Windows
Analysis Report
WinMerge-2.16.42.1-x64-Setup.exe
Overview
General Information
Detection
Score: 15
Range: 0 - 100
Whitelisted: false
Confidence: 40%
Signatures
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- WinMerge-2.16.42.1-x64-Setup.exe (PID: 7268, cmdline: "C:\Users\user\Desktop\WinMerge-2.16.42.1-x64-Setup.exe", MD5: 694814DFEB6BC886ADC91431FA3710F8)
- WinMerge-2.16.42.1-x64-Setup.tmp (PID: 7284, cmdline: "C:\Users\user\AppData\Local\Temp\is-HF95R.tmp\WinMerge-2.16.42.1-x64-Setup.tmp" /SL5="$20436,9350605,121344,C:\Users\user\Desktop\WinMerge-2.16.42.1-x64-Setup.exe", MD5: 364B8FA0269A0789DCB7A9673C7757E4)
- regsvr32.exe (PID: 7664, cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\WinMerge\ShellExtensionX64.dll", MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
- WinMerge32BitPluginProxy.exe (PID: 7680, cmdline: "C:\Program Files\WinMerge\WinMerge32BitPluginProxy.exe" /RegServer, MD5: 0BF44140B929D5B80CF5F3A8FBA33767)
- WinMergeU.exe (PID: 7768, cmdline: "C:\Program Files\WinMerge\WinMergeU.exe" /s- /minimize /noninteractive /set-usertasks-to-jumplist 4097, MD5: 4D8808EB623326E39416F884B2DF745B)
- WinMergeU.exe (PID: 7880, cmdline: "C:\Program Files\WinMerge\WinMergeU.exe", MD5: 4D8808EB623326E39416F884B2DF745B)
- cleanup
No configs have been found
No yara matches
Sigma rule author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
No Suricata rule has matched