Analysis Report ciscovideoguard.exe

Overview

General Information

Sample Name: ciscovideoguard.exe
Analysis ID: 372989
MD5: 01eb1a2e5fc8d464431a34ab5e28255c
SHA1: e5b76b9344ebe7f90aaa38aa1ec9962fdce3cafb
SHA256: 40c71df5baff986e7ce4e668e3d6bd8f5e149c7c479f97ebc47d7f1bc4a3c33c

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Program does not show much activity (idle)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Compliance:

Uses 32bit PE files
Source: ciscovideoguard.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ciscovideoguard.exe Static PE information: certificate valid
Source: ciscovideoguard.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: ciscovideoguard.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ciscovideoguard.exe String found in binary or memory: http://ocsp.thawte.com0
Source: ciscovideoguard.exe String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ciscovideoguard.exe String found in binary or memory: http://s2.symcb.com0
Source: ciscovideoguard.exe String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ciscovideoguard.exe String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ciscovideoguard.exe String found in binary or memory: http://sv.symcd.com0&
Source: ciscovideoguard.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ciscovideoguard.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ciscovideoguard.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: ciscovideoguard.exe String found in binary or memory: http://www.symauth.com/cps0(
Source: ciscovideoguard.exe String found in binary or memory: http://www.symauth.com/rpa00
Source: ciscovideoguard.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: ciscovideoguard.exe String found in binary or memory: https://d.symcb.com/rpa0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: ciscovideoguard.exe, 00000001.00000002.645433477.0000000000BEA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_0096380A 1_2_0096380A
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_0095848E 1_2_0095848E
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_00952C60 1_2_00952C60
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_0095E538 1_2_0095E538
Tries to load missing DLLs
Source: C:\Users\user\Desktop\ciscovideoguard.exe Section loaded: pcshowserver.dll
Uses 32bit PE files
Source: ciscovideoguard.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: clean5.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01
Source: ciscovideoguard.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ciscovideoguard.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ciscovideoguard.exe 'C:\Users\user\Desktop\ciscovideoguard.exe'
Source: C:\Users\user\Desktop\ciscovideoguard.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: ciscovideoguard.exe Static PE information: certificate valid
Source: ciscovideoguard.exe Static file information: File size 1074416 > 1048576
Source: ciscovideoguard.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_009541BB push ecx; ret 1_2_009541CE
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_0095BF15 push ecx; ret 1_2_0095BF28

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_008F2880 GetSystemInfo, 1_2_008F2880

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_0095C0BF _memset,IsDebuggerPresent, 1_2_0095C0BF
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_009660CC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_009660CC
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_0090D1D0 GetProcessHeap,HeapAlloc,std::exception::exception, 1_2_0090D1D0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_009566AE SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_009566AE
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_008F28A0 TlsAlloc,GetLastError,TlsAlloc,GetLastError,InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 1_2_008F28A0

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: GetLocaleInfoW, 1_2_0095B898
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 1_2_009710CB
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: EnumSystemLocalesW, 1_2_0095B812
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 1_2_0097085B
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: EnumSystemLocalesW, 1_2_00970ACF
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_00970BA8
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_00970B2B
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_00970F4A
Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_00902500 GetSystemTimeAsFileTime,__aulldiv,__aulldiv, 1_2_00902500

Behavior Graph:

Behavior Graph ID: 372989
Sample: ciscovideoguard.exe
Startdate: 22/03/2021
Architecture: WINDOWS
Score: 5
Process tree: ciscovideoguard.exe (started) -> conhost.exe (started)

No contacted IP infos