copyright joe security llc 2018 page 3 of 13

ID: 45429 Sample Name: iview450_x64_setup.exe Cookbook: default.jbs Time: 20:35:08 Date: 07/02/2018 Version: 20.0.0


Table of Contents

Analysis Report
• Overview
  • General Information
  • Detection
  • Confidence
  • Classification
  • Analysis Advice
  • Signature Overview
    • Networking
    • System Summary
    • HIPS / PFW / Operating System Protection Evasion
    • Anti Debugging
    • Malware Analysis System Evasion
• Simulations
  • Behavior and APIs
• Antivirus Detection
  • Initial Sample
  • Dropped Files
  • Domains
• Yara Overview
  • Initial Sample
  • PCAP (Network Traffic)
  • Dropped Files
  • Memory Dumps
  • Unpacked PEs
• Joe Sandbox View / Context
  • IPs
  • Domains
  • ASN
  • Dropped Files
• Created / dropped Files
• Contacted Domains/Contacted IPs
  • Contacted Domains
  • Contacted IPs
• Static File Info
  • General
  • File Icon
  • Static PE Info
    • General
    • Authenticode Signature
    • Entrypoint Preview
    • Data Directories
    • Sections
    • Resources
    • Imports
    • Version Infos
    • Possible Origin
• Network Behavior
• Code Manipulations
• Statistics
• System Behavior
• Disassembly


Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0

Analysis ID: 45429

Start time: 20:35:08

Joe Sandbox Product: CloudBasic

Start date: 07.02.2018

Overall analysis duration: 0h 1m 8s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: iview450_x64_setup.exe

Cookbook file name: default.jbs

Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)

Number of new started processes analysed: 2

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabled, EGA enabled, HDC enabled

Detection: UNKNOWN

Classification: unknown1.winEXE@0/0@0/0

Cookbook Comments:
• Adjust boot time
• Found application associated with file extension: .exe
• Unable to launch sample, stop analysis

Warnings:
• Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe

Errors:
• Nothing to analyse, Joe Sandbox has not found any analysis process or sample
• Unable to start the sample

Detection

Strategy: Threshold

Score: 1

Range: 0 - 100

Reporting: Report FP / FN

Confidence

Strategy: Threshold

Score: 4

Range: 0 - 5

Further Analysis Required?: false

Analysis Advice

Sample requires a 64-bit OS; try executing the sample on a 64-bit version of Windows.

Classification

[Classification chart: axes Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; each rated clean, suspicious or malicious]

Signature Overview

• Networking

• System Summary

• HIPS / PFW / Operating System Protection Evasion

• Anti Debugging

• Malware Analysis System Evasion

Networking:

Urls found in memory or binary data

System Summary:

PE file has a high image base, often used for DLLs

Submission file is bigger than most known malware samples

PE file has a big raw section

Contains modern PE file flags such as dynamic base (ASLR) or NX

Binary contains paths to debug symbols

PE file contains a valid data directory to section mapping

Classification label

PE file has an executable .text section and no other executable section

Sample is known by Antivirus (Virustotal or Metascan)

PE file contains executable resources (Code or Archives)

PE file contains strange resources

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:

Program does not show much activity (idle)

Malware Analysis System Evasion:

Program does not show much activity (idle)

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source | Detection | Cloud Link
iview450_x64_setup.exe | 0% | virustotal
iview450_x64_setup.exe | 0% | metadefender

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Static File Info

General

File type: PE32+ executable (GUI) x86-64, for MS Windows

Entropy (8bit): 7.907057461035224

TrID:
• Win64 Executable GUI (202006/5) 98.05%
• Generic Win/DOS Executable (2004/3) 0.97%
• DOS Executable Generic (2002/1) 0.97%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%

File name: iview450_x64_setup.exe

File size: 3508360

MD5: d363d95fbdcdb7ba62dd0bbd99cb14ec

SHA1: 277e0a617003967f6fe7f1035401d7c7014b73b6

SHA256: aa0bdf15331cabaf02c96b1027525ef42d5068c1c999dc3b6bbd1903b24977b3

SHA512: 4e69ddb1a7ef5258fe211d99741cd01673a8ac419f5e9ef788ecce39f48c197fd4bd1a05fbd5c2261a857c869e71835be6ff4491f796cc29235a72505b82d8d8

File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X................+.......+~......+a......+z.....Z.Q.....Z.n.......Q......JQ.....Z.P..............JT.......j......Jo.....Rich...

File Icon

Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static PE Info

General

Entrypoint: 0x14002f194

Entrypoint Section: .text

Digitally signed: true

Imagebase: 0x140000000

Subsystem: windows gui

Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Time Stamp: 0x59DCA5D7 [Tue Oct 10 10:49:59 2017 UTC]

TLS Callbacks:

CLR (.Net) Version:

OS Version Major: 6

OS Version Minor: 0

File Version Major: 6

File Version Minor: 0

Subsystem Version Major: 6

Subsystem Version Minor: 0

Import Hash: 2771268012a0624dc6df4a313ed0440c

Authenticode Signature

General

Signature Valid: true

Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Signature Validation Error: The operation completed successfully

Error Number: 0

Not Before, Not After: 2/2/2016 1:00:00 AM, 2/3/2020 12:59:59 AM

Subject Chain: CN=Irfan Skiljan, O=Irfan Skiljan, STREET=Postfach 48, L=Wiener Neustadt, S=NOE, PostalCode=2700, C=AT

Version: 3

Thumbprint: 5CC1EABEF72CF2867FDB4509F0CC13C2CB5C132A

Serial: 00E50CACF3CFD70EAEBF28A3A5E04ED4A7

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F02B8A1C95Ch
dec eax
add esp, 28h
jmp 00007F02B8A15D9Bh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [000397C9h]
jne 00007F02B8A15F73h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F02B8A15F64h
rep ret
dec eax
ror ecx, 10h
jmp 00007F02B8A168AAh
int3
dec eax
test ecx, ecx
je 00007F02B8A15F99h
push ebx
dec eax
sub esp, 20h
dec esp
mov eax, ecx
dec eax
mov ecx, dword ptr [00040024h]
xor edx, edx
call dword ptr [0001A3F4h]
test eax, eax
jne 00007F02B8A15F79h
call 00007F02B8A1878Ch
dec eax
mov ebx, eax
call dword ptr [0001A3BAh]
mov ecx, eax
call 00007F02B8A1879Ch
mov dword ptr [ebx], eax
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
mov edx, 00000008h
lea ecx, dword ptr [edx+18h]
call 00007F02B8A1D102h
dec eax
mov ecx, eax
dec eax
mov ebx, eax
call dword ptr [0001A1A9h]
dec eax
mov dword ptr [00042B1Ah], eax
dec eax
mov dword ptr [00042B0Bh], eax
dec eax
test ebx, ebx
jne 00007F02B8A15F67h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x64418 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x77000 | 0x2e7c20 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x72000 | 0x41dc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x357000 | 0x1888 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x35f000 | 0x1888 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5b7c0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x49000 | 0xa18 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x64028 | 0xe0 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4794c | 0x47a00 | False | 0.517847404014 | data | 6.36517594419 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x49000 | 0x1d506 | 0x1d600 | False | 0.308011968085 | data | 4.32748433768 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x67000 | 0xad78 | 0x4200 | False | 0.231534090909 | data | 3.36826326102 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x72000 | 0x41dc | 0x4200 | False | 0.482776988636 | data | 5.7303045911 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x77000 | 0x2e7c20 | 0x2e7e00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x35f000 | 0x1888 | 0x1a00 | False | 0.324368990385 | data | 5.37207452601 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
TXT | 0x35d4f0 | 0xc0a | Little-endian UTF-16 Unicode text, with CRLF line terminators | German | Austria
ZIP | 0x7a2d8 | 0x2e3218 | Zip archive data, at least v2.0 to extract | German | Austria
RT_BITMAP | 0x79d18 | 0x5bc | data | German | Austria
RT_ICON | 0x78ee0 | 0x8a8 | data | German | Austria
RT_ICON | 0x79788 | 0x568 | GLS_BINARY_LSB_FIRST | German | Austria
RT_DIALOG | 0x77460 | 0x58e | data | English | United States
RT_DIALOG | 0x779f0 | 0x334 | data | English | United States
RT_DIALOG | 0x77d28 | 0xf4 | data | English | United States
RT_DIALOG | 0x77e20 | 0x408 | data | English | United States
RT_DIALOG | 0x78228 | 0x408 | data | English | United States
RT_DIALOG | 0x78630 | 0x7c | data | English | United States
RT_STRING | 0x35e100 | 0x5ca | data | German | Austria
RT_STRING | 0x35e6d0 | 0x22e | data | German | Austria
RT_STRING | 0x35e900 | 0x22e | data | German | Austria
RT_STRING | 0x35eb30 | 0xf0 | data | German | Austria
RT_GROUP_ICON | 0x79cf0 | 0x22 | MS Windows icon resource - 2 icons, 32x32, 256-colors | German | Austria
RT_VERSION | 0x786b0 | 0x3b0 | data | English | United States
RT_MANIFEST | 0x78a60 | 0x47a | XML document text | English | United States

Imports

DLL | Import
KERNEL32.dll | GlobalReAlloc, GlobalHandle, LocalAlloc, LocalReAlloc, CompareStringW, GetLocaleInfoW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetCurrentDirectoryW, DeleteFileW, FindClose, FindFirstFileW, FlushFileBuffers, GetFullPathNameW, GetVolumeInformationW, SetEndOfFile, GetCurrentProcess, FindResourceExW, SetErrorMode, FileTimeToLocalFileTime, GetFileAttributesExW, IsDebuggerPresent, IsProcessorFeaturePresent, CreateDirectoryW, GetLocalTime, SetEnvironmentVariableW, SetCurrentDirectoryW, RtlUnwindEx, RtlLookupFunctionEntry, RtlPcToFileHeader, TlsFree, HeapQueryInformation, GetStdHandle, GetFileType, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlCaptureContext, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsValidCodePage, GetOEMCP, GetCPInfo, GetStringTypeW, GetDriveTypeW, GetConsoleMode, ReadConsoleW, GetConsoleCP, SetFilePointerEx, GetTimeZoneInformation, OutputDebugStringW, LCMapStringW, SetStdHandle, WriteConsoleW, SetEnvironmentVariableA, TlsSetValue, TlsGetValue, TlsAlloc, FileTimeToSystemTime, InitializeCriticalSection, GlobalFlags, WaitForSingleObject, VirtualProtect, GetPrivateProfileIntW, lstrcmpA, GetVersionExW, GetCurrentThread, GlobalFindAtomW, GlobalAddAtomW, lstrcmpW, GlobalDeleteAtom, LoadLibraryExW, GetCurrentThreadId, LeaveCriticalSection, EnterCriticalSection, EncodePointer, FormatMessageW, LocalFree, GlobalFree, GlobalAlloc, GlobalUnlock, GlobalLock, GetCurrentProcessId, QueryActCtxW, FindActCtxSectionStringW, DeactivateActCtx, ActivateActCtx, HeapReAlloc, CreateActCtxW, GetModuleHandleExW, InitializeCriticalSectionAndSpinCount, SetLastError, OutputDebugStringA, GetACP, WriteFile, SetFilePointer, ReadFile, DosDateTimeToFileTime, CloseHandle, SetFileTime, LocalFileTimeToFileTime, GetFileTime, CreateFileW, LoadLibraryExA, Sleep, FreeResource, LockResource, GetTempPathW, WritePrivateProfileStringW, MultiByteToWideChar, GetModuleFileNameW, SizeofResource, GetPrivateProfileStringW, MoveFileExW, LoadResource, FindResourceW, GetDateFormatW, GetEnvironmentVariableW, GetProcAddress, VerifyVersionInfoW, GetSystemDirectoryW, GetModuleHandleW, VerSetConditionMask, GetCommandLineW, lstrcpyW, GetWindowsDirectoryW, WinExec, lstrcatW, lstrlenW, LoadLibraryW, WideCharToMultiByte, FreeLibrary, DeleteCriticalSection, DecodePointer, HeapSize, GetLastError, RaiseException, InitializeCriticalSectionEx, MulDiv, GetProcessHeap, HeapFree, HeapAlloc, ExitProcess
USER32.dll | AdjustWindowRectEx, MapWindowPoints, GetWindowLongPtrW, SetWindowLongPtrW, GetClassLongPtrW, GetClassNameW, GetTopWindow, GetWindow, SetWindowsHookExW, UnhookWindowsHookEx, CallNextHookEx, WinHelpW, MonitorFromWindow, GetMonitorInfoW, ShowWindow, SetDlgItemTextW, GetDlgItemTextW, IsDlgButtonChecked, SendDlgItemMessageW, SetWindowTextW, IsDialogMessageW, PostQuitMessage, GetAsyncKeyState, MapDialogRect, GetMessageW, TranslateMessage, GetCursorPos, CreateDialogIndirectParamW, EndDialog, GetNextDlgTabItem, RealChildWindowFromPoint, GetSysColorBrush, DestroyMenu, CharUpperW, ValidateRect, GetForegroundWindow, SetActiveWindow, SetMenu, GetMenu, GetCapture, GetKeyState, SetFocus, GetDlgCtrlID, GetDlgItem, IsWindowVisible, SetWindowPos, DestroyWindow, CreateWindowExW, GetWindowTextLengthW, GetClassInfoW, RegisterClassW, CallWindowProcW, DefWindowProcW, PostMessageW, GetMessageTime, PeekMessageW, DispatchMessageW, RegisterWindowMessageW, GetMenuItemCount, GetMenuItemID, GetSubMenu, ClientToScreen, EndPaint, BeginPaint, TabbedTextOutW, GrayStringW, DrawTextExW, DrawTextW, CopyRect, GetLastActivePopup, GetWindowThreadProcessId, GetWindowLongW, IsWindowEnabled, SetMenuItemInfoW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, EnableMenuItem, CheckMenuItem, GetFocus, SendDlgItemMessageA, FillRect, DrawIcon, RedrawWindow, SetForegroundWindow, FindWindowExW, LoadIconW, SystemParametersInfoW, GetActiveWindow, MessageBoxW, GetSystemMetrics, UpdateWindow, FindWindowW, LoadStringW, SetCursor, SetTimer, ScreenToClient, GetWindowRect, KillTimer, GetParent, LoadCursorW, MessageBeep, GetClientRect, PtInRect, GetDC, InflateRect, CopyIcon, InvalidateRect, ReleaseDC, SetWindowLongW, GetDesktopWindow, GetSysColor, IsWindow, SendMessageW, EnableWindow, GetMessagePos, GetWindowTextW, RemovePropW, GetPropW, SetPropW, GetClassInfoExW, UnregisterClassW, LoadBitmapW
GDI32.dll | ExtTextOutW, CreateSolidBrush, Escape, GetClipBox, PtVisible, RectVisible, RestoreDC, SaveDC, SelectObject, SetBkMode, SetMapMode, SetBkColor, SetTextColor, TextOutW, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, OffsetViewportOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, EnumFontFamiliesExW, DeleteObject, CreateBitmap, GetTextExtentPoint32W, CreateFontIndirectW, GetObjectW, GetStockObject, DeleteDC, GetDeviceCaps, CreateDCW
ADVAPI32.dll | RegSetValueExW, RegEnumValueW, RegEnumKeyW, RegDeleteValueW, RegCreateKeyExW, RegQueryValueW, RegDeleteKeyW, RegQueryValueExW, RegSetValueW, RegCreateKeyW, RegCloseKey, RegOpenKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHChangeNotify, SHBrowseForFolderW, ShellExecuteW
COMCTL32.dll | InitCommonControlsEx

Version Infos

Description | Data
LegalCopyright | Copyright 2017 by Irfan Skiljan, Austria
InternalName | IrfanView 64-bit Installer
FileVersion | 4.5.0.0
CompanyName | Irfan Skiljan
Comments | IrfanView 64-bit Installer
ProductName | IrfanView 64-bit Installer
ProductVersion | 4.5.0.0
FileDescription | IrfanView 64-bit Installer
OriginalFilename | iview450_x64_setup.exe
Translation | 0x0c07 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken | Map
German | Austria |
English | United States |

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly