Analysis Report Splash.exe

Overview

General Information

Sample Name:Splash.exe
MD5:460e03083000e46e3a3ed830ceadc9aa
SHA1:67097bfa5ddd76f61fbf12c407b7723026b18151
SHA256:0bbefefbef496c425471fbe935c0e4990809e51e497df6ad41c40d9673a892ab

Detection

Score:27
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Contains functionality to detect sleep reduction / modifications
Contains functionality locales information (e.g. system language)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Startup

  • System is w10x64
  • Splash.exe (PID: 1080 cmdline: 'C:\Users\user\Desktop\Splash.exe' MD5: 460E03083000E46E3A3ED830CEADC9AA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00404F24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00404F24

Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0042017C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_0042017C
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0042FA58 GetKeyboardState,0_2_0042FA58

Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00432908 NtdllDefWindowProc_A,GetCapture,KiUserCallbackDispatcher,0_2_00432908
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0044CEA8 NtdllDefWindowProc_A,0_2_0044CEA8
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004421FC GetSubMenu,SaveDC,RestoreDC,72B7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_004421FC
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0042738C NtdllDefWindowProc_A,0_2_0042738C
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0044D650 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0044D650
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0044D700 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0044D700
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004421FC 0_2_004421FC
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004473A0 0_2_004473A0
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0041B3AA 0_2_0041B3AA
Source: C:\Users\user\Desktop\Splash.exe | Code function: String function: 00403E4C appears 70 times
Source: C:\Users\user\Desktop\Splash.exe | Code function: String function: 00405ED4 appears 61 times
Source: Splash.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Splash.exe, 00000000.00000002.855093740.00000000021A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs Splash.exe
Source: Splash.exe, 00000000.00000002.853916225.0000000000600000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Splash.exe
Source: classification engine | Classification label: sus27.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0041D61C GetLastError,FormatMessageA,0_2_0041D61C
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004081FA GetDiskFreeSpaceA,0_2_004081FA
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004132A8 FindResourceA,0_2_004132A8
Source: C:\Users\user\Desktop\Splash.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Splash.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Splash.exe | Static file information: File size 1426944 > 1048576
Source: Splash.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x104c00

Source: C:\Users\user\Desktop\Splash.exeCode function: 0_2_00425634 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00425634
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00439D64 push 00439DF1h; ret 0_2_00439DE9
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0041025E push 004102D6h; ret 0_2_004102CE
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00410260 push 004102D6h; ret 0_2_004102CE
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0041A2C0 push 0041A36Bh; ret 0_2_0041A363
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004102D8 push 00410380h; ret 0_2_00410378
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0041A2BE push 0041A36Bh; ret 0_2_0041A363
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0041A370 push 0041A400h; ret 0_2_0041A3F8
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0041046C push 00410498h; ret 0_2_00410490
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00412570 push ecx; mov dword ptr [esp], edx 0_2_00412575
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004265FC push 00426655h; ret 0_2_0042664D
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0041A684 push 0041A6B0h; ret 0_2_0041A6A8
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00406760 push ecx; mov dword ptr [esp], eax 0_2_00406761
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0043C734 push 0043C760h; ret 0_2_0043C758
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004287D0 push 004287FCh; ret 0_2_004287F4
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00428784 push 004287C6h; ret 0_2_004287BE
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00412798 push ecx; mov dword ptr [esp], edx 0_2_0041279D
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0040C79C push ecx; mov dword ptr [esp], edx 0_2_0040C7A1
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004128F8 push ecx; mov dword ptr [esp], edx 0_2_004128FD
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004128B4 push ecx; mov dword ptr [esp], edx 0_2_004128B9
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00406944 push 00406970h; ret 0_2_00406968
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0040697C push 004069A8h; ret 0_2_004069A0
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00414938 push ecx; mov dword ptr [esp], ecx 0_2_0041493D
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00428938 push 00428964h; ret 0_2_0042895C
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0043AA94 push ecx; mov dword ptr [esp], edx 0_2_0043AA98
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00410C34 push 00410C81h; ret 0_2_00410C79
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00406C8C push 00406CB8h; ret 0_2_00406CB0
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00410C8C push 00410CB8h; ret 0_2_00410CB0
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00442CB0 push 00442D1Bh; ret 0_2_00442D13
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00418D00 push ecx; mov dword ptr [esp], edx 0_2_00418D02
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00402D08 push eax; ret 0_2_00402D44
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0043AD34 push ecx; mov dword ptr [esp], edx 0_2_0043AD38

Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0044CF30 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_0044CF30
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00449F58 KiUserCallbackDispatcher,SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,0_2_00449F58
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0043402C IsIconic,GetCapture,0_2_0043402C
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004348E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_004348E0
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00435160 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_00435160
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0044D650 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0044D650
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0044D700 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0044D700
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0042397C MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,0_2_0042397C
Source: C:\Users\user\Desktop\Splash.exeCode function: 0_2_00425634 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00425634

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004294BC 0_2_004294BC
Source: C:\Users\user\Desktop\Splash.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,0_2_0044C4A0
Source: C:\Users\user\Desktop\Splash.exe | API coverage: 8.2 %
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00404F24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00404F24
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_0041DBAC GetSystemInfo,0_2_0041DBAC

Source: C:\Users\user\Desktop\Splash.exeCode function: 0_2_00425634 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00425634

Source: Splash.exe, 00000000.00000002.854853414.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Splash.exe, 00000000.00000002.854853414.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Splash.exe, 00000000.00000002.854853414.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Splash.exe, 00000000.00000002.854853414.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Splash.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_004050DC
Source: C:\Users\user\Desktop\Splash.exe | Code function: GetLocaleInfoA,0_2_0040A9FC
Source: C:\Users\user\Desktop\Splash.exe | Code function: GetLocaleInfoA,0_2_0040AA48
Source: C:\Users\user\Desktop\Splash.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_004051E8
Source: C:\Users\user\Desktop\Splash.exe | Code function: GetLocaleInfoA,0_2_004059D2
Source: C:\Users\user\Desktop\Splash.exe | Code function: GetLocaleInfoA,0_2_004059D4
Source: C:\Users\user\Desktop\Splash.exe | Code function: GetLocaleInfoA,GetACP,0_2_0040BFE8
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_004094FC GetLocalTime,0_2_004094FC
Source: C:\Users\user\Desktop\Splash.exe | Code function: 0_2_00439D64 GetVersion,0_2_00439D64

Mitre Att&ck Matrix

The matrix is listed here per tactic column. A number in parentheses is the count the report shows next to a technique matched by this sample; entries without a number are the unmatched techniques the matrix displays for that tactic.

  • Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment
  • Execution: Execution through API (1), Service Execution, Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting
  • Persistence: Application Shimming (1), Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception
  • Privilege Escalation: Process Injection (1), Application Shimming (1), Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task
  • Defense Evasion: Virtualization/Sandbox Evasion (1), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Masquerading, DLL Search Order Hijacking, Software Packing
  • Credential Access: Input Capture (11), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception
  • Discovery: System Time Discovery (1), Virtualization/Sandbox Evasion (1), Process Discovery (1), Application Window Discovery (11), Security Software Discovery (11), File and Directory Discovery (1), System Information Discovery (15)
  • Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash
  • Collection: Input Capture (11), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection
  • Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel
  • Command and Control: Standard Cryptographic Protocol (1), Fallback Channels, Custom Cryptographic Protocol, Multiband Communication, Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Behavior Graph

(Graph image not included in this extract. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)

Screenshots
