Edit tour

Windows Analysis Report
main.exe

Overview

General Information

Sample name:	main.exe
Analysis ID:	1547827
MD5:	91d6288da150030f5bb3520d313b4c3b
SHA1:	cddd9dd6abaed79d89c7acd0c679db7173d55a9f
SHA256:	a661cd857dc41135f7f2f95bc7cc257d020ebbe44b80e9c8d1c9436ccc322c6c
Tags:	exeParaniCheckeruser-Fact_Finder03
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64

main.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\main.exe" MD5: 91D6288DA150030F5BB3520D313B4C3B)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

main.exe (PID: 7696 cmdline: "C:\Users\user\Desktop\main.exe" MD5: 91D6288DA150030F5BB3520D313B4C3B)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-03T06:52:20.012210+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.4	49735	TCP
2024-11-03T06:52:58.885422+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.4	49739	TCP

Code function: 0_2_00007FF7B35C4C50 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF7B35C4C50