Windows Analysis Report
FB101DRIT_V13SP3.exe

Overview

General Information

Sample name: FB101DRIT_V13SP3.exe
Analysis ID: 1546860
MD5: fcd8c07af0e9620fb40fb44ed5a3dc43
SHA1: 319fd243ff58f400b3b5663111b2ab201406ed04
SHA256: 41c0d0bd114301973fd6e3ea1f6fb2a95a8283899fcd7243c652624e7abc96a5

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

PE file contains sections with non-standard names
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

Source: FB101DRIT_V13SP3.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49736
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49730
Source: setup.exe String found in binary or memory: ftp://%s%d.tmpsetup.ethermk:
Source: setup.exe String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl0
Source: setup.exe String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: data1.hdr String found in binary or memory: http://deviis4.installshield.com/NetNirvana/
Source: setup.exe String found in binary or memory: http://www.installengine.com/oci_range_check.txt
Source: setup.exe String found in binary or memory: http://www.installengine.com/oci_range_check.txtproxy
Source: setup.ini String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: setup.exe String found in binary or memory: http://www.installshield.com0
Source: FB101DRIT_V13SP3.exe, 00000000.00000002.2930563969.0000000001244000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.winzip.com
Source: FB101DRIT_V13SP3.exe, 00000000.00000002.2930563969.0000000001244000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.winzip.comCan
Source: setup.exe String found in binary or memory: https://http://...
Source: classification engine Classification label: clean1.winEXE@1/0@0/0
Source: FB101DRIT_V13SP3.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: FB101DRIT_V13SP3.exe String found in binary or memory: /aDdw
Source: setup.exe String found in binary or memory: re Installasjonsprogrammet igjen.-Installasjonsprogrammet har oppdaget en feil.
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe File read: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: networkexplorer.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: samlib.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: drprov.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: ntlanman.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: davclnt.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: playtodevice.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: devdispitemprovider.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: portabledeviceapi.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: audiodev.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: wmvcore.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: wmasf.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: mfperfhelper.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: thumbcache.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InProcServer32
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: FB101DRIT_V13SP3.exe Static file information: File size 12963840 > 1048576
Source: FB101DRIT_V13SP3.exe Static PE information: Raw size of _winzip_ is bigger than: 0x100000 < 0xc53a00
Source: FB101DRIT_V13SP3.exe Static PE information: section name: _winzip_
Source: C:\Users\user\Desktop\FB101DRIT_V13SP3.exe Process information set: NOOPENFILEERRORBOX
Source: FB101DRIT_V13SP3.exe, 00000000.00000003.1736246811.00000000012AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: FB101DRIT_V13SP3.exe, 00000000.00000003.1736246811.00000000012AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: FB101DRIT_V13SP3.exe, 00000000.00000003.1736246811.00000000012AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: FB101DRIT_V13SP3.exe, 00000000.00000002.2930563969.0000000001293000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SS[#
Source: FB101DRIT_V13SP3.exe, 00000000.00000002.2930563969.00000000012AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: FB101DRIT_V13SP3.exe, 00000000.00000003.1878815296.0000000001308000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&
Source: FB101DRIT_V13SP3.exe, 00000000.00000002.2930563969.00000000012AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
No contacted IP infos