Are There More Data in the Interval 11–14 or in the Interval 14–18? How Do You Know This?

Incident Response

Risk Assessment

Remote Access
Reads terminal service related keys (often RDP related)
Ransomware
Contains ability to create/switch the desktop
Persistence
Spawns a lot of processes
Fingerprint
Reads the active computer name
Spreading
Opens the MountPointManager (often used to observe additional infection locations)

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

  • External Systems
    • Sample was identified as malicious by a large number of Antivirus engines
      details
      11/66 Antivirus vendors marked sample as malicious (16% detection rate)
      source
      External System
      relevance
      10/10
    • Sample was identified as malicious by at least one Antivirus engine
      details
      11/66 Antivirus vendors marked sample as malicious (16% detection rate)
      source
      External System
      relevance
      8/10
  • General
    • Contains ability to start/interact with device drivers
      details
      DeviceIoControl@KERNEL32.dll at 3522-316-10002330
      source
      Hybrid Analysis Technology
      relevance
      8/10
    • The analysis extracted a file that was identified as malicious
      details
      1/66 Antivirus vendors marked dropped file "PathMgr.dll" as malicious (classified as "Dangerous" with 1% detection rate)
      1/66 Antivirus vendors marked dropped file "RDWorksV8Uninstall.exe" as malicious (classified as "Unsafe" with 1% detection rate)
      5/64 Antivirus vendors marked dropped file "RdPasswordSet.dll" as malicious (classified as "Bongler-based" with 7% detection rate)
      source
      Extracted File
      relevance
      10/10
  • Ransomware/Banking
    • Contains ability to create/switch the desktop
      details
      _path_CreateDesktopShortCut@PATHMGR.DLL from RDWorksSetUpV8.exe (PID: 5012) (Show Stream)
      _path_CreateDesktopShortCut@PATHMGR.DLL from RDWorksSetUpV8.exe (PID: 5012) (Show Stream)
      _path_CreateDesktopShortCut@PathMgr.dll at 6114-268-00410BEA
      source
      Hybrid Analysis Technology
      relevance
      5/10
  • Unusual Characteristics
    • Contains native function calls
    • Spawns a lot of processes
      details
      Spawned process "<Input Sample>" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c md c:\newpr"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c md c:\newpr\ImgLib"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy CFG\ImgLib\*.* c:\newpr\ImgLib"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\SetUp_chs.ini c:\newpr\SetUpCHS.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\SetUp_cht.ini c:\newpr\SetUpCHT.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\SetUp_eng.ini c:\newpr\SetUpENG.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\SetUp_other.ini c:\newpr\SetUpJPN.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Info\Info_Sche.txt c:\newpr\Info_Sche.txt"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Info\Info_TChe.txt c:\newpr\Info_TChe.txt"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Info\Info_En.txt c:\newpr\Info_En.txt"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Info\Info_Other.txt c:\newpr\Info_Other.txt"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Lang_chs.ini c:\newpr\laserwork\Lang_chs.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Lang_cht.ini c:\newpr\laserwork\Lang_cht.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Lang_eng.ini c:\newpr\laserwork\Lang_eng.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Lang_other.ini c:\newpr\laserwork\Lang_other.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Plug_chs.ini c:\newpr\rdplug\Lang_chs.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Plug_cht.ini c:\newpr\rdplug\Lang_cht.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Plug_eng.ini c:\newpr\rdplug\Lang_eng.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Plug_other.ini c:\newpr\rdplug\Lang_other.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Preview_chs.ini c:\newpr\com\Preview_chs.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Preview_cht.ini c:\newpr\com\Preview_cht.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Preview_eng.ini c:\newpr\com\Preview_eng.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Preview_other.ini c:\newpr\com\Preview_other.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\LGP_chs.ini c:\newpr\com\LGP_chs.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\LGP_cht.ini c:\newpr\com\LGP_cht.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\LGP_eng.ini c:\newpr\com\LGP_eng.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\LGP_other.ini c:\newpr\com\LGP_other.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy CFG\config c:\newpr\laserwork\config"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy CFG\Plug_config c:\newpr\rdplug\config"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy CFG\Soft.ini c:\newpr\laserwork\Soft.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy CFG\Plug_Soft.ini c:\newpr\rdplug\Soft.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy CFG\tips c:\newpr\com\tips"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy CFG\Param.lib c:\newpr\Param.lib"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Res\Logo.ico c:\newpr\Logo.ico"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Res\Splash.bmp c:\newpr\Splash.bmp"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Res\RLD.ico c:\newpr\RLD.ico"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy RDMgr.dll c:\newpr\com\RDMgr.dll"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\help.chm c:\newpr\laserwork\help.chm"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\help1.chm c:\newpr\laserwork\help1.chm"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\help2.chm c:\newpr\laserwork\help2.chm"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\help3.chm c:\newpr\laserwork\help3.chm"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\help4.chm c:\newpr\laserwork\help4.chm"" (Show Process)
      Spawned process "RDWorksSetUpV8.exe" (Show Process)
      source
      Monitored Target
      relevance
      8/10
  • Hiding 3 Malicious Indicators
    • All indicators are available only in the private webservice or standalone version
  • Anti-Detection/Stealthyness
    • Queries process information
      details
      "RDWorksSetUpV8.exe" queried SystemProcessInformation at 00016133-00005012-00000033-74650100
      "RDWorksSetUpV8.exe" queried SystemProcessInformation at 00016133-00005012-00000033-91128275
      "RDWorksSetUpV8.exe" queried SystemProcessInformation at 00016133-00005012-00000033-98061223
      source
      API Call
      relevance
      4/10
  • Anti-Reverse Engineering
    • Checks a device property (often used to detect VM artifacts)
      details
      SetupDiGetDeviceRegistryPropertyA@SETUPAPI.dll at 3522-140-10002390
      source
      Hybrid Analysis Technology
      relevance
      7/10
    • PE file has unusual entropy sections
      details
      .text, .data with unusual entropies 7.2072388822, 7.26871920876
      source
      Static Parser
      relevance
      10/10
  • Cryptographic Related
    • Found a cryptographic related string
      details
      "DES" (Indicator: "des"; File: "ftbusui.dll.389703613")
      source
      String
      relevance
      10/10
  • Environment Awareness
    • Contains ability to query CPU information
      details
      cpuid at 3522-366-10003B85
      cpuid at 30287-304-0200A138
      source
      Hybrid Analysis Technology
      relevance
      10/10
    • Reads the active computer name
      details
      "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "RDWorksSetUpV8.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      source
      Registry Access
      relevance
      5/10
  • General
    • Contains ability to find and load resources of a specific module
      details
      LockResource@KERNEL32.dll at 16838-1775-10006390
      LockResource@KERNEL32.dll at 16838-1804-10003E80
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Reads configuration files
      details
      "<Input Sample>" read file "%USERPROFILE%\Desktop\desktop.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\SetUpENG.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\com\Preview_chs.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\com\Preview_cht.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\com\Preview_eng.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\com\Preview_other.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\com\LGP_chs.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\com\LGP_cht.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\com\LGP_eng.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\com\LGP_other.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\laserwork\Lang_chs.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\laserwork\Lang_cht.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\laserwork\Lang_eng.ini"
      "RDWorksSetUpV8.exe" read file "C:\newpr\laserwork\Lang_other.ini"
      "RDWorksSetUpV8.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
      source
      API Call
      relevance
      4/10
  • Installation/Persistence
    • Drops executable files
      details
      "ExFileMgr.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
      "RDLGP.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "RDCAM.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "rdloadV8.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
      "ftbusui.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "UnInst64.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "RDElement.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "rdloadV8.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "drIptBdrFe.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "ftcserco.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "Element.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
      "ftcserco.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
      "ExCurve.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "RDCutting.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "RDWorksV8Uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "ShareProjector.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "RDWorksSetUpV8.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "UnInst32.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      source
      Extracted File
      relevance
      10/10
    • The input sample dropped/contains a document file
      details
      File "ftdiport.cat" is a certificate (Owner: CN=Microsoft Time-Stamp Service, OU=nCipher DSE ESN:7D2E-3782-B0F7, OU=MOPR, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Time-Stamp PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 3300000037febdeddcd254016b000000000037; Valid From: 03/27/2013 21:08:29; Until: 06/27/2014 21:08:29; Fingerprints: MD5=30:50:A7:27:C9:DD:E4:B9:F1:92:EA:F9:29:60:84:84; SHA1=22:B5:B8:9A:15:D8:86:18:40:00:08:8C:F0:5F:D4:07:7D:2A:BE:91)
      File "ftdiport.cat" is a certificate (Owner: CN=Microsoft Windows Hardware Compatibility Publisher, OU=MOPR, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Windows Hardware Compatibility PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 330000000b19302c31b264785d00010000000b; Valid From: 05/16/2013 19:48:57; Until: 08/16/2014 19:48:57; Fingerprints: MD5=C7:3E:6F:06:74:5B:85:F7:45:73:44:C3:13:3B:34:1B; SHA1=3D:5C:79:17:B3:EE:3E:42:26:A4:71:C6:BE:41:19:6B:87:59:44:03)
      File "ftdiport.cat" is a certificate (Owner: CN=Microsoft Windows Hardware Compatibility PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com; SerialNumber: 33000000382e50e86a989d957f000000000038; Valid From: 06/04/2012 22:05:46; Until: 06/04/2020 22:15:46; Fingerprints: MD5=5F:38:BD:38:CC:79:E9:75:2A:38:AC:15:6B:85:2D:2D; SHA1=8D:42:41:9D:8B:21:E5:CF:9C:32:04:D0:06:0B:19:31:2B:96:EB:78)
      File "ftdiport.cat" is a certificate (Owner: CN=Microsoft Time-Stamp PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com; SerialNumber: 6116683400000000001c; Valid From: 04/03/2007 13:53:09; Until: 04/03/2021 14:03:09; Fingerprints: MD5=41:1B:93:90:4E:0E:5F:59:3B:72:13:20:E9:7E:80:FF; SHA1=37:5F:CB:82:5C:3D:C3:75:2A:02:E3:4E:B7:09:93:B4:99:71:91:EF)
      File "ftdibus.cat" is a certificate (Owner: CN=Microsoft Time-Stamp Service, OU=nCipher DSE ESN:31C5-30BA-7C91, OU=MOPR, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Time-Stamp PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 330000003528ee615392226191000000000035; Valid From: 03/27/2013 21:08:26; Until: 06/27/2014 21:08:26; Fingerprints: MD5=77:B0:E2:A8:B3:E6:0B:97:F6:8F:EF:3E:7E:92:57:C4; SHA1=9E:F5:6A:89:7C:EA:E7:F0:5F:EC:75:0D:B7:21:87:48:6F:B3:DD:93)
      File "ftdibus.cat" is a certificate (Owner: CN=Microsoft Windows Hardware Compatibility Publisher, OU=MOPR, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Windows Hardware Compatibility PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 330000000b19302c31b264785d00010000000b; Valid From: 05/16/2013 19:48:57; Until: 08/16/2014 19:48:57; Fingerprints: MD5=C7:3E:6F:06:74:5B:85:F7:45:73:44:C3:13:3B:34:1B; SHA1=3D:5C:79:17:B3:EE:3E:42:26:A4:71:C6:BE:41:19:6B:87:59:44:03)
      File "ftdibus.cat" is a certificate (Owner: CN=Microsoft Windows Hardware Compatibility PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com; SerialNumber: 33000000382e50e86a989d957f000000000038; Valid From: 06/04/2012 22:05:46; Until: 06/04/2020 22:15:46; Fingerprints: MD5=5F:38:BD:38:CC:79:E9:75:2A:38:AC:15:6B:85:2D:2D; SHA1=8D:42:41:9D:8B:21:E5:CF:9C:32:04:D0:06:0B:19:31:2B:96:EB:78)
      File "ftdibus.cat" is a certificate (Owner: CN=Microsoft Time-Stamp PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com; SerialNumber: 6116683400000000001c; Valid From: 04/03/2007 13:53:09; Until: 04/03/2021 14:03:09; Fingerprints: MD5=41:1B:93:90:4E:0E:5F:59:3B:72:13:20:E9:7E:80:FF; SHA1=37:5F:CB:82:5C:3D:C3:75:2A:02:E3:4E:B7:09:93:B4:99:71:91:EF)
      source
      Extracted File
      relevance
      10/10
  • Network Related
    • Found potential IP address in binary/memory
      details
      "192.168.1.100"
      "192.168.1.10"
      "2.10.00.1"
      source
      String
      relevance
      3/10
  • Remote Access Related
    • Reads terminal service related keys (often RDP related)
      details
      "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
      "RDWorksSetUpV8.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
      source
      Registry Access
      relevance
      10/10
  • Spyware/Information Retrieval
    • Contains ability to enumerate processes/modules/threads
      details
      CreateToolhelp32Snapshot@KERNEL32.DLL from RDWorksSetUpV8.exe (PID: 5012) (Show Stream)
      CreateToolhelp32Snapshot@KERNEL32.dll at 6114-289-00410BB4
      source
      Hybrid Analysis Technology
      relevance
      5/10
  • System Destruction
    • Marks file for deletion
      details
      "C:\RDWorksV8Setup8.01.26-170927.exe" marked "%TEMP%\$inst\temp_0.tmp" for deletion
      "C:\RDWorksV8Setup8.01.26-170927.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\$inst\0001.tmp" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\EditCurveDLL.dll" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\Element.dll" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\ExCurve.dll" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\ExDib.dll" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\ExDraw.dll" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\ExFileMgr.dll" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\ExLoader.dll" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\ExMath.dll" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\ExText.dll" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\Fonts\BIG.SHX" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\Fonts\Complex.SHX" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\Fonts\CYRILLIC.SHX" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\Fonts\CYRILTLC.SHX" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\Fonts\Fs.SHX" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\Fonts\gbcbig.shx" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\Fonts\GOTHICE.SHX" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\Fonts\GOTHICG.SHX" for deletion
      "C:\newpr\RDWorksSetUpV8.exe" marked "C:\RDWorksV8\Fonts\GOTHICI.SHX" for deletion
      source
      API Call
      relevance
      10/10
    • Opens file with deletion access rights
      details
      "<Input Sample>" opened "%TEMP%\$inst\temp_0.tmp" with delete access
      "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$inst\0001.tmp" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\EditCurveDLL.dll" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\Element.dll" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\ExCurve.dll" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\ExDib.dll" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\ExDraw.dll" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\ExFileMgr.dll" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\ExLoader.dll" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\ExMath.dll" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\ExText.dll" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\Fonts\BIG.SHX" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\Fonts\Complex.SHX" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\Fonts\CYRILLIC.SHX" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\Fonts\CYRILTLC.SHX" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\Fonts\Fs.SHX" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\Fonts\gbcbig.shx" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\Fonts\GOTHICE.SHX" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\Fonts\GOTHICG.SHX" with delete access
      "RDWorksSetUpV8.exe" opened "C:\RDWorksV8\Fonts\GOTHICI.SHX" with delete access
      source
      API Call
      relevance
      7/10
  • System Security
    • Modifies proxy settings
      details
      "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      source
      Registry Access
      relevance
      10/10
    • Queries sensitive IE security settings
      details
      "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
      source
      Registry Access
      relevance
      8/10
  • Unusual Characteristics
    • CRC value set in PE header does not match actual value
      details
      "RDWorksV8Setup8.01.26-170927.exe.bin" claimed CRC 223804 while the actual is CRC 8644484
      "RDLGP.dll" claimed CRC 0 while the actual is CRC 62388
      "rdloadV8.dll" claimed CRC 33097 while the actual is CRC 360965
      "ftbusui.dll" claimed CRC 144872 while the actual is CRC 33097
      "ftcserco.dll" claimed CRC 103240 while the actual is CRC 82798
      "Element.dll" claimed CRC 66062 while the actual is CRC 103240
      "ftcserco.dll" claimed CRC 87168 while the actual is CRC 66062
      "ftlang.dll" claimed CRC 219536 while the actual is CRC 88366
      "ftd2xx.dll" claimed CRC 242520 while the actual is CRC 93048
      "ftd2xx64.dll" claimed CRC 262889 while the actual is CRC 2353360
      "ftserui2.dll" claimed CRC 69334 while the actual is CRC 262889
      "ftserui2.dll" claimed CRC 92412 while the actual is CRC 89932
      "drIptBdrFe.dll" claimed CRC 80360 while the actual is CRC 92412
      "FTD2XX.dll" claimed CRC 267053 while the actual is CRC 80360
      "DPInst32.exe" claimed CRC 833107 while the actual is CRC 267053
      "ftbusui.dll" claimed CRC 143322 while the actual is CRC 833107
      "DPInst64.exe" claimed CRC 986557 while the actual is CRC 1480622
      "ftlang.dll" claimed CRC 259753 while the actual is CRC 166493
      source
      Static Parser
      relevance
      10/10
    • Imports suspicious APIs
      details
      RegCloseKey
      OpenProcessToken
      GetUserNameA
      RegCreateKeyExA
      RegOpenKeyExA
      RegEnumKeyExA
      GetFileAttributesA
      GetVersionExA
      GetModuleFileNameA
      LoadLibraryA
      WinExec
      GetFileSize
      OpenProcess
      CreateDirectoryA
      DeleteFileA
      UnhandledExceptionFilter
      GetCommandLineA
      GetProcAddress
      GetTempPathA
      GetModuleHandleA
      FindFirstFileA
      WriteFile
      GetStartupInfoA
      GetComputerNameA
      FindNextFileA
      TerminateProcess
      Sleep
      CreateFileA
      VirtualAlloc
      ShellExecuteExA
      ShellExecuteA
      FindWindowA
      GetUpdateRgn
      IsDebuggerPresent
      GetTickCount
      CreateThread
      LockResource
      FindResourceA
      recvfrom
      socket
      bind
      WSAStartup
      sendto
      closesocket
      DeviceIoControl
      GetModuleFileNameW
      OutputDebugStringA
      GetFileAttributesW
      GetModuleHandleW
      LoadLibraryW
      RegOpenKeyW
      OutputDebugStringW
      VirtualProtect
      LoadLibraryExA
      GetVersionExW
      LoadLibraryExW
      GetStartupInfoW
      CreateProcessA
      MapViewOfFile
      OpenFileMappingA
      CreateFileMappingA
      RegOpenKeyA
      RegEnumKeyA
      CreateToolhelp32Snapshot
      Process32Next
      Process32First
      FindResourceExW
      FindWindowExA
      GetCommandLineW
      RegOpenKeyExW
      CreateFileW
      source
      Static Parser
      relevance
      1/10
    • Reads information about supported languages
      details
      "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "RDWorksSetUpV8.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      source
      Registry Access
      relevance
      3/10
  • Hiding 8 Suspicious Indicators
    • All indicators are available only in the private webservice or standalone version
  • Anti-Reverse Engineering
    • Contains ability to register a top-level exception handler (often used as anti-debugging trick)
      details
      SetUnhandledExceptionFilter@KERNEL32.dll at 3522-528-1000FDBC
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • PE file contains zero-size sections
      details
      Raw size of "BSS" is zero
      Raw size of ".tls" is zero
      source
      Static Parser
      relevance
      10/10
  • Environment Awareness
    • Contains ability to query machine time
    • Contains ability to query the machine timezone
      details
      GetTimeZoneInformation@KERNEL32.dll at 3522-478-100109FC
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query the machine version
    • Contains ability to query the system locale
      details
      GetUserDefaultLCID@KERNEL32.DLL from RDWorksSetUpV8.exe (PID: 5012) (Show Stream)
      EnumSystemLocalesA@KERNEL32.dll at 3522-403-1000C240
      GetUserDefaultLCID@KERNEL32.dll at 3522-881-1000BD4A
      EnumSystemLocalesA@KERNEL32.dll at 3522-922-1000C214
      EnumSystemLocalesA@KERNEL32.dll at 3522-401-1000C2A7
      GetUserDefaultLCID@KERNEL32.dll at 3522-400-1000C2E3
      GetUserDefaultLCID@KERNEL32.dll at 6114-296-004044A0
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query volume size
    • Makes a code branch decision directly after an API that is environment aware
      details
      Found API call GetVersion@KERNEL32.dll (Target: "RDLGP.dll.145135836"; Stream UID: "16838-1840-100010A0")
      which is directly followed by "cmp eax, 80000000h" and "jnc 10001152h". See related instructions: "...+0 push ebx+1 push esi+2 push edi+3 call dword ptr [1004C120h] ;GetVersion+9 cmp eax, 80000000h+14 jnc 10001152h" ... at 16838-1840-100010A0
      source
      Hybrid Analysis Technology
      relevance
      10/10
    • Queries volume information
      details
      "RDWorksSetUpV8.exe" queries volume information of "C:\" at 00016133-00005012-00000046-74888730
      "RDWorksSetUpV8.exe" queries volume information of "C:\RDWorksV8\RDWorksV8.exe" at 00016133-00005012-00000046-74900178
      "RDWorksSetUpV8.exe" queries volume information of "C:\" at 00016133-00005012-00000046-75052222
      "RDWorksSetUpV8.exe" queries volume information of "C:\RDWorksV8\RDWorksV8.exe" at 00016133-00005012-00000046-75052380
      "RDWorksSetUpV8.exe" queries volume information of "C:\" at 00016133-00005012-00000046-75061460
      "RDWorksSetUpV8.exe" queries volume information of "C:\RDWorksV8\RDWorksV8Uninstall.exe" at 00016133-00005012-00000046-75061617
      source
      API Call
      relevance
      2/10
    • Queries volume information of an entire harddrive
      details
      "RDWorksSetUpV8.exe" queries volume information of "C:\" at 00016133-00005012-00000046-74888730
      "RDWorksSetUpV8.exe" queries volume information of "C:\" at 00016133-00005012-00000046-75052222
      "RDWorksSetUpV8.exe" queries volume information of "C:\" at 00016133-00005012-00000046-75061460
      source
      API Call
      relevance
      8/10
    • Reads the registry for installed applications
      details
      "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CMD.EXE")
      "<Input Sample>" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CMD.EXE")
      "<Input Sample>" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RDWORKS 8.01.26")
      "RDWorksSetUpV8.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\RDWORKSSETUPV8.EXE")
      "RDWorksSetUpV8.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\RDWORKSSETUPV8.EXE")
      source
      Registry Access
      relevance
      10/10
  • General
    • Contains PDB pathways
      details
      "o\objfre_wnet_amd64\amd64\ftcserco.pdb"
      "%USERPROFILE%\desktop\window~1\v21000~1.rc2\coinst\ftcserco\objfre_wnet_x86\i386\ftcserco.pdb"
      source
      String
      relevance
      1/10
    • Creates a writable file in a temporary directory
      details
      "<Input Sample>" created file "%TEMP%\$inst\2.tmp"
      "<Input Sample>" created file "%TEMP%\$inst\temp_0.tmp"
      "<Input Sample>" created file "%TEMP%\$inst\0001.tmp"
      source
      API Call
      relevance
      1/10
    • Creates mutants
      details
      "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
      "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
      "Local\ZonesCacheCounterMutex"
      "Local\ZonesLockedCacheCounterMutex"
      source
      Created Mutant
      relevance
      3/10
    • Drops files marked as clean
      details
      Antivirus vendors marked dropped file "ExFileMgr.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
      Antivirus vendors marked dropped file "RDLGP.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "rdloadV8.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
      Antivirus vendors marked dropped file "ftbusui.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "UnInst64.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "ftdiport.cat" as clean (type is "data")
      Antivirus vendors marked dropped file "RDElement.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "rdloadV8.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "drIptBdrFe.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "ftcserco.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "Element.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
      Antivirus vendors marked dropped file "ftcserco.dll" as clean (type is "PE32+ executable (DLL) (console) x86-64 for MS Windows")
      Antivirus vendors marked dropped file "ExCurve.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "UnInst32.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "RDWorksV8.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "ftd2xx64.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
      Antivirus vendors marked dropped file "ftserui2.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "EditCurveDLL.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      source
      Extracted File
      relevance
      10/10
    • Runs shell commands
      details
      ""/c md c:\newpr"" on 2018-4-6.01:35:42.936
      ""/c md c:\newpr\ImgLib"" on 2018-4-6.01:35:43.139
      ""/c copy CFG\ImgLib\*.* c:\newpr\ImgLib"" on 2018-4-6.01:35:45.498
      ""/c copy Lang\SetUp_chs.ini c:\newpr\SetUpCHS.ini"" on 2018-4-6.01:35:45.717
      ""/c copy Lang\SetUp_cht.ini c:\newpr\SetUpCHT.ini"" on 2018-4-6.01:35:45.779
      ""/c copy Lang\SetUp_eng.ini c:\newpr\SetUpENG.ini"" on 2018-4-6.01:35:45.857
      ""/c copy Lang\SetUp_other.ini c:\newpr\SetUpJPN.ini"" on 2018-4-6.01:35:45.936
      ""/c copy Info\Info_Sche.txt c:\newpr\Info_Sche.txt"" on 2018-4-6.01:35:46.014
      ""/c copy Info\Info_TChe.txt c:\newpr\Info_TChe.txt"" on 2018-4-6.01:35:46.092
      ""/c copy Info\Info_En.txt c:\newpr\Info_En.txt"" on 2018-4-6.01:35:46.170
      ""/c copy Info\Info_Other.txt c:\newpr\Info_Other.txt"" on 2018-4-6.01:35:46.248
      ""/c copy Lang\Lang_chs.ini c:\newpr\laserwork\Lang_chs.ini"" on 2018-4-6.01:35:46.357
      ""/c copy Lang\Lang_cht.ini c:\newpr\laserwork\Lang_cht.ini"" on 2018-4-6.01:35:46.467
      ""/c copy Lang\Lang_eng.ini c:\newpr\laserwork\Lang_eng.ini"" on 2018-4-6.01:35:46.545
      ""/c copy Lang\Lang_other.ini c:\newpr\laserwork\Lang_other.ini"" on 2018-4-6.01:35:46.639
      ""/c copy Lang\Plug_chs.ini c:\newpr\rdplug\Lang_chs.ini"" on 2018-4-6.01:35:46.826
      ""/c copy Lang\Plug_cht.ini c:\newpr\rdplug\Lang_cht.ini"" on 2018-4-6.01:35:46.936
      ""/c copy Lang\Plug_eng.ini c:\newpr\rdplug\Lang_eng.ini"" on 2018-4-6.01:35:47.076
      ""/c copy Lang\Plug_other.ini c:\newpr\rdplug\Lang_other.ini"" on 2018-4-6.01:35:47.217
      ""/c copy Lang\Preview_chs.ini c:\newpr\com\Preview_chs.ini"" on 2018-4-6.01:35:47.326
      source
      Monitored Target
      relevance
      5/10
    • Spawns new processes
      details
      Spawned process "cmd.exe" with commandline ""/c md c:\newpr"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c md c:\newpr\ImgLib"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy CFG\ImgLib\*.* c:\newpr\ImgLib"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\SetUp_chs.ini c:\newpr\SetUpCHS.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\SetUp_cht.ini c:\newpr\SetUpCHT.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\SetUp_eng.ini c:\newpr\SetUpENG.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\SetUp_other.ini c:\newpr\SetUpJPN.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Info\Info_Sche.txt c:\newpr\Info_Sche.txt"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Info\Info_TChe.txt c:\newpr\Info_TChe.txt"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Info\Info_En.txt c:\newpr\Info_En.txt"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Info\Info_Other.txt c:\newpr\Info_Other.txt"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Lang_chs.ini c:\newpr\laserwork\Lang_chs.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Lang_cht.ini c:\newpr\laserwork\Lang_cht.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Lang_eng.ini c:\newpr\laserwork\Lang_eng.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Lang_other.ini c:\newpr\laserwork\Lang_other.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Plug_chs.ini c:\newpr\rdplug\Lang_chs.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Plug_cht.ini c:\newpr\rdplug\Lang_cht.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Plug_eng.ini c:\newpr\rdplug\Lang_eng.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Plug_other.ini c:\newpr\rdplug\Lang_other.ini"" (Show Process)
      Spawned process "cmd.exe" with commandline ""/c copy Lang\Preview_chs.ini c:\newpr\com\Preview_chs.ini"" (Show Process)
      source
      Monitored Target
      relevance
      3/10
  • Installation/Persistence
    • Contains ability to lookup the windows account name
    • Dropped files
      details
      "ExFileMgr.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
      "RDLGP.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "RDCAM.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "rdloadV8.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
      "ftbusui.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "UnInst64.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "ftdiport.cat" has type "data"
      "RDElement.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "rdloadV8.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "drIptBdrFe.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "ftcserco.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "Element.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
      "ftcserco.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
      "ExCurve.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "RDCutting.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "RDWorksV8Uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "RDWorksV8.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Icon number=0 Archive ctime=Thu Apr 5 22:39:18 2018 mtime=Thu Apr 5 22:39:18 2018 atime=Fri Sep 22 11:39:12 2017 length=2334720 window=hide"
      "ShareProjector.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "RDWorksSetUpV8.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      source
      Extracted File
      relevance
      3/10
    • Touches files in the Windows directory
      details
      "<Input Sample>" touched file "%WINDIR%\Fonts\StaticCache.dat"
      "<Input Sample>" touched file "%WINDIR%\SysWOW64\en-US\user32.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
      "<Input Sample>" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\SysWOW64"
      "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
      "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
      "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db"
      "<Input Sample>" touched file "%WINDIR%\SysWOW64\cmd.exe"
      "<Input Sample>" touched file "%WINDIR%\AppPatch\sysmain.sdb"
      source
      API Call
      relevance
      7/10
  • Network Related
    • Found potential URL in binary/memory
      details
      Heuristic match: "@$&%04\driver\ftdibus.cat"
      Heuristic match: "@$&%04\driver\ftdiport.cat"
      Heuristic match: ">:v<vW.tr"
      Heuristic match: "z7:+sk.kH"
      Pattern match: "8.40.20/8.41.20"
      Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
      source
      String
      relevance
      10/10
  • System Security
    • Opens the Kernel Security Device Driver (KsecDD) of Windows
      details
      "<Input Sample>" opened "\Device\KsecDD"
      "RDWorksSetUpV8.exe" opened "\Device\KsecDD"
      source
      API Call
      relevance
      10/10
  • Unusual Characteristics
    • Found Delphi 4 - Delphi 2006 artifact
      details
      "RDWorksV8Setup8.01.26-170927.exe.bin" has a PE timestamp using the buggy magic timestamp 0x2A425E19.
      source
      Static Parser
      relevance
      10/10
    • Installs hooks/patches the running process
      details
      "cmd.exe" wrote bytes "711146017a3b4501ab8b02007f950200fc8c0200729602006cc805001ecd42017d264201" to virtual address "0x75D007E4" (part of module "USER32.DLL")
      source
      Hook Detection
      relevance
      10/10
    • Matched Compiler/Packer signature
      details
      "RDWorksV8Setup8.01.26-170927.exe.bin" was detected as "BobSoft Mini Delphi -> BoB / BobSoft"
      "RDLGP.dll" was detected as "Microsoft visual C++ 6.0 DLL"
      "RDCAM.dll" was detected as "Microsoft visual C++ 6.0 DLL"
      "ftbusui.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
      "UnInst64.exe" was detected as "Microsoft visual C++ 5.0"
      "RDElement.dll" was detected as "Microsoft visual C++ 6.0 DLL"
      "rdloadV8.dll" was detected as "Microsoft visual C++ 6.0 DLL"
      "drIptBdrFe.dll" was detected as "Microsoft visual C++ 6.0 DLL"
      "ftcserco.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
      "ExCurve.dll" was detected as "Microsoft visual C++ 6.0 DLL"
      "RDCutting.dll" was detected as "Microsoft visual C++ 6.0 DLL"
      "RDWorksV8Uninstall.exe" was detected as "Microsoft visual C++ 5.0"
      "ShareProjector.dll" was detected as "Microsoft visual C++ 6.0 DLL"
      "RDWorksSetUpV8.exe" was detected as "Microsoft visual C++ 5.0"
      "RDReader.dll" was detected as "Microsoft visual C++ 6.0 DLL"
      "ftlang.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
      "ParaMgr.dll" was detected as "Microsoft visual C++ 6.0 DLL"
      "ExLoader.dll" was detected as "Microsoft visual C++ 6.0 DLL"
      "ExDraw.dll" was detected as "Microsoft visual C++ 6.0 DLL"
      "ftd2xx.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
      source
      Static Parser
      relevance
      10/10

File Details

All Details:

RDWorksV8Setup8.01.26-170927.exe

Filename
RDWorksV8Setup8.01.26-170927.exe
Size
8.2MiB (8626111 bytes)
Type
peexe executable
Description
PE32 executable (GUI) Intel 80386, for MS Windows
Architecture
WINDOWS
SHA256
0f983527723e8b238308386892013b8548808959443755e451a53d3b6ab80b1a
Compiler/Packer
BobSoft Mini Delphi -> BoB / BobSoft

Version Info

LegalCopyright
None
FileDescription
RDWorks 8.01.26 Installation
FileVersion
8.01.26
Comments
-
CompanyName
None
Translation
0x0409 0x04e4

Classification (TrID)

  • 32.6% (.EXE) Win32 Executable Delphi generic
  • 29.1% (.SCR) Windows Screen Saver
  • 14.6% (.DLL) Win32 Dynamic Link Library (generic)
  • 10.0% (.EXE) Win32 Executable (generic)
  • 4.6% (.EXE) Win16/32 Executable Delphi generic


Hybrid Analysis

Analysed 44 processes in total (System Resource Monitor).

  • RDWorksV8Setup8.01.26-170927.exe (PID: 2932) 11/66

Network Analysis

DNS Requests

No relevant DNS requests were made.

HTTP Traffic

No relevant HTTP requests were made.

Extracted Files

Displaying 75 extracted file(s). The remaining 114 file(s) are available in the full version and XML/JSON reports.

    • EditCurveDLL.dll
    • ExCurve.dll
    • ExDraw.dll
    • FTD2XX.dll
    • RDElement.dll
    • RDLGP.dll
    • rdloadV5.dll
    • DPInst32.exe
    • DPInst64.exe
    • UnInst32.exe
    • UnInst64.exe
    • ftd2xx64.dll
    • ftdibus.inf
    • ftdiport.cat
    • ftdiport.inf
    • ftbusui.dll
    • ftcserco.dll
    • ftserui2.dll
    • drIptBdrFe.dll
    • rdloadV8.dll
    • LGP_chs.ini
    • LGP_cht.ini
    • LGP_eng.ini
    • LGP_other.ini
    • Lang_chs.ini
    • Lang_cht.ini
    • Lang_eng.ini
    • Lang_other.ini
    • Logo.ico
    • Preview_chs.ini
    • Preview_cht.ini
    • Preview_eng.ini
    • Preview_other.ini
    • RDCAM.dll
    • RDMgr.dll
    • RLD.ico
    • Info_En.txt
    • Info_Other.txt
    • Info_SChe.txt
    • Info_TChe.txt
    • soft.ini
    • tips
    • SetUpCHS.ini
    • SetUpCHT.ini
    • SetUpENG.ini
    • SetUpJPN.ini
    • Desktop
      Size
      Unknown (0 bytes)
      Type
      empty
      Runtime Process
      RDWorksSetUpV8.exe (PID: 5012)
    • RDWorksV8.lnk
      Size
      1.4KiB (1480 bytes)
      Type
      lnk
      Description
      MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Apr 5 22:39:18 2018, mtime=Thu Apr 5 22:39:18 2018, atime=Fri Sep 22 11:39:12 2017, length=2334720, window=hide
      Runtime Process
      RDWorksSetUpV8.exe (PID: 5012)
      MD5
      f22d74172dabe8f1f6acab04cc9b08e3
      SHA1
      1991bb0c908fb071ca0e40c086d0c0423fd1a379
      SHA256
      c57c41e0ad167bfb1b0eb1f52ec8d7693d6c8828eccb190fb60494b97edbc50a
    • RDWorksV8Uninstall.lnk
      Size
      693B (693 bytes)
      Type
      lnk
      Description
      MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Apr 5 22:39:18 2018, mtime=Thu Apr 5 22:39:18 2018, atime=Sat Oct 26 13:20:38 2013, length=24576, window=hide
      Runtime Process
      RDWorksSetUpV8.exe (PID: 5012)
      MD5
      eff64eb1029780c1457f3016b7e831c4
      SHA1
      e61245d311e5962b32229cf21d01c54c53ce4651
      SHA256
      15d42748ba3b7e179949ac283ccafbe2e9cf701b79b3e6ff5729f21f66a83d51
    • 0001.tmp
    • 2.tmp
    • temp_0.tmp
    • RDCutting.dll
    • Element.dll
    • ExDib.dll
    • ExFileMgr.dll
    • ExLoader.dll
    • ExMath.dll
    • ExText.dll
    • BIG.SHX
    • Complex.SHX
    • CYRILLIC.SHX
    • ParaMgr.dll
    • RDReader.dll
    • RDWorksV8.exe
    • ShareProjector.dll
    • RDWorksSetUpV8.exe
    • RDViewDLL.dll
    • RLD.dll
    • ftdibus.cat
    • ftd2xx.dll
    • ftlang.dll

Notifications

  • Added comment to Virus Total report
  • Not all file accesses are visible for cmd.exe (PID: 1484)
  • Not all file accesses are visible for cmd.exe (PID: 1580)
  • Not all file accesses are visible for cmd.exe (PID: 1832)
  • Not all file accesses are visible for cmd.exe (PID: 1848)
  • Not all file accesses are visible for cmd.exe (PID: 2076)
  • Not all file accesses are visible for cmd.exe (PID: 2100)
  • Not all file accesses are visible for cmd.exe (PID: 2212)
  • Not all file accesses are visible for cmd.exe (PID: 2256)
  • Not all file accesses are visible for cmd.exe (PID: 2260)
  • Not all file accesses are visible for cmd.exe (PID: 2312)
  • Not all file accesses are visible for cmd.exe (PID: 2540)
  • Not all file accesses are visible for cmd.exe (PID: 2560)
  • Not all file accesses are visible for cmd.exe (PID: 2664)
  • Not all file accesses are visible for cmd.exe (PID: 2920)
  • Not all file accesses are visible for cmd.exe (PID: 2976)
  • Not all file accesses are visible for cmd.exe (PID: 3036)
  • Not all file accesses are visible for cmd.exe (PID: 3080)
  • Not all file accesses are visible for cmd.exe (PID: 3092)
  • Not all file accesses are visible for cmd.exe (PID: 3096)
  • Not all file accesses are visible for cmd.exe (PID: 3248)
  • Not all file accesses are visible for cmd.exe (PID: 3448)
  • Not all file accesses are visible for cmd.exe (PID: 3660)
  • Not all file accesses are visible for cmd.exe (PID: 3668)
  • Not all file accesses are visible for cmd.exe (PID: 3672)
  • Not all file accesses are visible for cmd.exe (PID: 3720)
  • Not all file accesses are visible for cmd.exe (PID: 3752)
  • Not all file accesses are visible for cmd.exe (PID: 3760)
  • Not all file accesses are visible for cmd.exe (PID: 3788)
  • Not all file accesses are visible for cmd.exe (PID: 3800)
  • Not all file accesses are visible for cmd.exe (PID: 3844)
  • Not all file accesses are visible for cmd.exe (PID: 4004)
  • Not all file accesses are visible for cmd.exe (PID: 4084)
  • Not all file accesses are visible for cmd.exe (PID: 4248)
  • Not all file accesses are visible for cmd.exe (PID: 4252)
  • Not all file accesses are visible for cmd.exe (PID: 4256)
  • Not all file accesses are visible for cmd.exe (PID: 4300)
  • Not all file accesses are visible for cmd.exe (PID: 4804)
  • Not all file accesses are visible for cmd.exe (PID: 4828)
  • Not all file accesses are visible for cmd.exe (PID: 4844)
  • Not all file accesses are visible for cmd.exe (PID: 4852)
  • Not all file accesses are visible for cmd.exe (PID: 4860)
  • Not all file accesses are visible for cmd.exe (PID: 4916)
  • Not all sources for indicator ID "api-25" are available in the report
  • Not all sources for indicator ID "api-26" are available in the report
  • Not all sources for indicator ID "api-55" are available in the report
  • Not all sources for indicator ID "api-6" are available in the report
  • Not all sources for indicator ID "binary-0" are available in the report
  • Not all sources for indicator ID "binary-1" are available in the report
  • Not all sources for indicator ID "binary-16" are available in the report
  • Not all sources for indicator ID "hooks-8" are available in the report
  • Not all sources for indicator ID "mutant-0" are available in the report
  • Not all sources for indicator ID "static-1" are available in the report
  • Not all sources for indicator ID "static-18" are available in the report
  • Not all sources for indicator ID "static-6" are available in the report
  • Not all sources for indicator ID "static-8" are available in the report
  • Not all sources for indicator ID "string-64" are available in the report
  • Not all sources for indicator ID "target-25" are available in the report
  • Not all sources for indicator ID "target-3" are available in the report
  • Not all strings are visible in the report, because the maximum number of strings was reached (5000)
  • Some low-level information is hidden, as this is only a slim report

Source: https://www.hybrid-analysis.com/sample/0f983527723e8b238308386892013b8548808959443755e451a53d3b6ab80b1a/5ac65faa7ca3e149ae1c32a3