
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 35023
Start time: 17:39:11
Joe Sandbox Product: CloudBasic
Start date: 24.10.2017
Overall analysis duration: 0h 5m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: install_flash_player.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal88.evad.spre.rans.winEXE@33/5@0/3
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 100
  • Number of non-executed functions: 75
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 98.3% (good quality ratio 94.5%)
  • Quality average: 81%
  • Quality standard deviation: 26.4%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Connection to analysis system has been lost
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy: Threshold
Score: 88
Range: 80 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior



Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Windows\dispci.exe; Virustotal: Detection: 10%
Antivirus detection for submitted file
Source: install_flash_player.exe; Virustotal: Detection: 5%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00805507 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00805A73 GetSystemInfo,__alldiv,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,UnmapViewOfFile
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00806299 CreateEventW,CreateThread,WaitForSingleObject,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,CloseHandle,LocalFree
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_008015A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00805BC4 GetSystemInfo,__alldiv,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,memcpy,FlushViewOfFile,LocalFree,CryptDestroyHash,UnmapViewOfFile
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00805D0A CryptDuplicateKey,CreateFileW,GetFileSizeEx,__alldiv,CreateFileMappingW,MapViewOfFile,CryptEncrypt,FlushViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CryptDestroyKey,SetEvent
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00805613 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportPublicKeyInfo,LocalFree,LocalFree
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_0080554A CryptAcquireContextW,GetLastError,CryptGenRandom,CryptReleaseContext
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_0080559B CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,LocalAlloc,CryptSetKeyParam,LocalFree
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00806246 CryptCreateHash,CryptHashData,CryptGetHashParam
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_008056D8 CryptEncrypt,CryptEncrypt,LocalAlloc,memcpy,CryptEncrypt,LocalFree
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00806085 CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00805780 CryptBinaryToStringW,CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree
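
The call chain in 3_2_00805613 (CryptStringToBinaryW, then CryptDecodeObjectEx, then CryptImportPublicKeyInfo) is the CryptoAPI sequence for turning a base64 SubjectPublicKeyInfo string into an imported public key; the CryptGenRandom / CryptDeriveKey / CryptEncrypt functions around it are where the per-victim key material is produced and used. The base64 blob that this code consumes is printed later in this report under System Summary, "Binary contains paths to development resources", for dispci.exe and infpub.dat. The following is an added example, not code from the report or from the sample: it walks that blob's DER structure with the Python standard library only, recovering the algorithm OID, modulus size and public exponent for triage and hashing the blob so the same attacker key can be matched across other dropped files. The blob is copied from this report; the function and variable names are this example's own.

```python
import base64
import hashlib

# Base64 public key exactly as printed in this report for dispci.exe and infpub.dat
# (the "MIIBIjAN..." string under "Binary contains paths to development resources").
EMBEDDED_KEY_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+fe"
    "QlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8h"
    "jG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmK"
    "gKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2M"
    "H5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3"
    "Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPj"
    "b3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB"
)

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value starting at pos; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past the end of the buffer")
    return tag, buf[pos:end], end


def parse_rsa_spki(b64: str) -> dict:
    """Parse a base64 SubjectPublicKeyInfo the way the sample's
    CryptStringToBinaryW -> CryptDecodeObjectEx -> CryptImportPublicKeyInfo
    chain would, but stop short of importing it into a CSP."""
    der = base64.b64decode(b64, validate=True)
    tag, spki, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, pos = read_tlv(spki, 0)           # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = read_tlv(spki, pos)        # subjectPublicKey BIT STRING
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    tag, rsa_key, _ = read_tlv(bit_string, 1)       # RSAPublicKey ::= SEQUENCE { n, e }
    n_tag, n_bytes, pos = read_tlv(rsa_key, 0)
    e_tag, e_bytes, _ = read_tlv(rsa_key, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey must be a SEQUENCE of two INTEGERs")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "modulus_bits": n.bit_length(),
        "exponent": e,
        # Hash of the DER blob: a stable indicator for matching the same
        # attacker key in other dropped files or related samples.
        "spki_sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    info = parse_rsa_spki(EMBEDDED_KEY_B64)
    print(f"RSA-{info['modulus_bits']}, e={info['exponent']}, "
          f"SPKI SHA-256 {info['spki_sha256']}")
```

The blob decodes to a 2048-bit RSA key with e = 65537. Only the public half is embedded, so whatever CryptGenRandom and CryptDeriveKey produce per victim is wrapped with a key whose private half is not in the sample; the DER hash is the part worth keeping as an indicator.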

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_008015A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext
Clears the journal log
Source: unknown; Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: unknown; Process created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Clears the windows event log
Source: unknown; Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

Networking:

Contains functionality to download additional files from the internet
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_008021DC GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,htons,send,recv,memset,GetProcessHeap,HeapAlloc,htons,send,recv,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Urls found in memory or binary data
Source: rundll32.exe; String found in binary or memory: http://192.168.2.1/hm
Source: install_flash_player.exe, cscc.dat.3.dr, infpub.dat.1.dr; String found in binary or memory: http://crl.thawte.com/thawtetimestampingca.crl0
Source: rundll32.exe, dispci.exe.3.dr, cscc.dat.3.dr; String found in binary or memory: http://diskcryptor.net/
Source: install_flash_player.exe, cscc.dat.3.dr, infpub.dat.1.dr; String found in binary or memory: http://ocsp.thawte.com0
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: http://rb.symcb.com/rb.crl0w
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: http://rb.symcb.com/rb.crt0
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: http://rb.symcd.com0&
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: http://s.symcd.com0
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: http://s.symcd.com06
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: http://sf.symcb.com/sf.crl0w
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: http://sf.symcd.com0&
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: install_flash_player.exe, cscc.dat.3.dr, infpub.dat.1.dr; String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: install_flash_player.exe, cscc.dat.3.dr, infpub.dat.1.dr; String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: install_flash_player.exe, cscc.dat.3.dr, infpub.dat.1.dr; String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: https://d.symcb.com/cps0%
Source: infpub.dat.1.dr; String found in binary or memory: https://d.symcb.com/rpa0
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: https://d.symcb.com/rpa0.
Source: install_flash_player.exe, infpub.dat.1.dr; String found in binary or memory: https://d.symcb.com/rpa06

Boot Survival:

Contains functionality to start windows services
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00809534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown; Process created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal
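
The process tree in this report carries the sample's highest-signal behaviours in plain command lines: the anti-forensics chain under "Clears the journal log" and "Clears the windows event log" (four wevtutil cl calls followed by fsutil usn deletejournal), the two SYSTEM scheduled tasks (rhaegal at boot, drogon for a forced reboot), and rundll32 loading a .dat file by ordinal. The following is an added example, not part of the report: a small detector that applies one rule per technique to process-creation records and then correlates hits by parent image, so that a single wevtutil cl typed by an administrator stays informational while the rundll32.exe subtree seen here raises an alert. The command lines are taken from the "Spawns processes" entries of this report; the record layout (parent, image, cmdline) and the one benign control record are constructed for this example.

```python
import re
from collections import defaultdict

# Process-creation records taken from the "Spawns processes" entries in this report
# (parent image, child image, child command line), plus one constructed benign
# record as a control. The dict layout is an assumption for this example; Sysmon
# Event 1 or Security 4688 carry the same three fields under other names.
EVENTS = [
    {"parent": "install_flash_player.exe", "image": "rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"parent": "rundll32.exe", "image": "cmd.exe",
     "cmdline": r"/c schtasks /Delete /F /TN rhaegal"},
    {"parent": "rundll32.exe", "image": "cmd.exe",
     "cmdline": r"/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal "
                r"/TR 'C:\Windows\system32\cmd.exe /C Start '' 'C:\Windows\dispci.exe' -id 4211196566 && exit'"},
    {"parent": "rundll32.exe", "image": "cmd.exe",
     "cmdline": r"/c schtasks /Create /SC once /TN drogon /RU SYSTEM "
                r"/TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 17:57:00"},
    {"parent": "rundll32.exe", "image": "5D2F.tmp",
     "cmdline": r"'C:\Windows\5D2F.tmp' \\.\pipe\{C83E46AA-57BB-48B8-9737-E609B9163618}"},
    {"parent": "rundll32.exe", "image": "cmd.exe",
     "cmdline": r"/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                r"& wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"parent": "cmd.exe", "image": "wevtutil.exe", "cmdline": r"wevtutil cl Security"},
    {"parent": "cmd.exe", "image": "fsutil.exe", "cmdline": r"fsutil usn deletejournal /D C:"},
    # Constructed control: an admin clearing one log by hand must not raise the chain alert.
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": r"/c wevtutil cl Application"},
]

# One rule per observed technique; each regex is applied to the child command line.
RULES = {
    # wevtutil cl <log>: event log clearing
    "wevtutil_clear_log": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    # fsutil usn deletejournal: USN change-journal wipe (defeats file-timeline forensics)
    "usn_journal_delete": re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I),
    # schtasks /Create ... /RU SYSTEM, in any argument order
    "schtasks_as_system": re.compile(r"\bschtasks(\.exe)?\s+/create\b(?=.*\s/ru\s+system\b)", re.I),
    # rundll32 <file>.dat,#<ordinal>: a DLL with a non-DLL extension run by ordinal
    "rundll32_dat_ordinal": re.compile(r"\brundll32(\.exe)?\s+\S+\.dat,#\d+", re.I),
    # shutdown /r ... /f: forced reboot (here scheduled through the drogon task)
    "forced_reboot": re.compile(r"\bshutdown(\.exe)?\b(?=.*\s/r\b)(?=.*\s/f\b)", re.I),
}


def scan(events):
    """Return [(event_index, rule_name)] for every rule that fires on a command line."""
    hits = []
    for i, ev in enumerate(events):
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                hits.append((i, name))
    return hits


def correlate(events, hits, min_rules=3):
    """Group hits by parent image. A parent whose children trip at least min_rules
    distinct rules is reported as a staging chain; isolated hits stay informational."""
    by_parent = defaultdict(set)
    for i, name in hits:
        by_parent[events[i]["parent"]].add(name)
    return {p: sorted(r) for p, r in by_parent.items() if len(r) >= min_rules}


if __name__ == "__main__":
    hits = scan(EVENTS)
    for i, name in hits:
        ev = EVENTS[i]
        print(f"[{name}] {ev['parent']} -> {ev['image']} {ev['cmdline'][:70]}")
    for parent, rules in correlate(EVENTS, hits).items():
        print(f"ALERT staging chain under {parent}: {', '.join(rules)}")
```

On the records above, rundll32.exe is the only parent that trips the chain rule (four distinct techniques under it); the control record and the cmd.exe grandchildren each stay below the threshold. One caveat when building on the wevtutil rule: clearing the Security log itself writes Event ID 1102 and clearing the System log writes Event ID 104, so a host that forwards events still reports the wipe even though the local history is gone.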

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\rundll32.exe; File created: C:\Windows\5D2F.tmp
Source: C:\Windows\System32\rundll32.exe; File created: C:\Windows\dispci.exe
Source: C:\Windows\System32\rundll32.exe; File created: C:\Windows\cscc.dat
Source: C:\Users\user\Desktop\install_flash_player.exe; File created: C:\Windows\infpub.dat
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\rundll32.exe; File created: C:\Windows\5D2F.tmp
Source: C:\Windows\System32\rundll32.exe; File created: C:\Windows\dispci.exe
Source: C:\Windows\System32\rundll32.exe; File created: C:\Windows\cscc.dat
Source: C:\Users\user\Desktop\install_flash_player.exe; File created: C:\Windows\infpub.dat
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\rundll32.exe; Executable created and started: C:\Windows\5D2F.tmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00809016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect
PE file contains an invalid checksum
Source: 5D2F.tmp.3.dr; Static PE information: real checksum: 0x114bd should be: 0x1e635
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\5D2F.tmp; Code function: 12_2_010659E5 push ecx; ret 12_2_010659F8

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00805E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Contains functionality to enumerate network shares of other devices
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00809534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError; String: \\%s\admin$
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00809B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError; String: \\%s\admin$

System Summary:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: install_flash_player.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: dcrypt.pdbp source: rundll32.exe, cscc.dat.3.dr
Source: Binary string: wdigest.pdb source: 5D2F.tmp
Source: Binary string: dcrypt.pdb source: rundll32.exe, cscc.dat.3.dr
Source: Binary string: wdigest.pdbJ6JtT6Jt^6Jth6Jt@6Jt|6Jt source: 5D2F.tmp
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: cscc.dat.3.dr; Binary string: configFlags\Device\dcrypt\DosDevices\dcryptdump_hiber_%s\$dcsys$$dcsys$\Device\CdRom%s\$DC_TRIM_%x$$dcsys$_fail_%xNTFSFATFAT32exFATH
Binary contains paths to development resources
Source: dispci.exe.3.dr; Binary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted%lS OK
Source: install_flash_player.exe, rundll32.exe, infpub.dat.1.dr; Binary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERM
Classification label
Source: classification engine; Classification label: mal88.evad.spre.rans.winEXE@33/5@0/3
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00807CC5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetLastError
Contains functionality to create services
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00801368 OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00809534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError
Contains functionality to enum processes or threads
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_008084EE CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to load and extract PE file embedded resources
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00808313 FindResourceW,LoadResource,LockResource,SizeofResource,GetProcessHeap,GetProcessHeap,HeapAlloc,RtlAllocateHeap,memcpy,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Contains functionality to modify services (start/stop/modify)
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00809534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError
Found command line output
Source: C:\Windows\System32\schtasks.exe; Console Write: ...........v..0.....E.R.R.O.R.:. ..............................v...............v..........i.....G..u................p...
Source: C:\Windows\System32\schtasks.exe; Console Write: ...........v..0.....(...0.......a\................................-...........................j.H.......X....."v..gl....
Source: C:\Windows\System32\schtasks.exe; Console Write: ...........v..0.....P...d...0...`b..........................`.....................!...............!...............!.G..u
Source: C:\Windows\System32\schtasks.exe; Console Write: ...........v..0.....t.......0...`c..........................`.....*.T.,.H.,.....t.............................U.....G..u
Source: C:\Windows\System32\shutdown.exe; Console Write: ........h.>.........A. .s.y.s.t.e.m. .s.h.u.t.d.o.w.n. .i.s. .i.n. .p.r.o.g.r.e.s.s...(.1.1.1.5.).......P.........>.6...
PE file has an executable .text section and no other executable section
Source: install_flash_player.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\install_flash_player.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Runs a DLL by calling functions
Source: unknown; Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Sample is known by Antivirus (Virustotal or Metascan)
Source: install_flash_player.exe; Virustotal: hash found
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\install_flash_player.exe 'C:\Users\user\Desktop\install_flash_player.exe'
Source: unknown; Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: unknown; Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: unknown; Process created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: unknown; Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 4211196566 && exit'
Source: unknown; Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 17:57:00
Source: unknown; Process created: C:\Windows\System32\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 4211196566 && exit'
Source: unknown; Process created: C:\Windows\5D2F.tmp 'C:\Windows\5D2F.tmp' \\.\pipe\{C83E46AA-57BB-48B8-9737-E609B9163618}
Source: unknown; Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 17:57:00
Source: unknown; Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: unknown; Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: unknown; Process created: C:\Windows\System32\shutdown.exe C:\Windows\system32\shutdown.exe /r /t 0 /f
Source: unknown; Process created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: unknown; Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: unknown; Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: unknown; Process created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Source: unknown; Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN drogon
Source: unknown; Process created: C:\Windows\System32\LogonUI.exe unknown
Source: C:\Users\user\Desktop\install_flash_player.exe; Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 4211196566 && exit'
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 17:57:00
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\5D2F.tmp 'C:\Windows\5D2F.tmp' \\.\pipe\{C83E46AA-57BB-48B8-9737-E609B9163618}
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN drogon
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 4211196566 && exit'
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 17:57:00
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\schtasks.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: infpub.dat.1.drStatic PE information: Section: .rsrc ZLIB complexity 0.995711959814
Contains functionality to call native functions
Source: C:\Windows\5D2F.tmpCode function: 12_2_0106184E NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,LocalAlloc,NtQuerySystemInformation,LocalFree,12_2_0106184E
Source: C:\Windows\5D2F.tmpCode function: 12_2_01061D4C GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb,12_2_01061D4C
Contains functionality to delete services
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00809534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,3_2_00809534
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00809B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError,3_2_00809B63
Contains functionality to shutdown / reboot the system
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00808A23 InitiateSystemShutdownExW,ExitWindowsEx,ExitProcess,3_2_00808A23
Creates files inside the system directory
Source: C:\Users\user\Desktop\install_flash_player.exeFile created: C:\Windows\infpub.dat
Creates mutexes
Source: C:\Windows\System32\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\935174343AD6FDE5
Deletes Windows files
Source: C:\Windows\System32\rundll32.exeFile deleted: C:\Windows\infpub.dat
Enables security privileges
Source: C:\Windows\System32\wevtutil.exeProcess token adjusted: Security
PE file contains strange resources
Source: install_flash_player.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 identical entries)
Reads the hosts file
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Sample file is different than original file name gathered from version info
Source: install_flash_player.exeBinary or memory string: OriginalFilenameFlashUtil.exev+ vs install_flash_player.exe (2 identical entries)
Sample reads its own file content
Source: C:\Users\user\Desktop\install_flash_player.exeFile read: C:\Users\user\Desktop\install_flash_player.exe
Tries to load missing DLLs
Source: C:\Windows\System32\shutdown.exeSection loaded: secur32.dll
Contains functionality to create processes via WMI
Source: install_flash_player.exeBinary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERM
Uses shutdown.exe to shutdown or reboot the system
Source: unknownProcess created: C:\Windows\System32\shutdown.exe C:\Windows\system32\shutdown.exe /r /t 0 /f

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00806FFE GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,3_2_00806FFE
Contains functionality to create a new security descriptor
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0080841D GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateToken,AllocateAndInitializeSid,CheckTokenMembership,TerminateProcess,FreeSid,CloseHandle,CloseHandle,CloseHandle,3_2_0080841D

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\install_flash_player.exeCode function: 1_2_01091499 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_01091499
Source: C:\Windows\5D2F.tmpCode function: 12_2_01064D59 SetUnhandledExceptionFilter,12_2_01064D59
Source: C:\Windows\5D2F.tmpCode function: 12_2_0106601E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0106601E
Source: C:\Windows\5D2F.tmpCode function: 12_2_01064B37 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_01064B37
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\rundll32.exeSystem information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\5D2F.tmpCode function: 12_2_0106601E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0106601E
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00809016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,3_2_00809016
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\install_flash_player.exeCode function: 1_2_01091690 GetProcessHeap,1_2_01091690
Enables debug privileges
Source: C:\Windows\System32\rundll32.exeProcess token adjusted: Debug
Source: C:\Windows\5D2F.tmpProcess token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00805E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose,3_2_00805E9F
Contains functionality to query system information
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00805A73 GetSystemInfo,__alldiv,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,UnmapViewOfFile,3_2_00805A73
Program exit points
Source: C:\Windows\System32\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_3-4966
Source: C:\Windows\System32\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_3-4878
Queries a list of all running processes
Source: C:\Windows\System32\rundll32.exeProcess information queried: ProcessInformation
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 2000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 500
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 1000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 300000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 900000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 3000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 500
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\System32\rundll32.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_3-5724
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\5D2F.tmp
Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\dispci.exe
Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\cscc.dat
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\rundll32.exe TID: 3348Thread sleep time: -2000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3440Thread sleep time: -4000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3456Thread sleep time: -1000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3532Thread sleep time: -300000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3348Thread sleep time: -900000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3348Thread sleep time: -3000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3440Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\LogonUI.exe TID: 3784Thread sleep time: -60000s >= -60s
Found evasive API chain (may stop execution after checking computer name)
Source: C:\Windows\System32\rundll32.exeEvasive API call chain: GetComputerName,DecisionNodes,ExitProcessgraph_3-4955

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX (7 identical entries)
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX (12 identical entries)
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX (12 identical entries)
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\5D2F.tmpCode function: 12_2_010625AC GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,12_2_010625AC

Language, Device and Operating System Detection:

Contains functionality to create pipes for IPC
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00806FFE GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,3_2_00806FFE
Contains functionality to query local / system time
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00808192 GetLocalTime,GetSystemDirectoryW,PathAppendW,wsprintfW,3_2_00808192
Contains functionality to query time zone information
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_008057E5 LocalAlloc,GetSystemDefaultLCID,GetTimeZoneInformation,memcpy,NetWkstaGetInfo,memcpy,memcpy,NetApiBufferFree,LocalAlloc,memcpy,LocalFree,LocalFree,3_2_008057E5
Contains functionality to query windows version
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00801531 GetVersion,3_2_00801531
Queries the cryptographic machine GUID
Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 35023 Sample: install_flash_playe... Startdate: 24/10/2017 Architecture: WINDOWS Score: 88 (graph rendering removed; the node data recoverable from it is listed below)
  • main started: install_flash_playe... (1), shutdown.exe (18), LogonUI.exe (25)
  • 1 started: rundll32.exe (3)
  • 3 signatures: Clears the journal log; Clears the windows event log; Contains functionality to enumerate network shares of other devices (signatures exceeded maximum capacity for this level, 2 signatures hidden)
  • 3 DNS/IP info: 192.168.2.1, 80 (unknown unknown); 192.168.2.2 (unknown unknown); 192.168.2.0 (unknown unknown)
  • 3 dropped: cscc.dat (PE32), dispci.exe (PE32), 5D2F.tmp (PE32)
  • 3 started: cmd.exe (4), cmd.exe (7), cmd.exe (9), cmd.exe (15), cmd.exe (24) (processes exceeded maximum capacity for this level, 1 process hidden)
  • 4 started: schtasks.exe (6); 7 started: schtasks.exe (10); 9 started: schtasks.exe (13); 15 started: wevtutil.exe (17)
  • 4, 7, 9, 15, 24 signatures: Clears the journal log

Simulations

Behavior and APIs

Time | Type | Description
17:39:47 | API Interceptor | 1x Sleep call for process: rundll32.exe modified from: 900000ms to: 500ms
17:39:47 | API Interceptor | 1x Sleep call for process: rundll32.exe modified from: 300000ms to: 500ms
17:39:48 | Task Scheduler | Run new task: drogon path: C:\Windows\system32\shutdown.exe s>/r /t 0 /f
17:57:03 | API Interceptor | 1x Sleep call for process: LogonUI.exe modified from: 60000ms to: 500ms

Antivirus Detection

Initial Sample

Source | Detection | Cloud | Link
install_flash_player.exe | 6% | virustotal | Browse

Dropped Files

Source | Detection | Cloud | Link
C:\Windows\cscc.dat | 0% | virustotal | Browse
C:\Windows\cscc.dat | 0% | metadefender | Browse
C:\Windows\dispci.exe | 11% | virustotal | Browse

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Startup

  • System is w7
  • install_flash_player.exe (PID: 3316 cmdline: 'C:\Users\user\Desktop\install_flash_player.exe' MD5: FBBDC39AF1139AEBBA4DA004475E8839)