PESCAN.IO - Analysis Report

File Structure:
Information:
Size: 180,00 KB
SHA-256 Hash: 2AFCA08AC79FF4B4991DB6D885379D7488AD33BD314D1193FFCDFFE77CE94289
SHA-1 Hash: 5E0118EC44594F2E7A1DCA6319B6DC1A428A54FD
MD5 Hash: 670CF73981937D251258950882E8D94B
Imphash: 89A4228E8581F783C2AB1992D9178F8E
MajorOSVersion: 10
CheckSum: 00037766
EntryPoint (rva): 1140
SizeOfHeaders: 1000
SizeOfImage: 2E000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: C464
Characteristics: 22
TimeDateStamp: B27519FD
Date: 15/11/2064 23:53:33
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, fothk, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 2
Subsystem: Windows GUI

Sections Info:
Section Name  Flags                  ROffset  RSize  VOffset  VSize
.text         60000020 (Executable)  1000     9000   1000     8040
fothk         60000020 (Executable)  A000     1000   A000     1000
.rdata        40000040               B000     3000   B000     250A
.data         C0000040 (Writeable)   E000     1000   E000     1F60
.pdata        40000040               F000     1000   10000    450
.rsrc         40000040               10000    1C000  11000    1C000
.reloc        42000040               2C000    1000   2D000    88
Description:
InternalName: Wextract
OriginalFilename: WEXTRACT.EXE.MUI
CompanyName: Microsoft Corporation
LegalCopyright: Microsoft Corporation. All rights reserved.
ProductName: Internet Explorer
FileVersion: 11.00.26100.1 (WinBuild.160101.0800)

Entry Point:
Section number (1) contains the Entry Point
Information -> EntryPoint (calculated) - 1140
Code -> 4883EC28E89B0700004883C428E906000000CCCCCCCCCCCC48895C240848897C241041564881ECB000000033C08944244433
SUB RSP, 0X28
CALL 0X17A4
ADD RSP, 0X28
JMP 0X1018
INT3
INT3
INT3
INT3
INT3
INT3
MOV QWORD PTR [RSP + 8], RBX
MOV QWORD PTR [RSP + 0X10], RDI
PUSH R14
SUB RSP, 0XB0
XOR EAX, EAX
MOV DWORD PTR [RSP + 0X44], EAX

Signatures:
Rich Signature Analyzer:
Code -> 784FCC893C2EA2DA3C2EA2DA3C2EA2DA4EAFA7DB3D2EA2DA3C2EA2DA3D2EA2DA4EAFA1DB382EA2DA4EAFA6DB282EA2DA4EAFA3DB2D2EA2DA3C2EA3DA9D2EA2DA4EAFAADB362EA2DA4EAF5DDA3D2EA2DA4EAFA0DB3D2EA2DA526963683C2EA2DA
Footprint md5 Hash -> 7C11EE3A0010765B7A988F2FEDD0B8FA
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): sfx: Microsoft Cabinet(11.0.26100.1)[-]
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): archive: Microsoft Cabinet File(1.03)[LZX,62.3%,1 file]
PE+(64): linker: Microsoft Linker(14.38**)[EXE64]
Entropy: 6.28273

Suspicious Functions:
Library Function Description
KERNEL32.DLL GetProcAddress | Possible Call API By Name Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateMutexA Create a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL GetModuleFileNameA Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL DeleteFileA Deletes an existing file.
USER32.DLL CallWindowProcA Invokes the window procedure for the specified window and messages.
ADVAPI32.DLL DecryptFileA Decrypt a file previously encrypted by the EncryptFile function.
ADVAPI32.DLL RegCreateKeyExA Creates a new registry key or opens an existing one.
ADVAPI32.DLL RegSetValueExA Sets the data and type of a specified value under a registry key.
ADVAPI32.DLL RegDeleteValueA Removes a named value from the specified registry key. Note that value names are not case sensitive.
Windows REG:
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows\CurrentVersion\RunOnce
System\CurrentControlSet\Control\Session Manager
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access:
rundll32.exe
SHELL32.DLL
rundll32.exe %sadvpack.dll
VERSION.dll
Cabinet.dll
COMCTL32.dll
msvcrt.dll
USER32.dll
GDI32.dll
KERNEL32.dll
ADVAPI32.dll
advpack.dll
setupapi.dll
setupx.dll
invoul.bat
.BAT
wininit.ini
Temp

File Access (UNICODE):
Kernel32.dll
kernelbase.dll
7Could not load Shell32.dll
incorrect version of advpack.dll
Temp

Words of Interest:
PADDINGX
Decrypt
exec
attrib
start
shutdown
rundll32
systeminfo
rundll
expand

Words of Interest (UNICODE):
start
shutdown
ping

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)

Strings/Hex Code Found With The File Rules:
Rule Text (Unicode): WinAPI Sockets (accept)
Rule Text (Ascii): Registry (RegCreateKeyEx)
Rule Text (Ascii): Registry (RegOpenKeyEx)
Rule Text (Ascii): Registry (RegSetValueEx)
Rule Text (Ascii): File (GetTempPath)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Execution (CreateProcessA)
Rule Text (Ascii): Privileges (SeShutdownPrivilege)
EP Rules: Microsoft Visual C++ 8.0 (DLL)

Resources:
Path DataRVA Size FileOffset CodeText
\AVI\3001\1033 119F8 2E1A 109F8 52494646122E0000415649204C495354E00700006864726C6176696838000000A086010000000000475C414E100600001A00RIFF....AVI LIST....hdrlavih8...........G\AN......
\ICON\1\1033 14814 668 13814 2800000030000000600000000100040000000000800400000000000000000000000000000000000000000000000080000080(...0............................................
\ICON\2\1033 14E7C 2E8 13E7C 2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080(... ...@.........................................
\ICON\3\1033 15164 1E8 14164 2800000018000000300000000100040000000000200100000000000000000000000000000000000000000000000080000080(.......0........... .............................
\ICON\4\1033 1534C 128 1434C 2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080(....... .........................................
\ICON\5\1033 15474 EA8 14474 2800000030000000600000000100080000000000000900000000000000000000000100000001000000000000161617001D1D(...0............................................
\ICON\6\1033 1631C 8A8 1531C 28000000200000004000000001000800000000000004000000000000000000000001000000010000000000004B4A49005051(... ...@...................................KJI.PQ
\ICON\7\1033 16BC4 6C8 15BC4 2800000018000000300000000100080000000000400200000000000000000000000100000001000000000000363636003A3A(.......0...........@.......................666.::
\ICON\8\1033 1728C 568 1628C 280000001000000020000000010008000000000000010000000000000000000000010000000100000000000049494B005B5B(....... ...................................IIK.[[
\ICON\9\1033 177F4 D9D2 167F4 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000200049444154789CECBD79AC2CD97D.PNG........IHDR.............\r.f.. .IDATx...y.,.}
\ICON\10\1033 251C8 25A8 241C8 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000(...0........ ......%............................
\ICON\11\1033 27770 10A8 26770 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000(... ...@..... ...................................
\ICON\12\1033 28818 988 27818 2800000018000000300000000100200000000000600900000000000000000000000000000000000000000000000000000000(.......0..... ..................................
\ICON\13\1033 291A0 468 281A0 28000000100000002000000001002000000000004004000000000000000000000000000000000000000000FF7E7E7EFF7E7E(....... ..... .....@.......................~~~.~~
\DIALOG\2001\1033 29608 2F2 28608 0100FFFF0000000000000000C000CA80050000000000FA00C800000000004C006900630065006E0073006500000008000000..............................L.i.c.e.n.s.e.......
\DIALOG\2002\1033 298FC 1B0 288FC 0100FFFF0000000000000000C000CA80050000000000F100420000000000540065006D0070006F0072006100720079002000........................B.....T.e.m.p.o.r.a.r.y. .
\DIALOG\2003\1033 29AAC 166 28AAC 0100FFFF0000000000000000C000CA80050000000000C8003400000000004F00760065007200770072006900740065002000........................4.....O.v.e.r.w.r.i.t.e. .
\DIALOG\2004\1033 29C14 1C0 28C14 0100FFFF0000000000000000C000CA80060000000000FA005400000000004500780074007200610063007400000008000000........................T.....E.x.t.r.a.c.t.......
\DIALOG\2005\1033 29DD4 130 28DD4 0100FFFF0000000000000000C000CA80040000000000FA005400000000004500780074007200610063007400000008000000........................T.....E.x.t.r.a.c.t.......
\DIALOG\2006\1033 29F04 120 28F04 0100FFFF0000000000000000C000C880040000000000BA005F00000000005700610072006E0069006E006700000008000000........................_.....W.a.r.n.i.n.g.......
\STRING\63\1033 2A024 8C 29024 00000000000000000000000000000000340050006C0065006100730065002000730065006C00650063007400200061002000................4.P.l.e.a.s.e. .s.e.l.e.c.t. .a. .
\STRING\76\1033 2A0B0 520 290B0 43004600610069006C0065006400200074006F00200067006500740020006400690073006B00200073007000610063006500C.F.a.i.l.e.d. .t.o. .g.e.t. .d.i.s.k. .s.p.a.c.e.
\STRING\77\1033 2A5D0 5CC 295D0 210043006F0075006C00640020006E006F0074002000750070006400610074006500200066006F006C006400650072002000!.C.o.u.l.d. .n.o.t. .u.p.d.a.t.e. .f.o.l.d.e.r. .
\STRING\80\1033 2AB9C 4B0 29B9C 1F004500720072006F0072002000720065007400720069006500760069006E0067002000570069006E0064006F0077007300..E.r.r.o.r. .r.e.t.r.i.e.v.i.n.g. .W.i.n.d.o.w.s.
\STRING\83\1033 2B04C 44A 2A04C 3B0043006F006D006D0061006E00640020006C0069006E00650020006F007000740069006F006E002000730079006E007400;.C.o.m.m.a.n.d. .l.i.n.e. .o.p.t.i.o.n. .s.y.n.t.
\STRING\85\1033 2B498 3CE 2A498 0000000000000000000000000000930059006F007500200064006F0020006E006F0074002000680061007600650020006100................Y.o.u. .d.o. .n.o.t. .h.a.v.e. .a.
\RCDATA\ADMQCMD\1033 2B868 7 2A868 3C4E6F6E653E00504D53434600000000C5010000000000002C00000000000000030101000100000002040000470000000100<None>.PMSCF............,...................G.....
\RCDATA\CABINET\1033 2B870 1C5 2A870 4D53434600000000C5010000000000002C000000000000000301010001000000020400004700000001000315650200000000MSCF............,...................G.......e.....
\RCDATA\EXTRACTOPT\1033 2BA38 4 2AA38 030000000100000001000000020000000400000008000000100000002000000040000000650200003C4E6F6E653E00503C4E............................ ...@...e...<None>.P<N
\RCDATA\FILESIZES\1033 2BA3C 24 2AA3C 0100000001000000020000000400000008000000100000002000000040000000650200003C4E6F6E653E00503C4E6F6E653E........................ ...@...e...<None>.P<None>
\RCDATA\FINISHMSG\1033 2BA60 7 2AA60 3C4E6F6E653E00503C4E6F6E653E0050000000003C4E6F6E653E005000000000636D64202F632022696E766F756C2E626174<None>.P<None>.P....<None>.P....cmd /c "invoul.bat
\RCDATA\LICENSE\1033 2BA68 7 2AA68 3C4E6F6E653E0050000000003C4E6F6E653E005000000000636D64202F632022696E766F756C2E6261742200000000002D00<None>.P....<None>.P....cmd /c "invoul.bat".....-.
\RCDATA\PACKINSTSPACE\1033 2BA70 4 2AA70 000000003C4E6F6E653E005000000000636D64202F632022696E766F756C2E6261742200000000002D0050413C4E6F6E653E....<None>.P....cmd /c "invoul.bat".....-.PA<None>
\RCDATA\POSTRUNPROGRAM\1033 2BA74 7 2AA74 3C4E6F6E653E005000000000636D64202F632022696E766F756C2E6261742200000000002D0050413C4E6F6E653E00502555<None>.P....cmd /c "invoul.bat".....-.PA<None>.P%U
\RCDATA\REBOOT\1033 2BA7C 4 2AA7C 00000000636D64202F632022696E766F756C2E6261742200000000002D0050413C4E6F6E653E005025557365725175696574....cmd /c "invoul.bat".....-.PA<None>.P%UserQuiet
\RCDATA\RUNPROGRAM\1033 2BA80 14 2AA80 636D64202F632022696E766F756C2E6261742200000000002D0050413C4E6F6E653E005025557365725175696574496E7374cmd /c "invoul.bat".....-.PA<None>.P%UserQuietInst
\RCDATA\SHOWWINDOW\1033 2BA94 4 2AA94 000000002D0050413C4E6F6E653E005025557365725175696574496E7374436D64250050000001000D003030100001000400....-.PA<None>.P%UserQuietInstCmd%.P......00......
\RCDATA\TITLE\1033 2BA98 2 2AA98 2D0050413C4E6F6E653E005025557365725175696574496E7374436D64250050000001000D00303010000100040068060000-.PA<None>.P%UserQuietInstCmd%.P......00......h...
\RCDATA\UPROMPT\1033 2BA9C 7 2AA9C 3C4E6F6E653E005025557365725175696574496E7374436D64250050000001000D0030301000010004006806000001002020<None>.P%UserQuietInstCmd%.P......00......h.....
\RCDATA\USRQCMD\1033 2BAA4 13 2AAA4 25557365725175696574496E7374436D64250050000001000D0030301000010004006806000001002020100001000400E802%UserQuietInstCmd%.P......00......h..... ........
\GROUP_ICON\3000\1033 2BAB8 BC 2AAB8 000001000D0030301000010004006806000001002020100001000400E802000002001818100001000400E801000003001010......00......h..... ............................
\VERSION\1\1033 2BB74 408 2AB74 080434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 2BF7C 7E6 2AF7C 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279<?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String:
• advapi32.dll
• .INF
• Versionsetupx.dll
• setupapi.dll
• .BAT
• advpack.dll
• Kernel32.dll
• kernelbase.dll
• A:\msdownld.tmp
• TMP4351$.TMP
• wextract.pdb
• .bss
• KERNEL32.dll
• USER32.dll
• msvcrt.dll
• rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"Software\Microsoft\Windows\CurrentVersion\RunOnce
• rundll32.exe %s,InstallHinfSection %s 128 %s
• Command.com /c %s
• SHELL32.DLL
• cmd /c "invoul.bat"
• WEXTRACT.EXE.MUI

Extra Analysis:
Metric          Value  Percentage
Ascii Code      92722  50,3049%
Null Byte Code  53686  29,1265%