ID: 333806
Sample Name: DefenderControl.exe
Cookbook: default.jbs
Time: 00:40:46
Date: 24/12/2020
Version: 31.0.0 Red Diamond
Table of Contents
• Overview: General Information, Detection, Signatures, Classification, Analysis Advice
• Startup
• Malware Configuration
• Yara Overview: Dropped Files, Memory Dumps
• Sigma Overview
• Signature Overview: Malware Analysis System Evasion
• Mitre Att&ck Matrix
• Behavior Graph
• Screenshots: Thumbnails
• Antivirus, Machine Learning and Genetic Malware Detection: Initial Sample, Dropped Files, Unpacked PE Files, Domains, URLs
• Domains and IPs: Contacted Domains, URLs from Memory and Binaries, Contacted IPs
• General Information
• Simulations: Behavior and APIs
• Joe Sandbox View / Context: IPs, Domains, ASN, JA3 Fingerprints, Dropped Files
• Dropped Files: Created / dropped Files
• Static File Info: General, File Icon, Static PE Info (General, Authenticode Signature, Entrypoint Preview, Rich Headers, Data Directories, Sections, Resources, Imports, Version Infos, Possible Origin)
• Network Behavior
• Code Manipulations
Copyright null 2020 Page 2 of 20
• Statistics
• System Behavior: Analysis Process: DefenderControl.exe PID: 3504 Parent PID: 5760 (General, File Activities: File Created, File Deleted, File Written, File Read)
• Disassembly: Code Analysis
Analysis Report DefenderControl.exe
Overview
General Information
Sample Name:
DefenderControl.exe
Analysis ID: 333806
MD5: 3a24a7b7c1ba74…
SHA1: 5da4de1dbba557…
SHA256: a201f7f81277e28…
Detection
Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 20%
Signatures
Found stalling execution ending in API Sleep call
Contains capabilities to detect virtua…
Contains functionality for read data f…
Contains functionality to access load…
Contains functionality to check if a d…
Contains functionality to check if a w…
Contains functionality to communica…
Contains functionality to dynamically…
Contains functionality to execute pro…
Contains functionality to launch a pr…
Contains functionality to launch a pr…
Contains functionality to open a port…
Contains functionality to query CPU…
Contains functionality to read the cli…
Contains functionality to retrieve info…
Contains functionality to shutdown /…
Contains functionality to simulate ke…
Contains functionality to simulate m…
Contains functionality which may be…
Creates a DirectInput object (often fo…
Detected potential crypto function
Found a high number of Window / Us…
Found large amount of non-executed…
Found potential string decryption / a…
May sleep (evasive loops) to hinder…
PE / OLE file has an invalid certificate
PE file contains strange resources
Potential key logger detected (key s…
Sample execution stops while proce…
Sample file is different than original…
Sleep loop found (likely to delay exe…
Uses code obfuscation techniques (…
Yara signature match
Classification
[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]
Analysis Advice
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Startup
System is w10x64
DefenderControl.exe (PID: 3504 cmdline: 'C:\Users\user\Desktop\DefenderControl.exe' MD5: 3A24A7B7C1BA74A5AFA50F88BA81D550)
cleanup
Malware Configuration
No configs have been found
Yara Overview
Dropped Files
Source Rule Description Author Strings
C:\Users\user\AppData\Local\Temp\wnbclmk MAL_Sednit_DelphiDownloader_Apr18_2 Detects malware from Sednit Delphi Downloader report Florian Roth 0x4a23:$s9: 5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E
Memory Dumps
Source Rule Description Author Strings
00000000.00000002.579588699.00000000008BD000.00000004.00000001.sdmp MAL_Sednit_DelphiDownloader_Apr18_2 Detects malware from Sednit Delphi Downloader report Florian Roth 0x69e3:$s9: 5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E
00000000.00000003.204202979.00000000033A4000.00000004.00000001.sdmp MAL_Sednit_DelphiDownloader_Apr18_2 Detects malware from Sednit Delphi Downloader report Florian Roth 0x3d7b:$s9: 5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E
00000000.00000002.581223960.00000000033A0000.00000004.00000001.sdmp MAL_Sednit_DelphiDownloader_Apr18_2 Detects malware from Sednit Delphi Downloader report Florian Roth 0x15d73:$s9: 5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E
Sigma Overview
No Sigma rule has matched
Signature Overview
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Remote Access Functionality
Malware Analysis System Evasion:
Found stalling execution ending in API Sleep call
Mitre Att&ck Matrix
Initial Access: Valid Accounts 2; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API 1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Valid Accounts 2; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Valid Accounts 2; Exploitation for Privilege Escalation 1; Access Token Manipulation 2 1; Process Injection 1; Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading 1; Valid Accounts 2; Virtualization/Sandbox Evasion 3 1; Access Token Manipulation 2 1; Process Injection 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2
Credential Access: Input Capture 3 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery 2; Security Software Discovery 3; Virtualization/Sandbox Evasion 3 1; Process Discovery 2; Application Window Discovery 1 1; File and Directory Discovery 3; System Information Discovery 1 4
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture 3 1; Archive Collected Data 1; Clipboard Data 2; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Behavior Graph
ID: 333806
Sample: DefenderControl.exe
Startdate: 24/12/2020
Architecture: WINDOWS
Score: 36
[Behavior graph: DefenderControl.exe (3) started; signature: Found stalling execution ending in API Sleep call]
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
[Screenshot thumbnails not reproduced]
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source Detection Scanner Label Link
DefenderControl.exe 6% Virustotal Browse
DefenderControl.exe 6% Metadefender Browse
DefenderControl.exe 7% ReversingLabs Win32.PUA.DefenderControl
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source Detection Scanner Label Link
ocsp.thawte.com0 0% URL Reputation safe
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Name Source Malicious Antivirus Detection Reputation
crl.thawte.com/ThawteTimestampingCA.crl0 DefenderControl.exe false high
ocsp.thawte.com0 DefenderControl.exe false URL Reputation: safe unknown
Contacted IPs
No contacted IP infos
General Information
Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 333806
Start date: 24.12.2020
Start time: 00:40:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 33s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: DefenderControl.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus36.evad.winEXE@1/3@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Failed
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings: Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe; Report size getting too big, too many NtOpenKeyEx calls found.
Simulations
Behavior and APIs
No simulations
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Dropped Files
Created / dropped Files
C:\Users\user\AppData\Local\Temp\autB6B9.tmp
Process: C:\Users\user\Desktop\DefenderControl.exe
File Type: data
Category: dropped
Size (bytes): 31960
Entropy (8bit): 7.8027030456872515
Encrypted: false
SSDEEP: 768:YPDaQsGEvu69FJ7TeKG9ZxGC7zPnSDnj5cf8Bk65vyhdB:0EZ9CFoC7O3C8i
MD5: 446A845A0963C84E6B7F1C6B648ADF62
SHA1: CB1CBE37E07A838BB5B1232FFFEB0A1CE4C33473
SHA-256: 950BD3BF22CA0BF4DAA3B12AF5EB6356F0810E93AE1E86FB419646C3AAB588DB
SHA-512: E755AFC61913A9841E83A17F417ACAF3F802C44C09ACC8DE87F54630AFEEC437CD0EEAB21A572C41941B38632B0A7CD7A4CB34ACBCC2FED00A1064FBC9CB1B1C
Malicious: false
Reputation: low
Preview:$%....}..Q&.Y..o4.M&.Y..mC.Lf.)..k6..f.:M..4..f.I...1....Y..k7.......o2.L.............)..'@....H....Y..j.0.&[email protected]..#.i..o4.X(.j..a7.L.3*,.l.ZL..* ..1..&..`..2.M.Sy...2.P..Y..iC.f.....m4.J.ft....Pp..@[email protected]..' %..m4....&(.I.......z.5.... .2p.a.Mg.9.../.%%....?.a`.P.$.M.........D..$..&.7....a..p...V(..l.r.8..p......y..97.. [email protected]..@........&3j,.n..Q.E......:.@...)1.=@...`..mB.n@1I.........}.@..)f.`....\....P....g...f.P._.i8.P..9.../S9....t....J...z...j....o..;...i....Q&.`.<........+3..S W8... O...'.M.?..".4....>..>`A/...S....5..............`[email protected]............./. .I4.f...5...?..h.w.0....Qf.p..l.@.:.&d.. ..........(.7.M.*I.../SP..j.{[email protected].)p..f.5..h.H...4......+I.%.7...$....O........1.j' ...(....3pb....1(.!y...@.~..8...Lf.................e4....I..T.......@.,......B.x.\.... ..M..`[email protected].!.(..6...0.../......`.......h......=........L.0.....z.%
C:\Users\user\AppData\Local\Temp\wnbclmk
Process: C:\Users\user\Desktop\DefenderControl.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 97701
Entropy (8bit): 3.3666524462666927
Encrypted: false
SSDEEP: 1536:o+UDnC6oEkfiiwxholIq3BgbXli0FxIVzJGrrLps6oWNcV:ek1whoeqF
MD5: B9B96CDCEF855AB98EE55AF4EC32C96A
SHA1: 010C784F9FD1D97B45C2D5F0DEB8A3F9CEC13F5C
SHA-256: 2721F4949FDF46A89A1454E4EDBC3BC178F764F58955BEFA74BCBA57F7B0FA45
SHA-512: 7483E7F4A93891BAF12B60523DDB9731731C9E29B58AAC8D21743D171D51A89B8674179F29F55AF633CBE505A5BBA4F647C6A0757A434284BEB09376913BA7F0
Malicious: false
Yara Hits: Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: C:\Users\user\AppData\Local\Temp\wnbclmk, Author: Florian Roth
Reputation: low
Preview:4D7573744465636C61726556617273IC]47554944617461536570617261746F7243686172IC]57696E44657465637448696464656E54657874IC]446566656E64657220436F6E74726F6C2076312E36IC]202D20417574686F7220627920426C75654C696665IC]64436F6E74726F6C3A76312E36IC]57696E446566656E64IC]323031352D32303139IC]2040557365724E616D6520IC]2040436F6D70696C656420IC]20404175746F497445786520IC]20404F534172636820IC]20404175746F497458363420IC]546F20737461727420736F66747761726520796F75206D75737420686176652041646D696E6973747261746F722072696768747321IC]204057696E646F777344697220IC]7573657233322E646C6CIC]4572726F72IC]43616E2774206F70656E207573657233322E646C6CIC]61647661706933322E646C6CIC]4572726F72IC]43616E2774206F70656E2061647661706933322E646C6CIC]6B65726E656C33322E646C6CIC]4572726F72IC]43616E2774206F70656E206B65726E656C33322E646C6CIC]55736572656E762E646C6CIC]55736572656E762E646C6CIC]7368656C6C33322E646C6CIC]7368656C6C33322E646C6CIC]6F6C6533322E646C6CIC]6F6C6533322E646C6CIC]484B4C4DIC]484B4355IC]3634IC]3634IC]2040536372697074446972
C:\Users\user\Desktop\DefenderControl.ini
Process: C:\Users\user\Desktop\DefenderControl.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 1492
Entropy (8bit): 3.565830734144656
Encrypted: false
SSDEEP: 24:QlCnP1w7T5dMqMNYhLeBFEH5Ec75+CMrFUja17B1MoiP2lGikpzCpsBa:oCnNw3zMqWYhLlWc7DMnzMlCGi2CpsBa
MD5: DD767ACA837C4FAF45D40661B336A9B6
SHA1: C8BAEB0A7DAEC87B7F91B997A031AB687E046F76
SHA-256: E4AA54DF2ADD232F66CF72F7C9826E7AD3AAAF930109D187B6D5E00806D49B2B
SHA-512: A3562E2958E63E33C952B7A0514DB84909735213F8E2E1AD9912E7EA108DEBAE016FB37EDAD973BC5AF368E90C117D07B539607DEFF8BAB59D6EAE7FEBBF05F1
Malicious: false
Reputation: low
Preview:..;. .G.e.n.e.r.a.t.e.d. .(.2.4...1.2...2.0.2.0. .0.0.:.4.1.:.3.5.). .b.y. .D.e.f.e.n.d.e.r. .C.o.n.t.r.o.l. .v.1...6.....;. .w.w.w...s.o.r.d.u.m...o.r.g.........[.M.a.i.n.].....L.a.n.g.u.a.g.e.=.A.u.t.o.....H.i.d.e.W.i.n.d.o.w.O.n.S.t.a.r.t.u.p.=.0.....H.i.d.e.W.h.e.n.M.i.n.i.m.i.z.e.d.=.0.........[.L.a.n.g.u.a.g.e._.E.n.g.l.i.s.h.].....0.1.=.".B.l.u.e.L.i.f.e.".....0.2.=.".W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .i.s. .r.u.n.n.i.n.g.".....0.3.=.".W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .i.s. .t.u.r.n.e.d. .o.f.f.".....0.4.=.".W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .c.a.n.n.o.t. .b.e. .s.t.a.r.t.e.d.".....0.5.=.".W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .s.e.r.v.i.c.e. .n.o.t. .f.o.u.n.d.".....0.6.=.".R.e.a.l.-.t.i.m.e. .p.r.o.t.e.c.t.i.o.n. .i.s. .t.u.r.n.e.d. .o.f.f.".....0.7.=.".&.D.i.s.a.b.l.e. .W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.".....0.8.=.".&.E.n.a.b.l.e. .W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.".....0.9.=.".&.O.p.e.n. .S.e.c.u.r.i.t.y. .C.e.n.t.e.r.".....1.0.=.".&.M.e.n.u. .......".....1.1.=.".&.D.e.f.e.n.d.e.r. .
Static File Info
General
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.961449290934527
TrID:
Win32 Executable (generic) a (10002005/4) 99.96%
Generic Win/DOS Executable (2004/3) 0.02%
DOS Executable Generic (2002/1) 0.02%
Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: DefenderControl.exe
File size: 846008
MD5: 3a24a7b7c1ba74a5afa50f88ba81d550
SHA1: 5da4de1dbba55774891497297396fd2e5c306cf5
SHA256: a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae
SHA512: 2f882ddc039ba0f3526b05a499a6ec1e7d47fca259fa48dcf0a5f345168c07f815273b8e702b0cfd396063da0dc55ad8ad62b91015d2157deae5457ba34754a9
SSDEEP: 12288:baWzgMg7v3qnCi3ErQohh0F4JCJ8lnydQ79QudhzYOejoiQv2ju8S0c/J:uaHMv6CDrjRnydQu+ejMZ1R
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........
File Icon
Icon Hash: 16dada9cacc8c082
Static PE Info
General
Entrypoint: 0x416310
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4BC81615 [Fri Apr 16 07:47:33 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: aaaa8913c89c8aa4a5d93f06853894da
Authenticode Signature
Signature Valid: false
Signature Issuer: CN=Sordum Software
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After: 12/31/2005 1:00:00 PM 12/31/2025 1:00:00 PM
Subject Chain: CN=Sordum Software
Version: 3
Thumbprint MD5: 741DC74545C1BA662CD721D502AEC85C
Thumbprint SHA-1: F5E71628A478A248353BF0177395223D2C5A0E43
Thumbprint SHA-256: 9333E2DFEE836F88AF7A81A5F80C19798D39234F1AF98EEECA661E13BB45BDAB
Serial: C2CBBD946BC3FDB944D522931D61D51A
Entrypoint Preview
Instruction
call 00007FDBDC7F1D8Ch
jmp 00007FDBDC7E5B5Eh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FDBDC7E5CEAh
cmp edi, eax
jc 00007FDBDC7E5E8Ah
cmp ecx, 00000100h
jc 00007FDBDC7E5D01h
cmp dword ptr [004A94E0h], 00000000h
je 00007FDBDC7E5CF8h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007FDBDC7E5CEAh
pop esi
pop edi
pop ebp
jmp 00007FDBDC7E614Ah
test edi, 00000003h
jne 00007FDBDC7E5CF7h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007FDBDC7E5D0Ch
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007FDBDC7E5CEEh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007FDBDC7E5CAEh
Rich Headers
Programming Language:
[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
Data Directories
Name Virtual Address Virtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT 0x8cd3c 0x154 .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE 0xab000 0x1fc98 .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY 0xcd9d8 0xee0
IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0
IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IAT 0x82000 0x840 .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0
Sections
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
.text 0x1000 0x80017 0x80200 False 0.56034679878 data 6.63488377319 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata 0x82000 0xd95c 0xda00 False 0.36141771789 data 4.86709160512 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data 0x90000 0x1a518 0x6800 False 0.160006009615 data 2.20177062077 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc 0xab000 0x1fc98 0x1fe00 False 0.820932904412 data 7.30035107712 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources
Name RVA Size Type Language Country
RT_ICON 0xab4f0 0x128 GLS_BINARY_LSB_FIRST English Great Britain
RT_ICON 0xab618 0x128 GLS_BINARY_LSB_FIRST English Great Britain
RT_ICON 0xab740 0x568 GLS_BINARY_LSB_FIRST English Great Britain
RT_ICON 0xabca8 0x14edd PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced English Great Britain
RT_ICON 0xc0b88 0x4228 data English Great Britain
RT_ICON 0xc4db0 0x25a8 data English Great Britain
RT_ICON 0xc7358 0xb0 GLS_BINARY_LSB_FIRST English Great Britain
RT_ICON 0xc7408 0x10a8 data English Great Britain
RT_ICON 0xc84b0 0x988 data English Great Britain
RT_ICON 0xc8e38 0x468 GLS_BINARY_LSB_FIRST English Great Britain
RT_ICON 0xc92a0 0x468 GLS_BINARY_LSB_FIRST English Great Britain
RT_ICON 0xc9708 0x468 GLS_BINARY_LSB_FIRST English Great Britain
RT_ICON 0xc9b70 0x468 GLS_BINARY_LSB_FIRST English Great Britain
RT_ICON 0xc9fd8 0x468 GLS_BINARY_LSB_FIRST English Great Britain
RT_GROUP_ICON 0xca440 0x5a data English Great Britain
RT_GROUP_ICON 0xca49c 0x14 data English Great Britain
RT_GROUP_ICON 0xca4b0 0x14 data English Great Britain
RT_GROUP_ICON 0xca4c4 0x22 data English Great Britain
RT_GROUP_ICON 0xca4e8 0x14 data English Great Britain
RT_GROUP_ICON 0xca4fc 0x14 data English Great Britain
RT_GROUP_ICON 0xca510 0x14 data English Great Britain
RT_GROUP_ICON 0xca524 0x14 data English Great Britain
RT_VERSION 0xca538 0x2c0 data English Great Britain
RT_MANIFEST 0xca7f8 0x49e XML 1.0 document, ASCII text, with CRLF line terminators English Great Britain
Imports
DLL Import
WSOCK32.dll __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData
Version Infos
Description Data
LegalCopyright Copyright 2015-2019 www.sordum.org All Rights Reserved. Coder By BlueLife
FileVersion 1.6.0.0
CompanyName www.sordum.org
Comments Windows Defender Control v1.6
FileDescription Windows Defender Control
Translation 0x0809 0x04b0
Possible Origin
Language of compilation system Country where language is spoken Map
English Great Britain
Network Behavior
No network behavior found
Code Manipulations
Statistics
System Behavior
Analysis Process: DefenderControl.exe PID: 3504 Parent PID: 5760
General
Start time: 00:41:34
Start date: 24/12/2020
Path: C:\Users\user\Desktop\DefenderControl.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\DefenderControl.exe'
Imagebase: 0x400000
File size: 846008 bytes
MD5 hash: 3A24A7B7C1BA74A5AFA50F88BA81D550
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000002.579588699.00000000008BD000.00000004.00000001.sdmp, Author: Florian Roth
Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000003.204202979.00000000033A4000.00000004.00000001.sdmp, Author: Florian Roth
Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000002.581223960.00000000033A0000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: low
File Activities
File Created
File Path Access Attributes Options Completion Count Source Address Symbol
C:\Users\user\AppData\Local\Temp\autB6B9.tmp read attributes | synchronize | generic read device synchronous io non alert | non directory file success or wait 1 434FD8 GetTempFileNameW
C:\Users\user\AppData\Local\Temp\wnbclmk read attributes | synchronize | generic read | generic write device synchronous io non alert | non directory file success or wait 1 4257F5 CreateFileW
C:\Users\user\Desktop\DefenderControl.ini read attributes | synchronize | generic read | generic write device synchronous io non alert | non directory file success or wait 1 40F010 CreateFileW
File Deleted
File Path Completion Count Source Address Symbol
C:\Users\user\AppData\Local\Temp\autB6B9.tmp success or wait 1 452BAE DeleteFileW
C:\Users\user\AppData\Local\Temp\wnbclmk success or wait 1 44C069 DeleteFileW
File Written
File Path Offset Length Completion Count Source Address Symbol
(Value and Ascii columns, raw byte dumps of the written data, omitted)
C:\Users\user\AppData\Local\Temp\autB6B9.tmp unknown 28672 success or wait 1 41C31A WriteFile
C:\Users\user\AppData\Local\Temp\autB6B9.tmp unknown 3288 success or wait 1 41C31A WriteFile
C:\Users\user\AppData\Local\Temp\wnbclmk unknown 65536 success or wait 1 41C31A WriteFile
C:\Users\user\AppData\Local\Temp\wnbclmk unknown 28672 success or wait 1 41C31A WriteFile
C:\Users\user\AppData\Local\Temp\wnbclmk unknown 3493 success or wait 1 41C31A WriteFile
C:\Users\user\Desktop\DefenderControl.ini unknown 2 success or wait 1 444368 WriteFile
C:\Users\user\Desktop\DefenderControl.ini unknown 1490 success or wait 1 444368 WriteFile
File Read
File Path Offset Length Completion Count Source Address Symbol
C:\Users\user\Desktop\DefenderControl.exe unknown 65536 success or wait 1 41E9DF ReadFile
C:\Users\user\Desktop\DefenderControl.exe unknown 65536 success or wait 33 41E9DF ReadFile
C:\Users\user\Desktop\DefenderControl.exe unknown 70656 success or wait 2 41E9DF ReadFile
C:\Users\user\Desktop\DefenderControl.exe unknown 65536 success or wait 1 41E9DF ReadFile
C:\Users\user\Desktop\DefenderControl.exe unknown 65536 success or wait 1 41E9DF ReadFile
C:\Users\user\Desktop\DefenderControl.exe unknown 28672 success or wait 1 41E9DF ReadFile
C:\Users\user\AppData\Local\Temp\autB6B9.tmp unknown 4096 success or wait 1 41E9DF ReadFile
C:\Users\user\AppData\Local\Temp\autB6B9.tmp unknown 61440 success or wait 1 41E9DF ReadFile
C:\Users\user\AppData\Local\Temp\autB6B9.tmp unknown 32768 end of file 1 41E9DF ReadFile
C:\Users\user\AppData\Local\Temp\wnbclmk unknown 65536 success or wait 1 403D95 ReadFile
C:\Users\user\AppData\Local\Temp\wnbclmk unknown 65536 success or wait 2 403D95 ReadFile
Disassembly
Code Analysis