PREMIUM PESCAN.IO - Analysis Report

File Structure
[Analysis image not reproduced. PE chart legend: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Chart legend for other file types: printable characters (blue), non-printable characters (black).]
Information
Size: 1,62 MB
SHA-256 Hash: 6E9AF975A383FD0377D120F73887661D13A9E24933E7AD2903E303B06E3A2571
SHA-1 Hash: 0DF3188B2BE4E4F226E10E0F115A7C2C9F15E921
MD5 Hash: 5DA1DBB725C25F177486838CA5F437A6
Imphash: 4CEA7AE85C87DDC7295D39FF9CDA31D1
MajorOSVersion: 10
MinorOSVersion: 0
CheckSum: 001AC162
EntryPoint (rva): 8200
SizeOfHeaders: 400
SizeOfImage: 1A5000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: A23C
IAT: 9128
Characteristics: 22
TimeDateStamp: 544C01B9
Date: 25/10/2014 20:02:01
File Type: EXE
Number Of Sections: 6
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info
Section  Flags       Attributes                              ROffset  RSize   VOffset  VSize   Entropy  Chi2
.text    0x60000020  Code, Executable, Readable              400      7C00    1000     7B80    6.0965   327363.18
.rdata   0x40000040  Initialized Data, Readable              8000     2400    9000     22C8    4.7278   453786.06
.data    0xC0000040  Initialized Data, Readable, Writeable   A400     400     C000     1F00    3.189    88083.5
.pdata   0x40000040  Initialized Data, Readable              A800     600     E000     408     3.1564   174137.67
.rsrc    0x40000040  Initialized Data, Readable              AE00     194C00  F000     194BCA  7.7444   2280480.82
.reloc   0x42000040  Initialized Data, GP-Relative, Readable 19FA00   200     1A4000   20      0.4068   119087
Description
OriginalFilename: WEXTRACT.EXE.MUI
CompanyName: Microsoft Corporation
LegalCopyright: Microsoft Corporation. All rights reserved.
ProductName: Internet Explorer
FileVersion: 11.00.22677.1 (WinBuild.160101.0800)
FileDescription: Win32 Cabinet Self-Extractor
ProductVersion: 11.00.22677.1
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number 1 contains the entry point.
Information -> EntryPoint (calculated) - 7600
Code -> 4883EC28E85B0700004883C428E906000000CCCCCCCCCCCC48895C240848897C241041564881ECB00000008364242000488D
Assembler
|SUB RSP, 0X28
|CALL 0X1764
|ADD RSP, 0X28
|JMP 0X1018
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|MOV QWORD PTR [RSP + 8], RBX
|MOV QWORD PTR [RSP + 0X10], RDI
|PUSH R14
|SUB RSP, 0XB0
|AND DWORD PTR [RSP + 0X20], 0
Signatures
CheckSum Integrity Problem:
Header: 1753442
Calculated: 1746003
Rich Signature Analyzer:
Code -> 44D8FE6500B9903600B9903600B9903614D2953701B9903614D2933702B9903614D2943712B9903614D2913711B9903600B99136A0B9903614D298370AB9903614D26F3601B9903614D2923701B990365269636800B99036
Footprint md5 Hash -> C5D0D5411BA65CAECFE7EA70C5636BD9
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): sfx: Microsoft Cabinet(11.0.22677.1)[-]
PE+(64): compiler: Microsoft Visual C/C++(2019 v.16.0)[-]
PE+(64): archive: Microsoft Cabinet File(1.03)[LZX,67.5%,2 files]
PE+(64): linker: Microsoft Linker(14.20, Visual Studio 2019 16.0*)[-]
Entropy: 7.71973

Suspicious Functions
Library       Function            Description
KERNEL32.DLL  GetProcAddress      Possible call of an API by name. Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  CreateMutexA        Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL  GetModuleFileNameA  Retrieves the fully qualified path for the executable file of a specified module.
KERNEL32.DLL  WriteFile           Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA        Loads the specified module into the address space of the calling process.
KERNEL32.DLL  GetProcAddress      Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  CreateFileA         Creates or opens a file or I/O device.
KERNEL32.DLL  DeleteFileA         Deletes an existing file.
USER32.DLL    CallWindowProcA     Invokes the window procedure for the specified window and message.
ADVAPI32.DLL  DecryptFileA        Decrypts a file previously encrypted by the EncryptFile function.
ADVAPI32.DLL  RegCreateKeyExA     Creates a new registry key or opens an existing one.
ADVAPI32.DLL  RegSetValueExA      Sets the data and type of a specified value under a registry key.
ADVAPI32.DLL  RegDeleteValueA     Removes a named value from the specified registry key. Note that value names are not case sensitive.
Windows REG
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows\CurrentVersion\RunOnce
System\CurrentControlSet\Control\Session Manager
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access
Steps.exe
rundll32.exe
SHELL32.DLL
rundll32.exe %sadvpack.dll
VERSION.dll
Cabinet.dll
COMCTL32.dll
msvcrt.dll
USER32.dll
GDI32.dll
KERNEL32.dll
ADVAPI32.dll
advpack.dll
setupapi.dll
setupx.dll
.BAT
.dat
@.dat
wininit.ini
Temp

File Access (UNICODE)
WEXTRACT.EXE
incorrect version of advpack.dll
7Could not load Shell32.dll
Kernel32.dll
Temp

Words of Interest
Decrypt
exec
attrib
start
shutdown
rundll32
systeminfo
rundll
expand

Words of Interest (UNICODE)
start
shutdown
ping

Strings/Hex Code Found With The File Rules
Rule Type    Encoding     Matched (Word)
Text         Unicode      WinAPI Sockets (accept)
Text         Ascii        Registry (RegCreateKeyEx)
Text         Ascii        Registry (RegOpenKeyEx)
Text         Ascii        Registry (RegSetValueEx)
Text         Ascii        File (GetTempPath)
Text         Ascii        File (CreateFile)
Text         Ascii        File (WriteFile)
Text         Ascii        File (ReadFile)
Text         Ascii        Anti-Analysis VM (GetSystemInfo)
Text         Ascii        Anti-Analysis VM (GetVersion)
Text         Ascii        Reconnaissance (FindFirstFileA)
Text         Ascii        Reconnaissance (FindNextFileA)
Text         Ascii        Reconnaissance (FindClose)
Text         Ascii        Stealth (CloseHandle)
Text         Ascii        Execution (CreateProcessA)
Text         Ascii        Execution (CreateEventA)
Text         Ascii        Privileges (SeShutdownPrivilege)
Entry Point  Hex Pattern  Microsoft Visual C++ 8.0 (DLL)
Entry Point  Hex Pattern  ORiEN 2.01 - A. Fisun
Resources
Path  DataRVA  Size  FileOffset  Code (hex)  Text
\AVI\3001\1033 F7E8 2E1A B5E8 52494646122E0000415649204C495354E00700006864726C6176696838000000A086010000000000475C414E100600001A00RIFF....AVI LIST....hdrlavih8...........G\AN......
\ICON\1\1033 12604 44028 E404 2800000000010000000200000100200000000000004004000000000000000000000000000000000000000000000000000000(............. ......@............................
\ICON\2\1033 5662C 4428 5242C 2800000040000000800000000100200000000000004400000000000000000000000000000000000000000000000000000000(...@......... ......D............................
\DIALOG\2001\1033 5AA54 2F2 56854 0100FFFF0000000000000000C000CA80050000000000FA00C800000000004C006900630065006E0073006500000008000000..............................L.i.c.e.n.s.e.......
\DIALOG\2002\1033 5AD48 1B0 56B48 0100FFFF0000000000000000C000CA80050000000000F100420000000000540065006D0070006F0072006100720079002000........................B.....T.e.m.p.o.r.a.r.y. .
\DIALOG\2003\1033 5AEF8 166 56CF8 0100FFFF0000000000000000C000CA80050000000000C8003400000000004F00760065007200770072006900740065002000........................4.....O.v.e.r.w.r.i.t.e. .
\DIALOG\2004\1033 5B060 1C0 56E60 0100FFFF0000000000000000C000CA80060000000000FA005400000000004500780074007200610063007400000008000000........................T.....E.x.t.r.a.c.t.......
\DIALOG\2005\1033 5B220 130 57020 0100FFFF0000000000000000C000CA80040000000000FA005400000000004500780074007200610063007400000008000000........................T.....E.x.t.r.a.c.t.......
\DIALOG\2006\1033 5B350 120 57150 0100FFFF0000000000000000C000C880040000000000BA005F00000000005700610072006E0069006E006700000008000000........................_.....W.a.r.n.i.n.g.......
\STRING\63\1033 5B470 8C 57270 00000000000000000000000000000000340050006C0065006100730065002000730065006C00650063007400200061002000................4.P.l.e.a.s.e. .s.e.l.e.c.t. .a. .
\STRING\76\1033 5B4FC 520 572FC 43004600610069006C0065006400200074006F00200067006500740020006400690073006B00200073007000610063006500C.F.a.i.l.e.d. .t.o. .g.e.t. .d.i.s.k. .s.p.a.c.e.
\STRING\77\1033 5BA1C 5CC 5781C 210043006F0075006C00640020006E006F0074002000750070006400610074006500200066006F006C006400650072002000!.C.o.u.l.d. .n.o.t. .u.p.d.a.t.e. .f.o.l.d.e.r. .
\STRING\80\1033 5BFE8 4B0 57DE8 1F004500720072006F0072002000720065007400720069006500760069006E0067002000570069006E0064006F0077007300..E.r.r.o.r. .r.e.t.r.i.e.v.i.n.g. .W.i.n.d.o.w.s.
\STRING\83\1033 5C498 44A 58298 3B0043006F006D006D0061006E00640020006C0069006E00650020006F007000740069006F006E002000730079006E007400;.C.o.m.m.a.n.d. .l.i.n.e. .o.p.t.i.o.n. .s.y.n.t.
\STRING\85\1033 5C8E4 3CE 586E4 0000000000000000000000000000930059006F007500200064006F0020006E006F0074002000680061007600650020006100................Y.o.u. .d.o. .n.o.t. .h.a.v.e. .a.
\RCDATA\ADMQCMD\1033 5CCB4 7 58AB4 3C4E6F6E653E00<None>.
\RCDATA\CABINET\1033 5CCBC 14627B 58ABC 4D534346000000007B621400000000002C000000000000000301010002000000BF0600005F0000003D000315754A0D000000MSCF....{b......,..................._...=...uJ....
\RCDATA\EXTRACTOPT\1033 1A2F38 4 19ED38 03000000....
\RCDATA\FILESIZES\1033 1A2F3C 24 19ED3C 8D0700008D0700008E0700009007000098070000A0070000A0070000C0070000D5301E00.................................0..
\RCDATA\FINISHMSG\1033 1A2F60 7 19ED60 3C4E6F6E653E00<None>.
\RCDATA\LICENSE\1033 1A2F68 7 19ED68 3C4E6F6E653E00<None>.
\RCDATA\PACKINSTSPACE\1033 1A2F70 4 19ED70 00000000....
\RCDATA\POSTRUNPROGRAM\1033 1A2F74 7 19ED74 3C4E6F6E653E00<None>.
\RCDATA\REBOOT\1033 1A2F7C 4 19ED7C 00000000....
\RCDATA\RUNPROGRAM\1033 1A2F80 15 19ED80 2253746570732E6578652220416E616C7973657300"Steps.exe" Analyses.
\RCDATA\SHOWWINDOW\1033 1A2F98 4 19ED98 01000000....
\RCDATA\TITLE\1033 1A2F9C 9 19ED9C 506C61737469637300Plastics.
\RCDATA\UPROMPT\1033 1A2FA8 7 19EDA8 3C4E6F6E653E00<None>.
\RCDATA\USRQCMD\1033 1A2FB0 7 19EDB0 3C4E6F6E653E00<None>.
\GROUP_ICON\3000\1033 1A2FB8 22 19EDB8 00000100020000000000010020002840040001004040000001002000284400000200............ .(@....@@.... .(D....
\VERSION\1\1033 1A2FDC 408 19EDDC 080434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 1A33E4 7E6 19F1E4 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279<?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String
• advapi32.dll
• .INF
• Versionsetupx.dll
• setupapi.dll
• .BAT
• advpack.dll
• Kernel32.dll
• A:\msdownld.tmp
• TMP4351$.TMP
• wextract.pdb
• .bss
• KERNEL32.dll
• USER32.dll
• msvcrt.dll
• /?terminate@@YAXXZCOMCTL32.dll
• rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"Software\Microsoft\Windows\CurrentVersion\RunOnce
• rundll32.exe %s,InstallHinfSection %s 128 %s
• Command.com /c %s
• SHELL32.DLL
• "Steps.exe" Analyses
• WEXTRACT.EXE.MUI

Flow Anomalies
Offset RVA Section Description
58A N/A .text CALL QWORD PTR [RIP+0x8498]
60A N/A .text CALL QWORD PTR [RIP+0x8008]
62C N/A .text CALL QWORD PTR [RIP+0x802E]
679 N/A .text CALL QWORD PTR [RIP+0x7EF1]
695 N/A .text CALL QWORD PTR [RIP+0x83B5]
6A1 N/A .text CALL QWORD PTR [RIP+0x7EA1]
6B0 N/A .text CALL QWORD PTR [RIP+0x7FCA]
74E N/A .text CALL QWORD PTR [RIP+0x808C]
764 N/A .text CALL QWORD PTR [RIP+0x7DE6]
78D N/A .text CALL QWORD PTR [RIP+0x7D95]
7A1 N/A .text CALL QWORD PTR [RIP+0x7E59]
7BB N/A .text CALL QWORD PTR [RIP+0x8007]
7E9 N/A .text CALL QWORD PTR [RIP+0x7D39]
836 N/A .text CALL QWORD PTR [RIP+0x7D34]
861 N/A .text CALL QWORD PTR [RIP+0x7D19]
886 N/A .text CALL QWORD PTR [RIP+0x7CBC]
895 N/A .text CALL QWORD PTR [RIP+0x7DD5]
8A5 N/A .text CALL QWORD PTR [RIP+0x7D8D]
946 N/A .text CALL QWORD PTR [RIP+0x7FF4]
958 N/A .text CALL QWORD PTR [RIP+0x800A]
988 N/A .text CALL QWORD PTR [RIP+0x7FA2]
9A1 N/A .text CALL QWORD PTR [RIP+0x7FB1]
9B0 N/A .text CALL QWORD PTR [RIP+0x7F92]
C39 N/A .text CALL QWORD PTR [RIP+0x79B9]
C53 N/A .text CALL QWORD PTR [RIP+0x79AF]
CC0 N/A .text CALL QWORD PTR [RIP+0x7B02]
CFD N/A .text CALL QWORD PTR [RIP+0x7995]
D40 N/A .text CALL QWORD PTR [RIP+0x795A]
DAD N/A .text CALL QWORD PTR [RIP+0x7A45]
E50 N/A .text CALL QWORD PTR [RIP+0x77A2]
E8F N/A .text CALL QWORD PTR [RIP+0x7933]
ED8 N/A .text CALL QWORD PTR [RIP+0x78EA]
EF1 N/A .text CALL QWORD PTR [RIP+0x7711]
1022 N/A .text CALL QWORD PTR [RIP+0x77B8]
103B N/A .text CALL QWORD PTR [RIP+0x750F]
107C N/A .text CALL QWORD PTR [RIP+0x74E6]
10B3 N/A .text CALL QWORD PTR [RIP+0x74D7]
10C6 N/A .text CALL QWORD PTR [RIP+0x756C]
10F2 N/A .text CALL QWORD PTR [RIP+0x7858]
11BB N/A .text CALL QWORD PTR [RIP+0x739F]
1210 N/A .text CALL QWORD PTR [RIP+0x7362]
122F N/A .text CALL QWORD PTR [RIP+0x7353]
124D N/A .text CALL QWORD PTR [RIP+0x73BD]
126F N/A .text CALL QWORD PTR [RIP+0x73A3]
1291 N/A .text CALL QWORD PTR [RIP+0x73C9]
12AA N/A .text CALL QWORD PTR [RIP+0x73D0]
12C6 N/A .text CALL QWORD PTR [RIP+0x7344]
1322 N/A .text CALL QWORD PTR [RIP+0x74A0]
1365 N/A .text CALL QWORD PTR [RIP+0x7485]
137E N/A .text CALL QWORD PTR [RIP+0x7204]
13EE N/A .text CALL QWORD PTR [RIP+0x7164]
13FF N/A .text CALL QWORD PTR [RIP+0x7183]
140E N/A .text CALL QWORD PTR [RIP+0x725C]
14E6 N/A .text CALL QWORD PTR [RIP+0x72FC]
1545 N/A .text CALL QWORD PTR [RIP+0x7285]
1565 N/A .text CALL QWORD PTR [RIP+0x7265]
15BE N/A .text CALL QWORD PTR [RIP+0x7094]
15CE N/A .text CALL QWORD PTR [RIP+0x704C]
15E2 N/A .text CALL QWORD PTR [RIP+0x71F0]
15F9 N/A .text CALL QWORD PTR [RIP+0x7281]
1608 N/A .text CALL QWORD PTR [RIP+0x706A]
1672 N/A .text CALL QWORD PTR [RIP+0x6FD8]
16A1 N/A .text CALL QWORD PTR [RIP+0x6F99]
16B5 N/A .text CALL QWORD PTR [RIP+0x6F2D]
16D0 N/A .text CALL QWORD PTR [RIP+0x6F1A]
16E0 N/A .text CALL QWORD PTR [RIP+0x6FA2]
176E N/A .text CALL QWORD PTR [RIP+0x6DC4]
179D N/A .text CALL QWORD PTR [RIP+0x6DD5]
17B8 N/A .text CALL QWORD PTR [RIP+0x6DCA]
17EF N/A .text CALL QWORD PTR [RIP+0x6D43]
1837 N/A .text CALL QWORD PTR [RIP+0x6D03]
1895 N/A .text CALL QWORD PTR [RIP+0x6DB5]
1A63 N/A .text CALL QWORD PTR [RIP+0x6EF7]
1A75 N/A .text CALL QWORD PTR [RIP+0x6EAD]
1A84 N/A .text CALL QWORD PTR [RIP+0x6E9E]
1B25 N/A .text CALL QWORD PTR [RIP+0x6A0D]
1B5C N/A .text CALL QWORD PTR [RIP+0x6A16]
1B83 N/A .text CALL QWORD PTR [RIP+0x6C37]
1BBA N/A .text CALL QWORD PTR [RIP+0x69C8]
1BD0 N/A .text CALL QWORD PTR [RIP+0x6A7A]
1BE6 N/A .text CALL QWORD PTR [RIP+0x6A24]
1CAD N/A .text CALL QWORD PTR [RIP+0x6CDD]
1CCA N/A .text CALL QWORD PTR [RIP+0x6958]
1CE5 N/A .text CALL QWORD PTR [RIP+0x697D]
1D0D N/A .text CALL QWORD PTR [RIP+0x6C85]
1D33 N/A .text CALL QWORD PTR [RIP+0x6C4F]
1DDD N/A .text CALL QWORD PTR [RIP+0x68C5]
1DF1 N/A .text CALL QWORD PTR [RIP+0x68B1]
1E45 N/A .text CALL QWORD PTR [RIP+0x67E5]
1EB3 N/A .text CALL QWORD PTR [RIP+0x6937]
1ECF N/A .text CALL QWORD PTR [RIP+0x6773]
1EF5 N/A .text CALL QWORD PTR [RIP+0x6A2D]
1F08 N/A .text CALL QWORD PTR [RIP+0x6A52]
1F44 N/A .text CALL QWORD PTR [RIP+0x69EE]
1FA0 N/A .text CALL QWORD PTR [RIP+0x69BA]
1FFA N/A .text CALL QWORD PTR [RIP+0x6928]
200C N/A .text CALL QWORD PTR [RIP+0x6916]
206A N/A .text CALL QWORD PTR [RIP+0x66A8]
2087 N/A .text CALL QWORD PTR [RIP+0x66FB]
20A2 N/A .text CALL QWORD PTR [RIP+0x65B8]
17228-17239 N/A .rsrc Potential obfuscated jump sequence detected, count: 9
49E1A-49E3F N/A .rsrc Potential obfuscated jump sequence detected, count: 19
Extra Analysis
Metric Value Percentage
Ascii Code 1068452 62,7426%
Null Byte Code 135878 7,9792%
© 2026 All rights reserved.