PESCAN.IO - Analysis Report Basic

File Structure (chart legend; the image itself is not reproduced here)
PE chart: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a File Structure entry shown in red means a malformed or corrupted header.
Chart for other file types: printable characters (blue), non-printable characters (black).
Information
Size: 124.00 KB (126,976 bytes; consistent with the last section, .reloc, ending at raw offset 0x1E000 + 0x1000 = 0x1F000, and with the 62,588-byte / 49.2912% ASCII share under Extra Analysis)
SHA-256 Hash: B3944ECAB58314E610B13FAF6BC7BD674208F52855E9F40705D9D3C87FB21F61
SHA-1 Hash: 8B5E3EEBBBB587E610FE474476863F31468350CE
MD5 Hash: 2EBFD632BBCD9D09531B05125F0B07FB
Imphash: 01C8E55B2722BDC087FDB8936E43D90C
MajorOSVersion: 10
MinorOSVersion: 0
CheckSum: 0002DC60
EntryPoint (rva): 4970
SizeOfHeaders: 1000
SizeOfImage: 23000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 153A4
IAT: 11518
Characteristics: 22
TimeDateStamp: 59F31718
Date: 27/10/2017 11:23:04 (literal decoding of the stamp only; Microsoft links Windows binaries reproducibly, so this field holds a hash of the image rather than a link time, which is why it predates the 10.0.26100 build in the version resource by years. Use the FileVersion, not this date, to place the build.)
File Type: EXE
Number Of Sections: 8
ASLR: Disabled (as reported by the tool. This verdict comes from the DYNAMIC_BASE bit in DllCharacteristics, a field the report does not print. The image keeps its relocations, since Characteristics 0x22 has no RELOCS_STRIPPED bit and a .reloc section is present, so relocation is possible and the flag alone decides; confirm it on the file before relying on it.)
Section Names (Section Table): .text, fothk, .rdata, .data, .pdata, .didat, .rsrc, .reloc
Number Of Executable Sections: 2
Subsystem: Windows GUI
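The header fields above, in particular the ASLR verdict, which depends on DllCharacteristics bits this report does not show, and the CheckSum value, which can be recomputed, are straightforward to confirm directly against the file. The following is an added example, not pescan.io's code. parse_pe() reads any PE32+ file (parse_pe(open("dwm.exe", "rb").read())); build_sample_pe() is a constructed, minimal, non-executable image that borrows ImageBase 0x140000000, EntryPoint 0x4970 and Characteristics 0x22 from the report only so the parser can be exercised offline. It is not dwm.exe.

```python
"""Read the header fields this report prints, plus DllCharacteristics (which it does
not print but which decides the ASLR verdict), from a PE32+ file, and recompute the
PE checksum so the reported CheckSum can be confirmed against the file."""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
PE32PLUS_MAGIC = 0x20B
DLLCHARS = {                      # subset of IMAGE_DLLCHARACTERISTICS_* bits
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
}


def pe_checksum(data):
    """PE checksum as the loader computes it: dword sum with carry folding, skipping
    the CheckSum field itself, folded to 16 bits, plus the file length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    csum_off = e_lfanew + 4 + 20 + 64          # CheckSum sits at optional-header offset 64
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == csum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def parse_pe(data):
    """Return the report's header fields plus DllCharacteristics and an ASLR verdict."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("not a PE32+ (x64) image")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    major_os, minor_os = struct.unpack_from("<HH", data, opt + 40)
    size_of_image, size_of_headers, checksum, subsystem, dllchars = struct.unpack_from(
        "<IIIHH", data, opt + 56)
    sections = []
    for i in range(nsections):
        base = opt + opt_size + 40 * i
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", data, base)
        flags = struct.unpack_from("<I", data, base + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         flags, roff, rsize, va, vsize))
    # ASLR needs DYNAMIC_BASE *and* relocations the loader can still apply.
    aslr = bool(dllchars & 0x0040) and not (chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "machine": machine, "timestamp": timestamp, "characteristics": chars,
        "entry_point": entry_point, "image_base": image_base,
        "os_version": (major_os, minor_os), "size_of_image": size_of_image,
        "size_of_headers": size_of_headers, "subsystem": subsystem,
        "checksum": checksum, "checksum_ok": checksum == pe_checksum(data),
        "dll_characteristics": dllchars,
        "dll_flags": [n for bit, n in DLLCHARS.items() if dllchars & bit],
        "aslr": aslr, "sections": sections,
    }


def build_sample_pe(dllchars):
    """Constructed minimal PE32+ (DOS header, COFF + optional header, one .text section
    of INT3 padding). Not executable and not dwm.exe; it borrows ImageBase, EntryPoint
    and Characteristics from the report only so parse_pe() can be exercised offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0x59F31718, 0, 0, 240, 0x22)
    opt = bytearray(240)                                      # PE32+, 16 data directories
    struct.pack_into("<HBB", opt, 0, PE32PLUS_MAGIC, 14, 38)  # magic, linker 14.38
    struct.pack_into("<I", opt, 16, 0x4970)                   # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)              # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)           # Section/File alignment
    struct.pack_into("<HH", opt, 40, 10, 0)                   # Major/MinorOSVersion
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, dllchars)             # Subsystem GUI, DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    image = bytearray(headers + b"\xCC" * 0x200)
    struct.pack_into("<I", image, 64 + 4 + 20 + 64, pe_checksum(bytes(image)))
    return bytes(image)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0x0160)
    info = parse_pe(data)
    for key in ("entry_point", "image_base", "size_of_image", "checksum",
                "checksum_ok", "dll_flags", "aslr"):
        print(f"{key:>16}: {info[key]}")
```

Run it with the real file as the argument and compare entry_point, image_base, size_of_image and checksum with the values in the report; aslr is True only when DYNAMIC_BASE is set and relocations were not stripped, which is the combination the loader actually requires.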

Sections Info
Section  Flags       Meaning                                   ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text    0x60000020  Code, Executable, Readable                1000     F000   1000     E3B0   5.9116   703900.71
fothk    0x60000020  Code, Executable, Readable                10000    1000   10000    1000   0.0159   1041922
.rdata   0x40000040  Initialized Data, Readable                11000    7000   11000    6668   4.4391   1498805.86
.data    0xC0000040  Initialized Data, Readable, Writeable     18000    1000   18000    4600   0.4864   951077.63
.pdata   0x40000040  Initialized Data, Readable                19000    2000   1D000    10B0   2.8979   1021189
.didat   0xC0000040  Initialized Data, Readable, Writeable     1B000    1000   1F000    B0     0.1714   1012004.88
.rsrc    0x40000040  Initialized Data, Readable                1C000    2000   20000    1F60   4.1991   497988.31
.reloc   0x42000040  Initialized Data, Discardable, Readable   1E000    1000   22000    1B8    0.8401   872451.88
Offsets and sizes are hexadecimal. The 0x02000000 bit in .reloc's flags is IMAGE_SCN_MEM_DISCARDABLE (the tool labelled it "GP-Relative", which is the unrelated 0x8000 bit); a discardable .reloc is the normal linker output.
Description
OriginalFilename: dwm.exe
CompanyName: Microsoft Corporation
LegalCopyright: Microsoft Corporation. All rights reserved.
ProductName: Microsoft Windows Operating System
FileVersion: 10.0.26100.8328 (WinBuild.160101.0800)
FileDescription: Desktop Window Manager
ProductVersion: 10.0.26100.8328
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section 1 (.text, RVA 0x1000-0x10000) contains the entry point.
Information -> EntryPoint (calculated) - 4970
Code -> 4883EC28E89B0400004883C428E96EFEFFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC66660F1F840000000000483B
Assembler (the tool prints branch targets relative to a base of 0x1000 rather than to the entry point; image-relative targets are given in brackets)
|SUB RSP, 0X28
|CALL 0X14A4        [RVA 0x4E14 = 0x4970 + 4 + 5 + 0x49B]
|ADD RSP, 0X28
|JMP 0XE80          [RVA 0x47F0 = 0x4970 + 13 + 5 - 0x192]
|INT3 (x20, alignment padding)
|NOP WORD PTR [RAX + RAX]
This is the standard MSVC CRT startup stub (call __security_init_cookie, then tail-jump into the common main routine), which is consistent with the Microsoft Visual C++ entry-point pattern hits further down.
Signatures
Rich Signature Analyzer:
Code -> 394AECAF7D2B82FC7D2B82FC7D2B82FC745311FC1E2B82FC7D2B82FC7C2B82FC04AA86FD722B82FC04AA81FD782B82FC7D2B83FCA22F82FC04AA83FD752B82FC04AA87FD5D2B82FC04AA8AFD6F2B82FC04AA7FFC7C2B82FC04AA7DFC7C2B82FC04AA80FD7C2B82FC526963687D2B82FC
Footprint md5 Hash -> 10B2D868135A79923B8776D0E0DBDC08
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file carries no embedded Authenticode signature. For Windows inbox binaries such as dwm.exe that is the normal case: they are signed through the system catalog files rather than with an embedded signature, so "not signed" here means "not embedded-signed". Verify catalog signing on the host (signtool verify /a or Get-AuthenticodeSignature, both of which consult catalogs) before treating the file as unsigned.
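The Rich header dump above decodes to the toolchain that produced the image and cross-checks the DIE result below (Microsoft Linker 14.38). The following is an added example, not pescan.io's code; RICH_HEX is the "Code ->" value from the report copied verbatim. The layout assumed is the well-known one: "DanS" XOR key, three key-XORed padding dwords, then (compid XOR key, count XOR key) pairs, "Rich", key, where compid is (product id << 16) | build number. Product-id names are not decoded, only build numbers. The checksum that the key is supposed to equal is computed over the DOS header bytes, which the report does not print, so "has not been modified" cannot be re-verified from this page alone; rich_checksum() shows what to compute once the file is at hand.

```python
"""Decode the Rich header hex dump from the report and show what verifying its key needs."""
import struct

# Copied verbatim from the report's "Rich Signature Analyzer: Code ->" line.
RICH_HEX = ("394AECAF7D2B82FC7D2B82FC7D2B82FC745311FC1E2B82FC7D2B82FC7C2B82FC"
            "04AA86FD722B82FC04AA81FD782B82FC7D2B83FCA22F82FC04AA83FD752B82FC"
            "04AA87FD5D2B82FC04AA8AFD6F2B82FC04AA7FFC7C2B82FC04AA7DFC7C2B82FC"
            "04AA80FD7C2B82FC526963687D2B82FC")

DANS = 0x536E6144   # b"DanS" read as a little-endian dword
RICH = 0x68636952   # b"Rich"


def parse_rich(hex_blob):
    """Return (key, entries); each entry is {"prodid", "build", "count"}."""
    data = bytes.fromhex(hex_blob)
    if len(data) % 4:
        raise ValueError("Rich header must be dword-aligned")
    dwords = struct.unpack("<%dI" % (len(data) // 4), data)
    try:
        rich_idx = dwords.index(RICH)
    except ValueError:
        raise ValueError('no "Rich" marker') from None
    key = dwords[rich_idx + 1]
    if dwords[0] ^ key != DANS:
        raise ValueError('first dword does not decode to "DanS" with this key')
    if any(d ^ key for d in dwords[1:4]):
        raise ValueError("padding dwords are not key-XORed zeros")
    entries = []
    for i in range(4, rich_idx, 2):
        comp = dwords[i] ^ key
        entries.append({"prodid": comp >> 16, "build": comp & 0xFFFF,
                        "count": dwords[i + 1] ^ key})
    return key, entries


def newest_build(entries):
    """Highest toolchain build number seen; this is the linker generation to compare
    with DIE's result (33145 belongs to the 14.38 line)."""
    return max(e["build"] for e in entries)


def rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(dos_stub, entries):
    """Recompute what the key must equal: dos_stub is the file from offset 0 up to
    (not including) the "DanS" dword. e_lfanew (0x3C-0x3F) is excluded. The report
    does not include these bytes, so this needs the actual file."""
    csum = len(dos_stub)
    for i, b in enumerate(dos_stub):
        if 0x3C <= i < 0x40:
            continue
        csum = (csum + rol32(b, i)) & 0xFFFFFFFF
    for e in entries:
        csum = (csum + rol32((e["prodid"] << 16) | e["build"], e["count"])) & 0xFFFFFFFF
    return csum


if __name__ == "__main__":
    key, entries = parse_rich(RICH_HEX)
    print(f"key {key:#010x}, {len(entries)} entries, newest build {newest_build(entries)}")
    for e in entries:
        print(f"  prodid {e['prodid']:#06x}  build {e['build']:5d}  count {e['count']}")
```

With the file in hand, parse_rich() on the bytes between "DanS" and the key, then rich_checksum(file[:dans_offset], entries) == key, is the actual "not modified" test; a mismatch means the DOS stub or the entries were edited after linking.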

Packer/Compiler
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.38**)[-]
Entropy: 5.05495

Suspicious Functions (heuristic import-name matches; GetModuleFileNameA, GetProcAddress and IsDebuggerPresent are routine in benign Microsoft code and only matter in combination with other findings)
Library Function Description
KERNEL32.DLL GetModuleFileNameA Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
Windows REG (UNICODE)
Software\Microsoft\Windows\DWM
Software\Policies\Microsoft\Windows\DWM
Software\Microsoft\Avalon.Graphics

File Access
dwm.exe
api-ms-win-core-errorhandling-l1-1-2.dll
api-ms-win-core-errorhandling-l1-1-3.dll
api-ms-win-core-delayload-l1-1-0.dll
api-ms-win-core-delayload-l1-1-1.dll
msvcp_win.dll
dwmcore.dll
api-ms-win-core-apiquery-l1-1-0.dll
CoreMessaging.dll
dxgi.dll
ntdll.dll
win32u.dll
api-ms-win-rtcore-ntuser-window-l1-1-0.dll
api-ms-win-rtcore-ntuser-private-l1-1-2.dll
api-ms-win-rtcore-ntuser-private-l1-1-0.dll
api-ms-win-dx-d3dkmt-l1-1-1.dll
api-ms-win-dx-d3dkmt-l1-1-0.dll
api-ms-win-composition-windowmanager-l1-1-0.dll
api-ms-win-composition-redirection-l1-1-0.dll
api-ms-win-core-psapi-l1-1-0.dll
api-ms-win-core-util-l1-1-0.dll
api-ms-win-core-memory-l1-1-0.dll
RPCRT4.dll
api-ms-win-core-version-l1-1-0.dll
api-ms-win-eventing-provider-l1-1-0.dll
api-ms-win-core-version-l1-1-1.dll
api-ms-win-core-interlocked-l1-1-0.dll
api-ms-win-core-sysinfo-l1-1-0.dll
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-processthreads-l1-1-1.dll
api-ms-win-core-rtlsupport-l1-1-0.dll
api-ms-win-core-winrt-string-l1-1-0.dll
api-ms-win-core-winrt-l1-1-0.dll
api-ms-win-core-registry-l1-1-0.dll
api-ms-win-security-base-l1-1-0.dll
api-ms-win-core-com-l1-1-0.dll
api-ms-win-core-winrt-error-l1-1-0.dll
api-ms-win-core-handle-l1-1-0.dll
api-ms-win-core-debug-l1-1-0.dll
api-ms-win-core-localization-l1-2-0.dll
api-ms-win-core-processthreads-l1-1-0.dll
api-ms-win-core-threadpool-l1-2-0.dll
api-ms-win-core-errorhandling-l1-1-0.dll
api-ms-win-core-heap-l1-1-0.dll
api-ms-win-core-synch-l1-1-0.dll
api-ms-win-core-synch-l1-2-0.dll
api-ms-win-core-libraryloader-l1-2-0.dll
api-ms-win-eventlog-legacy-l1-1-0.dll
api-ms-win-core-windowserrorreporting-l1-1-1.dll
api-ms-win-core-windowserrorreporting-l1-1-3.dll
api-ms-win-core-windowserrorreporting-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-private-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
ext-ms-win-imm-l1-1-0.dll
ext-ms-win-composition-ghost-l1-1-0.dll
ext-ms-win-wer-reporting-l1-1-0.dll
ext-ms-win-rtcore-ntuser-sysparams-l1-1-0.dll
ext-ms-win-ntuser-keyboard-l1-1-0.dll
ext-ms-win-ntuser-gui-l1-3-0.dll
.dat
@.dat
Temp

File Access (UNICODE)
dwm.exe
kernel32.dll
kernelbase.dll
ntdll.dll
Temp

Words of Interest
exec
start
shutdown
systeminfo
ping

Words of Interest (UNICODE)
start
ping

URLs
http://schemas.microsoft.com/SMI/2005/WindowsSettings

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii Registry (RegGetValue)
Text Ascii File (CreateFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Stealth (ReleaseSemaphore)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (UnmapViewOfFile)
Text Ascii Stealth (MapViewOfFile)
Text Ascii Stealth (CreateFileMappingW)
Text Ascii Execution (CreateEventW)
Text Ascii Unauthorized movement of funds or data (Transfer)
Text Unicode Malicious rerouting of traffic to an attacker-controlled site (Redirect)
The two rule labels above are plain substring hits on the words "Transfer" and "Redirect"; in a Desktop Window Manager image they carry no weight on their own.
Entry Point Hex Pattern Microsoft Visual C++ 8.0 (DLL)
Entry Point Hex Pattern Microsoft Visual C++ 8.0
Entry Point Hex Pattern PE-Exe Executable Image
Resources
Path DataRVA Size FileOffset CodeText
\MUI\1\1033 21E70 F0 1DE70 CDFECDFEF000000000000100000000001100000000000000020000000ADBED7B8D9BF4B6D62B95035A011F2CDC7E0A916A7A...............................{.....+..Z..,.~..jz
\WEVT_TEMPLATE\1\1033 20658 1486 1C658 4352494D841400000500010001000000EA569DD267482142B02ECFD998834075240000005745565460140000010000900900CRIM.............V..gH!B......@u$...WEVT.........
\VERSION\1\1033 21AE0 38C 1DAE0 880334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 20160 4F3 1C160 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279<?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String
• dwm.exe
• api-ms-win-core-version-l1-1-0.dll
• api-ms-win-eventing-provider-l1-1-0.dll
• api-ms-win-core-profile-l1-1-0.dll
• api-ms-win-core-processthreads-l1-1-1.dll
• api-ms-win-core-rtlsupport-l1-1-0.dll
• api-ms-win-core-winrt-string-l1-1-0.dll
• api-ms-win-core-winrt-l1-1-0.dll
• api-ms-win-core-registry-l1-1-0.dll
• api-ms-win-security-base-l1-1-0.dll
• api-ms-win-core-winrt-error-l1-1-0.dll
• api-ms-win-core-handle-l1-1-0.dll
• api-ms-win-core-debug-l1-1-0.dll
• api-ms-win-core-localization-l1-2-0.dll
• api-ms-win-core-processthreads-l1-1-0.dll
• api-ms-win-core-threadpool-l1-2-0.dll
• api-ms-win-core-errorhandling-l1-1-0.dll
• api-ms-win-core-heap-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-private-l1-1-0.dll
• ext-ms-win-ntuser-gui-l1-3-0.dll
• ext-ms-win-ntuser-keyboard-l1-1-0.dll
• ext-ms-win-rtcore-ntuser-sysparams-l1-1-0.dll
• ext-ms-win-wer-reporting-l1-1-0.dll
• ext-ms-win-imm-l1-1-0.dll
• ntdll.dll
• kernelbase.dll
• onecoreuap\windows\dwm\dwm\apphost\hotkeycallback.cpp
• kernel32.dll
• onecoreuap\windows\dwm\common\util\utillib\debugbreak.cpp
• .bss
• WerReportAddDump
• api-ms-win-core-windowserrorreporting-l1-1-3.dll
• api-ms-win-core-windowserrorreporting-l1-1-1.dll
• api-ms-win-core-libraryloader-l1-2-0.dll
• api-ms-win-core-synch-l1-2-0.dll
• api-ms-win-core-synch-l1-1-0.dll
• api-ms-win-core-com-l1-1-0.dll
• api-ms-win-core-sysinfo-l1-1-0.dll
• api-ms-win-core-interlocked-l1-1-0.dll
• api-ms-win-core-version-l1-1-1.dll
• RPCRT4.dll
• api-ms-win-core-memory-l1-1-0.dll
• api-ms-win-core-util-l1-1-0.dll
• api-ms-win-core-psapi-l1-1-0.dll
• DestroyWindowapi-ms-win-rtcore-ntuser-window-l1-1-0.dll
• win32u.dll
• dxgi.dll
• api-ms-win-core-delayload-l1-1-1.dll
• api-ms-win-core-delayload-l1-1-0.dll
• api-ms-win-core-errorhandling-l1-1-2.dll
• <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">

Flow Anomalies
The entries below are indirect CALL/JMP instructions through a memory slot (FF 15 / FF 25 [RIP+disp32]); on x64 that is the normal way imported functions are reached, so this list is a map of import call sites rather than evidence of tampering. The displacement is relative to the end of the 6-byte instruction, and because .text has ROffset == VOffset the file offsets below are also RVAs: 1A9D + 6 + 0x1018D = RVA 0x11C30, inside .rdata just past the IAT start at 0x11518; the RIP+0x1Bxxx/0x1Cxxx entries resolve into .didat at 0x1F000, the delay-load import address table.
Offset RVA Section Description
1A9D N/A .text CALL QWORD PTR [RIP+0x1018D]
1ACC N/A .text CALL QWORD PTR [RIP+0x10176]
1C35 N/A .text CALL QWORD PTR [RIP+0x10005]
1D35 N/A .text CALL QWORD PTR [RIP+0xFD95]
1D6B N/A .text CALL QWORD PTR [RIP+0xFD57]
1E21 N/A .text CALL QWORD PTR [RIP+0xFCB9]
206F N/A .text CALL QWORD PTR [RIP+0xF563]
207B N/A .text CALL QWORD PTR [RIP+0xFA9F]
2108 N/A .text CALL QWORD PTR [RIP+0xF4BA]
21C0 N/A .text CALL QWORD PTR [RIP+0xFA1A]
2341 N/A .text CALL QWORD PTR [RIP+0x1CCC1]
2367 N/A .text CALL QWORD PTR [RIP+0x1CC9B]
23F3 N/A .text CALL QWORD PTR [RIP+0xF427]
23FF N/A .text CALL QWORD PTR [RIP+0xF2EB]
241F N/A .text CALL QWORD PTR [RIP+0xF3E3]
2532 N/A .text CALL QWORD PTR [RIP+0xF2D0]
2598 N/A .text CALL QWORD PTR [RIP+0xF1CA]
25C4 N/A .text CALL QWORD PTR [RIP+0xF19E]
25E7 N/A .text JMP QWORD PTR [RIP+0xF21B]
25F3 N/A .text CALL QWORD PTR [RIP+0xF16F]
2606 N/A .text CALL QWORD PTR [RIP+0xF15C]
262A N/A .text CALL QWORD PTR [RIP+0xF1F0]
2636 N/A .text CALL QWORD PTR [RIP+0xF0B4]
2886 N/A .text CALL QWORD PTR [RIP+0xEF5C]
28B6 N/A .text CALL QWORD PTR [RIP+0xEE94]
28FC N/A .text CALL QWORD PTR [RIP+0xEE56]
290E N/A .text CALL QWORD PTR [RIP+0xEEEC]
2964 N/A .text CALL QWORD PTR [RIP+0xEDEE]
299A N/A .text CALL QWORD PTR [RIP+0xEDB0]
29CB N/A .text CALL QWORD PTR [RIP+0xF07F]
29DC N/A .text CALL QWORD PTR [RIP+0xED1E]
29F0 N/A .text CALL QWORD PTR [RIP+0xECD2]
2A0F N/A .text CALL QWORD PTR [RIP+0xF1F3]
2A26 N/A .text CALL QWORD PTR [RIP+0xEBAC]
2A35 N/A .text CALL QWORD PTR [RIP+0x1C5ED]
2A45 N/A .text CALL QWORD PTR [RIP+0xEB7D]
2A82 N/A .text CALL QWORD PTR [RIP+0xEB58]
2A93 N/A .text CALL QWORD PTR [RIP+0xEE1F]
2AB6 N/A .text CALL QWORD PTR [RIP+0xEE24]
2AD6 N/A .text CALL QWORD PTR [RIP+0xEAFC]
2AEE N/A .text CALL QWORD PTR [RIP+0xEB4C]
2AFE N/A .text CALL QWORD PTR [RIP+0xEAC4]
2B36 N/A .text CALL QWORD PTR [RIP+0xF06C]
2D0F N/A .text CALL QWORD PTR [RIP+0xE933]
2D27 N/A .text CALL QWORD PTR [RIP+0xE903]
2D83 N/A .text CALL QWORD PTR [RIP+0xEE57]
2DCA N/A .text CALL QWORD PTR [RIP+0xE878]
2DDE N/A .text CALL QWORD PTR [RIP+0xE854]
2EF2 N/A .text CALL QWORD PTR [RIP+0xE7F8]
2F3B N/A .text CALL QWORD PTR [RIP+0xE607]
2F60 N/A .text CALL QWORD PTR [RIP+0xE672]
2F73 N/A .text CALL QWORD PTR [RIP+0xEB97]
2F83 N/A .text CALL QWORD PTR [RIP+0xE63F]
3014 N/A .text CALL QWORD PTR [RIP+0x1BFFE]
303A N/A .text CALL QWORD PTR [RIP+0xEBE0]
3069 N/A .text CALL QWORD PTR [RIP+0x1BFE1]
3079 N/A .text CALL QWORD PTR [RIP+0xE549]
3151 N/A .text CALL QWORD PTR [RIP+0x1BEA9]
3181 N/A .text JMP QWORD PTR [RIP+0xE9A9]
31C2 N/A .text CALL QWORD PTR [RIP+0x1BE48]
31DB N/A .text CALL QWORD PTR [RIP+0xE4F7]
322B N/A .text CALL QWORD PTR [RIP+0xE3A7]
3237 N/A .text CALL QWORD PTR [RIP+0xE4C3]
324D N/A .text CALL QWORD PTR [RIP+0xE495]
325D N/A .text CALL QWORD PTR [RIP+0xE365]
32F7 N/A .text CALL QWORD PTR [RIP+0xE2DB]
331D N/A .text CALL QWORD PTR [RIP+0xE85D]
332D N/A .text CALL QWORD PTR [RIP+0xE295]
3379 N/A .text CALL QWORD PTR [RIP+0xE2A1]
3412 N/A .text CALL QWORD PTR [RIP+0xE800]
3439 N/A .text CALL QWORD PTR [RIP+0xE199]
344F N/A .text CALL QWORD PTR [RIP+0xE733]
345F N/A .text CALL QWORD PTR [RIP+0xE163]
34C3 N/A .text CALL QWORD PTR [RIP+0xE747]
3573 N/A .text CALL QWORD PTR [RIP+0xE6A7]
3593 N/A .text CALL QWORD PTR [RIP+0xE5C7]
35A8 N/A .text CALL QWORD PTR [RIP+0xE58A]
35B9 N/A .text CALL QWORD PTR [RIP+0xE589]
35D2 N/A .text CALL QWORD PTR [RIP+0xE588]
3753 N/A .text CALL QWORD PTR [RIP+0xDF4F]
378C N/A .text CALL QWORD PTR [RIP+0xDF26]
37AB N/A .text CALL QWORD PTR [RIP+0xDE17]
384B N/A .text CALL QWORD PTR [RIP+0xE2FF]
389B N/A .text CALL QWORD PTR [RIP+0xE2B7]
38F9 N/A .text CALL QWORD PTR [RIP+0xDEE9]
3921 N/A .text CALL QWORD PTR [RIP+0xDE29]
3933 N/A .text CALL QWORD PTR [RIP+0xDEC7]
39C2 N/A .text CALL QWORD PTR [RIP+0xDC10]
39D3 N/A .text CALL QWORD PTR [RIP+0xE18F]
39E4 N/A .text CALL QWORD PTR [RIP+0xDBDE]
3A2D N/A .text CALL QWORD PTR [RIP+0xDBA5]
3A76 N/A .text CALL QWORD PTR [RIP+0xE0F4]
3A8E N/A .text CALL QWORD PTR [RIP+0xDB34]
3AD8 N/A .text CALL QWORD PTR [RIP+0x1B55A]
3AF4 N/A .text CALL QWORD PTR [RIP+0x1B53E]
3B12 N/A .text CALL QWORD PTR [RIP+0x1B520]
3B30 N/A .text CALL QWORD PTR [RIP+0x1B502]
3BE2 N/A .text CALL QWORD PTR [RIP+0xDDA8]
3C6C N/A .text CALL QWORD PTR [RIP+0xD946]
3E7E N/A .text CALL QWORD PTR [RIP+0xD87C]
5682-569F N/A .text Unusual BP Cave, count: 30
10015-10FFF N/A fothk Unusual BP Cave, count: 4075
10000-10FFF 10000 fothk Executable section anomaly, first bytes: CCCCCCCCCCCCCCCC
The "BP caves" are runs of 0xCC (INT3). The 30-byte run in .text is ordinary inter-function alignment padding (the entry-point dump above ends the same way). fothk is a whole 4 KiB executable page of 0xCC, which its entropy of 0.0159 already says; the same section name appears in other Microsoft-built binaries of this build generation, so an all-0xCC fothk is expected here and deserves attention only if it contains anything other than 0xCC.
Extra Analysis
Metric Value Percentage
Ascii Code 62588 49.2912%
Null Byte Code 47994 37.7977%
© 2026 All rights reserved.