Windows
Analysis Report
DouWan-Video-Setup-En-4.3.0.3-x64.exe
Overview
General Information
Detection
Score: | 26 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 20% |
Compliance
Score: | 36 |
Range: | 0 - 100 |
Signatures
Modifies the windows firewall
Query firmware table information (likely to detect VMs)
Uses netsh to modify the Windows network and firewall settings
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected potential crypto function
Drops PE files
EXE planting / hijacking vulnerabilities found
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Classification
- System is w10x64
DouWan-Video-Setup-En-4.3.0.3-x64.exe (PID: 6552 cmdline:
"C:\Users\ user\Deskt op\DouWan- Video-Setu p-En-4.3.0 .3-x64.exe " MD5: 54F1DFBDA1D18A3CDB6055546D45DC84) netsh.exe (PID: 3848 cmdline:
netsh advf irewall fi rewall add rule name ="DouWan" dir=in act ion=allow program="C :\Program Files\douw an\DouWan. exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF) conhost.exe (PID: 5820 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) WerFault.exe (PID: 3740 cmdline:
C:\Windows \system32\ WerFault.e xe -pss -s 488 -p 60 16 -ip 601 6 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) regsvr32.exe (PID: 3468 cmdline:
"C:\Window s\system32 \regsvr32. exe" /i /s "C:\Progr am Files\d ouwan\VCam \douwan-vi rtualcam32 .dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0) regsvr32.exe (PID: 5260 cmdline:
"C:\Window s\system32 \regsvr32. exe" /i /s "C:\Progr am Files\d ouwan\VCam \douwan-vi rtualaud32 .dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0) regsvr32.exe (PID: 5652 cmdline:
"C:\Window s\system32 \regsvr32. exe" /i /s "C:\Progr am Files\d ouwan\VCam \douwan-vi rtualcam64 .dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0) regsvr32.exe (PID: 5264 cmdline:
/i /s "C: \Program F iles\douwa n\VCam\dou wan-virtua lcam64.dll " MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) regsvr32.exe (PID: 1740 cmdline:
"C:\Window s\system32 \regsvr32. exe" /i /s "C:\Progr am Files\d ouwan\VCam \douwan-vi rtualaud64 .dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0) regsvr32.exe (PID: 1832 cmdline:
/i /s "C: \Program F iles\douwa n\VCam\dou wan-virtua laud64.dll " MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) DouWan.exe (PID: 6016 cmdline:
"C:\Progra m Files\do uwan\DouWa n.exe" MD5: E9A3B9746938F5A64159092AB84A9A9E) WMIC.exe (PID: 3396 cmdline:
wmic cspro duct get u uid MD5: C37F2F4F4B3CD128BDABCAEB2266A785) conhost.exe (PID: 4520 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) WerFault.exe (PID: 3272 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 6 016 -s 315 6 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
Source: | Binary or memory string: | memstr_c6108e29-5 |
Source: | EXE: | Jump to behavior |
Compliance |
---|
Source: | EXE: | Jump to behavior |
Source: | Static PE information: |
Source: | Window detected: |