thread64.html
This report is generated from a file or URL submitted to this webservice on March 4th 2016 17:40:31 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v3.30 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access
- Contains ability to listen for incoming connections
- Spyware/Leak
- Sets a system wide hook on keyboard events
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 1
-
Unusual Characteristics
-
Contains native function calls
- details
-
NtQueryInformationProcess@NTDLL.DLL at 00136062-00003976-77BD228D-144487
NtAllocateVirtualMemory@NTDLL.DLL at 00136062-00003976-77BD228D-144488
NtFreeVirtualMemory@NTDLL.DLL at 00136062-00003976-77BD228D-144489
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Suspicious Indicators 11
-
Anti-Detection/Stealthiness
-
Contains ability to open a service
- details
- OpenServiceA@SECHOST.DLL at 00136062-00003976-77BD228D-143362
- source
- Hybrid Analysis Technology
- relevance
- 8/10
-
Anti-Reverse Engineering
-
Contains ability to block user input
- details
- BlockInput@USER32.DLL at 00136062-00003976-77BD228D-144479
- source
- Hybrid Analysis Technology
- relevance
- 7/10
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.DLL from iexplore.exe (PID: 3976)
SetUnhandledExceptionFilter@KERNEL32.DLL from iexplore.exe (PID: 3976)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Environment Awareness
-
Contains ability to query the machine version
- details
-
RasRpcGetVersion@RASMAN.DLL at 00136062-00003976-77BD228D-143281
GetVersionExW@KERNEL32.DLL from iexplore.exe (PID: 3976)
GetVersionExW@KERNEL32.DLL from iexplore.exe (PID: 3976)
GetVersionExW@KERNEL32.DLL from iexplore.exe (PID: 3976)
GetVersionExW@KERNEL32.DLL from iexplore.exe (PID: 3976)
GetVersionExW@KERNEL32.DLL from iexplore.exe (PID: 3976)
GetVersionExW@KERNEL32.DLL from iexplore.exe (PID: 3976)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
General
-
Contains ability to find and load resources of a specific module
- details
-
FindResourceExW@KERNEL32.DLL from PID 00003976
LoadResource@KERNEL32.DLL from PID 00003976
FindResourceExW@KERNEL32.DLL from PID 00003976
LoadResource@KERNEL32.DLL from PID 00003976
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Installation/Persistence
-
Found a string that is often used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class is often used to inject into explorer with the SetWindowLong method)
- source
- File/Memory
- relevance
- 4/10
-
Network Related
-
Contains ability to listen for incoming connections
- details
- RasPortListen@RASMAN.DLL at 00136062-00003976-77BD228D-143165
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Spyware/Information Retrieval
-
Sets a system wide hook on keyboard events
- details
- "iexplore.exe" sets a system wide hook for "Keyboard" (Thread Id: 3980, Procedure: 0x72af45d7)
- source
- API Call
- relevance
- 10/10
-
System Security
-
Contains ability to elevate privileges
- details
-
SetEntriesInAclW@ADVAPI32.DLL at 00136062-00003976-77BD228D-145367
SetSecurityDescriptorDacl@ADVAPI32.DLL at 00136062-00003976-77BD228D-145371
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Hooks API calls
- details
-
"MessageBoxExW@USER32.dll" in "iexplore.exe"
"DialogBoxIndirectParamW@USER32.dll" in "iexplore.exe"
"DialogBoxIndirectParamA@USER32.dll" in "iexplore.exe"
"MessageBoxExA@USER32.dll" in "iexplore.exe"
"CreateWindowExW@USER32.dll" in "iexplore.exe"
"MessageBoxIndirectW@USER32.dll" in "iexplore.exe"
"DialogBoxParamA@USER32.dll" in "iexplore.exe"
"DialogBoxParamW@USER32.dll" in "iexplore.exe"
"MessageBoxIndirectA@USER32.dll" in "iexplore.exe"
"OleCreatePropertyFrameIndirect@OLEAUT32.dll" in "iexplore.exe"
- source
- Hook Detection
- relevance
- 10/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x777FE9ED" ("MessageBoxExW@USER32.dll")
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x777D3B7F" ("DialogBoxIndirectParamW@USER32.dll")
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x77502694" (part of module "COMDLG32.DLL")
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x777ED274" ("DialogBoxIndirectParamA@USER32.dll")
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x777FE9C9" ("MessageBoxExA@USER32.dll")
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x777AEC7C" ("CreateWindowExW@USER32.dll")
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x777FE963" ("MessageBoxIndirectW@USER32.dll")
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x777ECF42" ("DialogBoxParamA@USER32.dll")
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x777C3B9B" ("DialogBoxParamW@USER32.dll")
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x74C77922" (part of module "COMCTL32.DLL")
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x777FE869" ("MessageBoxIndirectA@USER32.dll")
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x76FA93FC" ("OleCreatePropertyFrameIndirect@OLEAUT32.dll")
"iexplore.exe" wrote bytes "8BFF558BEC" to virtual address "0x74BD388E" (part of module "COMCTL32.DLL")
- source
- Hook Detection
- relevance
- 10/10
-
Informative 9
-
Anti-Reverse Engineering
-
Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
-
Found reference to API SetProcessDPIAware@USER32.DLL from iexplore.exe (PID: 3976)
Found reference to API SetProcessDPIAware@USER32.DLL from iexplore.exe (PID: 3976)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetSystemTimeAsFileTime@KERNEL32.DLL from iexplore.exe (PID: 3976)
GetSystemTimeAsFileTime@KERNEL32.DLL from iexplore.exe (PID: 3976)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
General
-
Contains PDB pathways
- details
- "iexplore.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Creates mutants
- details
-
"Local\_!MSFTHISTORY!_"
"Local\c:!users!pspubws!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
"Local\c:!users!pspubws!appdata!roaming!microsoft!windows!cookies!"
"Local\c:!users!pspubws!appdata!local!microsoft!windows!history!history.ie5!"
"Local\WininetStartupMutex"
"Local\WininetConnectionMutex"
"Local\WininetProxyRegistryMutex"
"Local\!BrowserEmulation!SharedMemory!Mutex"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"ConnHashTable<3976>_HashTable_Mutex"
"Local\ZonesCounterMutex"
"Local\!IETld!Mutex"
"Local\RSS Eventing Connection Database Mutex 00000f88"
"Local\Feed Eventing Shared Memory Mutex S-1-5-21-4162757579-3804539371-4239455898-1000"
"IESQMMUTEX_0_208"
"Local\c:!users!pspubws!appdata!local!microsoft!feeds cache!"
- source
- Created Mutant
- relevance
- 3/10
-
Launches a browser
- details
- Launches browser "iexplore.exe"
- source
- Monitored Target
- relevance
- 3/10
-
Loads modules at runtime
- details
-
"iexplore.exe" loaded module "WININET.DLL" at base 76090000
"iexplore.exe" loaded module "RASAPI32.DLL" at base 736D0000
"iexplore.exe" loaded module "RTUTILS.DLL" at base 74290000
"iexplore.exe" loaded module "RASMAN.DLL" at base 736B0000
"iexplore.exe" loaded module "API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL" at base 77CB0000
"iexplore.exe" loaded module "PROFAPI.DLL" at base 75CC0000
"iexplore.exe" loaded module "SHLWAPI.DLL" at base 775C0000
"iexplore.exe" loaded module "SENSAPI.DLL" at base 6BC50000
"iexplore.exe" loaded module "RPCRT4.DLL" at base 77440000
"iexplore.exe" loaded module "API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL" at base 77CB0000
"iexplore.exe" loaded module "API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL" at base 77CB0000
"iexplore.exe" loaded module "%WINDIR%\SYSTEM32\NLAAPI.DLL" at base 74190000
"iexplore.exe" loaded module "IPHLPAPI.DLL" at base 75290000
"iexplore.exe" loaded module "RASADHLP.DLL" at base 728F0000
"iexplore.exe" loaded module "COMCTL32.DLL" at base 74B90000
"iexplore.exe" loaded module "IEUI.DLL" at base 6B690000
"iexplore.exe" loaded module "%WINDIR%\SYSTEM32\IEUI.DLL" at base 6B690000
- source
- API Call
- relevance
- 1/10
-
Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details
-
"InternetInitializeAutoProxyDll@WININET.dll"
"RasConnectionNotificationW@RASAPI32.dll"
"RasEnumEntriesW@RASAPI32.dll"
"TraceRegisterExA@rtutils.dll"
"TracePrintfExA@rtutils.dll"
"RasPortClearStatistics@rasman.dll"
"RasBundleClearStatistics@rasman.dll"
"RasBundleClearStatisticsEx@rasman.dll"
"RasDeviceEnum@rasman.dll"
"ConvertSidToStringSidW@sechost.dll"
"RasDeviceGetInfo@rasman.dll"
"RasFreeBuffer@rasman.dll"
"RasGetBuffer@rasman.dll"
"RasGetInfo@rasman.dll"
"RasGetDialMachineEventContext@rasman.dll"
"RasSetDialMachineEventHandle@rasman.dll"
"RasGetNdiswanDriverCaps@rasman.dll"
"RasInitialize@rasman.dll"
"RasInitializeNoWait@rasman.dll"
- source
- API Call
- relevance
- 1/10
-
Installation/Persistence
-
Dropped files
- details
-
"RecoveryStore.{CFF8AC25-E262-11E5-B175-0A00276B9BCE}.dat.143296" has type "data"
"~DF41D8A7504D704FCD.TMP.143375" has type "data"
"{CFF8AC26-E262-11E5-B175-0A00276B9BCE}.dat.144625" has type "data"
"~DFE3555275D71BF2D9.TMP.144750" has type "data"
- source
- Binary File
- relevance
- 3/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "fUJ [ fvO41];if(a5M.id"
Pattern match: "go.microsoft.com/fwlink/?LinkId=106323"
Pattern match: "go.microsoft.com/fwlink/?LinkId=106322"
Pattern match: "go.microsoft.com/fwlink/?LinkId=106320"
- source
- File/Memory
- relevance
- 10/10
File Details
thread64.html
- Filename
- thread64.html
- Size
- 222KiB (227749 bytes)
- Type
- html
- Description
- HTML document, ASCII text, with very long lines, with CRLF, LF line terminators
- Architecture
- WINDOWS
- SHA256
- c62a597b19e0dcdd0ba7340c60747675b17d84f9b5400ad1dc181afad2c69dcd
- MD5
- 9d02713628abe1048eacf6fcd6a4f8bf
- SHA1
- 02e9fba411f986d5d43408c6e70e8328a9ba5677
Classification (TrID)
- 100.0% (.HTML) HyperText Markup Language
Screenshots
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- iexplore.exe -nohome (PID: 3976)
- iexplore.exe SCODEF:3976 CREDAT:79873 (PID: 832)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
| String | Context | Stream UID |
|---|---|---|
| go.microsoft.com/fwlink/?linkid=106320 | Domain/IP reference | 00136062-00003976-13835-73-013A2D3E |
| go.microsoft.com/fwlink/?linkid=106323 | Domain/IP reference | 00136062-00003976-13835-73-013A2D3E |
| go.microsoft.com/fwlink/?linkid=106322 | Domain/IP reference | 00136062-00003976-13835-73-013A2D3E |
Extracted Strings
Extracted Files
-
Informative 4
-
RecoveryStore.{CFF8AC25-E262-11E5-B175-0A00276B9BCE}.dat
- Size
- 22KiB (22104 bytes)
- Type
- data
- MD5
- 02684fc123d94e5420d5cc56069372cc
- SHA1
- d80836f63a4f7b95d3796d7e162c8144e7d163e8
- SHA256
- 9aa53bcadd828726c8109b3d59f8e2c9adb8f7b90e9fe4de0b97a7689727ba8e
-
{CFF8AC26-E262-11E5-B175-0A00276B9BCE}.dat
- Size
- 12KiB (11864 bytes)
- Type
- data
- MD5
- 4ca0358ef271abadeccfefdcf4d8191a
- SHA1
- 0215f884366f76f7d52c4340b2ca9cd4e9503852
- SHA256
- 5fa93b1b6167e1eaf8f07193e826db7490d9c24fdfffa8455780781fec628bfb
-
~DF41D8A7504D704FCD.TMP
- Size
- 16KiB (16384 bytes)
- Type
- data
- MD5
- 9011faee4048fd77c55bc5da5d7ad284
- SHA1
- 01372f5bffcf108c73c17add68f4d50a6c9f07de
- SHA256
- eeae81f4662607e0fa811ccbf4acb69335fa5de0988f2629a785192e0d9ceb78
-
~DFE3555275D71BF2D9.TMP
- Size
- 16KiB (16384 bytes)
- Type
- data
- MD5
- 2efd91c9a0a452a28597ab3d967beea9
- SHA1
- bba3e282c541826ac91f67c5df7c11c0d9905938
- SHA256
- 66c29f9ffa9398125d769d0f5bc32d7a550b86e751a87687d485168c866d1d4e
-
Notifications
-
Runtime
- A process crash was detected during the runtime analysis
- No static analysis parsing on sample was performed
- Not all sources for signature ID "api-7" are available in the report
- Not all sources for signature ID "api-8" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Sample was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/c62a597b19e0dcdd0ba7340c60747675b17d84f9b5400ad1dc181afad2c69dcd/analysis/1457135199/")