zcuSHbuD2Wn3.exe
Source: Internet. Editor: 程序博客网 (Programmer Blog Network). Time: 2024/06/05 03:01
Reposted from: https://www.hybrid-analysis.com/sample/f41d0e00ffe1f8932eda937bb8d32a83c8992c1f596bd3a741c08190925c9e64?environmentId=1
zcuSHbuD2Wn3.exe
Analyzed on April 28th 2016 06:45:03 (CEST) to Windows 7 32 bit
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by VxStream Sandbox v4.10 © Payload Security
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access
- Contains ability to listen for incoming connections
- Spyware/Leak
- POSTs files to a webserver
- Ransomware
- The input sample dropped a known ransomware file
- Deletes volume snapshots (often used by Ransomware)
- Fingerprint
- Reads the cryptographic machine GUID
- Contains ability to look up the Windows account name
- Network Behavior
- Contacts 1 host. View the network section for more details.
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
Malicious Indicators 9
- External Systems
- Detected Emerging Threats Alert
- Sample was identified as malicious by at least one Antivirus engine
- Installation/Persistence
- Allocates virtual memory in foreign process
- Writes data to a remote process
- Spyware/Information Retrieval
- Accesses potentially sensitive information from local browsers
- Unusual Characteristics
- Contains native function calls
- Hiding 3 Malicious Indicators
- All indicators are available only in the private webservice or standalone version
Suspicious Indicators 25
- Anti-Detection/Stealthyness
- Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- Sets the process error mode to suppress error box
- Anti-Reverse Engineering
- Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- PE file has unusual entropy sections
- Environment Awareness
- Contains ability to query the machine version
- Reads the cryptographic machine GUID
- External Systems
- Detected Emerging Threats Alert
- General
- POSTs files to a webserver
- Installation/Persistence
- Creates/touches files in windows directory
- Monitors specific registry key for changes
- Network Related
- Found potential IP address in binary/memory
- Uses a User Agent typical for browsers, although no browser was ever launched
- System Destruction
- Opens file with deletion access rights
- System Security
- Contains ability to elevate privileges
- Modifies proxy settings
- Unusual Characteristics
- Imports suspicious APIs
- Reads information about supported languages
- Hiding 8 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
Informative 12
- Environment Awareness
- Contains ability to query machine time
- Contains ability to query volume size
- General
- Contacts server
- Contains PDB pathways
- Creates mutants
- Loads modules at runtime
- Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- Runs shell commands
- Spawns new processes
- Installation/Persistence
- Contains ability to look up the Windows account name
- Dropped files
- Network Related
- Found potential URL in binary/memory
File Details
zcuSHbuD2Wn3.exe
- Filename
- zcuSHbuD2Wn3.exe
- Size
- 176KiB (179712 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- 32 Bit
- SHA256
- f41d0e00ffe1f8932eda937bb8d32a83c8992c1f596bd3a741c08190925c9e64
Resources
- Language
- ENGLISH
- Icon
Visualization
- Input File (PortEx)
Version Info
- LegalCopyright
- Copyright 2005-2015 Piriform Ltd
- InternalName
- ecleaner
- FileVersion
- 5, 11, 00, 5408
- CompanyName
- Piriform Ltd
- Comments
- CCleaner
- ProductName
- ECleaner
- ProductVersion
- 5, 11, 00, 5408
- FileDescription
- ECleaner
- OriginalFilename
- ecleaner.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 42.1% (.EXE) Win32 Executable MS Visual C++ (generic)
- 37.3% (.EXE) Win64 Executable (generic)
- 8.8% (.DLL) Win32 Dynamic Link Library (generic)
- 6.0% (.EXE) Win32 Executable (generic)
- 2.7% (.EXE) Generic Win/DOS Executable
File Sections
File Imports
Screenshots
Hybrid Analysis
Analysed 3 processes in total (System Resource Monitor).
- zcuSHbuD2Wn3.exe (PID: 3824)
- vssadmin.exe Delete Shadows /All /Quiet (PID: 1128)
- cmd.exe /C del /Q /F "%TEMP%\sysE574.tmp" (PID: 2984)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
ASN: 49505 (OOO Network of data-centers Selectel)
Port 80: Hypertext Transfer Protocol (HTTP)
Contacted Countries
HTTP Traffic
Emerging Threats
Extracted Strings