Dynamic Analysis Report |
Classification: Trojan, Worm |
1f0a6c92c237cbf344dedc841259f1da6b2d8742fcafb6926f746a48bbe0919f (SHA256)
%APPDATA%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe
Created at 2019-01-04 14:38:00
Notifications (2/2)
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
The operating system was rebooted during the analysis.
Remarks
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
This list contains only the embedded files and created files
Filters: |
There are no files for this filter
There are no files in this analysis
Filename | Category | Type | Severity | Actions |
---|
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\%APPDATA%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe | Sample File | Binary |
Malicious
|
...
|
Severity |
Blacklisted
|
First Seen | 2018-12-30 02:05 (UTC+1) |
Last Seen | 2019-01-02 08:32 (UTC+1) |
Names | Win32.Trojan.Higuniel |
Families | Higuniel |
Classification | Trojan |
Image Base | 0x400000 |
Entry Point | 0x4023f9 |
Size Of Code | 0x1600 |
Size Of Initialized Data | 0x2e00 |
File Type | executable |
Subsystem | windows_gui |
Machine Type | i386 |
Compile Timestamp | 2018-12-26 00:13:27+00:00 |
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x401000 | 0x14b8 | 0x1600 | 0x400 | cnt_code, mem_execute, mem_read | 6.15 |
.rdata | 0x403000 | 0x12b2 | 0x1400 | 0x1a00 | cnt_initialized_data, mem_read | 4.2 |
.data | 0x405000 | 0x177c | 0x1200 | 0x2e00 | cnt_initialized_data, mem_read, mem_write | 5.26 |
.rsrc | 0x407000 | 0x234 | 0x400 | 0x4000 | cnt_initialized_data, mem_read | 5.02 |
.reloc | 0x408000 | 0x334 | 0x400 | 0x4400 | cnt_initialized_data, mem_discardable, mem_read | 4.56 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
wnsprintfA | 0x0 | 0x4030f4 | 0x3e14 | 0x2814 | 0x16d |
StrCmpNW | 0x0 | 0x4030f8 | 0x3e18 | 0x2818 | 0x122 |
StrStrIW | 0x0 | 0x4030fc | 0x3e1c | 0x281c | 0x145 |
PathAddBackslashW | 0x0 | 0x403100 | 0x3e20 | 0x2820 | 0x30 |
PathRemoveFileSpecW | 0x0 | 0x403104 | 0x3e24 | 0x2824 | 0x8b |
wnsprintfW | 0x0 | 0x403108 | 0x3e28 | 0x2828 | 0x16e |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
WNetEnumResourceW | 0x0 | 0x4030d8 | 0x3df8 | 0x27f8 | 0x1c |
WNetOpenEnumW | 0x0 | 0x4030dc | 0x3dfc | 0x27fc | 0x3d |
WNetCloseEnum | 0x0 | 0x4030e0 | 0x3e00 | 0x2800 | 0x10 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SizeofResource | 0x0 | 0x403040 | 0x3d60 | 0x2760 | 0x4b1 |
GetModuleHandleA | 0x0 | 0x403044 | 0x3d64 | 0x2764 | 0x215 |
WideCharToMultiByte | 0x0 | 0x403048 | 0x3d68 | 0x2768 | 0x511 |
ExitProcess | 0x0 | 0x40304c | 0x3d6c | 0x276c | 0x119 |
GetTempFileNameW | 0x0 | 0x403050 | 0x3d70 | 0x2770 | 0x283 |
FindFirstFileW | 0x0 | 0x403054 | 0x3d74 | 0x2774 | 0x139 |
GetDriveTypeW | 0x0 | 0x403058 | 0x3d78 | 0x2778 | 0x1d3 |
CreateProcessW | 0x0 | 0x40305c | 0x3d7c | 0x277c | 0xa8 |
LoadResource | 0x0 | 0x403060 | 0x3d80 | 0x2780 | 0x341 |
GetLogicalDrives | 0x0 | 0x403064 | 0x3d84 | 0x2784 | 0x209 |
WriteFile | 0x0 | 0x403068 | 0x3d88 | 0x2788 | 0x525 |
GetUserDefaultLangID | 0x0 | 0x40306c | 0x3d8c | 0x278c | 0x29c |
OpenProcess | 0x0 | 0x403070 | 0x3d90 | 0x2790 | 0x380 |
CopyFileW | 0x0 | 0x403074 | 0x3d94 | 0x2794 | 0x75 |
TerminateProcess | 0x0 | 0x403078 | 0x3d98 | 0x2798 | 0x4c0 |
ReadFile | 0x0 | 0x40307c | 0x3d9c | 0x279c | 0x3c0 |
FindResourceW | 0x0 | 0x403080 | 0x3da0 | 0x27a0 | 0x14e |
CreateFileW | 0x0 | 0x403084 | 0x3da4 | 0x27a4 | 0x8f |
GetLastError | 0x0 | 0x403088 | 0x3da8 | 0x27a8 | 0x202 |
MoveFileW | 0x0 | 0x40308c | 0x3dac | 0x27ac | 0x363 |
FindClose | 0x0 | 0x403090 | 0x3db0 | 0x27b0 | 0x12e |
WaitForMultipleObjects | 0x0 | 0x403094 | 0x3db4 | 0x27b4 | 0x4f7 |
GetModuleFileNameA | 0x0 | 0x403098 | 0x3db8 | 0x27b8 | 0x213 |
Process32NextW | 0x0 | 0x40309c | 0x3dbc | 0x27bc | 0x398 |
lstrcmpiW | 0x0 | 0x4030a0 | 0x3dc0 | 0x27c0 | 0x545 |
lstrcatW | 0x0 | 0x4030a4 | 0x3dc4 | 0x27c4 | 0x53f |
FindNextFileW | 0x0 | 0x4030a8 | 0x3dc8 | 0x27c8 | 0x145 |
CreateToolhelp32Snapshot | 0x0 | 0x4030ac | 0x3dcc | 0x27cc | 0xbe |
CloseHandle | 0x0 | 0x4030b0 | 0x3dd0 | 0x27d0 | 0x52 |
lstrcpyW | 0x0 | 0x4030b4 | 0x3dd4 | 0x27d4 | 0x548 |
CreateThread | 0x0 | 0x4030b8 | 0x3dd8 | 0x27d8 | 0xb5 |
ExpandEnvironmentStringsW | 0x0 | 0x4030bc | 0x3ddc | 0x27dc | 0x11d |
GetProcessHeap | 0x0 | 0x4030c0 | 0x3de0 | 0x27e0 | 0x24a |
HeapFree | 0x0 | 0x4030c4 | 0x3de4 | 0x27e4 | 0x2cf |
HeapAlloc | 0x0 | 0x4030c8 | 0x3de8 | 0x27e8 | 0x2cb |
SetFilePointerEx | 0x0 | 0x4030cc | 0x3dec | 0x27ec | 0x467 |
GetModuleFileNameW | 0x0 | 0x4030d0 | 0x3df0 | 0x27f0 | 0x214 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CryptDestroyKey | 0x0 | 0x403000 | 0x3d20 | 0x2720 | 0xb7 |
CryptEncrypt | 0x0 | 0x403004 | 0x3d24 | 0x2724 | 0xba |
CryptImportKey | 0x0 | 0x403008 | 0x3d28 | 0x2728 | 0xca |
RegSetValueExW | 0x0 | 0x40300c | 0x3d2c | 0x272c | 0x27e |
RegCloseKey | 0x0 | 0x403010 | 0x3d30 | 0x2730 | 0x230 |
ControlService | 0x0 | 0x403014 | 0x3d34 | 0x2734 | 0x5c |
CryptGenRandom | 0x0 | 0x403018 | 0x3d38 | 0x2738 | 0xc1 |
RegOpenKeyW | 0x0 | 0x40301c | 0x3d3c | 0x273c | 0x264 |
CryptReleaseContext | 0x0 | 0x403020 | 0x3d40 | 0x2740 | 0xcb |
GetTokenInformation | 0x0 | 0x403024 | 0x3d44 | 0x2744 | 0x15a |
OpenProcessToken | 0x0 | 0x403028 | 0x3d48 | 0x2748 | 0x1f7 |
CloseServiceHandle | 0x0 | 0x40302c | 0x3d4c | 0x274c | 0x57 |
CryptAcquireContextW | 0x0 | 0x403030 | 0x3d50 | 0x2750 | 0xb1 |
OpenServiceW | 0x0 | 0x403034 | 0x3d54 | 0x2754 | 0x1fb |
OpenSCManagerW | 0x0 | 0x403038 | 0x3d58 | 0x2758 | 0x1f9 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ShellExecuteW | 0x0 | 0x4030e8 | 0x3e08 | 0x2808 | 0x122 |
SHGetFolderPathW | 0x0 | 0x4030ec | 0x3e0c | 0x280c | 0xc3 |
Rule Name | Rule Description | Classification | Severity | Actions |
---|---|---|---|---|
OlympicDestroyer_Gen1 | Olympic Destroyer destructive malware | Worm |
5/5
|
...
|
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YFeKw5dmGYVjgc.exe | Created File | Unknown |
Whitelisted
|
...
|
Severity |
Whitelisted
|
First Seen | 2011-05-27 11:27 (UTC+2) |
Last Seen | 2017-04-19 12:47 (UTC+2) |
\\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab | Modified File | Stream |
Unknown
|
...
|
\\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml | Modified File | Stream |
Unknown
|
...
|
\\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi | Modified File | Stream |
Unknown
|
...
|
\\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml | Modified File | Stream |
Unknown
|
...
|
\\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi | Modified File | Stream |
Unknown
|
...
|
\\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml | Modified File | Stream |
Unknown
|
...
|
\\?\C:\Boot\cs-CZ\$%%! NOTE ABOUT FILES -=!-.html | Created File | Text |
Unknown
|
...
|
C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp.bat | Created File | Text |
Unknown
|
...
|
\\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP | Created File | Stream |
Unknown
|
...
|