Windows
Analysis Report
WinMerge-2.16.42.1-x64-Setup.exe
Overview
General Information
Detection
Score: | 15 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 40% |
Signatures
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- WinMerge-2.16.42.1-x64-Setup.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\WinMerge-2.16.42.1-x64-Setup.exe" MD5: 694814DFEB6BC886ADC91431FA3710F8)
- WinMerge-2.16.42.1-x64-Setup.tmp (PID: 7364 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-UAN49.tmp\WinMerge-2.16.42.1-x64-Setup.tmp" /SL5="$1045C,9350605,121344,C:\Users\user\Desktop\WinMerge-2.16.42.1-x64-Setup.exe" MD5: 364B8FA0269A0789DCB7A9673C7757E4)
- regsvr32.exe (PID: 8064 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\WinMerge\ShellExtensionX64.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
- WinMerge32BitPluginProxy.exe (PID: 8080 cmdline: "C:\Program Files\WinMerge\WinMerge32BitPluginProxy.exe" /RegServer MD5: 0BF44140B929D5B80CF5F3A8FBA33767)
- WinMergeU.exe (PID: 8160 cmdline: "C:\Program Files\WinMerge\WinMergeU.exe" /s- /minimize /noninteractive /set-usertasks-to-jumplist 4097 MD5: 4D8808EB623326E39416F884B2DF745B)
- WinMergeU.exe (PID: 6936 cmdline: "C:\Program Files\WinMerge\WinMergeU.exe" MD5: 4D8808EB623326E39416F884B2DF745B)
- cleanup
⊘No configs have been found
⊘No yara matches
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: frack113, Nasreddine Bencherchali: |
⊘No Suricata rule has matched
Source: | Static PE information: |
Source: | Window detected: |