Analysis Report ciscovideoguard.exe

Overview

General Information

Sample Name: ciscovideoguard.exe
Analysis ID: 372989
MD5: 01eb1a2e5fc8d464431a34ab5e28255c
SHA1: e5b76b9344ebe7f90aaa38aa1ec9962fdce3cafb
SHA256: 40c71df5baff986e7ce4e668e3d6bd8f5e149c7c479f97ebc47d7f1bc4a3c33c
Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Program does not show much activity (idle)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
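The anti-debugging and obfuscation signatures above are raised from the per-function API lists the sandbox prints later in this report. The script below is an added example, not code from the Joe Sandbox report or its engine: it parses those "Code function" lines as the sandbox emits them, flags functions that call anti-debugging APIs, and marks functions that also reference MSVC C runtime internals (names such as ___crtIsPackagedApp, _GetLcidFromLangCountry, __invoke_watson, std::exception), since CRT startup and locale code in any MSVC-built binary triggers the same signatures; likewise `push ecx; ret` is the usual tail of the MSVC SEH epilog. The input lines are copied (abridged) from this report; the API sets, marker prefixes and verdict names are the author's own choices.

```python
"""Triage of the sandbox's 'Code function' lines (added example, not from the report)."""
import re

# Copied (abridged) from this report: one line per analysed function.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_0096380A 1_2_0096380A",
    r"Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_009541BB push ecx; ret 1_2_009541CE",
    r"Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_0095C0BF _memset,IsDebuggerPresent,1_2_0095C0BF",
    r"Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_009660CC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,1_2_009660CC",
    r"Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_0090D1D0 GetProcessHeap,HeapAlloc,std::exception::exception,1_2_0090D1D0",
    r"Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: 1_2_008F28A0 TlsAlloc,GetLastError,TlsAlloc,GetLastError,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,1_2_008F28A0",
    r"Source: C:\Users\user\Desktop\ciscovideoguard.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,__itow_s,1_2_009710CB",
]

# Sandbox function id, e.g. 1_2_0095C0BF; the last part is the function's virtual address.
ADDR_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]{8}")

# Author's choice of indicator sets (assumption, not the sandbox's own rules).
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "OutputDebugStringA", "OutputDebugStringW", "NtQueryInformationProcess"}
# Weaker: ordinary code uses these too (heap flags via GetProcessHeap, GetLastError probing).
WEAK_APIS = {"GetProcessHeap", "GetLastError", "SetUnhandledExceptionFilter"}
# Symbol prefixes that identify MSVC CRT internals rather than application code.
CRT_MARKERS = ("___crt", "__crt", "_GetLcid", "_GetLocaleName", "__invoke_watson",
               "std::", "__itow_s", "_TranslateName")


def parse_code_function(line):
    """Return {'addr', 'calls', 'disasm'} for a 'Code function:' line, else None."""
    m = re.search(r"Code function:\s*(.*)$", line)
    if not m:
        return None
    body = m.group(1).strip()
    addrs = ADDR_RE.findall(body)
    if not addrs:
        return None
    rest = ADDR_RE.sub("", body).strip().strip(",")
    disasm = rest if ";" in rest else None            # e.g. 'push ecx; ret'
    calls = [] if disasm or not rest else [c for c in rest.split(",") if c]
    return {"addr": addrs[0], "calls": calls, "disasm": disasm}


def classify(entry):
    """Assign a verdict and note whether the function looks like CRT-derived code."""
    calls = set(entry["calls"])
    crt = any(c.startswith(CRT_MARKERS) for c in calls)
    if entry["disasm"]:
        verdict = "disasm-pattern"
    elif calls & ANTI_DEBUG_APIS:
        verdict = "anti-debug"
    elif calls & WEAK_APIS:
        verdict = "weak-indicator"
    else:
        verdict = "none"
    return {"addr": entry["addr"], "verdict": verdict, "crt": crt,
            "hits": sorted(calls & (ANTI_DEBUG_APIS | WEAK_APIS)), "disasm": entry["disasm"]}


def triage(lines):
    """Map function id -> classification for every parseable line."""
    results = {}
    for line in lines:
        entry = parse_code_function(line)
        if entry:
            results[entry["addr"]] = classify(entry)
    return results


if __name__ == "__main__":
    for r in triage(REPORT_LINES).values():
        print(r["addr"], r["verdict"], "CRT" if r["crt"] else "-", r["hits"] or r["disasm"] or "")
```

Run over the report's lines, the one function with both IsDebuggerPresent and OutputDebugStringW (1_2_009660CC) is also the one carrying ___crtIsPackagedApp, which is the pattern that separates a runtime-library false positive from a deliberate check; the CRT marker is a prior, not proof, so the remaining anti-debug hit without a marker (1_2_0095C0BF) is the one worth opening in a disassembler.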

Classification

Startup

  • System is w10x64
  • ciscovideoguard.exe (PID: 7164 cmdline: 'C:\Users\user\Desktop\ciscovideoguard.exe' MD5: 01EB1A2E5FC8D464431A34AB5E28255C)
    • conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures; all signature results follow.

Source: ciscovideoguard.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ciscovideoguard.exe | Static PE information: certificate valid
Source: ciscovideoguard.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: ciscovideoguard.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ciscovideoguard.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: ciscovideoguard.exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ciscovideoguard.exe | String found in binary or memory: http://s2.symcb.com0
Source: ciscovideoguard.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ciscovideoguard.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ciscovideoguard.exe | String found in binary or memory: http://sv.symcd.com0&
Source: ciscovideoguard.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ciscovideoguard.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ciscovideoguard.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: ciscovideoguard.exe | String found in binary or memory: http://www.symauth.com/cps0(
Source: ciscovideoguard.exe | String found in binary or memory: http://www.symauth.com/rpa00
Source: ciscovideoguard.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: ciscovideoguard.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: ciscovideoguard.exe, 00000001.00000002.645433477.0000000000BEA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_0096380A
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_0095848E
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_00952C60
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_0095E538
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Section loaded: pcshowserver.dll
Source: classification engine | Classification label: clean5.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01
Source: ciscovideoguard.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ciscovideoguard.exe 'C:\Users\user\Desktop\ciscovideoguard.exe'
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: ciscovideoguard.exe | Static file information: File size 1074416 > 1048576
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_009541BB push ecx; ret at 1_2_009541CE
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_0095BF15 push ecx; ret at 1_2_0095BF28
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_008F2880 GetSystemInfo
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_0095C0BF _memset, IsDebuggerPresent
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_009660CC EncodePointer, EncodePointer, ___crtIsPackagedApp, LoadLibraryExW, GetLastError, LoadLibraryExW, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, IsDebuggerPresent, OutputDebugStringW, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_0090D1D0 GetProcessHeap, HeapAlloc, std::exception::exception
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_009566AE SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_008F28A0 TlsAlloc, GetLastError, TlsAlloc, GetLastError, InitializeSecurityDescriptor, SetSecurityDescriptorDacl
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_0095B898 GetLocaleInfoW
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_009710CB _memset, _TranslateName, _GetLcidFromLangCountry, _GetLcidFromLanguage, _TranslateName, _GetLcidFromLangCountry, _GetLcidFromLanguage, _GetLcidFromCountry, GetUserDefaultLCID, IsValidCodePage, IsValidLocale, ___crtDownlevelLCIDToLocaleName, ___crtDownlevelLCIDToLocaleName, GetLocaleInfoW, GetLocaleInfoW, GetLocaleInfoW, __itow_s
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_0095B812 EnumSystemLocalesW
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_0097085B _TranslateName, _GetLocaleNameFromLangCountry, _GetLocaleNameFromLanguage, _TranslateName, _GetLocaleNameFromLangCountry, _GetLocaleNameFromLanguage, _GetLocaleNameFromDefault, IsValidCodePage, _wcschr, _wcschr, __itow_s, __invoke_watson, _LcidFromHexString, GetLocaleInfoW
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_00970ACF EnumSystemLocalesW
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_00970BA8 _GetPrimaryLen, EnumSystemLocalesW
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_00970B2B _GetPrimaryLen, EnumSystemLocalesW
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_00970F4A _wcscmp, _wcscmp, GetLocaleInfoW, GetLocaleInfoW, GetACP
Source: C:\Users\user\Desktop\ciscovideoguard.exe | Code function: 1_2_00902500 GetSystemTimeAsFileTime, __aulldiv, __aulldiv
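
The "Static PE information" and "Static file information" lines above (32BIT_MACHINE, EXECUTABLE_IMAGE, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE, the .text section flags, the file-size threshold and the three hashes) are read straight from the PE headers. The script below is an added example, not code from the Joe Sandbox report or its tooling: it reproduces those checks with the Python standard library, reading the DOS stub, COFF file header, PE32 optional header and section table. It is run here against a constructed minimal PE32 header built inside the script, not against ciscovideoguard.exe; function names are the author's own.

```python
"""Static PE triage reproducing the report's 'Static PE information' lines.

Added example, not code from the Joe Sandbox report. Standard library only.
The sample input built by build_sample_pe() is a constructed minimal header,
not the analysed file; parse_pe(open(path, "rb").read()) works on a real PE32.
"""
import hashlib
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x010B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode signature directory
LARGE_FILE_THRESHOLD = 1048576       # the report flags files above 1 MiB

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def flag_names(value, table):
    """Decode a bit field into the names the sandbox prints."""
    return [name for bit, name in table.items() if value & bit]


def hashes(data):
    """MD5/SHA1/SHA256 as listed under General Information."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest()}


def parse_pe(data):
    """Extract the static facts the report lists for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4                     # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                         # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images handled here")
    # PE32 fixed offsets: DllCharacteristics +70, NumberOfRvaAndSizes +92, DataDirectory +96
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    has_sig = False
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        off, size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        has_sig = off != 0 and size != 0
    sections = []
    for i in range(nsections):            # IMAGE_SECTION_HEADER, 40 bytes each
        name, *_, sflags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), flag_names(sflags, SECTION_FLAGS)))
    return {
        "machine": "I386" if machine == IMAGE_FILE_MACHINE_I386 else hex(machine),
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "sections": sections,
        # A security directory only says a signature blob is attached; 'certificate valid'
        # requires verifying the PKCS#7 chain (signtool verify / osslsigncode verify).
        "signature_present": has_sig,
        "large_file": len(data) > LARGE_FILE_THRESHOLD,
    }


def build_sample_pe(signed=False):
    """Constructed minimal PE32 header for offline testing (not a runnable program)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # PE32 optional header, 16 dirs
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x8000)  # DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    struct.pack_into("<I", opt, 92, 16)
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text


if __name__ == "__main__":
    sample = build_sample_pe()
    print(hashes(sample))
    print(parse_pe(sample))
```

The one check this cannot reproduce is "certificate valid": the data directory only shows that a signature blob is attached, and the report's verdict rests on the sandbox having verified the chain, so treat the two as separate facts when triaging a signed sample.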

Mitre Att&ck Matrix

Tactic | Row 1 | Row 2 | Row 3
Initial Access | Valid Accounts | Default Accounts | Domain Accounts
Execution | Windows Management Instrumentation | Scheduled Task/Job | At (Linux)
Persistence | DLL Side-Loading (1) | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation | Process Injection (1) | DLL Side-Loading (1) | Logon Script (Windows)
Defense Evasion | Process Injection (1) | DLL Side-Loading (1) | Obfuscated Files or Information (1)
Credential Access | Input Capture (1) | LSASS Memory | Security Account Manager
Discovery | System Time Discovery (1) | Security Software Discovery (3) | System Information Discovery (13)
Lateral Movement | Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection | Input Capture (1) | Archive Collected Data (1) | Data from Network Shared Drive
Exfiltration | Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Command and Control | Encrypted Channel (1) | Junk Data | Steganography
Network Effects | Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location
Remote Service Effects | Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact | Modify System Partition | Device Lockout | Delete Device Data

A number in parentheses is the count of signatures mapped to that technique; cells without a number are unmatched matrix entries.

Behavior Graph

Behavior Graph ID: 372989 | Sample: ciscovideoguard.exe | Start date: 22/03/2021 | Architecture: WINDOWS | Score: 5
Process tree shown in the graph: ciscovideoguard.exe started conhost.exe.
