U1902.exe
This report is generated from a file or URL submitted to this webservice on March 23rd 2019 01:24:15 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Persistence: Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Queries the internet cache settings (often used to hide footprints in index.dat or internet cache); Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion
- Spreading: Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior: Contacts 3 domains and 6 hosts
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators 12

External Systems

Sample was identified as malicious by a large number of Antivirus engines
- details: 19/65 Antivirus vendors marked sample as malicious (29% detection rate)
- source: External System
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details:
9/37 Antivirus vendors marked sample as malicious (24% detection rate)
19/65 Antivirus vendors marked sample as malicious (29% detection rate)
- source: External System
- relevance: 8/10

General

The analysis extracted a file that was identified as malicious
- details: 10/70 Antivirus vendors marked dropped file "u.exe" as malicious (classified as "Gen:Variant.Ser.Razy" with 14% detection rate)
- source: Binary File
- relevance: 10/10

The analysis spawned a process that was identified as malicious
- details: 10/70 Antivirus vendors marked spawned process "u.exe" (PID: 2572) as malicious (classified as "Gen:Variant.Ser.Razy" with 14% detection rate)
- source: Monitored Target
- relevance: 10/10

Installation/Persistence

Allocates virtual memory in a remote process
- details:
"U1902.exe" allocated memory in "%WINDIR%\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll"
"U1902.exe" allocated memory in "C:\utmp\u.exe"
"U1902.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details:
"U1902.exe" wrote 32 bytes to a remote process "C:\utmp\u.exe" (Handle: 720)
"U1902.exe" wrote 52 bytes to a remote process "C:\utmp\u.exe" (Handle: 720)
"U1902.exe" wrote 4 bytes to a remote process "C:\utmp\u.exe" (Handle: 720)
"U1902.exe" wrote 8 bytes to a remote process "C:\utmp\u.exe" (Handle: 720)
"U1902.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\Internet Explorer\iexplore.exe" (Handle: 712)
"U1902.exe" wrote 52 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 712)
"U1902.exe" wrote 4 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 712)
"U1902.exe" wrote 8 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 712)
"U1902.exe" wrote 32 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 536)
"U1902.exe" wrote 52 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 536)
"U1902.exe" wrote 4 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 536)
"U1902.exe" wrote 8 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 536)
"iexplore.exe" wrote 32 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 872)
"iexplore.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 872)
"iexplore.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 872)
"iexplore.exe" wrote 4 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 872)
"iexplore.exe" wrote 32 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 1944)
"iexplore.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 1944)
"iexplore.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 1944)
"iexplore.exe" wrote 4 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 1944)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055

Network Related

Malicious artifacts seen in the context of a contacted host
- details:
Found malicious artifacts related to "13.33.166.52": ...
URL: https://download.ccleaner.com/ccsetup547pro.exe (AV positives: 1/67 scanned on 10/07/2018 12:44:00)
URL: http://cdn.onesafe-software.com/OneSafe_PC_Cleaner/DK/OneSafe_PC_Cleaner.exe (AV positives: 3/68 scanned on 10/06/2018 19:41:15)
URL: https://www.aestheticala.com/wp-admin/user/ameli/portailas/appmanager/portailas/assure_somtc=true/fa375b4b2b520c6d8b27a6fe433938f6 (AV positives: 3/67 scanned on 10/06/2018 08:49:15)
URL: http://aestheticala.com/wp-admin/user/ameli/portailas/appmanager/portailas/assure_somtc=true/fa375b4b2b520c6d8b27a6fe433938f6 (AV positives: 4/68 scanned on 10/06/2018 08:49:12)
URL: http://cdn.pckeeper.com/pckeeper/installer/builds/1.1.990.8/installer.exe (AV positives: 2/68 scanned on 10/06/2018 08:15:23)
File SHA256: ab83539b3ddcd60135d8da1f7f522c3690351e144acdb484ac07bfdb0ad33b98 (AV positives: 2/65 scanned on 10/07/2018 12:44:05)
File SHA256: 7503d9cc9c0d23058777086e7811fb22b075ce34854d9e4037e3bb263b219c1a (AV positives: 21/68 scanned on 10/06/2018 19:41:17)
File SHA256: 0cd65c27764b5c9674722e26b76253dd392b7644a37b35b02b10adb410630167 (AV positives: 21/68 scanned on 10/06/2018 08:15:27)
File SHA256: 817c58cbe7ee26e208506917cb910f76533bf3a3e28e6ca18822a594dd30b5d9 (AV positives: 29/66 scanned on 10/05/2018 18:05:05)
File SHA256: e5f3779cc71ca7ab7741d3c8f08cae47e81890a9ebe51e749d5d3d922fc58a0b (AV positives: 19/54 scanned on 10/03/2018 11:48:40)
Found malicious artifacts related to "74.82.60.90": ...
File SHA256: ea16e08de0a81c229bb997a68aa4e948a190731cb4180c17691eb9dddb7bf630 (AV positives: 16/70 scanned on 07/28/2018 11:10:11)
File SHA256: d8d5a35d91d9f7495a692827d84b90a337af0a8d13a05929469aeda5b6b12daf (Date: 10/27/2017 06:29:01)
File SHA256: 65ed53b633a834e86207a4a81e83fedd8c054d36b74bde5ee08ca880fc93c816 (Date: 10/27/2017 06:27:33)
Found malicious artifacts related to "74.82.60.96": ...
URL: http://esophagusdispatchrarity.info/ (AV positives: 1/67 scanned on 09/23/2018 23:00:34)
File SHA256: 76fbbdd811bc0c3bd9260edf7b532857c47b95d432ab8bc52ebe57e1a7acd56d (AV positives: 1/57 scanned on 02/06/2019 06:00:40)
File SHA256: 6df55c9e31f958da74249da9007fd672d08d4411cd5d54db05e55b4c01b121fe (AV positives: 15/70 scanned on 01/08/2019 08:14:47)
- source: Network Traffic
- relevance: 10/10

Modifies internet zones
- details:
"U1902.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3"; Key: "1C00"; Value: "00000000")
"U1902.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3"; Key: "CURRENTLEVEL"; Value: "00000000")
"U1902.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3"; Key: "1C00"; Value: "00000100")
"U1902.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3"; Key: "CURRENTLEVEL"; Value: "00100100")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1112

Multiple malicious artifacts seen in the context of different hosts
- details:
Same artifacts as listed above under "Malicious artifacts seen in the context of a contacted host" for 13.33.166.52, 74.82.60.90 and 74.82.60.96
- source: Network Traffic
- relevance: 10/10

Uses network protocols on unusual ports
- details:
TCP traffic to 74.82.60.90 on port 11306
TCP traffic to 74.82.60.96 on port 30231
- source: Network Traffic
- relevance: 7/10
- ATT&CK ID: T1065

Unusual Characteristics

Checks for a resource fork (ADS) file
- details: "U1902.exe" checked file "C:"
- source: API Call
- relevance: 5/10

Hiding 1 Malicious Indicators
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators 28

Anti-Detection/Stealthiness

Queries kernel debugger information
- details:
"U1902.exe" at 00074017-00003156-00000033-6129890693
"u.exe" at 00074216-00002572-00000033-11063602226
- source: API Call
- relevance: 6/10

Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details: "U1902.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details: "iexplore.exe" is protecting 8192 bytes with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10

PE file has unusual entropy sections
- details: UPX1 with unusual entropies 7.81989059041 and 7.91805661634
- source: Static Parser
- relevance: 10/10

PE file is packed with UPX
- details:
"b4d77967038ace1d5abfced3eae4152c7eb3d04c18ff54df17d4df6591b94702.bin" has a section named "UPX0"
"b4d77967038ace1d5abfced3eae4152c7eb3d04c18ff54df17d4df6591b94702.bin" has a section named "UPX1"
"u.exe" has a section named "UPX0"
"u.exe" has a section named "UPX1"
"u.exe" has a section named "UPX2"
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1045

Environment Awareness

Reads the active computer name
- details:
"U1902.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"u.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details:
"U1902.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"u.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

General

Opened the service control manager
- details:
"iexplore.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"iexplore.exe" called "OpenSCManager" requesting access rights "0XE0000000L"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1035

Reads configuration files
- details: "U1902.exe" read file "%LOCALAPPDATA%\Microsoft\Windows\History\desktop.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Drops executable files
- details: "u.exe" has type "PE32 executable (GUI) Intel 80386 (stripped to external PDB) for MS Windows UPX compressed"
- source: Binary File
- relevance: 10/10

Network Related

Found potential IP address in binary/memory
- details:
"127.0.0.1:9666"
"127.0.0.1"
Heuristic match: "-L="127.0.0.1:9666" -CID="68f1f44f", -ProgPath="C:\\" -TmpPath="C:\utmp\\" -ConnMode=0 -version="1902100""
- source: File/Memory
- relevance: 3/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details:
TCP traffic to 13.33.166.52 on port 443 is sent without HTTP header
TCP traffic to 74.82.63.74 on port 443 is sent without HTTP header
TCP traffic to 66.160.188.196 on port 443 is sent without HTTP header
TCP traffic to 52.38.138.104 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10

Remote Access Related

Reads terminal service related keys (often RDP related)
- details:
"U1902.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
"u.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1076

System Destruction

Marks file for deletion
- details:
"C:\U1902.exe" marked "C:\11cf" for deletion
"C:\U1902.exe" marked "C:\utmp\Qqbwfmgwob6z7g9r" for deletion
"C:\U1902.exe" marked "C:\utmp\Aczsnknjgj5f1x2c" for deletion
"C:\U1902.exe" marked "C:\utmp\Ojaijwptnc4y6i7a" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details:
"U1902.exe" opened "C:\11cf" with delete access
"U1902.exe" opened "C:\utmp\Qauhcqtimp9y9f9u" with delete access
"U1902.exe" opened "C:\utmp\Qqbwfmgwob6z7g9r" with delete access
"U1902.exe" opened "C:\utmp\Aczsnknjgj5f1x2c" with delete access
"U1902.exe" opened "C:\utmp\Ojaijwptnc4y6i7a" with delete access
"u.exe" opened "C:\utmp\ylthloixpejb" with delete access
- source: API Call
- relevance: 7/10

System Security

Modifies proxy settings
- details:
"U1902.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"U1902.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"U1902.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"U1902.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "01000000")
"U1902.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER"; Value: "127.0.0.1:9666")
"U1902.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE"; Value: "127.0.0.1")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Unusual Characteristics

CRC value set in PE header does not match actual value
- details: "u.exe" claimed CRC 2462707 while the actual is CRC 3741867
- source: Static Parser
- relevance: 10/10

Entrypoint in PE header is within an uncommon section
- details:
"b4d77967038ace1d5abfced3eae4152c7eb3d04c18ff54df17d4df6591b94702.bin" has an entrypoint in section "UPX1"
"u.exe" has an entrypoint in section "UPX1"
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details: RegCloseKey, VirtualProtect, GetProcAddress, VirtualAlloc, LoadLibraryA, ShellExecuteA, InternetOpenA
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
"U1902.exe" wrote bytes "b4360200" to virtual address "0x754A4D68" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "711177027a3b7602ab8b02007f950200fc8c0200729602006cc805001ecd73027d267302" to virtual address "0x754F07E4" (part of module "USER32.DLL")
"U1902.exe" wrote bytes "d83a4a75" to virtual address "0x754B01E0" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "b4364a75" to virtual address "0x754B0200" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "c0dfc0771cf9bf77ccf8bf770d64c17700000000c0117b7600000000fc3e7b7600000000e0137b76000000009457617725e0c077c6e0c07700000000bc6a607700000000cf317b760000000093196177000000002c327b7600000000" to virtual address "0x76AE1000" (part of module "NSI.DLL")
"U1902.exe" wrote bytes "b4360200" to virtual address "0x754A4EA4" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "b4364a75" to virtual address "0x754B01E4" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "60126e74" to virtual address "0x76EBE324" (part of module "WININET.DLL")
"U1902.exe" wrote bytes "b840136e74ffe0" to virtual address "0x754A3AD8" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "d83a0200" to virtual address "0x754A4E38" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "d83a0200" to virtual address "0x754A4D78" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "d83a4a75" to virtual address "0x754B0258" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "b4364a75" to virtual address "0x754B0278" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "0efcc37781edc277ae86c177c6e0c077effdc3772d16c277c0fcbf77da8fca776014c477478dc177a8e2c0776089c17700000000ad375e758b2d5e75b6415e7500000000" to virtual address "0x74551000" (part of module "WSHIP6.DLL")
"U1902.exe" wrote bytes "b830126e74ffe0" to virtual address "0x755E1368" (part of module "WS2_32.DLL")
"U1902.exe" wrote bytes "b4364a75" to virtual address "0x754B025C" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "d83a4a75" to virtual address "0x754B01FC" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "b8c0156e74ffe0" to virtual address "0x754A36B4" (part of module "SSPICLI.DLL")
"U1902.exe" wrote bytes "68130000" to virtual address "0x755E1680" (part of module "WS2_32.DLL")
"U1902.exe" wrote bytes "d83a4a75" to virtual address "0x754B0274" (part of module "SSPICLI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details: "U1902.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Timestamp in PE header is very old or in the future
- details: "u.exe" claims program is from Thu Jan 1 00:00:00 1970
- source: Static Parser
- relevance: 10/10

Hiding 6 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version

Informative 23

Anti-Reverse Engineering

PE file contains zero-size sections
- details: Raw size of "UPX0" is zero
- source: Static Parser
- relevance: 10/10

Environment Awareness

Queries volume information
- details: "U1902.exe" queries volume information of "C:\" at 00074017-00003156-00000046-5203497591
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire harddrive
- details: "U1902.exe" queries volume information of "C:\" at 00074017-00003156-00000046-5203497591
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120

Reads the registry for installed applications
- details:
"U1902.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CHROME.EXE")
"U1902.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\U1902.EXE")
"U1902.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\U1902.EXE")
"u.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CHROME.EXE")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

General

Contacts domains
- details: "autopush.prod.mozaws.net", "dq33tynpwunh.cloudfront.net", "ultrasurf.us"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details: "13.33.166.52:443", "74.82.63.74:443", "74.82.60.90:11306", "66.160.188.196:443", "74.82.60.96:30231", "52.38.138.104:443"
- source: Network Traffic
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
"iexplore.exe" created file "%TEMP%\~DF933446F859F7B122.TMP"
"iexplore.exe" created file "%TEMP%\~DF6D44B8D0D51F1F6C.TMP"
"iexplore.exe" created file "%TEMP%\~DF9B7512B686D455F8.TMP"
"iexplore.exe" created file "%TEMP%\~DF3699B3363B0658EC.TMP"
"iexplore.exe" created file "%TEMP%\~DF05D49CFEE246E78D.TMP"
"iexplore.exe" created file "%TEMP%\JavaDeployReg.log"
"iexplore.exe" created file "%TEMP%\JavaDeployReg.log"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
"\Sessions\1\BaseNamedObjects\_!SHMSFTHISTORY!_"
"_!SHMSFTHISTORY!_"
"\Sessions\1\BaseNamedObjects\IsoScope_d64_IESQMMUTEX_0_519"
"IsoScope_d64_IESQMMUTEX_0_303"
"IsoScope_d64_IE_EarlyTabStart_0xc3c_Mutex"
"{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"
"Local\URLBLOCK_FILEMAPSWITCH_MUTEX_3428"
"{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"
"IsoScope_d64_IESQMMUTEX_0_519"
"Local\!BrowserEmulation!SharedMemory!Mutex"
"IsoScope_d64_ConnHashTable<3428>_HashTable_Mutex"
"Local\URLBLOCK_HASHFILESWITCH_MUTEX"
"Local\VERMGMTBlockListFileMutex"
"IsoScope_d64_IESQMMUTEX_0_331"
"UpdatingNewTabPageData"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"IsoScope_d64_IE_EarlyTabStart_0xd4c_Mutex"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details: Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")
- source: Binary File
- relevance: 10/10

Launches a browser
- details: Launches browser "iexplore.exe" (4 times)
- source: Monitored Target
- relevance: 3/10

Overview of unique CLSIDs touched in registry
- details:
"U1902.exe" touched "WinInetBroker Class" (Path: "HKCU\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}")
"U1902.exe" touched "PSFactoryBuffer" (Path: "HKCU\WOW6432NODE\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}")
"U1902.exe" touched "Microsoft Url History Service" (Path: "HKCU\WOW6432NODE\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\TREATAS")
"U1902.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"U1902.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
"U1902.exe" touched "History" (Path: "HKCU\WOW6432NODE\CLSID\{FF393560-C2A7-11CF-BFF4-444553540000}\INPROCSERVER32")
- source: Registry Access
- relevance: 3/10

Process launched with changed environment
- details:
Process "iexplore.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "iexplore.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
Process "iexplore.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "iexplore.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "iexplore.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "iexplore.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
- source: Monitored Target
- relevance: 10/10

Spawns new processes
- details:
Spawned process "u.exe" with commandline "-L="127.0.0.1:9666" -CID="68f1f44f", -ProgPath="C:\\" -TmpPath=" ..."
Spawned process "iexplore.exe" with commandline "http://ultrasurf.us/search.htm"
Spawned process "iexplore.exe" with commandline "SCODEF:3428 CREDAT:275457 /prefetch:2"
Spawned process "iexplore.exe" with commandline "http://ultrasurf.us/search.htm"
Spawned process "iexplore.exe" with commandline "SCODEF:3428 CREDAT:3355663 /prefetch:2"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details:
Spawned process "u.exe" with commandline "-L="127.0.0.1:9666" -CID="68f1f44f", -ProgPath="C:\\" -TmpPath=" ..."
Spawned process "iexplore.exe" with commandline "http://ultrasurf.us/search.htm"
Spawned process "iexplore.exe" with commandline "SCODEF:3428 CREDAT:275457 /prefetch:2"
Spawned process "iexplore.exe" with commandline "http://ultrasurf.us/search.htm"
Spawned process "iexplore.exe" with commandline "SCODEF:3428 CREDAT:3355663 /prefetch:2"
- source: Monitored Target
- relevance: 3/10

The input sample is signed with a certificate
- details:
The input sample is signed with a certificate issued by "CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6; see report for more information)
The input sample is signed with a certificate issued by "CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 68:B3:2E:AC:87:65:2A:F4:17:2E:40:E3:76:44:77:43:7E:5A:5C:E9; see report for more information)
The input sample is signed with a certificate issued by "CN=DigiCert Assured ID CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 61:4D:27:1D:91:02:E3:01:69:82:24:87:FD:E5:DE:00:A3:52:B0:1D; see report for more information)
The input sample is signed with a certificate issued by "CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 19:A0:9B:5A:36:F4:DD:99:72:7D:F7:83:C1:7A:51:23:1A:56:C1:17; see report for more information)
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1116

The input sample is signed with a valid certificate
- details: The entire certificate chain of the input sample was validated successfully.
- source: Certificate Data
- relevance: 10/10

Installation/Persistence

Connects to LPC ports
- details: "U1902.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
"u.exe" has type "PE32 executable (GUI) Intel 80386 (stripped to external PDB) for MS Windows UPX compressed"
"urlblockindex_1_.bin" has type "data"
"background_gradient_red_1_" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 Exif Standard: [TIFF image data little-endian direntries=0] baseline precision 8 1x800 frames 3"
"red_shield_48_1_" has type "PNG image data 40 x 48 8-bit/color RGBA non-interlaced"
"favicon_2_.ico" has type "PNG image data 16 x 16 4-bit colormap non-interlaced"
"~DF6D44B8D0D51F1F6C.TMP" has type "data"
"errorPageStrings_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"
"favicon_1_.ico" has type "PNG image data 16 x 16 4-bit colormap non-interlaced"
"search_1_.json" has type "ASCII text with no line terminators"
"down_1_" has type "PNG image data 15 x 15 8-bit colormap non-interlaced"
"~DF05D49CFEE246E78D.TMP" has type "data"
"_BBD11C64-4D0B-11E9-AE5A-3C00271EB523_.dat" has type "Composite Document File V2 Document Cannot read section info"
"_764DB073-4D0B-11E9-AE5A-3C00271EB523_.dat" has type "Composite Document File V2 Document Cannot read section info"
"Qqbwfmgwob6z7g9r" has type "data"
"invalidcert_1_" has type "HTML document UTF-8 Unicode (with BOM) text with CRLF line terminators"
"search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "PNG image data 16 x 16 4-bit colormap non-interlaced"
"Aczsnknjgj5f1x2c" has type "data"
"green_shield_1_" has type "PNG image data 14 x 16 8-bit colormap non-interlaced"
"ErrorPageTemplate_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
"U1902.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"U1902.exe" touched file "C:\Windows\SysWOW64\tzres.dll"
"U1902.exe" touched file "C:\Windows\SysWOW64\en-US\tzres.dll.mui"
"U1902.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"U1902.exe" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
"U1902.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\counters.dat"
"U1902.exe" touched file "C:\Windows\SysWOW64\rsaenh.dll"
"U1902.exe" touched file "C:\Windows\SysWOW64\en-US\wininet.dll.mui"
"U1902.exe" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"U1902.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"U1902.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
"U1902.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"U1902.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
"U1902.exe" touched file "C:\Windows\SysWOW64\en-US\setupapi.dll.mui"
"U1902.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"U1902.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"U1902.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db"
- source
- API Call
- relevance
- 7/10
-
Connects to LPC ports
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: ":/g/faq.Dm"
Heuristic match: "h/@`@P.Td"
Pattern match: "www.digicert.com1$0"
Pattern match: "www.digicert.com110/"
Pattern match: "http://ocsp.digicert.com0C"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0"
Pattern match: "crl4.digicert.com/DigiCertAssuredIDRootCA.crl0"
Pattern match: "crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O"
Pattern match: "https://www.digicert.com/CPS0"
Pattern match: "http://crl3.digicert.com/sha2-assured-cs-g1.crl05"
Pattern match: "http://crl4.digicert.com/sha2-assured-cs-g1.crl0L"
Pattern match: "http://ocsp.digicert.com0N"
Pattern match: "cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0"
Pattern match: "www.digicert.com1!0"
Pattern match: "crl3.digicert.com/DigiCertAssuredIDCA-1.crl08"
Pattern match: "crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w"
Pattern match: "http://ocsp.digicert.com0A"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0"
Pattern match: "http://www.digicert.com/ssl-cps-repository.htm0"
Pattern match: "crl3.digicert.com/DigiCertAssuredIDRootCA.crl0"
Heuristic match: "autopush.prod.mozaws.net"
Heuristic match: "dq33tynpwunh.cloudfront.net"
Heuristic match: "ultrasurf.us"
Pattern match: "http://ultrasurf.us/search.htm"
Pattern match: "https://example.com"
Heuristic match: "l#.sB"
- source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
-
System Security
-
Creates or modifies windows services
- details
- "u.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"U1902.exe" opened "\Device\KsecDD"
"u.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Creates or modifies windows services
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"b4d77967038ace1d5abfced3eae4152c7eb3d04c18ff54df17d4df6591b94702.bin" was detected as "Netopsystems FEAD Optimizer 1"
"u.exe" was detected as "UPX -> www.upx.sourceforge.net"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002 (Show technique in the MITRE ATT&CK™ matrix)
-
Matched Compiler/Packer signature
File Details
U1902.exe
- Filename
- U1902.exe
- Size
- 3.5MiB (3682952 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
- Architecture
- WINDOWS
- SHA256
- b4d77967038ace1d5abfced3eae4152c7eb3d04c18ff54df17d4df6591b94702
- MD5
- 48fe7b7c67bc65aaa1f0a1318b45a3b5
- SHA1
- 9c3756cc878a5c80eeecc376a66f985969aeae76
- ssdeep
- 98304:6XTU15sTq7nCmrxd9Jozx9vdS3/IZRt8+6XmExMSbejtRUCNuOV3aFSp:Ea5sTwC9dS3KRtH62igRUwdaFc
- imphash
- fc886b896f4eab5fd8b7116cded50612
- authentihash
- 6ff63f2d2822e87e6e7108ab201adeafa8f57ee0d3cca7e5d03770605f4b7eb0
- Compiler/Packer
- Netopsystems FEAD Optimizer 1
Classification (TrID)
- 38.2% (.EXE) UPX compressed Win32 Executable
- 37.5% (.EXE) Win32 EXE Yoda's Crypter
- 9.2% (.DLL) Win32 Dynamic Link Library (generic)
- 6.3% (.EXE) Win32 Executable (generic)
- 2.8% (.EXE) OS/2 Executable (generic)
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 8168)
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1720)
- 127 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8168)
- 659 .C Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8168)
- 35 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 2179)
- 31 .ASM Files assembled with MASM 6.13 (Visual Studio 6 SP1) (build: 7299)
- 6 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 2190)
- 5 .OBJ Files linked with ALIASOBJ.EXE 6.00 (Internal OLDNAMES.LIB Tool) (build: 7291)
- File contains C++ code
- File appears to contain raw COFF/OMF content
- File is the product of a very large codebase (786 files)
File Sections
File Resources
File Imports
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US (Serial: 409181b5fd5bb66755343b56f955008) | 10/22/2013 12:00:00 to 10/22/2028 12:00:00 | B6:56:37:6C:3D:2A:CE:BB:A1:88:49:D6:04:36:1B:D5, 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6 |
CN=Ultrareach Internet Corp., O=Ultrareach Internet Corp., L=Cheyenne, ST=Wyoming, C=US | CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US (Serial: 5abac07f8d0ce567f7d75ee047efee2) | 04/20/2018 00:00:00 to 06/23/2021 12:00:00 | 76:B3:9E:B3:9F:1D:F5:3A:FA:57:12:22:A9:7C:C5:D4, 68:B3:2E:AC:87:65:2A:F4:17:2E:40:E3:76:44:77:43:7E:5A:5C:E9 |
CN=DigiCert Timestamp Responder, O=DigiCert, C=US | CN=DigiCert Assured ID CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US (Serial: 3019a023aff58b16bd6d5eae617f066) | 10/22/2014 00:00:00 to 10/22/2024 00:00:00 | 76:D5:EF:42:89:8A:B2:DF:A5:54:51:92:6C:A5:CA:0F, 61:4D:27:1D:91:02:E3:01:69:82:24:87:FD:E5:DE:00:A3:52:B0:1D |
CN=DigiCert Assured ID CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US (Serial: 6fdf9039603adea000aeb3f27bbba1b) | 11/10/2006 00:00:00 to 11/10/2021 00:00:00 | F3:13:AC:54:9D:E5:66:89:58:A4:80:DA:76:97:0E:BC, 19:A0:9B:5A:36:F4:DD:99:72:7D:F7:83:C1:7A:51:23:1A:56:C1:17 |
Hybrid Analysis
Analysed 6 processes in total (System Resource Monitor).
-
U1902.exe
(PID: 3156)
24/89
- u.exe -L="127.0.0.1:9666" -CID="68f1f44f", -ProgPath="C:\\" -TmpPath="C:\utmp\\" -ConnMode=0 -version="1902100" (PID: 2572) 10/70
-
iexplore.exe
http://ultrasurf.us/search.htm
(PID: 3428)
- iexplore.exe SCODEF:3428 CREDAT:275457 /prefetch:2 (PID: 3740)
- iexplore.exe SCODEF:3428 CREDAT:3355663 /prefetch:2 (PID: 2548)
- iexplore.exe http://ultrasurf.us/search.htm (PID: 3120)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
autopush.prod.mozaws.net | 34.211.250.176 (TTL: 8) | GANDI SAS (Organization: Mozilla; Name Server: NS-1084.AWSDNS-07.ORG; Creation Date: Tue, 18 Jun 2013 00:00:00 GMT) | United States |
dq33tynpwunh.cloudfront.net | 143.204.167.68 (TTL: 59) | MarkMonitor, Inc. | United States |
ultrasurf.us | 104.31.68.120 (TTL: 68) | whois.godaddy.com (Name Server: NS1.ULTRASURF.US; Creation Date: Fri, 12 Nov 2010 05:15:53 GMT) | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
13.33.166.52 | 443 TCP | u.exe (PID: 2572) | United States |
74.82.63.74 | 443 TCP | u.exe (PID: 2572) | United States |
74.82.60.90 | 11306 TCP | u.exe (PID: 2572) | United States |
66.160.188.196 | 443 TCP | u.exe (PID: 2572) | United States |
74.82.60.96 | 30231 TCP | u.exe (PID: 2572) | United States |
52.38.138.104 | 443 TCP | firefox.exe (PID: 2740) | United States |
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 20 extracted file(s). The remaining 29 file(s) are available in the full version and XML/JSON reports.
-
Malicious 1
-
-
u.exe
- Size
- 2.3MiB (2461832 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
- AV Scan Result
- Labeled as "Gen:Variant.Ser.Razy" (10/70)
- Runtime Process
- U1902.exe (PID: 3156)
- MD5
- 6f39f6931a136376c66289970639a50c
- SHA1
- 7a18217e41f9b1a9cb65c8cd11862c5d460dd194
- SHA256
- 0217f1f5e59cd1459665d7b1b89d1c21b1f414d8fd37a50caa7d760fb83b9d10
-
-
Clean 1
-
-
urlblockindex_1_.bin
- Size
- 16B (16 bytes)
- Type
- data
- AV Scan Result
- 0/80
- MD5
- fa518e3dfae8ca3a0e495460fd60c791
- SHA1
- e4f30e49120657d37267c0162fd4a08934800c69
- SHA256
- 775853600060162c4b4e5f883f9fd5a278e61c471b3ee1826396b6d129499aa7
-
-
Informative Selection 1
-
-
desktop.ini
- Size
- Unknown (0 bytes)
- Type
- empty
- Runtime Process
- U1902.exe (PID: 3156)
-
-
Informative 17
-
-
4Q0NBFOC.txt
- Size
- 158B (158 bytes)
- Runtime Process
- iexplore.exe (PID: 3428)
- MD5
- f32b2716fac0cd9f27624392584dd521
- SHA1
- 643e4978196a401428a88adeea1ffafadb4d458d
- SHA256
- 7ca7fea6b34066d78056a0796bf5cd16081ed409274b9708a358ed47a9fcf899
-
5YFJ8V15.txt
- Size
- 65B (65 bytes)
- Runtime Process
- iexplore.exe (PID: 3428)
- MD5
- 5b102a4e0c1182552e7f86a69b9c0512
- SHA1
- 4f5a3629159e4733d599724b21bb7ff22316d37a
- SHA256
- ce78efecb063172815ec6c5130ddd5a9d3201b8bb4a0862bfec496a77fa755ec
-
en-US.4
- Size
- 18KiB (18176 bytes)
- Runtime Process
- iexplore.exe (PID: 3428)
- MD5
- 5a34cb996293fde2cb7a4ac89587393a
- SHA1
- 3c96c993500690d1a77873cd62bc639b3a10653f
- SHA256
- c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
-
~DF05D49CFEE246E78D.TMP
- Size
- 16KiB (16384 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 3428)
- MD5
- bc8b2c1f4815b11727dc179e2f17a931
- SHA1
- 8baf7d62bbc4ba7e5a24a653ae88036c5c989629
- SHA256
- 990bfe5157b6f7fdcfb1b4312c6a527dc4115bc0ae9c160edfcfeef391e9169c
-
~DF3699B3363B0658EC.TMP
- Size
- 16KiB (16384 bytes)
- Runtime Process
- iexplore.exe (PID: 3428)
- MD5
- 72b16c3199d14babf5b0c0bdffe3395e
- SHA1
- de9a8596f5366fc55ca0fbbef3a3da5f658d9a33
- SHA256
- 941dc2c692c112521af646069112955348c644adfba7268633f00c9ca857c4de
-
~DF6D44B8D0D51F1F6C.TMP
- Size
- 16KiB (16384 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 3428)
- MD5
- 0a0131fb4140405612fba2a19c0d4bf6
- SHA1
- 4e20782a64ef6322acf1b8ab3493e816899cb57a
- SHA256
- 840076344de21f0d3cccfd488f6898151b405799c3f8b2bef86647ff1088368b
-
~DF933446F859F7B122.TMP
- Size
- 16KiB (16384 bytes)
- Runtime Process
- iexplore.exe (PID: 3428)
- MD5
- fc040357d37bffef6ca0d241c1a34f0d
- SHA1
- 50783a3553b0eb3b15f3ff601bb1855c1f76f34e
- SHA256
- 544d029d3327dba681249cdeaaa4f1932bcec407bf3d505abea3b4bbb585d826
-
~DF9B7512B686D455F8.TMP
- Size
- 16KiB (16384 bytes)
- Runtime Process
- iexplore.exe (PID: 3428)
- MD5
- c47c51eb7342c1627d8477c5a736a069
- SHA1
- e1fc5de0902b900a4ed37323c4fb308315191a11
- SHA256
- 8116b06bddb30090e268c1ca6805c6d1d8c85399d629e4145acf53b5215ac8c1
-
PUTTY.RND
- Size
- 600B (600 bytes)
- Runtime Process
- U1902.exe (PID: 3156)
- MD5
- 709ff930afb2258f119a950104c263cc
- SHA1
- 504d2dcf86d0810429eb827a0b84acbf25c5d939
- SHA256
- 447b1b841702d386c0ad47fd37b790800e929cfe4c19964dd725e537acef67c7
-
Aczsnknjgj5f1x2c
- Size
- 52B (52 bytes)
- Type
- data
- Runtime Process
- U1902.exe (PID: 3156)
- MD5
- 0f20ed7216f4fa044a9f9efc15e69ed7
- SHA1
- 65627bf88a38967ecf6f0da6603d137b527c0bed
- SHA256
- 757ff0617b10e015a65ef1366492bf864db2bc55cc28d3de1984f67f4720e282
-
Ojaijwptnc4y6i7a
- Size
- 28B (28 bytes)
- Runtime Process
- U1902.exe (PID: 3156)
- MD5
- a55a696ab3f86934e5d00d23caa6aea1
- SHA1
- 97f79fd6c48ba83e919a1296814e91912919e649
- SHA256
- ca3e20414d2f18de984561c8d13702b35a84282ff64c7851452a57e4ac22cd1e
-
Qqbwfmgwob6z7g9r
- Size
- 74B (74 bytes)
- Type
- data
- Runtime Process
- U1902.exe (PID: 3156)
- MD5
- 8ecdc18380c5c15a3556465d91c32eac
- SHA1
- dfb2351996effbf48ae8bc5657e2b28520abf417
- SHA256
- 4ea17ece81b06ebef50ec9d7a3196898807274e32dccd939de44e56bcd166c8c
-
ylthloixpejb
- Size
- 6.7KiB (6816 bytes)
- Runtime Process
- u.exe (PID: 2572)
- MD5
- 06dd33fa0cba8a5fcefafec6f5784240
- SHA1
- badb395559040d87a353a6901f9bf2e91872b8b6
- SHA256
- 5700a191c245a76fcb0e67c718fdf02aae4a2e4f6fcc1c1629d67ad64f85bc16
-
background_gradient_red_1_
- Size
- 868B (868 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1x800, frames 3
- MD5
- 337038e78cf3c521402fc7352bdd5ea6
- SHA1
- 017eaf48983c31ae36b5de5de4db36bf953b3136
- SHA256
- fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61
-
red_shield_48_1_
- Size
- 4KiB (4127 bytes)
- Type
- img image
- Description
- PNG image data, 40 x 48, 8-bit/color RGBA, non-interlaced
- MD5
- 7c588d6bb88d85c7040c6ffef8d753ec
- SHA1
- 7fdd217323d2dcc4a25b024eafd09ae34da3bfef
- SHA256
- 5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0
-
favicon_2_.ico
- Size
- 237B (237 bytes)
- Type
- img image
- Description
- PNG image data, 16 x 16, 4-bit colormap, non-interlaced
- MD5
- 9fb559a691078558e77d6848202f6541
- SHA1
- ea13848d33c2c7f4f4baa39348aeb1dbfad3df31
- SHA256
- 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
-
errorPageStrings_1_
- Size
- 3.4KiB (3470 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with CRLF line terminators
- MD5
- 6b26ecfa58e37d4b5ec861fcdd3f04fa
- SHA1
- b69cd71f68fe35a9ce0d7ea17b5f1b2bad9ea8fa
- SHA256
- 7f7d1069ca8a852c1c8eb36e1d988fe6a9c17ecb8eff1f66fc5ebfeb5418723a
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-51" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-27" are available in the report
- Some low-level data is hidden, as this is only a slim report