Investigation and actions

17607995754416.exe

Blocked 1 time for 1 user

Time of analysis

File analysis: 2020-02-25 06:59:47
Sandstorm: 2020-02-25 06:59:48

Overall verdict

MALICIOUS

Analysis discovered 4 suspicious activities and 1 malware detection.

Memory
Changes the permissions of a memory region used by system libraries
Creates a memory region with executable permission
Network
Connects to remote server classified as high-risk
Suspicious
Reads data from the local Windows system configuration
Malicious detections
Web reputation:
HIGH (MALWARE_CALLHOME)

Analysis summary

MALICIOUS
Machine learning
Overall analysis
LIKELY CLEAN
Machine learning
Feature analysis
LIKELY CLEAN
Machine learning
Feature combinations
LIKELY CLEAN
Machine learning
Structure analysis
SUSPICIOUS
Reputation
MALICIOUS
Sandstorm
None
XG malware scan
Information about your file
File name17607995754416.exe
File typeapplication/octet-stream
SHA12ace473374a49886cb5e7be77b8bc71cb1a2b61d
SHA256dc591a726ec0c0d8db46090c4b8dc4de3a55e236607ea7199520f94862fd7eed
File size114,688 bytes
All details

Machine learning

MALICIOUS
Overall verdict based on the Sophos deep learning model
Our model identifies many attributes of the file and compares their occurrence, individually and in different combinations, with millions of known good and known malware samples.
The reports below show probabilities based on key components of the overall score. Each component isn’t a strong indicator on its own, but in combination, they provide a critical insight. This model identifies many different characteristics of your file and compares the occurence of those characteristics, individually and in combinations, across millions of known good and known malware samples.
Feature analysis
LIKELY CLEAN
  • Identifies specific features of the file
  • Randomly selects ten million known bad files from our data warehouse.
  • Counts the number of good and bad sample files that have the same features. These simple counts are shown in the graph below.
  • The final verdict may also take into account more complex combinations of features.
More likely in bad files  >>><<< More likely in good files
File feature
8,456,0886,705,382
Stack Canary: "disabled"
484,955931,173
Compilers: "Microsoft Visual C# v7.0 / Basic .NET"
133,375236,109
Assembly Version: "1.0.0.0"
Feature combinations
LIKELY CLEAN
  • Counts the number of good and bad sample files that have one feature in common with your file.
  • Adds an additional feature and counts the sample files that have both features.
  • Continue adding features and counting sample files that combine all features.
  • Combinations of features can provide a more precise indication than individual features.
Bad filesGood files
Malware probabilityFile feature
  
9,886,7228,862,304
53%
Feature NOT Observed: Packer: "The PE only has 1 import(s)."
  
5,09116,603
23%
Add: Feature NOT Observed: Detected languages: "Icelandic - Iceland"
  
5,07116,597
23%
Add: Feature NOT Observed: Looks for Qemu presence: "QEMU"
  
4,78515,810
23%
Add: Feature NOT Observed: Contains references to system / monitoring tools: "sc.exe"
  
4,74715,690
23%
Add: Feature NOT Observed: Miscellaneous malware strings: "Virus"
  
4,67315,447
23%
Add: Feature NOT Observed: Accesses the WMI: "root\cimv2"
Structure analysis
LIKELY CLEAN
  • Identifies 32 distinctive structural genes in the file.
  • Scans Sophos database for files with these genes.
  • Ascertains the likelihood of the genes' presence in good versus malicious files.
  • The chart below shows 6 of the files in the sample set with the strongest genetic match.
Genes
                                
Status
 
SHA256
Your file
Stronger    << Match  >>   Weaker
                                
Good file
 
b221edbe57bfc031fa1b5b78826114b04d05ceb479012a39952280d7e7d6d83b
                                
Good file
 
c4546ce4955088b24d85aa380103bb8af17c2d85c30293f97fdaf5fb39bb1a56
                                
Good file
 
50b2df6863170e32c9cd016696ed9ccb35a2a52fc50a5520d5885c4eb6d761df
                                
Good file
 
8bb9642a213b7192f062ce40fff0f13508123502be9818a4937238354de9241c
                                
Good file
 
f6153137bb203c579a8f17614d2fd174090064c9701066e63b4516926e5cc6e9
                                
Bad file
 
5e6c91548b180ba90d559925bcc9ee98f91748f0c29d35e09968cb4d07a7f7b6

Reputation

SUSPICIOUS

We use live cloud lookups to ascertain file reputation based on how widely the file has been seen. This enables us to block emerging, fast-moving threats while preventing false positives.

Verdict commentUnknown reputation

Sandstorm detonation

MALICIOUS
Submitted at2020-02-25 06:59:48
Detonated at2020-02-25 07:00:52
Analysis duration174 seconds
Sandbox version4.1.1.283
File typePE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File executed asexe
SHA12ace473374a49886cb5e7be77b8bc71cb1a2b61d
SHA256dc591a726ec0c0d8db46090c4b8dc4de3a55e236607ea7199520f94862fd7eed
Malicious activity
MemoryChanges the permissions of a memory region used by system libraries
Creates a memory region with executable permission
NetworkConnects to remote server classified as high-risk
SuspiciousReads data from the local Windows system configuration
Malicious detections: 2
#ClassificationFound inClassification type
1HIGH (MALWARE_CALLHOME)hxxp://sophostest.com/callhome (URL)Web reputation
2HIGH (MALWARE_CALLHOME)hxxp://sophostest.com/callhome/ (URL)Web reputation
Screenshots: 6
Zoom
Zoom
Zoom
Zoom
Zoom
Zoom
Processes: 1
#ProcessParent processCommand lineStart time
1%input_sample% (pid=2644)%sandbox_framework% (pid=2768)%input_sample% 2020-02-25 07:00:52
Network activity: 8
DNS requests: 4
#DomainIP address
1sophostest.com13.35.78.43
2sophostest.com13.35.78.76
3sophostest.com13.35.78.117
4sophostest.com13.35.78.89
Connections: 1
#ProtocolIP addressPortHostnameProcess
1tcp104.100.93.980www.msftncsi.com
HTTP flows: 3
#URIMethodIP addressOriginResponse statusResponse MIME typeBytesSHA1
1hxxp://www.msftncsi.com/ncsi.txtGETUser agent: Microsoft NCSI200text/plain1433bf88d5b82df3723d5863c7d23445e345828904
2hxxp://sophostest.com/callhomeGET301da39a3ee5e6b4b0d3255bfef95601890afd80709
3hxxp://sophostest.com/callhome/GET200text/html1,555ebb011c2109ca2a4cf2a37e1c51cb119a33e562a

File analysis

File name17607995754416.exe
File typeapplication/octet-stream
SHA12ace473374a49886cb5e7be77b8bc71cb1a2b61d
SHA256dc591a726ec0c0d8db46090c4b8dc4de3a55e236607ea7199520f94862fd7eed
File size114,688 bytes
Image size114,688 bytes
Image base4194304
File time stamp1948-04-04 03:40:03
Machine typeI386
SubsystemWINDOWS_GUI
LanguagesRESOURCE_LANGS.NEUTRAL
Sections3
Debug informationC:\Users\Kate Libby\source\repos\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\WindowsFormsApp1.pdb
PE flagsLARGE_ADDRESS_AWARE, EXECUTABLE_IMAGE
Original file nameWindowsFormsApp1.exe
Internal nameWindowsFormsApp1.exe
File descriptionWindowsFormsApp1
File version1.0.0.0
Private build
Special build
Commentsn/a
Product nameWindowsFormsApp1
Product version1.0.0.0
Company namen/a
CopyrightCopyright © 2019
Trademarks
Signature and certificates: Not signed
Signing dateNot specified
File sections: 3
#Section namePhysical addressRaw data (bytes)Virtual addressVirtual size (bytes)EntropyCharacteristics
15503466351289,088819288,9247.9487195435046285CNT_CODE, MEM_EXECUTE, MEM_READ
2.rsrc896001,536983041,5164.235375749159247CNT_INITIALIZED_DATA, MEM_READ
3.reloc91136512106496121.9473387961875537CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ
Resources: 2
#Resource typeBytesCode pageLanguage
1RT_VERSION86000x0
2RT_MANIFEST49000x0
Imports: 1
#DLL nameAPIsBy ordinal?
1mscoree.dll_CorExeMainNo