Analysis

Category Package Started Completed Duration
FILE exe 2020-02-14 13:23:25 2020-02-14 13:24:17 52 seconds
  • Info: Analysis failed: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted. The CreateProcess failure in the log below is Win32 error 14001 (ERROR_SXS_CANT_GEN_ACTCTX, "the application has failed to start because its side-by-side configuration is incorrect"), so the sample's process never started in the guest. Nothing in the behavioural, network or dropped-file sections of this report can be attributed to the sample; only the static results (PE header, sections, imports, strings) are derived from it.
Options:
route = inetsim
procdump = 1
Log:
2020-02-14 14:23:40,015 [root] INFO: Date set to: 02-14-20, time set to: 13:23:40, timeout set to: 200
2020-02-14 14:23:40,062 [root] DEBUG: Starting analyzer from: C:\cqcke
2020-02-14 14:23:40,062 [root] DEBUG: Storing results at: C:\ZQNDlp
2020-02-14 14:23:40,062 [root] DEBUG: Pipe server name: \\.\PIPE\gpIbxn
2020-02-14 14:23:40,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-02-14 14:23:40,078 [root] INFO: Automatically selected analysis package "exe"
2020-02-14 14:23:41,483 [root] DEBUG: Started auxiliary module Browser
2020-02-14 14:23:41,500 [root] DEBUG: Started auxiliary module Curtain
2020-02-14 14:23:41,500 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-02-14 14:23:43,421 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-02-14 14:23:43,421 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-02-14 14:23:43,421 [root] DEBUG: Started auxiliary module DigiSig
2020-02-14 14:23:43,437 [root] DEBUG: Started auxiliary module Disguise
2020-02-14 14:23:43,437 [root] DEBUG: Started auxiliary module Human
2020-02-14 14:23:43,437 [root] DEBUG: Started auxiliary module Screenshots
2020-02-14 14:23:43,437 [root] DEBUG: Started auxiliary module Sysmon
2020-02-14 14:23:43,437 [root] DEBUG: Started auxiliary module Usage
2020-02-14 14:23:43,437 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-02-14 14:23:43,437 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-02-14 14:23:45,578 [lib.api.process] ERROR: Failed to execute process from path "C:\Users\Rebecca\AppData\Local\Temp\BIT158D.tmp" with arguments "None" (Error: 14001)
2020-02-14 14:23:45,578 [root] ERROR: Traceback (most recent call last):
  File "C:\cqcke\analyzer.py", line 1332, in <module>
    success = analyzer.run()
  File "C:\cqcke\analyzer.py", line 1151, in run
    "error: {1}".format(package_name, e))
CuckooError: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
win7_3 win7_3 KVM 2020-02-14 13:23:25 2020-02-14 13:24:16

File Details

File Name BIT158D.tmp
File Size 405248 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1b1563de20be6de5bec9f1ff1b2f0a42
SHA1 3d322b9a0ba598fed54eb2e2bf1e4e7bbd84ed46
SHA256 6b6ab8698d1a2e9f18e809a1583db70c81251ad635bd25d164deb3dfeeee0e83
SHA512 e84d4ab2e96e93f38b283573ec378ec9dcb2e995300356fa74fe555fe161a41ec0b7e2031fd78aab34b33d9b9f20aed7b4d40f41f9dfed84650d0fb419715777
CRC32 87D7C9FC
Ssdeep 3072:VeMUdOxSGfLp6OhObI+qasfiX09r8xIQ:VeMaQDp5hasfS2uIQ
TrID None matched
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

The PE file contains a PDB path
pdbpath: mini_installer.exe.pdb
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary contains an unknown PE section name indicative of packing
unknown section: name: .00cfg, entropy: 0.06, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00000200, virtual_size: 0x00000004
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Screenshots


Hosts

Direct IP Country Name
Y 1.1.1.1 Australia

DNS

No domains contacted.


Summary

BinGraph

PE Information

Image Base 0x00400000
Entry Point 0x00401000
Reported Checksum 0x0006fc5e
Actual Checksum 0x00072838
Minimum OS Version 5.1
PDB Path mini_installer.exe.pdb
Compile Time 2020-02-13 01:08:07
Import Hash ec06ab323a50409817b4a6a54b98f157
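The "Actual checksum does not match that reported in PE header" anomaly above (reported 0x0006fc5e, actual 0x00072838) comes from recomputing the optional-header CheckSum. The following is an added example, not code from this report or from CAPE, that implements that recomputation the way Windows' CheckSumMappedFile does: a 16-bit sum with end-around carry over the whole file, the CheckSum field itself treated as zero, plus the file length. The sample's bytes are not on this page, so the block builds a small constructed MZ/PE stub (not a valid executable) to exercise the check.

```python
import struct
from typing import Tuple

# Added example (not CAPE's code): recompute and verify the PE header checksum.


def find_checksum_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    e_lfanew (at 0x3c) -> "PE\\0\\0" (4 bytes) + IMAGE_FILE_HEADER (20 bytes)
    + optional header, where CheckSum sits at offset 64 for PE32 and PE32+.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Checksum Windows expects in the header for this image (CheckSumMappedFile)."""
    total = 0
    for off in range(0, len(data) & ~1, 2):
        if off == checksum_offset or off == checksum_offset + 2:
            continue  # the field being computed counts as zero
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    if len(data) & 1:  # a trailing odd byte is zero-padded to a word
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def verify_checksum(data: bytes) -> Tuple[int, int, bool]:
    """Return (reported, actual, matches). A reported value of 0 means 'not set'."""
    off = find_checksum_offset(data)
    reported = struct.unpack_from("<I", data, off)[0]
    actual = pe_checksum(data, off)
    return reported, actual, reported == actual


def build_stub_image(reported: int) -> bytes:
    """Constructed minimal MZ/PE stub used only to demonstrate the check."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew: PE header at 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, find_checksum_offset(img), reported)
    return bytes(img)


if __name__ == "__main__":
    stub = build_stub_image(0xDEADBEEF)  # deliberately wrong header value
    print("reported=%#x actual=%#x match=%s" % verify_checksum(stub))
```

Treat a mismatch as weak evidence on its own: the user-mode loader does not enforce the checksum, so unsigned builds and binaries whose headers were edited after linking routinely carry a stale value, while a packer that rewrites the header can just as easily store a correct one.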

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x0000283e 0x00002a00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.29
.rdata 0x00004000 0x00001041 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.20
.data 0x00006000 0x00000068 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.60
.00cfg 0x00007000 0x00000004 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.06
.rsrc 0x00008000 0x0005a770 0x0005a800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.50
.reloc 0x00063000 0x00000298 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.00
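The packer signature fired only because ".00cfg" is absent from the signature's list of known section names; the table shows a 4-byte, read-only, 0.06-entropy section, which is the opposite of what a packer stub looks like. The block below is an added example (not CAPE's signature code) that rates sections the way a practitioner would: an unrecognised name is noted, but a "packed" verdict needs a strong indicator such as high entropy, a writable-and-executable section, or an executable section with no raw data. The report's own section table is transcribed as input; the UPX-style rows and the ".xyz" row are constructed for contrast.

```python
import math
from typing import Dict, List

# Added example (not CAPE's code): section-based packing heuristic.

# Compiler/linker section names that should not count as "unknown" (.00cfg is the
# MSVC Control Flow Guard configuration section, .gfids/.giats are CFG tables).
KNOWN_SECTIONS = {
    ".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata",
    ".tls", ".bss", ".CRT", ".00cfg", ".gfids", ".giats", ".didat", ".xdata",
    ".ndata", "CODE", "DATA", "BSS",
}

ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed/encrypted data sits near 8.0


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for uniform or empty data, 8.0 for perfectly mixed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_section(sec: Dict) -> Dict:
    """Flag indicators for one section; 'entropy' may be given or derived from 'data'."""
    chars = set(sec["characteristics"].split("|"))
    executable = "IMAGE_SCN_MEM_EXECUTE" in chars
    writable = "IMAGE_SCN_MEM_WRITE" in chars
    entropy = sec["entropy"] if "entropy" in sec else shannon_entropy(sec["data"])
    flags: List[str] = []
    if sec["name"] not in KNOWN_SECTIONS:
        flags.append("unknown-name")
    if entropy >= ENTROPY_THRESHOLD:
        flags.append("high-entropy")
    if executable and writable:
        flags.append("writable-executable")
    if sec["raw_size"] == 0 and sec["virtual_size"] > 0:
        flags.append("virtual-only")  # filled at runtime by an unpacking stub
    strong = {"high-entropy", "writable-executable", "virtual-only"}
    packed = bool(strong & set(flags)) and (executable or "unknown-name" in flags)
    return {"name": sec["name"], "entropy": entropy, "flags": flags, "packed": packed}


def packed_sections(sections: List[Dict]) -> List[str]:
    return [r["name"] for r in map(assess_section, sections) if r["packed"]]


def _sec(name, vsize, rsize, chars, entropy):
    return {"name": name, "virtual_size": vsize, "raw_size": rsize,
            "characteristics": chars, "entropy": entropy}


# Transcribed from the Sections table of this report.
REPORT_SECTIONS = [
    _sec(".text", 0x283E, 0x2A00, "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", 6.29),
    _sec(".rdata", 0x1041, 0x1200, "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", 4.20),
    _sec(".data", 0x68, 0x200, "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", 0.60),
    _sec(".00cfg", 0x4, 0x200, "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", 0.06),
    _sec(".rsrc", 0x5A770, 0x5A800, "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", 2.50),
    _sec(".reloc", 0x298, 0x400, "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", 0.00),
]

# Constructed UPX-style layout: an empty executable section that is unpacked into
# at runtime, followed by a high-entropy executable section holding the payload.
UPX_LIKE_SECTIONS = [
    _sec("UPX0", 0x1F000, 0, "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", 0.0),
    _sec("UPX1", 0xC000, 0xC000, "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", 7.9),
]

if __name__ == "__main__":
    for s in REPORT_SECTIONS + UPX_LIKE_SECTIONS:
        print(assess_section(s))
```

Applied to this report the verdict is empty: ".00cfg" is recognised, and even if it were not, a read-only section with 0.06 bits of entropy would only earn an "unknown-name" note. The constructed UPX rows are flagged on the strong indicators, which is the behaviour the raw name-list check cannot provide.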

Overlay

Offset 0x0005f000
Size 0x00003f00

Resources

Name Offset Size Language Sub-language Entropy File type
B7 0x00061624 0x000005b1 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 data
B7 0x00061624 0x000005b1 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 data
RT_ICON 0x00061bd8 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 data
RT_RCDATA 0x00061ec0 0x0000001c LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 data
RT_GROUP_ICON 0x00061edc 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 data
RT_VERSION 0x00061ef0 0x00000454 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 data
RT_MANIFEST 0x00062344 0x0000042c LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 data

Imports

Library SHELL32.dll:
0x404b60 CommandLineToArgvW
Library KERNEL32.dll:
0x404b68 CloseHandle
0x404b6c CreateDirectoryW
0x404b70 CreateFileW
0x404b74 CreateProcessW
0x404b78 DeleteFileW
0x404b80 EnumResourceNamesW
0x404b84 ExitProcess
0x404b8c FindClose
0x404b90 FindFirstFileExW
0x404b94 FindFirstFileW
0x404b98 FindNextFileW
0x404b9c FindResourceW
0x404ba0 FreeLibrary
0x404ba4 GetCommandLineW
0x404ba8 GetCurrentProcess
0x404bb0 GetExitCodeProcess
0x404bb4 GetFileAttributesW
0x404bb8 GetLastError
0x404bbc GetModuleFileNameW
0x404bc0 GetModuleHandleW
0x404bc4 GetProcAddress
0x404bc8 GetProcessHeap
0x404bcc GetSystemInfo
0x404bd0 GetTempPathW
0x404bd8 GetVolumePathNameW
0x404bdc HeapAlloc
0x404be0 HeapFree
0x404be4 LoadLibraryExA
0x404be8 LoadLibraryExW
0x404bec LoadResource
0x404bf0 LocalAlloc
0x404bf8 LocalFree
0x404bfc LockResource
0x404c00 MultiByteToWideChar
0x404c04 RaiseException
0x404c08 ReadFile
0x404c0c RemoveDirectoryW
0x404c10 SetFileAttributesW
0x404c14 SetFilePointer
0x404c18 SetFileTime
0x404c20 SizeofResource
0x404c24 VirtualProtect
0x404c28 VirtualQuery
0x404c2c WaitForSingleObject
0x404c30 WideCharToMultiByte
0x404c34 WriteFile
0x404c38 lstrcmpiW
0x404c3c lstrlenW

!This program cannot be run in DOS mode.$
.text
`.rdata
@.data
.00cfg
@.rsrc
@.reloc
RQPPh
FDICreate
FDIDestroy
FDICopy
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
mini_installer.exe.pdb
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetTokenInformation
OpenProcessToken
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
SystemFunction036
ADVAPI32.dll
CommandLineToArgvW
CloseHandle
CreateDirectoryW
CreateFileW
CreateProcessW
DeleteFileW
DosDateTimeToFileTime
EnumResourceNamesW
ExitProcess
ExpandEnvironmentStringsW
FindClose
FindFirstFileExW
FindFirstFileW
FindNextFileW
FindResourceW
FreeLibrary
GetCommandLineW
GetCurrentProcess
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesW
GetLastError
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSystemInfo
GetTempPathW
GetVolumeInformationW
GetVolumePathNameW
HeapAlloc
HeapFree
LoadLibraryExA
LoadLibraryExW
LoadResource
LocalAlloc
LocalFileTimeToFileTime
LocalFree
LockResource
MultiByteToWideChar
RaiseException
ReadFile
RemoveDirectoryW
SetFileAttributesW
SetFilePointer
SetFileTime
SetProcessWorkingSetSize
SizeofResource
VirtualProtect
VirtualQuery
WaitForSingleObject
WideCharToMultiByte
WriteFile
lstrcmpiW
lstrlenW
SHELL32.dll
KERNEL32.dll
;-sB)
;fT5~
{8A69D345-D564-463c-AFF1-A69D9E530F96}
{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}
{8237E44A-0054-442C-B6B6-EA0509993955}
{401C381F-E0DE-4B85-8BD8-3F3F14FBDA57}
{4ea16ac7-fd5a-47c3-875b-dbf4a2008c20}
--system-level
--chrome-beta
--chrome-dev
--chrome-sxs
--cleanup
--chrome-frame
--multi-install
GoogleUpdateIsMachine
@%WINDIR%\system32\cabinet.dll
%SYSTEMROOT%\system32\cabinet.dll
C:\Windows\system32\cabinet.dll
D:PAI(A;;FA;;;BA)(A;OIIOCI;GA;;;BA)(A;;FA;;;SY)(A;OIIOCI;GA;;;SY)(A;OIIOCI;GA;;;CO)(A;;FA;;;
@chrome_
setup.exe
chrome
setup
install-archive
update-setup-exe
new-setup-exe
previous-version
-full
ChromeInstallerCleanup
InstallerError
InstallerExtraCode1
InstallerResult
UninstallArguments
UninstallString
Software\Google\Update\Clients\
Software\Google\Update\ClientState\
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
0123456789ABCDEF
KERNEL32.DLL
This file is not on VirusTotal.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.3 62840 1.1.1.1 53
192.168.1.3 62988 1.1.1.1 53

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Defense Evasion
  • T1045 - Software Packing
    • Signature - packer_unknown_pe_section_name

    Processing ( 6.839 seconds )

    • 5.026 Suricata
    • 0.66 Static
    • 0.549 VirusTotal
    • 0.325 peid
    • 0.083 TargetInfo
    • 0.078 CAPE
    • 0.057 Deduplicate
    • 0.032 NetworkAnalysis
    • 0.015 BehaviorAnalysis
    • 0.008 AnalysisInfo
    • 0.003 Debug
    • 0.003 Strings

    Signatures ( 0.023 seconds )

    • 0.005 ransomware_files
    • 0.004 antiav_detectreg
    • 0.003 antiav_detectfile
    • 0.003 ransomware_extensions
    • 0.001 persistence_autorun
    • 0.001 antianalysis_detectfile
    • 0.001 antianalysis_detectreg
    • 0.001 browser_security
    • 0.001 infostealer_bitcoin
    • 0.001 infostealer_ftp
    • 0.001 infostealer_im
    • 0.001 infostealer_mail

    Reporting ( 0.722 seconds )

    • 0.655 BinGraph
    • 0.035 MaecReport
    • 0.023 MITRE_TTPS
    • 0.009 JsonDump
    Task ID 12801
    Mongo ID 5e469f8bc2ea48845f667592
    Cuckoo release 1.3-CAPE