Detections

Yara:

TrickBot

Analysis

Category FILE
Package exe
Started 2020-06-22 20:24:41
Completed 2020-06-22 20:28:53
Duration 252 seconds
procdump = yes
2020-05-13 09:09:20,743 [root] INFO: Date set to: 20200622T20:24:40, timeout set to: 200
2020-06-22 20:24:40,031 [root] DEBUG: Starting analyzer from: C:\tmp2ylp3rhi
2020-06-22 20:24:40,031 [root] DEBUG: Storing results at: C:\LGoTLbNk
2020-06-22 20:24:40,031 [root] DEBUG: Pipe server name: \\.\PIPE\dBcXXbgd
2020-06-22 20:24:40,031 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-22 20:24:40,031 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-22 20:24:40,031 [root] INFO: Automatically selected analysis package "exe"
2020-06-22 20:24:40,031 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-22 20:24:40,046 [root] DEBUG: Imported analysis package "exe".
2020-06-22 20:24:40,046 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-22 20:24:40,046 [root] DEBUG: Initialized analysis package "exe".
2020-06-22 20:24:40,078 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-22 20:24:40,093 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-22 20:24:40,093 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-22 20:24:40,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-22 20:24:40,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-22 20:24:40,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-22 20:24:40,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-22 20:24:40,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-22 20:24:40,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-22 20:24:40,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-22 20:24:40,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-22 20:24:40,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-22 20:24:40,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-22 20:24:40,187 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-22 20:24:40,187 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-22 20:24:40,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-22 20:24:40,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-22 20:24:40,187 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-22 20:24:40,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-22 20:24:40,187 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-22 20:24:40,187 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-22 20:24:40,531 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-22 20:24:40,531 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-22 20:24:40,546 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-22 20:24:40,546 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-22 20:24:40,546 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-22 20:24:40,546 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-22 20:24:40,546 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-22 20:24:40,562 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-22 20:24:40,562 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-22 20:24:40,562 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-22 20:24:40,562 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-22 20:24:40,562 [root] DEBUG: Started auxiliary module Browser
2020-06-22 20:24:40,562 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-22 20:24:40,562 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-22 20:24:40,562 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-22 20:24:40,562 [root] DEBUG: Started auxiliary module Curtain
2020-06-22 20:24:40,578 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-22 20:24:40,578 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-22 20:24:40,578 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-22 20:24:40,578 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-22 20:24:40,796 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-22 20:24:40,796 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-22 20:24:40,812 [root] DEBUG: Started auxiliary module DigiSig
2020-06-22 20:24:40,812 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-22 20:24:40,812 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-22 20:24:40,812 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-22 20:24:40,828 [root] DEBUG: Started auxiliary module Disguise
2020-06-22 20:24:40,828 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-22 20:24:40,828 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-22 20:24:40,843 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-22 20:24:40,843 [root] DEBUG: Started auxiliary module Human
2020-06-22 20:24:40,843 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-22 20:24:40,843 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-22 20:24:40,843 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-22 20:24:40,843 [root] DEBUG: Started auxiliary module Procmon
2020-06-22 20:24:40,843 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-22 20:24:40,843 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-22 20:24:40,843 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-22 20:24:40,843 [root] DEBUG: Started auxiliary module Screenshots
2020-06-22 20:24:40,843 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-22 20:24:40,843 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-22 20:24:40,843 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-22 20:24:40,859 [root] DEBUG: Started auxiliary module Sysmon
2020-06-22 20:24:40,859 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-22 20:24:40,859 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-22 20:24:40,859 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-22 20:24:40,859 [root] DEBUG: Started auxiliary module Usage
2020-06-22 20:24:40,859 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-22 20:24:40,859 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-22 20:24:40,859 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-22 20:24:40,859 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-22 20:24:40,890 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\picture10-1.exe" with arguments "" with pid 3648
2020-06-22 20:24:40,890 [lib.api.process] INFO: Monitor config for process 3648: C:\tmp2ylp3rhi\dll\3648.ini
2020-06-22 20:24:40,906 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-22 20:24:40,906 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\lGgPbq.dll, loader C:\tmp2ylp3rhi\bin\BMMnfyr.exe
2020-06-22 20:24:40,953 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dBcXXbgd.
2020-06-22 20:24:40,953 [root] DEBUG: Loader: Injecting process 3648 (thread 4488) with C:\tmp2ylp3rhi\dll\lGgPbq.dll.
2020-06-22 20:24:40,953 [root] DEBUG: Process image base: 0x00820000
2020-06-22 20:24:40,953 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ylp3rhi\dll\lGgPbq.dll.
2020-06-22 20:24:40,968 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-22 20:24:40,968 [root] DEBUG: Successfully injected DLL C:\tmp2ylp3rhi\dll\lGgPbq.dll.
2020-06-22 20:24:40,968 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3648
2020-06-22 20:24:42,968 [lib.api.process] INFO: Successfully resumed process with pid 3648
2020-06-22 20:24:43,078 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 20:24:43,078 [root] DEBUG: Process dumps disabled.
2020-06-22 20:24:43,078 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 20:24:43,078 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-22 20:24:43,078 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3648 at 0x689e0000, image base 0x820000, stack from 0x1b6000-0x1c0000
2020-06-22 20:24:43,125 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\picture10-1.exe".
2020-06-22 20:24:43,140 [root] INFO: Loaded monitor into process with pid 3648
2020-06-22 20:24:43,140 [root] INFO: Disabling sleep skipping.
2020-06-22 20:24:43,171 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-22 20:24:43,203 [root] DEBUG: DLL loaded at 0x74A40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-22 20:24:43,234 [root] DEBUG: DLL loaded at 0x748C0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-06-22 20:24:43,234 [root] DEBUG: DLL loaded at 0x75290000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-22 20:24:43,249 [root] DEBUG: DLL loaded at 0x751E0000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-06-22 20:25:19,171 [root] DEBUG: set_caller_info: Adding region at 0x00230000 to caller regions list (ntdll::NtQuerySystemInformation).
2020-06-22 20:25:19,171 [root] DEBUG: set_caller_info: Adding region at 0x01510000 to caller regions list (kernel32::GetSystemTime).
2020-06-22 20:25:19,187 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1510000
2020-06-22 20:25:19,187 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01510000 size 0x400000.
2020-06-22 20:25:19,218 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LGoTLbNk\CAPE\3648_32451621719252222162020 (size 0xfff)
2020-06-22 20:25:19,218 [root] DEBUG: DumpRegion: Dumped stack region from 0x01510000, size 0x1000.
2020-06-22 20:25:19,265 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LGoTLbNk\CAPE\3648_175982822819252222162020 (size 0x31f42)
2020-06-22 20:25:19,265 [root] DEBUG: DumpRegion: Dumped stack region from 0x00230000, size 0x32000.
2020-06-22 20:25:19,281 [root] DEBUG: set_caller_info: Adding region at 0x00270000 to caller regions list (ntdll::LdrLoadDll).
2020-06-22 20:25:19,281 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x00270000
2020-06-22 20:25:19,281 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-22 20:25:19,281 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00270000.
2020-06-22 20:25:19,281 [root] DEBUG: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x00400000.
2020-06-22 20:25:19,312 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x31c00.
2020-06-22 20:25:19,328 [root] DEBUG: DLL loaded at 0x75640000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-22 20:25:19,359 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\logA739.tmp
2020-06-22 20:25:42,375 [root] DEBUG: set_caller_info: Adding region at 0x002B0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-22 20:25:42,375 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-22 20:25:42,375 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x002B0000.
2020-06-22 20:25:42,375 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000A040.
2020-06-22 20:25:42,406 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1e000.
2020-06-22 20:25:42,406 [root] DEBUG: DLL loaded at 0x74E20000: C:\Windows\system32\ncrypt (0x39000 bytes).
2020-06-22 20:25:42,406 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-22 20:25:42,406 [root] DEBUG: DLL loaded at 0x75300000: C:\Windows\system32\MSASN1 (0xc000 bytes).
2020-06-22 20:25:42,421 [root] DEBUG: DLL loaded at 0x73760000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-06-22 20:25:42,421 [root] DEBUG: DLL loaded at 0x73750000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-22 20:25:42,421 [root] DEBUG: DLL loaded at 0x763D0000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-22 20:25:42,437 [root] DEBUG: DLL loaded at 0x75400000: C:\Windows\system32\CRYPT32 (0x122000 bytes).
2020-06-22 20:25:42,437 [root] DEBUG: DLL loaded at 0x6EF10000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2020-06-22 20:25:42,437 [root] DEBUG: DLL loaded at 0x6EEC0000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-22 20:25:42,453 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 248, handle 0xfc.
2020-06-22 20:25:42,468 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,468 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 332, handle 0xfc.
2020-06-22 20:25:42,468 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,484 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 368, handle 0xfc.
2020-06-22 20:25:42,484 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,500 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 376, handle 0xfc.
2020-06-22 20:25:42,500 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,500 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 416, handle 0xfc.
2020-06-22 20:25:42,500 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,500 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 464, handle 0xfc.
2020-06-22 20:25:42,500 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,515 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 472, handle 0xfc.
2020-06-22 20:25:42,515 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,546 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 480, handle 0xfc.
2020-06-22 20:25:42,546 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,546 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 584, handle 0xfc.
2020-06-22 20:25:42,546 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,562 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 660, handle 0xfc.
2020-06-22 20:25:42,562 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,578 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 752, handle 0xfc.
2020-06-22 20:25:42,578 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,593 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 784, handle 0xfc.
2020-06-22 20:25:42,593 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,625 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 816, handle 0xfc.
2020-06-22 20:25:42,625 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,640 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 840, handle 0xfc.
2020-06-22 20:25:42,640 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,671 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1084, handle 0xfc.
2020-06-22 20:25:42,671 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,687 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1196, handle 0xfc.
2020-06-22 20:25:42,687 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,703 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1288, handle 0xfc.
2020-06-22 20:25:42,703 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,718 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1420, handle 0xfc.
2020-06-22 20:25:42,718 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,734 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1492, handle 0xfc.
2020-06-22 20:25:42,750 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,750 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1580, handle 0xfc.
2020-06-22 20:25:42,750 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,750 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1588, handle 0xfc.
2020-06-22 20:25:42,765 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,796 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1764, handle 0xfc.
2020-06-22 20:25:42,796 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,812 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 312, handle 0xfc.
2020-06-22 20:25:42,812 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,812 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1440, handle 0xfc.
2020-06-22 20:25:42,812 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,812 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2052, handle 0xfc.
2020-06-22 20:25:42,843 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2284, handle 0xfc.
2020-06-22 20:25:42,843 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,843 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3212, handle 0xfc.
2020-06-22 20:25:42,859 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,859 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3936, handle 0xfc.
2020-06-22 20:25:42,859 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,875 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 5056, handle 0xfc.
2020-06-22 20:25:42,875 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:42,890 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3648, handle 0xfc.
2020-06-22 20:25:42,890 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-22 20:25:44,921 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-22 20:25:44,937 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\credssp (0x8000 bytes).
2020-06-22 20:25:44,937 [root] DEBUG: DLL unloaded from 0x74CB0000.
2020-06-22 20:25:45,437 [root] DEBUG: DLL loaded at 0x73460000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-22 20:25:45,453 [root] DEBUG: set_caller_info: Adding region at 0x00650000 to caller regions list (ntdll::memcpy).
2020-06-22 20:25:45,468 [root] DEBUG: set_caller_info: Adding region at 0x00500000 to caller regions list (ncrypt::NCryptImportKey).
2020-06-22 20:25:45,531 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\LGoTLbNk\CAPE\3648_23143151759252222162020 (size 0x100099)
2020-06-22 20:25:45,625 [root] DEBUG: DLL loaded at 0x74D80000: C:\Windows\system32\bcryptprimitives (0x3d000 bytes).
2020-06-22 20:25:45,640 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-22 20:25:45,640 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-22 20:25:45,656 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-06-22 20:28:03,218 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-22 20:28:03,218 [lib.api.process] INFO: Terminate event set for process 3648
2020-06-22 20:28:03,218 [root] DEBUG: Terminate Event: Skipping dump of process 3648
2020-06-22 20:28:03,218 [lib.api.process] INFO: Termination confirmed for process 3648
2020-06-22 20:28:03,218 [root] INFO: Terminate event set for process 3648.
2020-06-22 20:28:03,218 [root] INFO: Created shutdown mutex.
2020-06-22 20:28:04,218 [root] INFO: Shutting down package.
2020-06-22 20:28:04,218 [root] INFO: Stopping auxiliary modules.
2020-06-22 20:28:04,312 [lib.common.results] WARNING: File C:\LGoTLbNk\bin\procmon.xml doesn't exist anymore
2020-06-22 20:28:04,312 [root] INFO: Finishing auxiliary modules.
2020-06-22 20:28:04,312 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-22 20:28:04,312 [root] WARNING: Folder at path "C:\LGoTLbNk\debugger" does not exist, skip.
2020-06-22 20:28:04,328 [root] INFO: Analysis completed.

Machine

Name win7_2
Label win7_2
Manager KVM
Started On 2020-06-22 20:24:42
Shutdown On 2020-06-22 20:28:53

File Details

File Name picture10-1.exe
File Size 235520 bytes
File Type PE32 executable (console) Intel 80386, for MS Windows
PE timestamp 2020-06-22 13:38:46
MD5 ff8e1fd14cd3fee1afcaa0ed67bdae0f
SHA1 5cf24e2cdac69c939a412ab2e2ce86d95775d017
SHA256 299c71c00c4ef4669236c4171e5693c1364ba3619736a6437cc677d46e2d6670
SHA512 8b4c630b11fc47850b8732f84d2fae239c7db7a4b8852bf60a1aa4a6b0fb41beff6f9b8cbdade811488bd905ee10354eaa5bdf37d995a05ef4c8fd9b0d128fb5
CRC32 4D7D4204
Ssdeep 3072:t1SIIp2znmAO0V03wUo/lnpmzUW3SO8J7P1jLLw9/SC73tErtDEPHyW/HoeoUPbc:vq2D+wr03IJjpfwjEiHBoajYf

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Attempts to connect to a dead IP:Port (3 unique times)
IP: 122.50.6.122:449 (Indonesia)
IP: 78.108.216.47:443 (unknown)
IP: 185.14.31.104:443 (Ukraine)
Communicates with IPs located across a large number of unique countries
country: Romania
country: United States
country: unknown
country: Ukraine
country: Indonesia
country: Australia
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3648 triggered the Yara rule 'shellcode_patterns'
Hit: PID 3648 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 3648 triggered the Yara rule 'shellcode_peb_parsing'
Hit: PID 3648 triggered the Yara rule 'TrickBot'
Creates RWX memory
Dynamic (imported) function loading detected
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: RPCRT4.dll/UuidFromStringW
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: ncrypt.dll/GetKeyStorageInterface
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptSetKeyParam
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: bcryptprimitives.dll/GetSignatureInterface
DynamicLoader: WS2_32.dll/WSAGetOverlappedResult
DynamicLoader: WS2_32.dll/
At least one IP Address, Domain, or File Name was found in a crypto call
ioc: 95.171.16.42:443
ioc: 185.90.61.9:443
ioc: 5.1.81.68:443
ioc: 185.99.2.65:443
ioc: 134.119.191.11:443
ioc: 85.204.116.100:443
ioc: 78.108.216.47:443
ioc: 51.81.112.144:443
ioc: 194.5.250.121:443
ioc: 185.14.31.104:443
ioc: 185.99.2.66:443
ioc: 107.175.72.141:443
ioc: 192.3.247.123:443
ioc: 134.119.191.21:443
ioc: 85.204.116.216:443
ioc: 91.235.129.20:443
ioc: 181.129.104.139:449
ioc: 181.112.157.42:449
ioc: 181.129.134.18:449
ioc: 131.161.253.190:449
ioc: 121.100.19.18:449
ioc: 190.136.178.52:449
ioc: 45.6.16.68:449
ioc: 110.232.76.39:449
ioc: 122.50.6.122:449
ioc: 103.12.161.194:449
ioc: 36.91.45.10:449
ioc: 110.93.15.98:449
ioc: 80.210.32.67:449
ioc: 103.111.83.246:449
ioc: 200.107.35.154:449
ioc: 36.89.182.225:449
ioc: 36.89.243.241:449
ioc: 36.92.19.205:449
ioc: 110.50.84.5:449
ioc: 182.253.113.67:449
ioc: 36.66.218.117:449
Reads data out of its own binary image
self_read: process: picture10-1.exe, pid: 3648, offset: 0x00000000, length: 0x00039800
CAPE extracted potentially suspicious content
picture10-1.exe: Unpacked Shellcode
picture10-1.exe: Unpacked Shellcode
picture10-1.exe: TrickBot Payload: 32-bit executable
picture10-1.exe: TrickBot
picture10-1.exe: Unpacked PE Image
picture10-1.exe: Unpacked Shellcode
Multiple direct IP connections
direct_ip_connections: Made direct connections to 6 unique IP addresses
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .data, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00032000, virtual_size: 0x000324f8
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\picture10-1.exe
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: picture10-1.exe (3648) called API WriteConsoleA 204611 times
CAPE detected the TrickBot malware family
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Screenshots


Hosts

Direct IP Country Name
Y 85.204.116.100 Romania
Y 8.8.8.8 United States
Y 78.108.216.47 unknown
Y 185.14.31.104 Ukraine
Y 122.50.6.122 Indonesia
Y 1.1.1.1 Australia

DNS

No domains contacted.


Summary

C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
C:\Windows
C:\Windows\winsxs
C:\Users\Rebecca\AppData\Local\Temp
C:\Users\Rebecca\AppData\Local\Temp\logA739.tmp
C:\
C:\Users\Rebecca\AppData\Local\Temp\*
C:\Users\Rebecca\AppData\Local\Temp\FXSAPIDebugLogFile.txt
C:\Users\Rebecca\AppData\Local\Temp\picture10-1.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CleanMaster\*
C:\Users\Rebecca\AppData\Local\Temp\logA739.tmp
C:\Users\Rebecca\AppData\Local\Temp\FXSAPIDebugLogFile.txt
C:\Users\Rebecca\AppData\Local\Temp\picture10-1.exe
C:\Users\Rebecca\AppData\Local\Temp\logA739.tmp
C:\Users\Rebecca\AppData\Local\Temp\logA739.tmp
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\RasPbFile
HKEY_CURRENT_USER\Software\Classes\d3b1bbc7-c020-4056-9ded-7c6f40b5a2fc
HKEY_CURRENT_USER\Software\Classes\FwtSqmSession101457921_S-1-5-18
HKEY_CURRENT_USER\Software\Classes\WindowsUpdateTracingMutex
HKEY_CURRENT_USER\Software\Classes\ZonesCacheCounterMutex
HKEY_CURRENT_USER\Software\Classes\ZonesLockedCacheCounterMutex
HKEY_CURRENT_USER\Software\Classes\ClickToRun_ResumeScenario
HKEY_CURRENT_USER\Software\Classes\ClickToRun_System_SingleInstance_16
HKEY_CURRENT_USER\Software\Classes\ClickToRun_Pipeline16
HKEY_CURRENT_USER\Software\Classes\ClickToRun_ExecutionContext
HKEY_CURRENT_USER\Software\Classes\AccessibilitySoundAgentRunning
HKEY_CURRENT_USER\Software\Classes\CicLoadWinStaWinSta0
HKEY_CURRENT_USER\Software\Classes\MSCTF.CtfMonitorInstMutexDefault1
HKEY_CURRENT_USER\Software\Classes\MSCTF.Asm.MutexDefault1
HKEY_CURRENT_USER\Software\Classes\_SHuassist.mtx
HKEY_CURRENT_USER\Software\Classes\ALTTAB_RUNNING_MUTEX
HKEY_CURRENT_USER\Software\Classes\MidiMapper_modLongMessage_RefCnt
HKEY_CURRENT_USER\Software\Classes\FileZilla3DragDropExtMutex
HKEY_CURRENT_USER\Software\Classes\SearchServiceMUT
HKEY_CURRENT_USER\Software\Classes\WindowsSearchService_EfsRegKeysMutex
HKEY_CURRENT_USER\Software\Classes\DBWinMutex
HKEY_CURRENT_USER\Software\Classes\F659A567-8ACB-4E4A-92A7-5C2DD1884F72
HKEY_CURRENT_USER\Software\Classes\__?_c:_programdata_microsoft_rac_statedata_racdatabase.sdf
HKEY_CURRENT_USER\Software\Classes\__?_c:_programdata_microsoft_rac_statedata_racdatabase.sdf:x
HKEY_CURRENT_USER\Software\Classes\__?_c:_programdata_microsoft_rac_statedata_racdatabase.sdf:splk:5056
HKEY_CURRENT_USER\Software\Classes\__?_c:_programdata_microsoft_rac_publisheddata_racwmidatabase.sdf
HKEY_CURRENT_USER\Software\Classes\__?_c:_programdata_microsoft_rac_publisheddata_racwmidatabase.sdf:x
HKEY_CURRENT_USER\Software\Classes\__?_c:_programdata_microsoft_rac_publisheddata_racwmidatabase.sdf:splk:5056
HKEY_CURRENT_USER\Software\Classes\__?_c:_programdata_microsoft_rac_temp_sql102a.tmp
HKEY_CURRENT_USER\Software\Classes\__?_c:_programdata_microsoft_rac_temp_sql102a.tmp:x
HKEY_CURRENT_USER\Software\Classes\__?_c:_programdata_microsoft_rac_temp_sql102a.tmp:splk:5056
HKEY_CURRENT_USER\Software\Classes\__?_c:_programdata_microsoft_rac_temp_sql1069.tmp
HKEY_CURRENT_USER\Software\Classes\__?_c:_programdata_microsoft_rac_temp_sql1069.tmp:x
HKEY_CURRENT_USER\Software\Classes\__?_c:_programdata_microsoft_rac_temp_sql1069.tmp:splk:5056
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaximumAllowedAllocationSize
HKEY_CURRENT_USER\Software\Classes\AppID\picture10-1.exe
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaximumAllowedAllocationSize
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.FindActCtxSectionStringW
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptReleaseContext
cryptbase.dll.SystemFunction036
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
rpcrt4.dll.UuidFromStringW
rpcrt4.dll.RpcBindingCreateW
rpcrt4.dll.RpcBindingBind
rpcrt4.dll.NdrClientCall2
ncrypt.dll.GetKeyStorageInterface
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptSetKeyParam
cryptsp.dll.CryptDecrypt
cryptsp.dll.CryptDestroyKey
bcryptprimitives.dll.GetSignatureInterface
ws2_32.dll.WSAGetOverlappedResult
ws2_32.dll.#3
Global\{A2E78397-7F43-D607-932D-DEBF62271223}

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash
0x00400000 0x00403e8f 0x00043a02 0x00044df5 5.0 2020-06-22 13:38:46 eba5fb0c6b7155a9d34ce06d27d8a8f7

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00003467 0x00003600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.65
.rdata 0x00003a00 0x00005000 0x000029c4 0x00002a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.13
.data 0x00006400 0x00008000 0x000324f8 0x00032000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 8.00
.rsrc 0x00038400 0x0003b000 0x000006b4 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.75
.reloc 0x00038c00 0x0003c000 0x00000a16 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.08

Resources

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x0003b0a0 0x000003bc LANG_ENGLISH SUBLANG_ENGLISH_US 3.49 None
RT_MANIFEST 0x0003b45c 0x00000256 LANG_ENGLISH SUBLANG_ENGLISH_US 5.02 None

Imports

0x405108 connect
0x40510c WSAStartup
0x405110 WSAGetLastError
0x405118 getsockname
0x40511c recv
0x405120 bind
0x405124 socket
0x405128 WSALookupServiceEnd
0x405130 WSASetServiceW
0x405134 closesocket
0x405138 send
0x40513c listen
0x405140 WSAStringToAddressW
0x405144 accept
0x40500c GetCurrentProcessId
0x405010 GetCurrentThreadId
0x405014 GetTickCount
0x40501c IsDebuggerPresent
0x405028 GetCurrentProcess
0x40502c TerminateProcess
0x405034 InterlockedExchange
0x405038 LoadLibraryExW
0x40503c GetLastError
0x405040 ExitProcess
0x405044 HeapAlloc
0x405048 FreeConsole
0x40504c HeapFree
0x405050 GetComputerNameW
0x405054 GetProcessHeap
0x405058 Sleep
0x405100 MessageBoxA
0x405078 _invoke_watson
0x40507c _controlfp_s
0x405080 memset
0x405084 __CxxFrameHandler3
0x405088 swscanf_s
0x40508c _decode_pointer
0x405090 _wcsicmp
0x405094 wprintf
0x405098 printf
0x40509c _vsnwprintf
0x4050a0 memcpy
0x4050a4 _amsg_exit
0x4050a8 __wgetmainargs
0x4050ac _cexit
0x4050b0 _exit
0x4050b4 _XcptFilter
0x4050b8 exit
0x4050bc __winitenv
0x4050c0 _initterm
0x4050c4 _initterm_e
0x4050c8 _configthreadlocale
0x4050cc __setusermatherr
0x4050d0 _adjust_fdiv
0x4050d4 __p__commode
0x4050d8 __p__fmode
0x4050dc _encode_pointer
0x4050e0 __set_app_type
0x4050e4 _crt_debugger_hook
0x4050ec _unlock
0x4050f0 __dllonexit
0x4050f4 _lock
0x4050f8 _onexit

!This program cannot be run in DOS mode.
RichSr
.text
`.rdata
@.data
.rsrc
@.reloc
bad allocation
tsiva
name = %p
&name[0] = %p
name printed as %%s is %s
*name = %c
name[0] = %c
RL7BXV2L
Float number: %3.2f
Hexadecimal: %x
Octal: %o
Unsigned value: %u
Just print the percentage sign %%
The color: %s
First number: %d
Second number: %04d
Third number: %i
AT4J3JqQaTK2bjgJ88qegHBLGM2OOcKcNVF
WSAStringToAddressW
WSASetServiceW
WSALookupServiceBeginW
WSALookupServiceEnd
WSALookupServiceNextW
WS2_32.dll
ExitProcess
HeapAlloc
LoadLibraryExW
HeapFree
GetComputerNameW
GetProcessHeap
Sleep
FreeConsole
GetLastError
KERNEL32.dll
MessageBoxA
USER32.dll
CryptAcquireContextA
ADVAPI32.dll
MSVCP90.dll
_wcsicmp
wprintf
printf
_vsnwprintf
swscanf_s
MSVCR90.dll
_amsg_exit
__wgetmainargs
_cexit
_exit
_XcptFilter
__winitenv
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_encode_pointer
__set_app_type
_crt_debugger_hook
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
_except_handler4_common
_invoke_watson
_controlfp_s
InterlockedExchange
InterlockedCompareExchange
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
memset
__CxxFrameHandler3
memcpy
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
</dependentAssembly>
</dependency>
</assembly>
KERNEL32.dll
F-FATAL- | Error in parsing command line
-FATAL- | Unable to initialize Winsock version 2.2
-FATAL- | Unable to get address of the remote radio having name %s
-FATAL- | Unable to get address of the remote radio having formated address-string %s
!ERROR! | Unable to allocate memory for WSAQUERYSET
*INFO* | Inquiring device from cache...
*INFO* | Unable to find device. Waiting for %d seconds before re-inquiry...
*INFO* | Inquiring device ...
=CRITICAL= | WSALookupServiceBegin() failed with error code %d, WSAGetLastError = %d
!ERROR! | Unable to allocate memory for WSAQERYSET
=CRITICAL= | WSALookupServiceNext() failed with error code %d
=CRITICAL= | HeapAlloc failed | out of memory, gle = [%d]
[email protected]#$%^&*()-_=+?<>1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
=CRITICAL= | Creating a static data string failed
=CRITICAL= | socket() call failed. WSAGetLastError = [%d]
=CRITICAL= | connect() call failed. WSAGetLastError=[%d]
*INFO* | Sending following data string:
=CRITICAL= | send() call failed w/socket = [0x%I64X], szData = [%p], dataLen = [%I64u]. WSAGetLastError=[%d]
=CRITICAL= | closesocket() call failed w/socket = [0x%I64X]. WSAGetLastError=[%d]
!ERROR! | Unable to allocate memory for CSADDR_INFO
=CRITICAL= | GetComputerName() call failed. WSAGetLastError=[%d]
=CRITICAL= | bind() call failed w/socket = [0x%I64X]. WSAGetLastError=[%d]
=CRITICAL= | getsockname() call failed w/socket = [0x%I64X]. WSAGetLastError=[%d]
-FATAL- | ComputerName specified is too large
-FATAL- | HeapAlloc failed | out of memory | gle = [%d]
Sample Bluetooth Server
%s %s
Example Service instance registered in the directory service through RnR
=CRITICAL= | WSASetService() call failed. WSAGetLastError=[%d]
=CRITICAL= | listen() call failed w/socket = [0x%I64X]. WSAGetLastError=[%d]
=CRITICAL= | accept() call failed. WSAGetLastError=[%d]
=CRITICAL= | recv() call failed. WSAGetLastError=[%d]
=CRITICAL= | received too much data
+WARNING+ | Data transfer aborted mid-stream. Expected Length = [%I64u], Actual Length = [%d]
*INFO* | Received following data string from remote device:
Bluetooth Connection Sample application for demonstrating connection and data transfer.
BTHCxn.exe [-n<RemoteName> | -a<RemoteAddress>]
[-c<ConnectionCycles>]
Switches applicable for Client mode:
-n<RemoteName> Specifies name of remote BlueTooth-Device.
-a<RemoteAddress> Specifies address of remote BlueTooth-Device.
The address is in form XX:XX:XX:XX:XX:XX
where XX is a hexidecimal byte
One of the above two switches is required for client.
Switches applicable for both Client and Server mode:
-c<ConnectionCycles> Specifies number of connection cycles.
Default value for this parameter is 1. Specify 0 to
run infinite number of connection cycles.
Command Line Examples:
"BTHCxn.exe -c0"
Runs the BTHCxn server for infinite connection cycles.
The application reports minimal information onto the cmd window.
"BTHCxn.exe -nServerDevice -c50"
Runs the BTHCxn client connecting to remote device (having name
"ServerDevice" for 50 connection cycles.
The application reports minimal information onto the cmd window.
!ERROR! | cmd line | Unable to parse -n<RemoteName>, length error (min 1 char, max %d chars)
!ERROR! | cmd line | Unable to parse -a<RemoteAddress>, Remote bluetooth radio address string length expected %d | Found: %I64u)
!ERROR! | cmd line | Must provide +ve or 0 value with -c option
!ERROR! | cmd line | Must provide a value with -c option
!ERROR! | cmd line | Bad option prefix, use '/' or '-'
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
Windows (R) Codename Longhorn DDK provider
FileDescription
Bluetooth Connection Sample Application
FileVersion
6.0.6000.16384
InternalName
BthCxn.exe
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
BthCxn.exe
ProductName
Windows (R) Codename Longhorn DDK driver
ProductVersion
6.0.6000.16384
VarFileInfo
Translation

Full Results

Engine Signature Engine Signature Engine Signature
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 85.204.116.100 [VT] Romania
Y 8.8.8.8 [VT] United States
Y 78.108.216.47 [VT] unknown
Y 185.14.31.104 [VT] Ukraine
Y 122.50.6.122 [VT] Indonesia
Y 1.1.1.1 [VT] Australia

TCP

Source Source Port Destination Destination Port
192.168.1.3 49196 122.50.6.122 449
192.168.1.3 49197 122.50.6.122 449
192.168.1.3 49192 185.14.31.104 443
192.168.1.3 49193 185.14.31.104 443
192.168.1.3 49194 78.108.216.47 443
192.168.1.3 49195 78.108.216.47 443
192.168.1.3 49198 85.204.116.100 443

UDP

Source Source Port Destination Destination Port
192.168.1.3 58700 1.1.1.1 53
192.168.1.3 60886 1.1.1.1 53
192.168.1.3 137 192.168.1.255 137
192.168.1.3 58700 8.8.8.8 53
192.168.1.3 60886 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1045 - Software Packing
    • Signature - packer_entropy

    Processing ( 17.284 seconds )

    • 16.391 BehaviorAnalysis
    • 0.286 CAPE
    • 0.248 VirusTotal
    • 0.2 Static
    • 0.07 Deduplicate
    • 0.021 NetworkAnalysis
    • 0.02 AnalysisInfo
    • 0.02 TargetInfo
    • 0.011 Dropped
    • 0.007 peid
    • 0.005 Debug
    • 0.005 Strings

    Signatures ( 7.387000000000002 seconds )

    • 1.045 antivm_generic_disk
    • 0.639 virus
    • 0.587 stealth_file
    • 0.503 bootkit
    • 0.449 mimics_filetime
    • 0.434 stealth_timeout
    • 0.426 decoy_document
    • 0.414 reads_self
    • 0.335 injection_createremotethread
    • 0.323 api_spamming
    • 0.315 hancitor_behavior
    • 0.305 NewtWire Behavior
    • 0.21 InjectionInterProcess
    • 0.206 InjectionCreateRemoteThread
    • 0.206 vawtrak_behavior
    • 0.187 Doppelganging
    • 0.162 lsass_credential_dumping
    • 0.101 dyre_behavior
    • 0.101 injection_explorer
    • 0.094 injection_runpe
    • 0.093 InjectionProcessHollowing
    • 0.076 process_needed
    • 0.021 antiav_detectreg
    • 0.014 encrypted_ioc
    • 0.012 ransomware_files
    • 0.009 infostealer_ftp
    • 0.008 cryptowall_behavior
    • 0.008 territorial_disputes_sigs
    • 0.007 ransomware_extensions
    • 0.006 sets_autoconfig_url
    • 0.006 antiav_detectfile
    • 0.005 ransomware_message
    • 0.005 dcrat_behavior
    • 0.005 infostealer_im
    • 0.004 antianalysis_detectfile
    • 0.004 antianalysis_detectreg
    • 0.004 infostealer_bitcoin
    • 0.003 dridex_behavior
    • 0.003 Raccoon Behavior
    • 0.003 persistence_autorun
    • 0.003 securityxploded_modules
    • 0.003 infostealer_mail
    • 0.003 masquerade_process_name
    • 0.002 antivm_generic_scsi
    • 0.002 uac_bypass_cmstp
    • 0.002 disables_spdy
    • 0.002 disables_wfp
    • 0.002 ipc_namedpipe
    • 0.002 nemty_note
    • 0.002 rat_luminosity
    • 0.002 rat_nanocore
    • 0.002 antivm_vbox_files
    • 0.002 antivm_vbox_keys
    • 0.001 antisandbox_sleep
    • 0.001 antivm_generic_services
    • 0.001 betabot_behavior
    • 0.001 dotnet_code_compile
    • 0.001 ispy_behavior
    • 0.001 kibex_behavior
    • 0.001 Locky_behavior
    • 0.001 office_postscript
    • 0.001 office_write_exe
    • 0.001 blackrat_apis
    • 0.001 OrcusRAT Behavior
    • 0.001 shifu_behavior
    • 0.001 tinba_behavior
    • 0.001 antivm_parallels_keys
    • 0.001 antivm_vmware_keys
    • 0.001 antivm_xen_keys
    • 0.001 geodo_banking_trojan
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 revil_mutexes

    Reporting ( 5.583 seconds )

    • 5.548 BinGraph
    • 0.034 MITRE_TTPS
    • 0.001 PCAP2CERT