Windows
Analysis Report
winamp59_9999_rc1_full_en-us.exe
Overview
General Information
Detection
- Score: 36 (range 0 - 100)
- Whitelisted: false
- Confidence: 60%
Compliance
- Score: 33 (range 0 - 100)
Signatures
Multi AV Scanner detection for submitted file
Antivirus detection for dropped file
Uses netsh to modify the Windows network and firewall settings
Flash file may contain encrypted javascript
Sets file extension default program settings to executables
Modifies the windows firewall
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
EXE planting / hijacking vulnerabilities found
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Classification
Analysis Advice
- Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
- Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
- System is w10x64
- winamp59_9999_rc1_full_en-us.exe (PID: 1416, cmdline: "C:\Users\user\Desktop\winamp59_9999_rc1_full_en-us.exe", MD5: 5A08CF7A8E694F9AE682D3F0CEBFF93E)
  - Elevator.exe (PID: 5892, cmdline: "C:\Program Files (x86)\Winamp\elevator.exe" /RegServer, MD5: 4DCA168AC0EE99081097BBBFB61CE6BE)
  - netsh.exe (PID: 5456, cmdline: netsh advfirewall firewall set rule name="Winamp" dir=in program="C:\Program Files (x86)\Winamp\winamp.exe" profile=private,public protocol=TCP new action=allow enable=yes, MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
    - conhost.exe (PID: 5760, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - netsh.exe (PID: 5496, cmdline: netsh advfirewall firewall add rule name="Winamp" dir=in action=allow program="C:\Program Files (x86)\Winamp\winamp.exe" enable=yes profile=private,public protocol=TCP, MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
    - conhost.exe (PID: 5684, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - netsh.exe (PID: 6072, cmdline: netsh advfirewall firewall set rule name="Winamp" dir=in program="C:\Program Files (x86)\Winamp\winamp.exe" profile=private,public protocol=UDP new action=allow enable=yes, MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
    - conhost.exe (PID: 6052, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - netsh.exe (PID: 5548, cmdline: netsh advfirewall firewall add rule name="Winamp" dir=in action=allow program="C:\Program Files (x86)\Winamp\winamp.exe" enable=yes profile=private,public protocol=UDP, MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
    - conhost.exe (PID: 4828, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
- No configs have been found
- No yara matches
- No Sigma rule has matched
- No Snort rule has matched
AV Detection
- Source: Virustotal
- Source: ReversingLabs
- Source: Avira
- Source: EXE
Compliance
- Source: Static PE information
- Source: EXE
- Source: Window detected