PESCAN.IO - Analysis Report |
|||||
| File Structure: | |||||
|
|||||
| Information: |
Icon: Size: 180,00 KBSHA-256 Hash: 2AFCA08AC79FF4B4991DB6D885379D7488AD33BD314D1193FFCDFFE77CE94289 SHA-1 Hash: 5E0118EC44594F2E7A1DCA6319B6DC1A428A54FD MD5 Hash: 670CF73981937D251258950882E8D94B Imphash: 89A4228E8581F783C2AB1992D9178F8E MajorOSVersion: 10 CheckSum: 00037766 EntryPoint (rva): 1140 SizeOfHeaders: 1000 SizeOfImage: 2E000 ImageBase: 0000000140000000 Architecture: x64 ImportTable: C464 Characteristics: 22 TimeDateStamp: B27519FD Date: 15/11/2064 23:53:33 File Type: EXE Number Of Sections: 7 ASLR: Disabled Section Names (Optional Header): .text, fothk, .rdata, .data, .pdata, .rsrc, .reloc Number Of Executable Sections: 2 Subsystem: Windows GUI |
| Sections Info: |
| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| .text | 60000020 (Executable) | 1000 | 9000 | 1000 | 8040 |
| fothk | 60000020 (Executable) | A000 | 1000 | A000 | 1000 |
| .rdata | 40000040 | B000 | 3000 | B000 | 250A |
| .data | C0000040 (Writeable) | E000 | 1000 | E000 | 1F60 |
| .pdata | 40000040 | F000 | 1000 | 10000 | 450 |
| .rsrc | 40000040 | 10000 | 1C000 | 11000 | 1C000 |
| .reloc | 42000040 | 2C000 | 1000 | 2D000 | 88 |
| Description: |
| InternalName: Wextract OriginalFilename: WEXTRACT.EXE.MUI CompanyName: Microsoft Corporation LegalCopyright: Microsoft Corporation. All rights reserved. ProductName: Internet Explorer FileVersion: 11.00.26100.1 (WinBuild.160101.0800) |
| Entry Point: |
| The section number (1) have the Entry Point Information -> EntryPoint (calculated) - 1140 Code -> 4883EC28E89B0700004883C428E906000000CCCCCCCCCCCC48895C240848897C241041564881ECB000000033C08944244433 • SUB RSP, 0X28 • CALL 0X17A4 • ADD RSP, 0X28 • JMP 0X1018 • INT3 • INT3 • INT3 • INT3 • INT3 • INT3 • MOV QWORD PTR [RSP + 8], RBX • MOV QWORD PTR [RSP + 0X10], RDI • PUSH R14 • SUB RSP, 0XB0 • XOR EAX, EAX • MOV DWORD PTR [RSP + 0X44], EAX |
| Signatures: |
| Rich Signature Analyzer: Code -> 784FCC893C2EA2DA3C2EA2DA3C2EA2DA4EAFA7DB3D2EA2DA3C2EA2DA3D2EA2DA4EAFA1DB382EA2DA4EAFA6DB282EA2DA4EAFA3DB2D2EA2DA3C2EA3DA9D2EA2DA4EAFAADB362EA2DA4EAF5DDA3D2EA2DA4EAFA0DB3D2EA2DA526963683C2EA2DA Footprint md5 Hash -> 7C11EE3A0010765B7A988F2FEDD0B8FA • The Rich header apparently has not been modified Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler: |
| Compiler: Microsoft Visual Studio Detect It Easy (die) • PE+(64): sfx: Microsoft Cabinet(11.0.26100.1)[-] • PE+(64): compiler: Microsoft Visual C/C++(-)[-] • PE+(64): archive: Microsoft Cabinet File(1.03)[LZX,62.3%,1 file] • PE+(64): linker: Microsoft Linker(14.38**)[EXE64] • Entropy: 6.28273 |
| Suspicious Functions: |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetProcAddress | Possible Call API By Name | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateMutexA | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| USER32.DLL | CallWindowProcA | Invokes the window procedure for the specified window and messages. |
| ADVAPI32.DLL | DecryptFileA | Decrypt a file previously encrypted by the EncryptFile function. |
| ADVAPI32.DLL | RegCreateKeyExA | Creates a new registry key or opens an existing one. |
| ADVAPI32.DLL | RegSetValueExA | Sets the data and type of a specified value under a registry key. |
| ADVAPI32.DLL | RegDeleteValueA | Removes a named value from the specified registry key. Note that value names are not case sensitive. |
| Windows REG: |
| Software\Microsoft\Windows\CurrentVersion\App Paths Software\Microsoft\Windows\CurrentVersion\RunOnce System\CurrentControlSet\Control\Session Manager System\CurrentControlSet\Control\Session Manager\FileRenameOperations Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| File Access: |
| rundll32.exe SHELL32.DLL rundll32.exe %sadvpack.dll VERSION.dll Cabinet.dll COMCTL32.dll msvcrt.dll USER32.dll GDI32.dll KERNEL32.dll ADVAPI32.dll advpack.dll setupapi.dll setupx.dll invoul.bat .BAT wininit.ini Temp |
| File Access (UNICODE): |
| Kernel32.dll kernelbase.dll 7Could not load Shell32.dll incorrect version of advpack.dll Temp |
| Interest's Words: |
| PADDINGX Decrypt exec attrib start shutdown rundll32 systeminfo rundll expand |
| Interest's Words (UNICODE): |
| start shutdown ping |
| Payloads: |
| Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...) |
| Strings/Hex Code Found With The File Rules: |
| • Rule Text (Unicode): WinAPI Sockets (accept) • Rule Text (Ascii): Registry (RegCreateKeyEx) • Rule Text (Ascii): Registry (RegOpenKeyEx) • Rule Text (Ascii): Registry (RegSetValueEx) • Rule Text (Ascii): File (GetTempPath) • Rule Text (Ascii): File (CreateFile) • Rule Text (Ascii): File (WriteFile) • Rule Text (Ascii): File (ReadFile) • Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo) • Rule Text (Ascii): Anti-Analysis VM (GetVersion) • Rule Text (Ascii): Execution (CreateProcessA) • Rule Text (Ascii): Privileges (SeShutdownPrivilege) • EP Rules: Microsoft Visual C++ 8.0 (DLL) |
| Resources: |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \AVI\3001\1033 | 119F8 | 2E1A | 109F8 | 52494646122E0000415649204C495354E00700006864726C6176696838000000A086010000000000475C414E100600001A00 | RIFF....AVI LIST....hdrlavih8...........G\AN...... |
| \ICON\1\1033 | 14814 | 668 | 13814 | 2800000030000000600000000100040000000000800400000000000000000000000000000000000000000000000080000080 | (...0............................................ |
| \ICON\2\1033 | 14E7C | 2E8 | 13E7C | 2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \ICON\3\1033 | 15164 | 1E8 | 14164 | 2800000018000000300000000100040000000000200100000000000000000000000000000000000000000000000080000080 | (.......0........... ............................. |
| \ICON\4\1033 | 1534C | 128 | 1434C | 2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
| \ICON\5\1033 | 15474 | EA8 | 14474 | 2800000030000000600000000100080000000000000900000000000000000000000100000001000000000000161617001D1D | (...0............................................ |
| \ICON\6\1033 | 1631C | 8A8 | 1531C | 28000000200000004000000001000800000000000004000000000000000000000001000000010000000000004B4A49005051 | (... ...@...................................KJI.PQ |
| \ICON\7\1033 | 16BC4 | 6C8 | 15BC4 | 2800000018000000300000000100080000000000400200000000000000000000000100000001000000000000363636003A3A | (.......0...........@.......................666.:: |
| \ICON\8\1033 | 1728C | 568 | 1628C | 280000001000000020000000010008000000000000010000000000000000000000010000000100000000000049494B005B5B | (....... ...................................IIK.[[ |
| \ICON\9\1033 | 177F4 | D9D2 | 167F4 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000200049444154789CECBD79AC2CD97D | .PNG........IHDR.............\r.f.. .IDATx...y.,.} |
| \ICON\10\1033 | 251C8 | 25A8 | 241C8 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................ |
| \ICON\11\1033 | 27770 | 10A8 | 26770 | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\12\1033 | 28818 | 988 | 27818 | 2800000018000000300000000100200000000000600900000000000000000000000000000000000000000000000000000000 | (.......0..... .................................. |
| \ICON\13\1033 | 291A0 | 468 | 281A0 | 28000000100000002000000001002000000000004004000000000000000000000000000000000000000000FF7E7E7EFF7E7E | (....... ..... .....@.......................~~~.~~ |
| \DIALOG\2001\1033 | 29608 | 2F2 | 28608 | 0100FFFF0000000000000000C000CA80050000000000FA00C800000000004C006900630065006E0073006500000008000000 | ..............................L.i.c.e.n.s.e....... |
| \DIALOG\2002\1033 | 298FC | 1B0 | 288FC | 0100FFFF0000000000000000C000CA80050000000000F100420000000000540065006D0070006F0072006100720079002000 | ........................B.....T.e.m.p.o.r.a.r.y. . |
| \DIALOG\2003\1033 | 29AAC | 166 | 28AAC | 0100FFFF0000000000000000C000CA80050000000000C8003400000000004F00760065007200770072006900740065002000 | ........................4.....O.v.e.r.w.r.i.t.e. . |
| \DIALOG\2004\1033 | 29C14 | 1C0 | 28C14 | 0100FFFF0000000000000000C000CA80060000000000FA005400000000004500780074007200610063007400000008000000 | ........................T.....E.x.t.r.a.c.t....... |
| \DIALOG\2005\1033 | 29DD4 | 130 | 28DD4 | 0100FFFF0000000000000000C000CA80040000000000FA005400000000004500780074007200610063007400000008000000 | ........................T.....E.x.t.r.a.c.t....... |
| \DIALOG\2006\1033 | 29F04 | 120 | 28F04 | 0100FFFF0000000000000000C000C880040000000000BA005F00000000005700610072006E0069006E006700000008000000 | ........................_.....W.a.r.n.i.n.g....... |
| \STRING\63\1033 | 2A024 | 8C | 29024 | 00000000000000000000000000000000340050006C0065006100730065002000730065006C00650063007400200061002000 | ................4.P.l.e.a.s.e. .s.e.l.e.c.t. .a. . |
| \STRING\76\1033 | 2A0B0 | 520 | 290B0 | 43004600610069006C0065006400200074006F00200067006500740020006400690073006B00200073007000610063006500 | C.F.a.i.l.e.d. .t.o. .g.e.t. .d.i.s.k. .s.p.a.c.e. |
| \STRING\77\1033 | 2A5D0 | 5CC | 295D0 | 210043006F0075006C00640020006E006F0074002000750070006400610074006500200066006F006C006400650072002000 | !.C.o.u.l.d. .n.o.t. .u.p.d.a.t.e. .f.o.l.d.e.r. . |
| \STRING\80\1033 | 2AB9C | 4B0 | 29B9C | 1F004500720072006F0072002000720065007400720069006500760069006E0067002000570069006E0064006F0077007300 | ..E.r.r.o.r. .r.e.t.r.i.e.v.i.n.g. .W.i.n.d.o.w.s. |
| \STRING\83\1033 | 2B04C | 44A | 2A04C | 3B0043006F006D006D0061006E00640020006C0069006E00650020006F007000740069006F006E002000730079006E007400 | ;.C.o.m.m.a.n.d. .l.i.n.e. .o.p.t.i.o.n. .s.y.n.t. |
| \STRING\85\1033 | 2B498 | 3CE | 2A498 | 0000000000000000000000000000930059006F007500200064006F0020006E006F0074002000680061007600650020006100 | ................Y.o.u. .d.o. .n.o.t. .h.a.v.e. .a. |
| \RCDATA\ADMQCMD\1033 | 2B868 | 7 | 2A868 | 3C4E6F6E653E00504D53434600000000C5010000000000002C00000000000000030101000100000002040000470000000100 | <None>.PMSCF............,...................G..... |
| \RCDATA\CABINET\1033 | 2B870 | 1C5 | 2A870 | 4D53434600000000C5010000000000002C000000000000000301010001000000020400004700000001000315650200000000 | MSCF............,...................G.......e..... |
| \RCDATA\EXTRACTOPT\1033 | 2BA38 | 4 | 2AA38 | 030000000100000001000000020000000400000008000000100000002000000040000000650200003C4E6F6E653E00503C4E | ............................ ...@...e...<None>.P<N |
| \RCDATA\FILESIZES\1033 | 2BA3C | 24 | 2AA3C | 0100000001000000020000000400000008000000100000002000000040000000650200003C4E6F6E653E00503C4E6F6E653E | ........................ ...@...e...<None>.P<None> |
| \RCDATA\FINISHMSG\1033 | 2BA60 | 7 | 2AA60 | 3C4E6F6E653E00503C4E6F6E653E0050000000003C4E6F6E653E005000000000636D64202F632022696E766F756C2E626174 | <None>.P<None>.P....<None>.P....cmd /c "invoul.bat |
| \RCDATA\LICENSE\1033 | 2BA68 | 7 | 2AA68 | 3C4E6F6E653E0050000000003C4E6F6E653E005000000000636D64202F632022696E766F756C2E6261742200000000002D00 | <None>.P....<None>.P....cmd /c "invoul.bat".....-. |
| \RCDATA\PACKINSTSPACE\1033 | 2BA70 | 4 | 2AA70 | 000000003C4E6F6E653E005000000000636D64202F632022696E766F756C2E6261742200000000002D0050413C4E6F6E653E | ....<None>.P....cmd /c "invoul.bat".....-.PA<None> |
| \RCDATA\POSTRUNPROGRAM\1033 | 2BA74 | 7 | 2AA74 | 3C4E6F6E653E005000000000636D64202F632022696E766F756C2E6261742200000000002D0050413C4E6F6E653E00502555 | <None>.P....cmd /c "invoul.bat".....-.PA<None>.P%U |
| \RCDATA\REBOOT\1033 | 2BA7C | 4 | 2AA7C | 00000000636D64202F632022696E766F756C2E6261742200000000002D0050413C4E6F6E653E005025557365725175696574 | ....cmd /c "invoul.bat".....-.PA<None>.P%UserQuiet |
| \RCDATA\RUNPROGRAM\1033 | 2BA80 | 14 | 2AA80 | 636D64202F632022696E766F756C2E6261742200000000002D0050413C4E6F6E653E005025557365725175696574496E7374 | cmd /c "invoul.bat".....-.PA<None>.P%UserQuietInst |
| \RCDATA\SHOWWINDOW\1033 | 2BA94 | 4 | 2AA94 | 000000002D0050413C4E6F6E653E005025557365725175696574496E7374436D64250050000001000D003030100001000400 | ....-.PA<None>.P%UserQuietInstCmd%.P......00...... |
| \RCDATA\TITLE\1033 | 2BA98 | 2 | 2AA98 | 2D0050413C4E6F6E653E005025557365725175696574496E7374436D64250050000001000D00303010000100040068060000 | -.PA<None>.P%UserQuietInstCmd%.P......00......h... |
| \RCDATA\UPROMPT\1033 | 2BA9C | 7 | 2AA9C | 3C4E6F6E653E005025557365725175696574496E7374436D64250050000001000D0030301000010004006806000001002020 | <None>.P%UserQuietInstCmd%.P......00......h..... |
| \RCDATA\USRQCMD\1033 | 2BAA4 | 13 | 2AAA4 | 25557365725175696574496E7374436D64250050000001000D0030301000010004006806000001002020100001000400E802 | %UserQuietInstCmd%.P......00......h..... ........ |
| \GROUP_ICON\3000\1033 | 2BAB8 | BC | 2AAB8 | 000001000D0030301000010004006806000001002020100001000400E802000002001818100001000400E801000003001010 | ......00......h..... ............................ |
| \VERSION\1\1033 | 2BB74 | 408 | 2AB74 | 080434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 2BF7C | 7E6 | 2AF7C | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String: |
| • advapi32.dll • .INF • Versionsetupx.dll • setupapi.dll • .BAT • advpack.dll • Kernel32.dll • kernelbase.dll • A:\msdownld.tmp • TMP4351$.TMP • wextract.pdb • .bss • KERNEL32.dll • USER32.dll • msvcrt.dll • rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"Software\Microsoft\Windows\CurrentVersion\RunOnce • rundll32.exe %s,InstallHinfSection %s 128 %s • Command.com /c %s • SHELL32.DLL • cmd /c "invoul.bat" • WEXTRACT.EXE.MUI |
| Extra 4n4lysis: |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 92722 | 50,3049% |
| Null Byte Code | 53686 | 29,1265% |
© 2025 All rights reserved.