Windows
Analysis Report
setup_CodecInstaller_full.exe
Overview
General Information
Detection
EICAR
| Field | Value |
|---|---|
| Score | 52 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected EICAR
Creates an undocumented autostart registry key
Disables DEP (Data Execution Prevention) for certain images
Machine Learning detection for dropped file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Whitelists domains for ActiveX usage
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Changes the start page of internet explorer
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May infect USB drives
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Common Autorun Keys Modification
Sigma detected: Internet Explorer Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- setup_CodecInstaller_full.exe (PID: 6700, cmdline: `"C:\Users\user\Desktop\setup_CodecInstaller_full.exe"`, MD5: 171B409B3248772CC366D31A44AED9F6)
- CrawlerSetup12.exe (PID: 7428, cmdline: `"C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe" /NORESTART /verysilent`, MD5: 3AFF13BDB88B4D57D41DC605A18738C9)
- CrawlerSetup12.tmp (PID: 7492, cmdline: `"C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp" /SL5="$304AA,2431449,71680,C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe" /NORESTART /verysilent`, MD5: DFB7304D96F8F1C29FDA2748779663D7)
- CToolbar.exe (PID: 7764, cmdline: `"C:\Program Files (x86)\Crawler\CToolbar.exe" /REGSVR`, MD5: EC506EE0F7F493C09DEFC911CAEDFD08)
- CodecInstaller.exe (PID: 7556, cmdline: `"C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe"`, MD5: 0A7C0374DA795E987E1F490B495B82F5)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| | JoeSecurity_EICAR | Yara detected EICAR | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
System Summary

| Source | Author |
|---|---|
| | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) |
| | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
No Snort rule has matched
AV Detection

| Source | Detection |
|---|---|
| | Avira |
| | ReversingLabs |
| | ReversingLabs |
| | ReversingLabs |
| | ReversingLabs |
| | ReversingLabs |
| | Virustotal |
| | ReversingLabs |
| | Joe Sandbox ML |
| | Static PE information |
| | Window detected |