Windows Analysis Report
Wow.exe

Overview

General Information

Sample name: Wow.exe
Analysis ID: 1546274
MD5: 5758d89ed392e2190c44c5183a6d23a3
SHA1: f397a538e6d7ecd362768303feb2d43d90227c31
SHA256: bf644876709c591acc17c0da8cdf1814edcc9f1e6bc109a8c0d5c38c79dc953c

Detection

Score: 7
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to query CPU information (cpuid)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

Source: Wow.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: d:\BuildServer\WoW\1\work\WoW-code\branches\wow-patch-3_3_5_A-BNet\WoW\Bin\Wow.pdb source: Wow.exe
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00771D10 GetModuleFileNameA,_memset,FindFirstFileA,FindClose,LeaveCriticalSection,FormatMessageA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LeaveCriticalSection,GetLocalTime,CloseHandle,CloseHandle,IsWindow,IsWindowVisible,MessageBoxA,LeaveCriticalSection,GetVersion,GetCurrentProcess,GetCurrentProcess,GetExitCodeProcess,GetCurrentProcess,TerminateProcess, 0_2_00771D10
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:56997
Source: Wow.exe String found in binary or memory: http://cn.kbase.blizzard.com/kb/wow/
Source: Wow.exe String found in binary or memory: http://eu.tracker.worldofwarcraft.com:3724/announce
Source: Wow.exe String found in binary or memory: http://support.worldofwarcraft.co.kr/kb/
Source: Wow.exe String found in binary or memory: http://support.worldofwarcraft.com/kb/
Source: Wow.exe String found in binary or memory: http://support.worldofwarcraft.com/kb/http://support.wowtaiwan.com.tw/kb/http://cn.kbase.blizzard.co
Source: Wow.exe String found in binary or memory: http://support.wow-europe.com/kb/
Source: Wow.exe String found in binary or memory: http://support.wowtaiwan.com.tw/kb/
Source: Wow.exe String found in binary or memory: http://us.tracker.worldofwarcraft.com:3724/announce
Source: Wow.exe String found in binary or memory: http://us.tracker.worldofwarcraft.com:3724/announcehttp://eu.tracker.worldofwarcraft.com:3724/announ
Source: Wow.exe String found in binary or memory: http://www.blizzard.com
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00869760 GetAsyncKeyState,SendInput,SystemParametersInfoA, 0_2_00869760
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_008706E0 GetModuleHandleA,DirectInput8Create, 0_2_008706E0
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_004640A0 0_2_004640A0
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_004181B0 0_2_004181B0
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_004102B2 0_2_004102B2
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_004186F2 0_2_004186F2
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00870B80 0_2_00870B80
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00418C34 0_2_00418C34
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_004250D0 0_2_004250D0
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00859160 0_2_00859160
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_004152D3 0_2_004152D3
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_004192F4 0_2_004192F4
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00779370 0_2_00779370
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_0088D420 0_2_0088D420
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_0041167D 0_2_0041167D
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00729740 0_2_00729740
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00425850 0_2_00425850
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00891A79 0_2_00891A79
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00509DD0 0_2_00509DD0
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00425DE0 0_2_00425DE0
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00925EE0 0_2_00925EE0
Source: C:\Users\user\Desktop\Wow.exe Code function: String function: 0076ED20 appears 54 times
Source: C:\Users\user\Desktop\Wow.exe Code function: String function: 0076E540 appears 160 times
Source: C:\Users\user\Desktop\Wow.exe Code function: String function: 00767FC0 appears 271 times
Source: C:\Users\user\Desktop\Wow.exe Code function: String function: 005EEB70 appears 54 times
Source: C:\Users\user\Desktop\Wow.exe Code function: String function: 0076E5A0 appears 268 times
Source: C:\Users\user\Desktop\Wow.exe Code function: String function: 00817DB0 appears 33 times
Source: Wow.exe Static PE information: Resource name: None type: b.out segmented executable V2.3 86
Source: classification engine Classification label: clean7.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00434CE0 GetDiskFreeSpaceA, 0_2_00434CE0
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_0077D710 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,Thread32Next,Thread32Next,CloseHandle,GetCurrentThreadId, 0_2_0077D710
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_004294C0 FindResourceExA,LoadResource,LockResource,SizeofResource, 0_2_004294C0
Source: C:\Users\user\Desktop\Wow.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Wow.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: acspecfc.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: mscms.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: ddraw.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: dciman32.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: opengl32.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: dinput8.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: divxdecoder.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: hid.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Wow.exe Section loaded: glu32.dll
Source: Wow.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Wow.exe Static file information: File size 7699456 > 1048576
Source: Wow.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5dd400
Source: Wow.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Wow.exe Static PE information: real checksum: 0x764074 should be: 0x7667db
Source: Wow.exe Static PE information: section name: .zdata
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00869E00 IsIconic,GetWindowRect,AdjustWindowRectEx,PeekMessageA,PeekMessageA,GetMessageA,TranslateMessage,GetMessageA,TranslateMessage,DispatchMessageA,PeekMessageA, 0_2_00869E00
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_0040C684 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040C684
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00770FA0 GetProcessHeap,HeapAlloc, 0_2_00770FA0
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_004111C6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004111C6
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_00414E28 cpuid 0_2_00414E28
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_007712D0 GetLocalTime, 0_2_007712D0
Source: C:\Users\user\Desktop\Wow.exe Code function: 0_2_0077CF70 GetUserNameA, 0_2_0077CF70
No contacted IP infos