Reminder.exe
PE32 executable (GUI) Intel 80386, for MS Windows
initial sample

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.965829564509541
Filename: Reminder.exe
Filesize: 10161880
MD5: d743bb6502147d38addb430590bc7a98
SHA1: 16cd70dd31fc54c0e42695441dbf3eab5de2e2bd
SHA256: ebe565a1a2b13e3cbcf7bcc58ea8bee81bd1ed2fed0e5977dc9e108ee8cbae95
SHA512: b6b61e445e59f3431414a8c664ed5686d79cb01fd50e7442c869f6c94f4f4183f980de2827f1ddf70817a4dd08661281e1d050ace81c5c5b50b7dbf7a073a735
SSDEEP: 196608:F/UI+mNZKDKmDX7HPY58yZqLcbUm4CzknrnbELh19M8pjx6gO0EMTe:F8HV7YqyZqLwqqk3E39npjZO0Eme
Preview:
MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits | Behavior Group | Mitre Attack
Multi AV Scanner detection for submitted file | AV Detection |
PE file contains an invalid checksum | Data Obfuscation |
PE file contains more sections than normal | System Summary |
PE file contains sections with non-standard names | Data Obfuscation |
Uses 32bit PE files | Compliance, System Summary |
Creates temporary files | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Parts of this application are using Borland Delphi (Probably coded in Delphi) | System Summary |
Reads software policies | System Summary |
Sample is known by Antivirus | System Summary |
Sample reads its own file content | System Summary |
Tries to load missing DLLs | System Summary |
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary |
Submission file is bigger than most known malware samples | System Summary |

C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_isdecmp.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped

File: C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_isdecmp.dll
Category: dropped
Dump: _isdecmp.dll.8.dr
ID: dr_2
Target ID: 8
Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 7.042110181107409
Encrypted: false
Size: 29472
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_setup64.tmp
PE32+ executable (console) x86-64, for MS Windows
dropped

File: C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_setup64.tmp
Category: dropped
Dump: _setup64.tmp.8.dr
ID: dr_1
Target ID: 8
Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
Type: PE32+ executable (console) x86-64, for MS Windows
Entropy: 4.720366600008286
Encrypted: false
Size: 6144
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
PE32 executable (GUI) Intel 80386, for MS Windows
dropped

File: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
Category: dropped
Dump: Reminder.tmp.5.dr
ID: dr_0
Target ID: 5
Process: C:\Users\user\Desktop\Reminder.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 6.597962076419531
Encrypted: false
Size: 3325440
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Creates files inside the user directory | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Parts of this application are using Borland Delphi (Probably coded in Delphi) | System Summary |
Queries a list of all running processes | Malware Analysis System Evasion |
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |
Executable creates window controls seldom found in malware | System Summary |

C:\Users\user\AppData\Local\coigned\Updater.exe (copy)
PE32 executable (GUI) Intel 80386, for MS Windows
dropped

File: C:\Users\user\AppData\Local\coigned\Updater.exe (copy)
Category: dropped
Dump: is-9F4FN.tmp.8.dr
Target ID: 8
Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Queries information about the installed CPU (vendor, model number etc) | Language, Device and Operating System Detection | System Information Discovery
Queries the product ID of Windows | Language, Device and Operating System Detection | System Information Discovery
Creates an autostart registry key | Boot Survival | Registry Run Keys / Startup Folder
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Parts of this application are using Borland Delphi (Probably coded in Delphi) | System Summary |
Queries the cryptographic machine GUID | Language, Device and Operating System Detection | System Information Discovery
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Users\user\AppData\Local\coigned\friendliwise.csv (copy)
data
dropped

File: C:\Users\user\AppData\Local\coigned\friendliwise.csv (copy)
Category: dropped
Dump: is-F09AJ.tmp.8.dr
Target ID: 8
Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
Type: data
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

C:\Users\user\AppData\Local\coigned\friendliwise.mid (copy)
data
dropped

File: C:\Users\user\AppData\Local\coigned\friendliwise.mid (copy)
Category: dropped
Dump: is-P4H94.tmp.8.dr
Target ID: 8
Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
Type: data
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

C:\Users\user\AppData\Local\coigned\is-9F4FN.tmp
PE32 executable (GUI) Intel 80386, for MS Windows
dropped

File: C:\Users\user\AppData\Local\coigned\is-9F4FN.tmp
Category: dropped
Dump: is-9F4FN.tmp.8.dr
ID: dr_3
Target ID: 8
Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 6.621472142472864
Encrypted: false
Size: 943784
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Local\coigned\is-F09AJ.tmp
data
dropped

File: C:\Users\user\AppData\Local\coigned\is-F09AJ.tmp
Category: dropped
Dump: is-F09AJ.tmp.8.dr
ID: dr_4
Target ID: 8
Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
Type: data
Entropy: 7.997065387988865
Encrypted: true
Size: 61106
Whitelisted: false

C:\Users\user\AppData\Local\coigned\is-P4H94.tmp
data
dropped

File: C:\Users\user\AppData\Local\coigned\is-P4H94.tmp
Category: dropped
Dump: is-P4H94.tmp.8.dr
ID: dr_5
Target ID: 8
Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
Type: data
Entropy: 6.4607709946359995
Encrypted: false
Size: 737665
Whitelisted: false

\Device\Null
ASCII text, with CRLF line terminators
dropped

File: \Device\Null
Category: dropped
Dump: Null.40.dr
ID: dr_6
Target ID: 40
Process: C:\Windows\SysWOW64\PING.EXE
Type: ASCII text, with CRLF line terminators
Entropy: 4.9404427828211634
Encrypted: false
Size: 478
Whitelisted: false