744 because there are no executed function

Detection

Strategy: Threshold
Score: 22
Range: 0 - 100
Whitelisted: false
Detection: suspicious

Confidence

Strategy: Threshold
Score: 4
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")



MITRE ATT&CK Matrix

Techniques are listed per tactic; numbers in parentheses are the counts shown in the matrix next to the matched techniques.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
Execution: Command-Line Interface (2); Service Execution; Windows Management Instrumentation
Persistence: Hooking (1); Port Monitors; Accessibility Features
Privilege Escalation: Hooking (1); Process Injection (1); Path Interception
Defense Evasion: Process Injection (1); Binary Padding; Rootkit
Credential Access: Hooking (1); Network Sniffing; Input Capture
Discovery: System Time Discovery (1); Security Software Discovery (1); System Information Discovery (2)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Signature Overview

Networking:

URLs found in memory or binary data

System Summary:

PE file contains executable resources (Code or Archives)
Source: mandiant_ioc_finder.exeStatic PE information: Resource name: COMPRESSED_FILE type: Zip archive data, at least v2.0 to extract
Source: mandiant_ioc_finder.exeStatic PE information: Resource name: COMPRESSED_FILE type: Zip archive data, at least v2.0 to extract
Source: mandiant_ioc_finder.exeStatic PE information: Resource name: MKTOOLS type: PE32 executable (native) Intel 80386, for MS Windows
Source: mandiant_ioc_finder.exeStatic PE information: Resource name: MKTOOLS_X64 type: PE32+ executable (native) x86-64, for MS Windows
Sample file name is different from the original file name gathered from version info
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: mandiant_ioc_finder.exeBinary string: \DosDevices\Mandiant_Process_Illumination\Device\Mandiant_Process_IlluminationRSDS
Source: mandiant_ioc_finder.exeBinary string: \Device\PhysicalMemoryCSDVersionCurrentVersionf.
Source: mandiant_ioc_finder.exeBinary string: \DosDevices\Mandiant_Tools\Device\Mandiant_Tools0R
Source: mandiant_ioc_finder.exeBinary string: IoCreateDeviceSecureIoValidateDeviceIoControlAccessPropertiesClassNoDisplayClassNoUseClassSecurityDeviceTypeDeviceCharacteristicsExclusive\Registry\Machine\System\CurrentControlSet\Control\Class{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}GXGWGRGASDWOWDRCA\DosDevices\Mandiant_Tools\Device\Mandiant_Tools0R
Source: mandiant_ioc_finder.exeBinary string: \Device\PhysicalMemory
Classification label
Source: classification engine; Classification label: sus22.evad.winEXE@2/1@0/0
Creates mutexes
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5584:120:WilError_01
PE file has an executable .text section and no other executable section
Source: mandiant_ioc_finder.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\mandiant_ioc_finder.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: mandiant_ioc_finder.exe, 00000000.00000002.1112795588.000000014095B000.00000002.00020000.sdmp; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: mandiant_ioc_finder.exe, 00000000.00000002.1112795588.000000014095B000.00000002.00020000.sdmp; Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: mandiant_ioc_finder.exe, 00000000.00000002.1112795588.000000014095B000.00000002.00020000.sdmp; Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: mandiant_ioc_finder.exe, 00000000.00000002.1112795588.000000014095B000.00000002.00020000.sdmp; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: mandiant_ioc_finder.exe, 00000000.00000002.1112795588.000000014095B000.00000002.00020000.sdmp; Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: mandiant_ioc_finder.exe, 00000000.00000002.1112795588.000000014095B000.00000002.00020000.sdmp; Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: mandiant_ioc_finder.exe, 00000000.00000002.1112795588.000000014095B000.00000002.00020000.sdmp; Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Sample might require command line arguments
Source: mandiant_ioc_finder.exe; String found in binary or memory: id-cmc-addExtensions
Source: mandiant_ioc_finder.exe; String found in binary or memory: set-addPolicy
Source: mandiant_ioc_finder.exe; String found in binary or memory: [GP-Install v5.0.3.32]
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\mandiant_ioc_finder.exe 'C:\Users\user\Desktop\mandiant_ioc_finder.exe'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PE / OLE file has a valid certificate
Source: mandiant_ioc_finder.exe; Static PE information: certificate valid
PE file exports many functions
Source: mandiant_ioc_finder.exe; Static PE information: More than 320 > 100 exports found
PE file has a big code size
Source: mandiant_ioc_finder.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
PE file has a high image base, often used for DLLs
Source: mandiant_ioc_finder.exe; Static PE information: Image base 0x140000000 > 0x60000000
Submission file is bigger than most known malware samples
Source: mandiant_ioc_finder.exe; Static file information: File size 14690632 > 1048576
PE file has a big raw section
Source: mandiant_ioc_finder.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x88b400
Source: mandiant_ioc_finder.exe; Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x310600
PE file imports many functions
Source: mandiant_ioc_finder.exe; Static PE information: More than 200 imports for KERNEL32.dll
PE file contains a debug data directory
Source: mandiant_ioc_finder.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: c:\mandiantmaster-june6\processauditmodule\sys\i386\mkpl.pdb source: mandiant_ioc_finder.exe
Source: Binary string: D:\Source\Mandiant\Apollo\Agent-1.0.22.1\MemoryAuditModule\Sys\i386\mktools.pdb source: mandiant_ioc_finder.exe
Source: Binary string: g:\agenttrunk\mktools\amd64\mktools.pdb source: mandiant_ioc_finder.exe
Source: Binary string: c:\gitsrc\litmus\windows_console\x64\release\mandiant_ioc_finder.pdb source: mandiant_ioc_finder.exe
Source: Binary string: g:\agenttrunk\mktools\i386\mktools.pdb source: mandiant_ioc_finder.exe
Source: Binary string: g:\agenttrunk\mktools\i386\mktools.pdbN source: mandiant_ioc_finder.exe

Data Obfuscation:

PE file contains an invalid checksum
Source: mandiant_ioc_finder.exe; Static PE information: real checksum: 0xe0e856 should be:

Hooking and other Techniques for Hiding and Protection:

May modify the system service descriptor table (often done to hook functions)
Source: mandiant_ioc_finder.exe, 00000000.00000002.1112795588.000000014095B000.00000002.00020000.sdmp; Binary or memory string: KeServiceDescriptorTable
Source: mandiant_ioc_finder.exe; Binary or memory string: KeServiceDescriptorTable

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: mandiant_ioc_finder.exe; Binary or memory string: WNNC_NET_VMWARE

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\mandiant_ioc_finder.exe; Code function: 0_2_00000001403EC130 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00000001403EC130

Malware Configuration

No configs have been found

Behavior Graph


Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
mandiant_ioc_finder.exe | 0% | Virustotal | | Browse
mandiant_ioc_finder.exe | 0% | Metadefender | | Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://xmlsoft.org/XSLT/xsltExtFunctionTest: | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/taskitem.xsdw32tasks$ | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/prefetchitem.xsdw32prefetch | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/serviceitem.xsdw32services | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/BatchResult.xsd | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/eventlogitem.xsdapplication/xmlhttp://schemas.mandiant.com/2011/ | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/systemrestoreitem.xsd1.4.41.0w32systemrestore | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/issuelist.xsd | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/mir.w32ports.xsdPort | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/mir.w32processes.xsdZwQueryInformationThreadZwQueryInformationPr | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/BatchResult.xsd%hshttp://schemas.mandiant.com/2011/07/batchresul | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/formhistoryitem.xsdformhistoryhttp://schemas.mandiant.com/2011/0 | 0% | Avira URL Cloud | safe |
http://www.oreans.com | 0% | Virustotal | | Browse
http://www.oreans.com | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/registryitem.xsdw32registryraw1.4.36.0http://schemas.mandiant.co | 0% | Avira URL Cloud | safe |
http://www.mandiant.com/schemas/FileItem.xsd1.4.27.0http://schemas.mandiant.com/2011/07/portitem.xsd | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/systeminfoitem.xsdw32systemCurrentBuildNumberInstallDateProductN | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/issuelist.xsdhttp://schemas.mandiant.com/2011/07/issues.xsdIssue | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/mir.w32tasks.xsdExecProgramSha256sumExecProgramSha1sumExecProgra | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/processitem.xsdw32processes-APIWinsta.dllWinStationGetProcessSid | 0% | Avira URL Cloud | safe |
http://icl.com/saxonFound | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/mir.w32services.xsdbad | 0% | Avira URL Cloud | safe |
http://exslt.org/common | 0% | Virustotal | | Browse
http://exslt.org/common | 0% | URL Reputation | safe |
http://schemas.mandiant.com/2011/07/mir.w32useraccounts.xsdFailed | 0% | Avira URL Cloud | safe |
http://exslt.org/commonxsl:sort | 0% | Avira URL Cloud | safe |
http://www.mandiant.com/schemas/issue.xsdgeneratorgeneratorVersionitemSchemaLocationhrefIssuesThere | 0% | Avira URL Cloud | safe |
http://wibu.com/us/ | 0% | Avira URL Cloud | safe |
http://xmlsoft.org/XSLT/ | 0% | Virustotal | | Browse
http://xmlsoft.org/XSLT/ | 0% | URL Reputation | safe |
http://xmlsoft.org/XSLT/namespace | 0% | Virustotal | | Browse
http://xmlsoft.org/XSLT/namespace | 0% | URL Reputation | safe |
http://schemas.mandiant.com/2011/07/useritem.xsdw32useraccounts1.4.36.0Error | 0% | Avira URL Cloud | safe |
http://relaxng.org/ns/structure/1.0allocating | 0% | Virustotal | | Browse
http://relaxng.org/ns/structure/1.0allocating | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/hookitem.xsdw32kernel-hookdetectionhttp://schemas.mandiant.com/2 | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/routeentryitem.xsdw32network-routehttp://schemas.mandiant.com/20 | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/issues.xsd | 0% | Avira URL Cloud | safe |
http://www.jclark.com/xt | 0% | Virustotal | | Browse
http://www.jclark.com/xt | 0% | URL Reputation | safe |
http://www.jclark.com/xtnode-sethttp://xmlsoft.org/XSLT/namespacexsltNewAttrVTPtr | 0% | Avira URL Cloud | safe |
http://schemas.mandiant.com/2011/07/batchresult.xsd | 0% | Avira URL Cloud | safe |
http://icl.com/saxon | 0% | Virustotal | | Browse
http://icl.com/saxon | 0% | URL Reputation | safe |
http://schemas.mandiant.com/2011/07/registryitem.xsdapplication/xmlhttp://schemas.mandiant.com/2011/ | 0% | Avira URL Cloud | safe |
http://relaxng.org/ns/structure/1.0 | 0% | Virustotal | | Browse
http://relaxng.org/ns/structure/1.0 | 0% | URL Reputation | safe |
http://schemas.mandiant.com/2011/07/mir.w32system.xsdSystemInfoItemdirectorymachinetotalphysicalavai | 0% | Avira URL Cloud | safe |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.