Windows
Analysis Report
ActiveBarcode-Setup6.12.0.exe
Overview
General Information
Detection
Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 20%
Compliance
Score: 52
Range: 0 - 100
Signatures
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
Stores files to the Windows start menu directory
Found dropped PE file which has not been started or loaded
Modifies existing windows services
Adds / modifies Windows certificates
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Queries keyboard layouts
Checks for available system drives (often done to infect USB drives)
Creates or modifies windows services
Classification
Analysis Advice
Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis
Sample is looking for USB drives; launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
Sample searches for specific files; try placing organization-specific fake files on the analysis machine
- System is w10x64_ra
  - ActiveBarcode-Setup6.12.0.exe (PID: 5544 cmdline: C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe MD5: 7791A8A48AF7782006DD4CCFAD1CB14D)
  - ActiveBarcode-Setup6.12.0.tmp (PID: 6300 cmdline: "C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp" /SL5="$5033A,35135642,121344,C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe" MD5: D37F2C5CAC5747F6321F90C095DCE0FD)
  - vc_redist.x64.exe (PID: 6124 cmdline: "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe" /passive /norestart MD5: 45B47F4214DDC9F4782363A38504C9D2)
  - vc_redist.x64.exe (PID: 2916 cmdline: "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe" /passive /norestart -burn.unelevated BurnPipe.{4F78198D-CCF4-4BDA-B229-9F6ECD155586} {4F97EF20-8ED2-4EE3-ADE3-D632CD31AA0A} 6124 MD5: 45B47F4214DDC9F4782363A38504C9D2)
  - vc_redist.x86.exe (PID: 4612 cmdline: "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe" /passive /norestart MD5: A3CB49DAA1347FFE34B517F1A12F40AB)
  - vc_redist.x86.exe (PID: 4284 cmdline: "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe" /passive /norestart -burn.unelevated BurnPipe.{47F62FCB-416C-4BBB-9E18-CDA7A796F212} {D21067EF-2E64-4E1B-B04F-EE78644A74D1} 4612 MD5: A3CB49DAA1347FFE34B517F1A12F40AB)
  - msiexec.exe (PID: 6812 cmdline: "msiexec.exe" /i C:\Users\user\AppData\Local\Temp\is-483BE.tmp\ActiveBarcode.x86.msi MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - msiexec.exe (PID: 3416 cmdline: "msiexec.exe" /i C:\Users\user\AppData\Local\Temp\is-483BE.tmp\ActiveBarcode.x64.msi MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe (PID: 1180 cmdline: "C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe" /SILENT MD5: D567E7D9EB838A16C601E3E3CEA0C83F)
  - ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp (PID: 3192 cmdline: "C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp" /SL5="$A02C0,481838,121344,C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe" /SILENT MD5: A37C67C02D9C55EDCA3BD37B276A4ADA)
  - ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe (PID: 420 cmdline: "C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe" /SILENT MD5: 3EC4D0F37CDF888018A109816DEB41F2)
  - ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp (PID: 6072 cmdline: "C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp" /SL5="$902D2,361899,121344,C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe" /SILENT MD5: 509F520729C3E6EFEF76ACE2CE206D45)
  - ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe (PID: 5196 cmdline: "C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe" /SILENT MD5: 22EC2A1988C8789D3F9D3E97F6E76EA8)
  - ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp (PID: 3024 cmdline: "C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp" /SL5="$A02CE,385517,121344,C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe" /SILENT MD5: 0544949ED66EFF058CB7E1311C104CDD)
  - SrTasks.exe (PID: 5976 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)
  - conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - msiexec.exe (PID: 6112 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  - SrTasks.exe (PID: 5292 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 MD5: 2694D2D28C368B921686FE567BD319EB)
  - conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - SrTasks.exe (PID: 5824 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3 MD5: 2694D2D28C368B921686FE567BD319EB)
  - conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
No Sigma rule has matched
No Snort rule has matched
- Compliance
- Spreading
- System Summary
- Persistence and Installation Behavior
- Boot Survival
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Language, Device and Operating System Detection
- Lowering of HIPS / PFW / Operating System Security Settings
There are no malicious signatures.
Compliance |
---|
Source: | Static PE information: |
Source: | Window detected: |