PESCAN.IO - Analysis Report (Valid Code)

File Structure: [file structure image not captured]
Information:

Field | Value
---|---
Size | 1,52 MB
SHA-256 Hash | 0DF13FD42FB4A4374981474EA87895A3830EDDCC7F3BD494E76ACD604C4004F7
SHA-1 Hash | 501E5CC4CB65D55CFF934E7447528FEF5243578D
MD5 Hash | 8E7DED0089B6ADFDD951B5D8175078F7
Imphash | DAE02F32A21E03CE65412F6E56942DAA
MajorOSVersion | 4
CheckSum | 00000000
EntryPoint (rva) | 1856FE
SizeOfHeaders | 200
SizeOfImage | 18A000
ImageBase | 10000000
Architecture | x86
ImportTable | 1856B0
Characteristics | 2022
TimeDateStamp | 67EAFA5F
Date | 31/03/2025 20:26:07
File Type | DLL
Number Of Sections | 3
ASLR | Disabled
Section Names | .text, .rsrc, .reloc
Number Of Executable Sections | 1
Subsystem | Windows Console
Sections Info:
Section Name | Flags | ROffset | RSize | VOffset | VSize |
---|---|---|---|---|---|
.text | 60000020 (Executable) | 200 | 183800 | 2000 | 183704 |
.rsrc | 40000040 | 183A00 | 400 | 186000 | 400 |
.reloc | 42000040 | 183E00 | 200 | 188000 | C |
Description:

Field | Value
---|---
InternalName | Microsoft.Win32.TaskScheduler.dll
OriginalFilename | Microsoft.Win32.TaskScheduler.dll
CompanyName | Robson Felix
LegalCopyright | Copyright Robson Felix 2017
ProductName | VMDetector
FileVersion | 1.1.0.0
Binder/Joiner/Crypter:
3 Executable files found
Entry Point:
Section 1 (.text) contains the Entry Point.
EntryPoint (calculated): 1838FE
Code: FF25002000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Disassembly:
• JMP DWORD PTR [0X10002000]
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
EP changed to another address -> (Address Of EntryPoint > Base Of Data)
Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed
Packer/Compiler:
Compiler: Microsoft Visual .NET (a decompiler can be used for this)
• AnyCPU: True
• Version: v4.0
Detect It Easy (die):
• PE: library: .NET(v4.0.30319)[-]
• PE: compiler: VB.NET(-)[-]
• PE: linker: Microsoft Linker(48.0)[DLL32,console]
• Entropy: 5.89667
Suspicious Functions:
Library | Function | Description |
---|---|---|
KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
KERNEL32.DLL | ReadProcessMemory | Reads data from an area of memory in a specified process. |
NtosKrnl.exe | ZwUnmapViewOfSection | Unmaps a mapped view of a section from a process's address space. |
Windows REG (UNICODE):
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System
File Access:
Type(Microsoft.Win32.TaskScheduler.Exe mscoree.dll Microsoft.Win32.TaskScheduler.dll ntdll.dll ntdsapi.dll UAC.dll user32.dll kernel32.dll advapi32.dll System.Web.Scr System.Diagnostics.SymbolStore.ISymbolDocument.Doc Temp
File Access (UNICODE):
UAC.dll TaskScheduler.dll ntdsapi.dll \Windows\System32\cmd.exe taskkill /IM cmstp.exe 3cmstp.exe cmstp.exe wscript.exe mcmd.exe Exec - cmd.exe /c powershell -command "schtasks /create /tn ''' /tr 'wscript.exe q' /sc onstart /rl highest /ru system /f".inf
Interesting Words:
Encrypt Decrypt PassWord exec powershell attrib start pause sdelete shutdown systeminfo ping expand replace
Interesting Words (UNICODE):
taskkill wscript exec powershell schtasks taskkill start schtask replace
URLs:
http://schemas.microsoft.com/windows/2004/02/mit/taskT
IP Addresses:
11.0.0.0 17.0.0.0
PE Carving:
Start Offset Header | End Offset | Size (Bytes) |
---|---|---|
0 | BFB3D | BFB3D |
BFB3D | 184000 | C44C3 |
Strings/Hex Code Found With The File Rules:
• Rule Text (Ascii): WinAPI Sockets (listen)
• Rule Text (Ascii): WinAPI Sockets (connect)
• Rule Text (Unicode): WinAPI Sockets (connect)
• Rule Text (Ascii): WinAPI Sockets (send)
• Rule Text (Ascii): File (GetTempPath)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Text (Ascii): Encryption (CreateDecryptor)
• Rule Text (Ascii): Encryption (CryptoStream)
• Rule Text (Ascii): Encryption (CryptoStreamMode)
• Rule Text (Ascii): Encryption (FromBase64String)
• Rule Text (Ascii): Encryption (ICryptoTransform)
• Rule Text (Ascii): Encryption (Rijndael)
• Rule Text (Ascii): Anti-Analysis VM (GetVersion)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Stealth (ReadProcessMemory)
• Rule Text (Ascii): Stealth (NtUnmapViewOfSection)
• Rule Text (Ascii): Execution (ShellExecute)
• Rule Text (Ascii): Execution (ResumeThread)
• Rule Text (Ascii): Antivirus Software (panda)
• Rule Text (Ascii): Privileges (SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeBackupPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeCreateSymbolicLinkPrivilege, SeCreateTokenPrivilege, SeDebugPrivilege, SeEnableDelegationPrivilege, SeImpersonatePrivilege, SeIncreaseBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeIncreaseWorkingSetPrivilege, SeLoadDriverPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeManageVolumePrivilege, SeProfileSingleProcessPrivilege, SeRelabelPrivilege, SeRemoteShutdownPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeShutdownPrivilege, SeSyncAgentPrivilege, SeSystemEnvironmentPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeTakeOwnershipPrivilege, SeTcbPrivilege, SeTimeZonePrivilege, SeTrustedCredManAccessPrivilege, SeUndockPrivilege, SeUnsolicitedInputPrivilege)
• Rule Text (Ascii): Keyboard Key ({End})
• Rule Text (Ascii): Information used to authenticate a user's identity (Credential)
• Rule Text (Ascii): Software that records user activity (Logger)
• Rule Text (Ascii): Information used for user authentication (Credential)
• Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
• Rule Text (Ascii): Technique used to circumvent security measures (Bypass)
• EP Rules: Anticrack Software Protector v1.09 (ACProtect)
• EP Rules: Gem VDI Image graphics file
• EP Rules: Microsoft Visual C / Basic .NET
• EP Rules: Microsoft Visual C++ 8
• EP Rules: Microsoft Visual C++ 8.0
• EP Rules: TrueVision Targa Graphics format
Resources:
Path | DataRVA | Size | FileOffset | Code | Text |
---|---|---|---|---|---|
\VERSION\1\0 | 186058 | 388 | 183A58 | 880334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
Intelligent String:
• 1.1.0.0
• http://schemas.microsoft.com/windows/2004/02/mit/taskT
• 1.0.0.0
• UAC.dll
• _CorDllMainmscoree.dll
• mcmd.exe /c powershell -Command "schtasks /Create /TN '
• '' /TR 'wscript.exe
• Q' /SC ONSTART /RL HIGHEST /RU SYSTEM /F"
• .inf
• cmstp.exe
• taskkill /IM cmstp.exe /F
• C:\Windows\System32\cmd.exe
• (advapi32.dll
• kernel32.dll
• 00:00:00
• 00:10:00
• 01:00:00
• ShowMessageTNamespace5http://schemas.microsoft.com/windows/2004/02/mit/taskT
• \System.DateTime, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e0890001-01-01T00:00:00
• 12:00:00
• ((]SettingsTNamespace5http://schemas.microsoft.com/windows/2004/02/mit/taskT
• \System.DateTime, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e0899999-12-31T23:59:59.9999999
• I ((]TriggersTNamespace5http://schemas.microsoft.com/windows/2004/02/mit/taskT
Extra 4n4lysis:
Metric | Value | Percentage |
---|---|---|
Ascii Code | 798347 | 50,2343% |
Null Byte Code | 432786 | 27,2321% |