Windows
Analysis Report
ibaAnalyzerSetup_x64_v7.3.6.exe
Overview
General Information
Detection
Score: 24 (range 0 - 100)
Whitelisted: false
Confidence: 40%
Compliance
Score: 34 (range 0 - 100)
Signatures
Found evasive API chain (may stop execution after checking mutex)
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Contains functionality to get notified if a device is plugged in / out
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found inlined nop instructions (likely shell or obfuscated code)
DLL planting / hijacking vulnerabilities found
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to delete services
Contains functionality for read data from the clipboard
Classification
Analysis Advice
Sample drops PE files which have not been started; submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample may be VM- or sandbox-aware; try analysis on a native machine
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
- System is w10x64
- ibaAnalyzerSetup_x64_v7.3.6.exe (PID: 7052, cmdline: "C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe", MD5: C1AE350F67039CBE69F10DF9B8001371)
- regsvr32.exe (PID: 3544, cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\iba\ibaAnalyzer\ibaHDOfflineActiveX.ocx", MD5: 426E7499F6A7346F0410DEAD0805586B)
- regsvr32.exe (PID: 4904, cmdline: /s "C:\Program Files\iba\ibaAnalyzer\ibaHDOfflineActiveX.ocx", MD5: D78B75FC68247E8A63ACBA846182740E)
- regsvr32.exe (PID: 5848, cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx", MD5: 426E7499F6A7346F0410DEAD0805586B)
- regsvr32.exe (PID: 6048, cmdline: /s "C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx", MD5: D78B75FC68247E8A63ACBA846182740E)
- cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched