fritz.box_7490.06.30.recover-image.exe
This report is generated from a file or URL submitted to this webservice on January 15th 2018 17:57:53 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.21 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Contains ability to listen for incoming connections
  - Reads terminal service related keys (often RDP related)
- Network Behavior
  - Contacts 1 host.
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 1
Unusual Characteristics
Contains ability to reboot/shutdown the operating system
- details
- ExitWindowsEx@USER32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
Suspicious Indicators 11
Anti-Reverse Engineering
PE file has unusual entropy sections
- details
- .data and .rsrc have unusual entropies (7.99659405165 and 7.51396798541)
- source
- Static Parser
- relevance
- 10/10
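The Static Parser scores this indicator by computing the byte entropy of each section's raw data. The following is an added example, not Hybrid Analysis code: a minimal PE section-table walker plus Shannon entropy, run against a constructed two-section PE so it works offline. The 7.0 threshold and the constructed PE are assumptions; the report does not state the parser's threshold. A high-entropy .rsrc in a 23 MiB installer (TrID classifies the file as an InstallShield setup) is what an embedded compressed payload looks like, so on its own this is weak evidence of packing.

```python
"""Section entropy check behind "PE file has unusual entropy sections".
Added example, not Hybrid Analysis code.  Threshold and sample PE are
assumptions."""
import math
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumption: bits/byte above which a section is "unusual"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(buf: bytes):
    """Yield (name, raw_bytes) for every IMAGE_SECTION_HEADER in a PE image."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", buf, coff + 2)[0]
    opt_size = struct.unpack_from("<H", buf, coff + 16)[0]
    hdr = coff + 20 + opt_size                            # first section header
    for i in range(num_sections):
        off = hdr + i * 40
        name = buf[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", buf, off + 16)
        yield name, buf[ptr_raw:ptr_raw + size_raw]


def unusual_entropy_sections(buf: bytes, threshold: float = ENTROPY_THRESHOLD):
    """Return [(name, entropy)] for sections whose raw data exceeds the threshold."""
    flagged = []
    for name, raw in pe_sections(buf):
        h = shannon_entropy(raw)
        if h > threshold:
            flagged.append((name, round(h, 6)))
    return flagged


def build_sample_pe() -> bytes:
    """Constructed test input (assumption, not the report's sample): a PE32
    with no real code.  .text is constant bytes (entropy 0.0); .rsrc is a
    uniform byte distribution (entropy 8.0), like a compressed payload."""
    sections = [(b".text", b"\x90" * 4096), (b".rsrc", bytes(range(256)) * 16)]
    opt_size = 224                                        # PE32 optional header
    headers_end = 0x80 + 4 + 20 + opt_size + 40 * len(sections)
    data_start = (headers_end + 0x1FF) & ~0x1FF           # 512-byte file alignment
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80))
    out += b"\0" * (0x80 - len(out)) + b"PE\0\0"
    out += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    out += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # magic, rest zeroed
    ptr, payload = data_start, bytearray()
    for i, (name, raw) in enumerate(sections):
        out += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000 * (i + 1), len(raw), ptr, 0, 0, 0, 0, 0x40000040)
        payload += raw
        ptr += len(raw)
    out += b"\0" * (data_start - len(out)) + payload
    return bytes(out)


if __name__ == "__main__":
    for name, h in unusual_entropy_sections(build_sample_pe()):
        print(f"{name} entropy {h}")
```

Run it on a real file with `unusual_entropy_sections(open(path, "rb").read())`; the threshold is what turns a number into an indicator, so tune it against known-good installers before trusting it.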
Environment Awareness
Contains ability to query CPU information
- details
- cpuid from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
Possibly tries to implement anti-virtualization techniques
- details
- "]Mt\NrVBoXJdM?W@2]F7XA3\E7dM?bK;x_N}i[" (Indicator: "vbox")
- source
- File/Memory
- relevance
- 4/10
Installation/Persistence
Contains ability to download files from the internet
- details
- recv@WS2_32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512) (2 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
Network Related
-
Contains ability to listen for incoming connections
- details
- listen@WS2_32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512) (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Found potential IP address in binary/memory
- details
-
Heuristic match: "%s angeschlossen ist, auf 192.168.178.2.2. Starten Sie das Wiederherstellungsprogramm erneut."
Heuristic match: "1. Change the IP address of the network card to which the %s is connected to 192.168.178.2.2. Restart the recovery tool."
"192.168.178.1"
"255.255.255.0"
"192.168.178.2"
"192.168.178.0"
"127.0.0.1"
"255.255.255.255"
Heuristic match: "1:06:703: check adapter(Intel(R) PRO/1000 MT Desktop Adapter) adapter 0xb: Ip: 192.168.56.153(255.255.255.0) (static)" - source
- File/Memory
- relevance
- 3/10
-
Contains ability to listen for incoming connections
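The hits above are dotted-quad strings found in the binary and in process memory. As an added example, not sandbox code, the script below extracts and classifies such strings with a stricter pattern: the sample strings are constructed from the detail lines above, and the categories and the /24 grouping are my own choices. 192.168.178.0/24 is the subnet named in the tool's own setup text, while the 192.168.56.x adapter line reads as a runtime log of the sandbox guest's NIC rather than an address the tool targets; reporting the two networks separately makes that distinction visible.

```python
"""Classification pass behind a "Found potential IP address in binary/memory"
hit.  Added example, not Hybrid Analysis code; regex and categories are mine."""
import ipaddress
import re

# Four octets, each 0-255, not preceded or followed by another octet or dot.
# The lookarounds refuse the garbled "192.168.178.2.2" form in the report's
# own heuristic match instead of cutting a quad out of a five-part run.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rf"(?<![\d.]){_OCTET}(?:\.{_OCTET}){{3}}(?![\d.])")

SAMPLE_STRINGS = [  # constructed from the report's detail lines
    "1. Change the IP address of the network card to which the %s is "
    "connected to 192.168.178.2.2. Restart the recovery tool.",
    "192.168.178.1", "255.255.255.0", "192.168.178.2", "192.168.178.0",
    "127.0.0.1", "255.255.255.255",
    "1:06:703: check adapter(Intel(R) PRO/1000 MT Desktop Adapter) adapter "
    "0xb: Ip: 192.168.56.153(255.255.255.0) (static)",
    "http://ocsp.thawte.com0",  # no address at all
]


def extract_ipv4(text: str) -> list:
    """All well-formed dotted quads in text, in order, duplicates kept."""
    return IPV4_RE.findall(text)


def classify(addr: str) -> str:
    """Coarse category for one address string."""
    ip = ipaddress.IPv4Address(addr)
    if addr == "255.255.255.255":
        return "limited-broadcast"
    if addr == "255.255.255.0":
        # plausible netmask; checked before is_private, which would claim it
        # because 255.0.0.0/8 falls inside the reserved 240.0.0.0/4 block
        return "netmask"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "rfc1918"
    return "public"


def triage(strings) -> dict:
    """Map every extracted address to a category and list the private /24
    networks the sample appears to configure or talk to."""
    found = {}
    for s in strings:
        for addr in extract_ipv4(s):
            found[addr] = classify(addr)
    nets = sorted({str(ipaddress.ip_network(a + "/24", strict=False))
                   for a, c in found.items() if c == "rfc1918"})
    return {"addresses": found, "private_networks": nets,
            "public": sorted(a for a, c in found.items() if c == "public")}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_STRINGS).items():
        print(k, v)
```

Feed it the output of `strings` or a memory dump; only the "public" list is worth chasing as a possible contact address, and even those need the surrounding string (certificate URL, log line, help text) before they count as evidence.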
Pattern Matching
Contains ability to download files from the internet
- details
- recv@WS2_32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512) (2 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
Remote Access Related
Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
System Destruction
Opens file with deletion access rights
- details
- "<Input Sample>" opened "%WINDIR%\ftp.log" with delete access
- "<Input Sample>" opened "%WINDIR%\environment.log" with delete access
- source
- API Call
- relevance
- 7/10
Unusual Characteristics
Imports suspicious APIs
- details
RegCloseKey
OpenProcessToken
RegDeleteValueA
RegCreateKeyExA
RegOpenKeyExA
GetFileAttributesA
GetDriveTypeA
WriteFile
IsDebuggerPresent
GetModuleFileNameA
UnhandledExceptionFilter
GetModuleHandleA
CreateThread
TerminateProcess
GetTickCount
GetVersionExA
LoadLibraryA
GetStartupInfoA
GetFileSize
DeleteFileA
GetProcAddress
FindFirstFileA
FindNextFileA
CreateFileA
GetCommandLineA
CreateProcessA
Sleep
VirtualAlloc
ShellExecuteA
FindWindowA
SetWindowsHookExA
accept
WSAStartup
connect
recv
send
listen
closesocket
socket
bind
recvfrom
sendto
- source
- Static Parser
- relevance
- 1/10
Reads information about supported languages
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
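Relevance 1/10 is appropriate here: an import list proves capability, not behaviour. The block below is an added example, not Hybrid Analysis code, of the two things a static parser derives from the import table: capability tags that fire only when a complete API set is present, and the imphash shown under File Details. The DLL attribution of each function is an assumption (the report lists names only), so the digest computed here is illustrative and does not equal e184fdabf61a523c571390b7d026ca58.

```python
"""Static import triage of the kind behind "Imports suspicious APIs" and the
File Details imphash.  Added example, not Hybrid Analysis code."""
import hashlib

# Constructed from the report's import list; the DLL attribution is assumed.
SAMPLE_IMPORTS = {
    "ADVAPI32.dll": ["RegCloseKey", "OpenProcessToken", "RegDeleteValueA",
                     "RegCreateKeyExA", "RegOpenKeyExA"],
    "KERNEL32.dll": ["GetFileAttributesA", "GetDriveTypeA", "WriteFile",
                     "IsDebuggerPresent", "CreateThread", "TerminateProcess",
                     "DeleteFileA", "CreateFileA", "CreateProcessA", "Sleep",
                     "VirtualAlloc", "LoadLibraryA", "GetProcAddress"],
    "SHELL32.dll": ["ShellExecuteA"],
    "USER32.dll": ["FindWindowA", "SetWindowsHookExA", "ExitWindowsEx"],
    "WS2_32.dll": ["accept", "WSAStartup", "connect", "recv", "send", "listen",
                   "closesocket", "socket", "bind", "recvfrom", "sendto"],
}

# Every function in a rule must be imported for the tag to fire.  A lone
# recv() says nothing, which is why such tags deserve low relevance.
CAPABILITY_RULES = {
    "tcp-server": {"socket", "bind", "listen", "accept"},
    "tcp-client": {"socket", "connect", "send", "recv"},
    "udp-peer": {"socket", "bind", "recvfrom", "sendto"},
    "reboot-or-shutdown": {"ExitWindowsEx"},
    "process-launch": {"CreateProcessA"},
    "dynamic-api-resolution": {"LoadLibraryA", "GetProcAddress"},
    "keyboard-or-message-hook": {"SetWindowsHookExA"},
    "registry-modification": {"RegCreateKeyExA", "RegDeleteValueA"},
    "file-deletion": {"DeleteFileA"},
    # needs AdjustTokenPrivileges too, which this sample does not import
    "privilege-token-access": {"OpenProcessToken", "AdjustTokenPrivileges"},
}


def imphash(imports: dict) -> str:
    """Import hash as pefile computes it: 'lib.func' in lowercase, with a
    .dll/.ocx/.sys suffix stripped from the library name, joined by commas in
    import-table order, then MD5.  Order matters, case does not."""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        for ext in (".ocx", ".sys", ".dll"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def capability_tags(imports: dict) -> list:
    """Capability labels whose complete function set is present in imports."""
    present = {f for funcs in imports.values() for f in funcs}
    return sorted(tag for tag, need in CAPABILITY_RULES.items() if need <= present)


if __name__ == "__main__":
    print("imphash:", imphash(SAMPLE_IMPORTS))
    print("tags:", ", ".join(capability_tags(SAMPLE_IMPORTS)))
```

The tags line up with the report's "ability to" indicators (listen, download, reboot), and the same sets show why they are weak: a TFTP/FTP-style recovery tool needs exactly this socket set to push an image to a router on the LAN.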
Informative 18
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512) (4 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
- Found reference to API InitializeCriticalSectionAndSpinCount@KERNEL32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512)
- Found reference to API IsWow64Process@KERNEL32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
Environment Awareness
Contains ability to query machine time
- details
- GetSystemTimeAsFileTime@KERNEL32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512) (5 occurrences)
- GetLocalTime@KERNEL32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512) (2 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Contains ability to query the machine timezone
- details
- GetTimeZoneInformation@KERNEL32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512) (2 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Contains ability to query the machine version
- details
- GetVersionExA@KERNEL32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512) (4 occurrences)
- GetVersion@KERNEL32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512) (2 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.DLL from ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/67 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Contacts server
- details
- "2.22.48.33:80"
- source
- Network Traffic
- relevance
- 1/10
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\WM_AVM_WIZARD-5a1b9cf0-8278-11d5-9856-010203048476"
- "WM_AVM_WIZARD-5a1b9cf0-8278-11d5-9856-010203048476"
- source
- Created Mutant
- relevance
- 3/10
Loads rich edit control libraries
- details
- "<Input Sample>" loaded module "%WINDIR%\SysWOW64\riched32.dll" at 74490000
- "<Input Sample>" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 74240000
- source
- Loaded Module
Sample shows a variety of benign indicators
- details
- The input file/all extracted files were not detected as malicious and the input file is signed with a validated certificate
- source
- Indicator Combinations
- relevance
- 10/10
The input sample is signed with a certificate
- details
- The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1; see report for more information)
- The input sample is signed with a certificate issued by "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US" (SHA1: 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4; see report for more information)
- The input sample is signed with a certificate issued by "CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US" (SHA1: 3D:44:11:2E:1F:BB:70:CC:D4:26:44:E3:93:EA:43:DC:16:CB:17:E4; see report for more information)
- The input sample is signed with a certificate issued by "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US" (SHA1: 49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F; see report for more information)
- source
- Certificate Data
- relevance
- 10/10
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- The AVM code-signing certificate (see File Certificates) expired on 03/14/2016, almost two years before this report was generated. The chain still validates because the signature carries a countersignature from the Symantec timestamping service whose certificates are listed above, so the signer only has to have been valid at signing time.
- source
- Certificate Data
- relevance
- 10/10
Installation/Persistence
Dropped files
- details
- "ftp.log" has type "ASCII text with CRLF line terminators"
- source
- Binary File
- relevance
- 3/10
Touches files in the Windows directory
- details
- "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
- "<Input Sample>" touched file "%WINDIR%\Fonts\StaticCache.dat"
- "<Input Sample>" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
- "<Input Sample>" touched file "%WINDIR%\ftp.log"
- "<Input Sample>" touched file "%WINDIR%\environment.log"
- source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
- Heuristic match: "Rud\15.mN"
- Pattern match: "http://ocsp.thawte.com0"
- Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
- Pattern match: "http://ts-ocsp.ws.symantec.com07"
- Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
- Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
- Pattern match: "https://www.verisign.com/rpa"
- Pattern match: "http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D"
- Pattern match: "https://www.verisign.com/rpa0"
- Pattern match: "http://ocsp.verisign.com0"
- Pattern match: "http://csc3-2010-aia.verisign.com/CSC3-2010.cer0"
- Pattern match: "https://www.verisign.com/cps0*"
- Pattern match: "http://logo.verisign.com/vslogo.gif04"
- Pattern match: "http://crl.verisign.com/pca3-g5.crl04"
- Pattern match: "http://www.avm.de"
- Pattern match: "http://www.symauth.com/cps0"
- Pattern match: "http://www.symauth.com/rpa0"
- Pattern match: "https://d.symcb.com/cps0%"
- Pattern match: "https://d.symcb.com/rpa0"
- Pattern match: "http://dmd.metaservices.microsoft.com/dms/metadata.svc"
- Pattern match: "http://schemas.microsoft.com/windowsmetadata/services/2007/09/18/dms/DeviceMetadataService/GetDeviceMetadata"
- Pattern match: "http://www.symauth.com/cps0*"
- Pattern match: "www.microsoft.com"
- Most of these are the OCSP, CRL and policy URLs of the embedded Authenticode certificate chain listed under File Certificates; the trailing characters ("0", "0D", "04", "0*") are adjacent DER bytes picked up by the string scanner, not part of the URLs.
- source
- File/Memory
- relevance
- 10/10
System Security
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
Unusual Characteristics
Matched Compiler/Packer signature
- details
- "ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe.bin" was detected as "VC8 -> Microsoft Corporation"
- source
- Static Parser
- relevance
- 10/10
File Details
fritz.box_7490.06.30.recover-image.exe
- Filename
- fritz.box_7490.06.30.recover-image.exe
- Size
- 23MiB (24377696 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76
- MD5
- 406744a4c58478eba61a2f1b32a06beb
- SHA1
- e5a1f9c4c7ae7aa442623d6994e7f81fede80c11
- ssdeep
- 393216:vQPr9P0jCA8Ia4k+cOQc8gX1pLvBZ1tzGJxvh3IXientNyYZErOTQ1qE0npm:vS0jVVT58SXLvBZ1tzbXienbysEac1z
- imphash
- e184fdabf61a523c571390b7d026ca58
- authentihash
- 05ef435047c37d561415296b9959add05c2dfe1bb768b87a439c11a3d80a7da1
- Compiler/Packer
- VC8 -> Microsoft Corporation
- PDB Pathway
Version Info
- LegalCopyright
- Copyright 2013
- InternalName
- AvmRecover
- FileVersion
- 2, 0, 0, 9
- CompanyName
- AVM Berlin
- Comments
- $ProjectRevision: 1.63 $
- ProductVersion
- 2, 0, 0, 0
- FileDescription
- AvmRecover
- OriginalFilename
- AvmRecover.exe
- Translation
- 0x0407 0x04b0
Classification (TrID)
- 83.4% (.EXE) InstallShield setup
- 8.7% (.EXE) Win32 Executable (generic)
- 3.8% (.EXE) Generic Win/DOS Executable
- 3.8% (.EXE) DOS Executable Generic
- 0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)
File Sections
File Resources
File Imports
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA (Serial: 7e93ebfb7cc64e59ea4b9a77d406fc3b) | 12/21/2012 01:00:00 to 12/31/2020 00:59:59 | 7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D, 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1 |
CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US | CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US (Serial: ecff438c8febf356e04d86a981b1a50) | 10/18/2012 01:00:00 to 12/30/2020 00:59:59 | 08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37, 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4 |
CN=AVM Computersysteme Vertriebs GmbH, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=AVM Computersysteme Vertriebs GmbH, L=Berlin, ST=Berlin, C=DE | CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US (Serial: 7ed194d725c51091ba395376ef7a4a1b) | 02/12/2013 01:00:00 to 03/14/2016 00:59:59 | F7:37:71:66:2A:33:3F:D2:04:08:4A:9E:DF:F9:41:0A, 3D:44:11:2E:1F:BB:70:CC:D4:26:44:E3:93:EA:43:DC:16:CB:17:E4 |
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US (Serial: 5200e5aa2556fc1a86ed96c9d44b33c7) | 02/08/2010 01:00:00 to 02/08/2020 00:59:59 | 4D:F6:E0:FC:40:0C:AE:9C:05:2F:AE:98:C6:6D:37:9F, 49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F |
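The AVM code-signing certificate in the table expired on 03/14/2016 and the report was generated on January 15th 2018, yet the chain validates. The reason is the Symantec timestamping countersignature: under Authenticode rules a timestamped signature is judged against the signing certificate's validity at the time of signing, not at the time of verification. The following is an added example, not Hybrid Analysis code, encoding that rule with the validity windows from the table; the signing time SIGNED_AT is an assumption, since the report does not print the timestamp token.

```python
"""Timestamp-aware Authenticode validity rule.  Added example, not Hybrid
Analysis code.  Windows are from the File Certificates table; SIGNED_AT is
an assumption."""
from datetime import datetime

# (notBefore, notAfter) as listed in the File Certificates table.
AVM_SIGNER = (datetime(2013, 2, 12, 1, 0, 0), datetime(2016, 3, 14, 0, 59, 59))
TSA_SIGNER = (datetime(2012, 10, 18, 1, 0, 0), datetime(2020, 12, 30, 0, 59, 59))
REPORT_TIME = datetime(2018, 1, 15, 17, 57, 53)      # report generation time
SIGNED_AT = datetime(2013, 6, 1, 12, 0, 0)            # assumption: a 2013 build


def within(window, t):
    """True if t lies inside the (notBefore, notAfter) window, inclusive."""
    start, end = window
    return start <= t <= end


def authenticode_valid(signer_window, tsa_window, signed_at, now):
    """Decide whether a signature is acceptable at time `now`.

    With a trusted countersignature the signing certificate only needs to
    have been valid at the timestamped signing time, and the timestamp
    authority's certificate must have been valid when it issued the token.
    Without a countersignature the signing certificate must be valid now.
    Returns (verdict, reason); chain trust and revocation are out of scope."""
    if signed_at is None:
        if within(signer_window, now):
            return True, "signer valid now; no timestamp needed"
        return False, "signer expired and the signature is not timestamped"
    if not within(signer_window, signed_at):
        return False, "signer was not valid at the timestamped signing time"
    if not within(tsa_window, signed_at):
        return False, "timestamp authority certificate was not valid at signing time"
    return True, "signer valid at timestamp; expiry after signing is acceptable"


if __name__ == "__main__":
    print(authenticode_valid(AVM_SIGNER, TSA_SIGNER, SIGNED_AT, REPORT_TIME))
    print(authenticode_valid(AVM_SIGNER, TSA_SIGNER, None, REPORT_TIME))
```

The second call shows the failure mode: the same file without its countersignature would no longer verify in 2018, which is why a vendor's recovery tools keep working years after the signing key rotated only when the signature was timestamped.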
Hybrid Analysis
Analysed 1 process in total.
- Input Sample (PID: 2512)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
2.22.48.33 | 80 TCP | - | European Union |
Contacted Countries
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
255.255.255.255 | Domain/IP reference | 00011227-00002512-44677-416-0042EC70 |
192.168.178.2 | Domain/IP reference | 00011227-00002512-44677-420-0041941E |
255.255.255.0 | Domain/IP reference | 00011227-00002512-44677-420-0041941E |
192.168.178.1 | Domain/IP reference | 00011227-00002512-44677-419-0042EC24 |
192.168.178.0 | Domain/IP reference | 00011227-00002512-44677-423-00419070 |
127.0.0.1 | Domain/IP reference | 00011227-00002512-44677-235-00419B73 |
Extracted Strings
Extracted Files
Informative 1
ftp.log
- Size
- 550B (550 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- ba94e7b35cde0fa1d0dd771da6457c9a52ed527b2f112052519467727371cb76.exe (PID: 2512)
- MD5
- edd1df5c1b0df61c32384e22aa7a244e
- SHA1
- e80fc5d3240112e65b9a90d75db50f6236b18910
- SHA256
- 4f79255c6d59e40a77dc90c85cfcb74890cf1e082f73f0091c62b7b969bfd809