f714viewinst.exe
This report is generated from a file or URL submitted to this webservice on April 6th 2018 16:46:21 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Persistence: Writes data to a remote process
- Fingerprint: Reads the cryptographic machine GUID
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 1
Installation/Persistence
Writes data to a remote process
- details
  - "<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 324)
  - "<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 324)
  - "<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 324)
  - "<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 324)
- source
  - API Call
- relevance
  - 6/10
Suspicious Indicators 17
Anti-Detection/Stealthiness
Queries kernel debugger information
- details
  - "<Input Sample>" at 00019404-00002904-00000105-56323337
  - "msiexec.exe" at 00020497-00003188-00000105-56425087
- source
  - API Call
- relevance
  - 6/10
Anti-Reverse Engineering
PE file has unusual entropy sections
- details
  - .rsrc with unusual entropies 7.18745147531
- source
  - Static Parser
- relevance
  - 10/10
Environment Awareness
Possibly tries to implement anti-virtualization techniques
- details
  - "x;w(+hZE[NT0+FC!'MxU#V0y/DC7b/vJOIP=V%ToTz:g-,vY+V?;~!l,jZ9|VbOX;m^'NK,~i!@GwxZ}!<MA|ZuYuX>sNS^4? Gpsog:" (Indicator: "vbox")
- source
  - File/Memory
- relevance
  - 4/10
Reads the cryptographic machine GUID
- details
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
  - Registry Access
- relevance
  - 10/10
General
Contains ability to find and load resources of a specific module
- details
  - FindResourceA@KERNEL32.DLL from f714viewinst.exe (PID: 2904)
- source
  - Hybrid Analysis Technology
- relevance
  - 1/10
Reads configuration files
- details
  - "<Input Sample>" read file "%TEMP%\_is182\_ISMSIDEL.INI"
  - "<Input Sample>" read file "%TEMP%\_is182\Setup.INI"
  - "<Input Sample>" read file "%TEMP%\_is182\0x0409.ini"
- source
  - API Call
- relevance
  - 4/10
Installation/Persistence
Creates new processes
- details
  - "<Input Sample>" is creating a new process (Name: "%WINDIR%\Downloaded Installations\{10959320-D73D-4221-925A-C407B1C85778}\FERC Form 714 Viewer.msi", Handle: 324)
- source
  - API Call
- relevance
  - 8/10
Found a string that may be used as part of an injection method
- details
  - "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source
  - File/Memory
- relevance
  - 4/10
Network Related
Found potential IP address in binary/memory
- details
  - Heuristic match: "ScriptVer=1.0.0.1"
- source
  - File/Memory
- relevance
  - 3/10
Remote Access Related
Contains indicators of bot communication commands
- details
  - "'f+ORVc;dDF%S/UcmD=IC >\z8`fq f03<kxw*_'8m(fN(4)G"7-Jk)["P" (Indicator: "cmd=")
- source
  - File/Memory
- relevance
  - 10/10
Reads terminal service related keys (often RDP related)
- details
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
  - Registry Access
- relevance
  - 10/10
System Destruction
Marks file for deletion
- details
  - "C:\f714viewinst.exe" marked "%TEMP%\~145.tmp" for deletion
  - "C:\f714viewinst.exe" marked "%TEMP%\_MSI5166._IS" for deletion
  - "C:\f714viewinst.exe" marked "%TEMP%\_is182.tmp" for deletion
- source
  - API Call
- relevance
  - 10/10
Opens file with deletion access rights
- details
  - "<Input Sample>" opened "%TEMP%\~145.tmp" with delete access
  - "<Input Sample>" opened "%TEMP%\_MSI5166._IS" with delete access
  - "<Input Sample>" opened "%TEMP%\_is182.tmp" with delete access
- source
  - API Call
- relevance
  - 7/10
Unusual Characteristics
Imports suspicious APIs
- details
  - RegDeleteKeyA, RegOpenKeyA, RegCloseKey, OpenProcessToken, RegCreateKeyExA, RegOpenKeyExA, GetFileAttributesA, GetDriveTypeA, UnhandledExceptionFilter, GetTempPathA, WriteFile, CopyFileA, GetModuleFileNameA, CreateThread, TerminateProcess, GetTickCount, VirtualProtect, GetVersionExA, LoadLibraryA, GetStartupInfoA, GetFileSize, CreateDirectoryA, DeleteFileA, GetProcAddress, FindFirstFileA, GetTempFileNameA, CreateFileMappingA, CreateFileA, LockResource, GetCommandLineA, MapViewOfFile, GetModuleHandleA, CreateProcessA, Sleep, FindResourceA, VirtualAlloc, FindWindowA
- source
  - Static Parser
- relevance
  - 1/10
Reads information about supported languages
- details
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
  - Registry Access
- relevance
  - 3/10
Hiding 2 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
Informative 15
Environment Awareness
Contains ability to query the machine version
- details
  - GetVersion@KERNEL32.DLL from f714viewinst.exe (PID: 2904)
  - GetVersionExA@KERNEL32.DLL from f714viewinst.exe (PID: 2904)
  - GetVersionExA@KERNEL32.DLL from f714viewinst.exe (PID: 2904)
  - GetVersionExA@KERNEL32.DLL from f714viewinst.exe (PID: 2904)
  - GetVersionExA@KERNEL32.DLL from f714viewinst.exe (PID: 2904)
  - GetVersionExA@KERNEL32.DLL from f714viewinst.exe (PID: 2904)
- source
  - Hybrid Analysis Technology
- relevance
  - 1/10
Contains ability to query volume size
- details
  - GetDiskFreeSpaceA@KERNEL32.DLL from f714viewinst.exe (PID: 2904)
- source
  - Hybrid Analysis Technology
- relevance
  - 3/10
Makes a code branch decision directly after an API that is environment aware
- details
  - Found API call GetVersionExA@KERNEL32.DLL (Target: "f714viewinst.exe"; Stream UID: "00019404-00002904-34975-217-0040F7DA") which is directly followed by "cmp dword ptr [ebp-00000084h], 02h" and "ret". Related instructions, from f714viewinst.exe (PID: 2904):
      +0  push ebp
      +1  mov ebp, esp
      +3  sub esp, 00000094h
      +9  lea eax, dword ptr [ebp-00000094h]
      +15 mov dword ptr [ebp-00000094h], 00000094h
      +25 push eax
      +26 call dword ptr [0041F0C0h] ;GetVersionExA
      +32 xor eax, eax
      +34 cmp dword ptr [ebp-00000084h], 02h
      +41 sete al
      +44 leave
      +45 ret
  - Found API call GetVersionExA@KERNEL32.DLL (Target: "f714viewinst.exe"; Stream UID: "00019404-00002904-34975-77-0040F7AC") which is directly followed by "cmp dword ptr [ebp-00000084h], 01h" and "ret". Related instructions, from f714viewinst.exe (PID: 2904):
      +0  push ebp
      +1  mov ebp, esp
      +3  sub esp, 00000094h
      +9  lea eax, dword ptr [ebp-00000094h]
      +15 mov dword ptr [ebp-00000094h], 00000094h
      +25 push eax
      +26 call dword ptr [0041F0C0h] ;GetVersionExA
      +32 xor eax, eax
      +34 cmp dword ptr [ebp-00000084h], 01h
      +41 sete al
      +44 leave
      +45 ret
- source
  - Hybrid Analysis Technology
- relevance
  - 10/10
Reads the active computer name
- details
  - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
  - Registry Access
- relevance
  - 5/10
External Systems
Sample was identified as clean by Antivirus engines
- details
  - 0/50 Antivirus vendors marked sample as malicious (0% detection rate)
- source
  - External System
- relevance
  - 10/10
General
Contains PDB pathways
- details
  - "wextract.pdb"
  - "e\setup\iexpress\wextract\obj\i386\wextract.pdb"
- source
  - File/Memory
- relevance
  - 1/10
Creates a writable file in a temporary directory
- details
  - "<Input Sample>" created file "%TEMP%\~145.tmp"
  - "<Input Sample>" created file "%TEMP%\_MSI5166._IS"
  - "<Input Sample>" created file "%TEMP%\_is182\Setup.INI"
  - "<Input Sample>" created file "%TEMP%\_is182\_ISMSIDEL.INI"
  - "<Input Sample>" created file "%TEMP%\_is182\0x0409.ini"
  - "<Input Sample>" created file "%TEMP%\_is182\FERC Form 714 Viewer.msi"
- source
  - API Call
- relevance
  - 1/10
Process launched with changed environment
- details
  - Process "msiexec.exe" was launched with new environment variables: "__COMPAT_LAYER="VistaSetup""
- source
  - Monitored Target
- relevance
  - 10/10
Spawns new processes
- details
  - Spawned process "msiexec.exe" with commandline "/i "%WINDIR%\Downloaded Installations\{10959320-D73D-4221-925A-C407B1C85778}\FERC Form 714 Viewer.msi" SETUPEXEDIR="C:""
- source
  - Monitored Target
- relevance
  - 3/10
Installation/Persistence
Connects to LPC ports
- details
  - "<Input Sample>" connecting to "\ThemeApiPort"
- source
  - API Call
- relevance
  - 1/10
Dropped files
- details
  - "FERC Form 714 Viewer.msi" has type "Composite Document File V2 Document Can't read SAT"
  - "0x0409.ini" has type "ASCII text with CRLF line terminators"
  - "_ISMSIDEL.INI" has type "data"
  - "~145.tmp" has type "ASCII text with CRLF line terminators"
  - "Setup.INI" has type "ASCII text with CRLF line terminators"
- source
  - Binary File
- relevance
  - 3/10
Touches files in the Windows directory
- details
  - "<Input Sample>" touched file "%WINDIR%\AppPatch\sysmain.sdb"
  - "<Input Sample>" touched file "C:\Windows\AppPatch\AcGenral.dll"
  - "<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
  - "<Input Sample>" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
  - "<Input Sample>" touched file "C:\Windows\System32\msi.dll"
  - "<Input Sample>" touched file "C:\Windows\System32\rsaenh.dll"
  - "<Input Sample>" touched file "C:\Windows\Downloaded Installations"
  - "<Input Sample>" touched file "C:\Windows\Downloaded Installations\{10959320-D73D-4221-925A-C407B1C85778}"
  - "<Input Sample>" touched file "C:\Windows\Downloaded Installations\{10959320-D73D-4221-925A-C407B1C85778}\FERC Form 714 Viewer.msi"
  - "<Input Sample>" touched file "C:\Windows\System32\msiexec.exe"
  - "msiexec.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
  - "msiexec.exe" touched file "C:\Windows\AppPatch\AcLayers.dll"
  - "msiexec.exe" touched file "C:\Windows\System32\rsaenh.dll"
- source
  - API Call
- relevance
  - 7/10
Network Related
Found potential URL in binary/memory
- details
  - Heuristic match: "mspatcha.cat"
  - Pattern match: "https://www.verisign.com/rpa"
  - Pattern match: "http://ocsp.verisign.com/ocsp/status0"
  - Pattern match: "https://www.verisign.com/rpa0"
  - Pattern match: "crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0"
  - Pattern match: "www.microsoft.com"
  - Pattern match: "www.ferc.gov/ARPCONTACT1-866-208-3676ARPHELPLINKARPHELPTELEPHONEARPURLINFOABOUTARPURLUPDATEINFOTahoma8DefaultUIFontInstallShield"
- source
  - File/Memory
- relevance
  - 10/10
System Security
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
  - "<Input Sample>" opened "\Device\KsecDD"
  - "msiexec.exe" opened "\Device\KsecDD"
- source
  - API Call
- relevance
  - 10/10
Unusual Characteristics
Matched Compiler/Packer signature
- details
  - "f714viewinst.exe.bin" was detected as "Microsoft visual C++ 5.0"
- source
  - Static Parser
- relevance
  - 10/10
File Details
f714viewinst.exe
- Filename
- f714viewinst.exe
- Size
- 21MiB (22045563 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 6b07de005e0d73548fc6a30b9fb2ae4891feb2407b8ace683d058f96d8d5949c
- MD5
- 18ac38de54a432ac49c3da27ae50b779
- SHA1
- f183eb66878b56a409f386e5768eb4d36398eea2
- ssdeep
- 393216:ueJWGhrr297xl+w3TiISDBgiPR0FkDpvKpkxGxkqs51hvhuHyuPM1OXnG+:SGhCxkwDNS2yXxZNuH57nG+
- imphash
- ed4817bd12c7cb91fdcfb0ad265f5af2
- authentihash
- 23f0807bcae3d7f35cdabe29c918c7215eb09c0cb8e53c20075d47409ecb2736
- Compiler/Packer
- Microsoft visual C++ 5.0
Version Info
- LegalCopyright
- 749
- FileVersion
- 1.00.0000
- CompanyName
- FERC
- Comments
- -
- ProductName
- FERC Form 714 Viewer
- ProductVersion
- 1.00.0000
- FileDescription
- Setup Launcher
- Translation
- 0x0409 0x04e4
Classification (TrID)
- 42.0% (.EXE) InstallShield setup
- 30.4% (.EXE) Win32 Executable MS Visual C++ (generic)
- 12.7% (.SCR) Windows Screen Saver
- 6.4% (.DLL) Win32 Dynamic Link Library (generic)
- 4.3% (.EXE) Win32 Executable (generic)
File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 34 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8966)
- 15 .OBJ Files (COFF) linked with LINK.EXE 5.12 (Visual Studio 5 SP2) (build: 8034)
- 9 .OBJ Files (COFF) linked with LINK.EXE 5.12 (Visual Studio 5 SP2) (build: 8022)
- 2 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8168)
- 13 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8047)
- 1 .OBJ Files linked with ALIASOBJ.EXE 6.00 (Internal OLDNAMES.LIB Tool) (build: 7291)
- 116 .C Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8047)
- 28 .ASM Files assembled with MASM 6.13 (Visual Studio 6 SP1) (build: 7299)
- File contains C++ code
- File should have a .rsrc section or an embedded manifest
- File appears to contain raw COFF/OMF content
- File is the product of a medium codebase (34 files)
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- f714viewinst.exe (PID: 2904)
- msiexec.exe /i "%WINDIR%\Downloaded Installations\{10959320-D73D-4221-925A-C407B1C85778}\FERC Form 714 Viewer.msi" SETUPEXEDIR="C:" (PID: 3188)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Informative Selection 2
Setup.INI
- Size
- 1.2KiB (1210 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- f714viewinst.exe (PID: 2904)
- MD5
- fb5d4afff3b8d4377ad409aafe9d1451
- SHA1
- a24a6ff64596085e2fd2a6315463ff622ee30e67
- SHA256
- f56e1f800d242d8fc74017121c8a4e7dbd88baa79633297fe535c98aab92b033
FERC Form 714 Viewer.msi
- Size
- 5MiB (5241856 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- f714viewinst.exe (PID: 2904)
- MD5
- ccc743ea8d3f689793c75e2f0db6f154
- SHA1
- ef5327539c026ebea3b83297e76afd4983a683c6
- SHA256
- 70637a89acbfc2c6e7872ae783b8b68e5c28cc08c87f7ba52f53a5c76d807244
Informative 3
0x0409.ini
- Size
- 4KiB (4107 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- f714viewinst.exe (PID: 2904)
- MD5
- 47b8151455bc54356bd8eab2d9656dff
- SHA1
- 077fce613856628b7144db497c38283d733ff0d1
- SHA256
- ddc0262ecaf411329b7d6b0510696e934f7f15887a9b81084ef3b1d07c7f3824
_ISMSIDEL.INI
- Size
- 233B (233 bytes)
- Type
- data
- Runtime Process
- f714viewinst.exe (PID: 2904)
- MD5
- a1902f93ec53a661a4f75ba749e95a71
- SHA1
- 3b0756ee35989c52fc3b45c05df25a56d2827a0c
- SHA256
- 147c363af122dec920f4f152eb8cfc2e0d17e2458c297297b99195f7365ca8d8
~145.tmp
- Size
- 1.2KiB (1210 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- f714viewinst.exe (PID: 2904)
- MD5
- fb5d4afff3b8d4377ad409aafe9d1451
- SHA1
- a24a6ff64596085e2fd2a6315463ff622ee30e67
- SHA256
- f56e1f800d242d8fc74017121c8a4e7dbd88baa79633297fe535c98aab92b033
Notifications
Runtime
- Added comment to Virus Total report
- Extracted file "FERC Form 714 Viewer.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/70637a89acbfc2c6e7872ae783b8b68e5c28cc08c87f7ba52f53a5c76d807244/analysis/1523030155/")
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)