Analysis

Category Started Completed Duration
FILE 2020-01-21 06:35:04 2020-01-21 06:37:18 134 seconds
2019-09-23 07:35:04,000 [root] INFO: Date set to: 09-23-19, time set to: 12:35:04
2019-09-23 07:35:04,015 [root] DEBUG: Starting analyzer from: C:\dxsof
2019-09-23 07:35:04,015 [root] DEBUG: Storing results at: C:\MwwebPnSWK
2019-09-23 07:35:04,015 [root] DEBUG: Pipe server name: \\.\PIPE\vaEJGkX
2019-09-23 07:35:04,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-09-23 07:35:04,015 [root] INFO: Automatically selected analysis package "exe"
2019-09-23 07:35:04,155 [root] DEBUG: Started auxiliary module Browser
2019-09-23 07:35:04,155 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-09-23 07:35:04,155 [root] DEBUG: Started auxiliary module DigiSig
2019-09-23 07:35:04,155 [root] DEBUG: Started auxiliary module Disguise
2019-09-23 07:35:04,171 [root] DEBUG: Started auxiliary module Human
2019-09-23 07:35:04,171 [root] DEBUG: Started auxiliary module Screenshots
2019-09-23 07:35:04,171 [root] DEBUG: Started auxiliary module Usage
2019-09-23 07:35:04,171 [lib.api.process] INFO: Successfully executed process from path "C:\Users\ADMINI~1\AppData\Local\Temp\winlog.exe" with arguments "" with pid 1372
2019-09-23 07:35:04,171 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-09-23 07:35:04,187 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1372
2019-09-23 07:35:06,187 [lib.api.process] INFO: Successfully resumed process with pid 1372
2019-09-23 07:35:06,187 [root] INFO: Added new process to list with pid: 1372
2019-09-23 07:35:06,250 [root] INFO: Cuckoomon successfully loaded in process with pid 1372.
2019-09-23 07:35:06,280 [root] INFO: Added new file to list with path: C:\Users\Administrator\AppData\Local\Temp\~DFAE0B7EB7C71CA0CC.TMP
2019-09-23 07:35:06,296 [root] INFO: Disabling sleep skipping.
2019-09-23 07:37:05,217 [root] INFO: Analysis timeout hit, terminating analysis.
2019-09-23 07:37:05,217 [root] INFO: Created shutdown mutex.
2019-09-23 07:37:06,217 [root] INFO: Shutting down package.
2019-09-23 07:37:06,217 [root] INFO: Stopping auxiliary modules.
2019-09-23 07:37:06,717 [root] INFO: Finishing auxiliary modules.
2019-09-23 07:37:06,717 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-23 07:37:06,717 [root] INFO: Analysis completed.

MalScore

10.0

Ursu

Machine

Name Label Manager Started On Shutdown On
cuckoo8 cuckoo8 VirtualBox 2020-01-21 06:35:04 2020-01-21 06:37:18

File Details

File Name winlog.exe
File Size 61440 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6221259976b1182a877e0617b8ee3da6
SHA1 84f9d47d225c58f5794eb96898098e584c35c661
SHA256 ca66784a5b5b235edbef6a0269603a33a605121f3d43b6549022688c35be7a36
SHA512 f68e60f935f7162b82c1452f49231c7eb59fe2ef38a1a0fdc6e3c3fd7506bf96492d67d39ab58e4d571f9fb4fadc7f05cbf8bf574a9d8b3ef7072af72a854a90
CRC32 8EA684B1
Ssdeep 768:km+urn+XwQAaxxfdp3PzY2ZQfRiZBFjCspm+urn+XwQAaxxfdp3PzY2ZQfRi:Xj+XwQA6fL3PzYinIj+XwQA6fL3PzY
ClamAV None matched
Yara None matched

Signatures

Creates RWX memory
Performs some HTTP requests
url: http://www.msftncsi.com/ncsi.txt
Network activity detected but not expressed in API logs
File has been identified by at least ten Antiviruses on VirusTotal as malicious
MicroWorld-eScan: Gen:Variant.Ser.Ursu.13744
FireEye: Gen:Variant.Ser.Ursu.13744
Cylance: Unsafe
Sangfor: Malware
Arcabit: Trojan.Ser.Ursu.D35B0
Invincea: heuristic
BitDefenderTheta: Gen:NN.ZevbaCO.34084.dm0@a8yY2Jei
BitDefender: Gen:Variant.Ser.Ursu.13744
Emsisoft: Gen:Variant.Ser.Ursu.13744 (B)
Trapmine: malicious.high.ml.score
MAX: malware (ai score=80)
Microsoft: Trojan:Win32/Wacatac.C!ml
GData: Gen:Variant.Ser.Ursu.13744
ALYac: Gen:Variant.Ser.Ursu.13744
Ad-Aware: Gen:Variant.Ser.Ursu.13744
APEX: Malicious
eGambit: Unsafe.AI_Score_90%

Hosts

Direct IP Country Name
Y 8.8.8.8 unknown
N 129.6.15.29 unknown
N 104.124.61.26 unknown

DNS

Name Response Post-Analysis Lookup
teredo.ipv6.microsoft.com NXDOMAIN
time-b.nist.gov CNAME time-b-g.nist.gov; A 129.6.15.29 129.6.15.29
www.msftncsi.com CNAME a1961.g2.akamai.net; A 104.124.61.33; CNAME www.msftncsi.com.edgesuite.net; A 104.124.61.16; A 104.124.61.10; A 104.124.61.25; A 104.124.61.26 104.124.61.27

PE Information

Image Base 0x00400000
Entry Point 0x004012c4
Reported Checksum 0x0001b53a
Actual Checksum 0x0001b53a
Minimum OS Version 4.0
Compile Time 2011-11-28 23:23:10
Icon Exact Hash c9663fdd89db702d89186f1c927484c3
Icon Similarity Hash 511672fbe1baffd97833e72509951904

Version Infos

Translation 0x0409 0x04b0
LegalCopyright Brokadersb
InternalName Belladon3
FileVersion 1.00
CompanyName Tetrousle3
LegalTrademarks JERNBETON
ProductName Katats4
ProductVersion 1.00
FileDescription Sibila4
OriginalFilename Belladon3.exe

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00006c78 0x00007000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.66
.data 0x00008000 0x000009ec 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00009000 0x0000573c 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.49

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x000093cc 0x00005370 LANG_NEUTRAL SUBLANG_NEUTRAL 7.00 data
RT_GROUP_ICON 0x000093b8 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.32 MS Windows icon resource - 1 icon
RT_VERSION 0x000090f0 0x000002c8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.25 data

Imports

Library MSVBVM60.DLL:
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaFreeVar
0x40100c None
0x401010 __vbaFreeVarList
0x401014 _adj_fdiv_m64
0x401018 __vbaFreeObjList
0x40101c __vbaR8Sgn
0x401020 _adj_fprem1
0x401024 __vbaStrCat
0x40102c _adj_fdiv_m32
0x401030 None
0x401034 __vbaOnError
0x401038 __vbaObjSet
0x40103c _adj_fdiv_m16i
0x401040 _adj_fdivr_m16i
0x401044 None
0x401048 None
0x40104c __vbaFpR8
0x401050 _CIsin
0x401054 __vbaChkstk
0x401058 EVENT_SINK_AddRef
0x40105c __vbaVarTstEq
0x401060 __vbaObjVar
0x401064 None
0x401068 None
0x40106c _adj_fpatan
0x401070 EVENT_SINK_Release
0x401074 _CIsqrt
0x40107c __vbaExceptHandler
0x401080 _adj_fprem
0x401084 _adj_fdivr_m64
0x401088 __vbaFPException
0x40108c _CIlog
0x401090 __vbaNew2
0x401094 _adj_fdiv_m32i
0x401098 _adj_fdivr_m32i
0x40109c _adj_fdivr_m32
0x4010a0 _adj_fdiv_r
0x4010a4 None
0x4010a8 __vbaVarTstNe
0x4010ac __vbaLateMemCall
0x4010b0 __vbaVarDup
0x4010b4 _CIatan
0x4010b8 __vbaStrMove
0x4010bc None
0x4010c0 __vbaR8IntI4
0x4010c4 _allmul
0x4010c8 _CItan
0x4010cc _CIexp
0x4010d0 __vbaFreeStr
0x4010d4 __vbaFreeObj

Full Results

Antivirus Signature
Bkav Clean
MicroWorld-eScan Gen:Variant.Ser.Ursu.13744
FireEye Gen:Variant.Ser.Ursu.13744
CAT-QuickHeal Clean
Qihoo-360 Clean
McAfee Clean
Cylance Unsafe
VIPRE Clean
AegisLab Clean
Sangfor Malware
K7AntiVirus Clean
BitDefender Gen:Variant.Ser.Ursu.13744
K7GW Clean
Cybereason Clean
TrendMicro Clean
BitDefenderTheta Gen:NN.ZevbaCO.34084.dm0@a8yY2Jei
F-Prot Clean
Symantec Clean
TotalDefense Clean
Baidu Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
Alibaba Clean
NANO-Antivirus Clean
ViRobot Clean
Rising Clean
Endgame Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
Invincea heuristic
McAfee-GW-Edition Clean
SentinelOne Clean
Trapmine malicious.high.ml.score
CMC Clean
Emsisoft Gen:Variant.Ser.Ursu.13744 (B)
APEX Malicious
Cyren Clean
Jiangmin Clean
Webroot Clean
Avira Clean
Fortinet Clean
Antiy-AVL Clean
Kingsoft Clean
Arcabit Trojan.Ser.Ursu.D35B0
SUPERAntiSpyware Clean
ZoneAlarm Clean
Avast-Mobile Clean
Microsoft Trojan:Win32/Wacatac.C!ml
TACHYON Clean
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
ALYac Gen:Variant.Ser.Ursu.13744
MAX malware (ai score=80)
Ad-Aware Gen:Variant.Ser.Ursu.13744
Malwarebytes Clean
Panda Clean
Zoner Clean
ESET-NOD32 Clean
Tencent Clean
Ikarus Clean
eGambit Unsafe.AI_Score_90%
GData Gen:Variant.Ser.Ursu.13744
AVG Clean
Paloalto Clean
CrowdStrike Clean
MaxSecure Clean

Process Tree

  • winlog.exe 1372 "C:\Users\ADMINI~1\AppData\Local\Temp\winlog.exe"

winlog.exe, PID: 1372, Parent PID: 1900
Full Path: C:\Users\Administrator\AppData\Local\Temp\winlog.exe
Command Line: "C:\Users\ADMINI~1\AppData\Local\Temp\winlog.exe"

TCP

Source Source Port Destination Destination Port
192.168.56.108 49161 104.124.61.26 www.msftncsi.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.108 123 129.6.15.29 time-b.nist.gov 123
192.168.56.108 137 192.168.56.255 137
192.168.56.108 138 192.168.56.255 138
192.168.56.108 49373 224.0.0.252 5355
192.168.56.108 50186 224.0.0.252 5355
192.168.56.108 55702 224.0.0.252 5355
192.168.56.108 58504 224.0.0.252 5355
192.168.56.108 51161 8.8.8.8 53
192.168.56.108 52338 8.8.8.8 53
192.168.56.108 54860 8.8.8.8 53

HTTP Requests

URI Data
http://www.msftncsi.com/ncsi.txt
GET /ncsi.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftncsi.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

File name ~DFAE0B7EB7C71CA0CC.TMP
Associated Filenames
C:\Users\Administrator\AppData\Local\Temp\~DFAE0B7EB7C71CA0CC.TMP
File Size 32768 bytes
File Type Composite Document File V2 Document, No summary info
MD5 656b6c47acc8acdeb19d0d0c7767a651
SHA1 8c209c79cfed1d3d8c6273042f6b7022554091fd
SHA256 daa0b2f1894581f66d3d422bfd9d864ed52ada481f562499db3b1f2c379a9374
CRC32 B28BB855
Ssdeep 384:kdWm+uaA8c+DzwQAzvDBExxfdp3u8QPyo4z0HP2+2ZkVfRi:Vm+urn+XwQAaxxfdp3PzY2ZQfRi
ClamAV None
Yara None matched
Processing ( 1.535 seconds )

  • 0.454 VirusTotal
  • 0.383 BehaviorAnalysis
  • 0.334 NetworkAnalysis
  • 0.189 Static
  • 0.152 peid
  • 0.014 AnalysisInfo
  • 0.003 Strings
  • 0.003 TargetInfo
  • 0.002 Dropped
  • 0.001 Debug

Signatures ( 0.137 seconds )

  • 0.014 injection_runpe
  • 0.013 injection_createremotethread
  • 0.013 stealth_timeout
  • 0.01 api_spamming
  • 0.008 decoy_document
  • 0.008 antiav_detectreg
  • 0.006 mimics_filetime
  • 0.006 antivm_generic_disk
  • 0.005 hancitor_behavior
  • 0.004 reads_self
  • 0.004 stealth_file
  • 0.004 virus
  • 0.003 bootkit
  • 0.003 upatre_behavior
  • 0.003 bcdedit_command
  • 0.003 infostealer_ftp
  • 0.002 powershell_command
  • 0.002 dead_link
  • 0.002 debugs_self
  • 0.002 deletes_shadow_copies
  • 0.002 stealth_window
  • 0.002 persistence_autorun
  • 0.002 antiav_detectfile
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 stealth_childproc
  • 0.001 injection_needextension
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 browser_security
  • 0.001 disables_browser_warn
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_mail
  • 0.001 network_torgateway
  • 0.001 ransomware_extensions
  • 0.001 ransomware_files

Reporting ( 0.583 seconds )

  • 0.583 JsonDump
Task ID 5923
Mongo ID 5e26f0832694ed0c0ea0858f
Cuckoo release 1.3-NG