VueScan x32 v9.7.50+ Patcher v1.2.exe
This report is generated from a file or URL submitted to this webservice on June 10th 2021 13:18:17 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.48.8 © Hybrid Analysis
Incident Response
Risk Assessment
- Evasive
- Marks file for deletion
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 5
-
External Systems
-
Sample was identified as malicious by a large number of Antivirus engines
- details
- 44/67 Antivirus vendors marked sample as malicious (65% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 44/67 Antivirus vendors marked sample as malicious (65% detection rate)
- source
- External System
- relevance
- 8/10
-
-
General
-
The analysis extracted a file that was identified as malicious
- details
- 37/67 Antivirus vendors marked dropped file "dup2patcher.dll" as malicious (classified as "HackTool.Patcher" with 55% detection rate)
- source
- Binary File
- relevance
- 10/10
-
-
Pattern Matching
-
YARA signature match
- details
-
YARA signature "CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen" matched file "1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin" as "Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe" based on indicators: "<description>Patch</description>,\dup2patcher.dll,load_patcher" (Reference: Disclosed CN Honker Pentest Toolset, Author: Florian Roth)
YARA signature "CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen" matched file "all.bstring" as "Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe" based on indicators: "<description>Patch</description>,\dup2patcher.dll,load_patcher" (Reference: Disclosed CN Honker Pentest Toolset, Author: Florian Roth)
The three indicators are generic strings of the dUP2 (diablo2oo2's Universal Patcher) framework, which is what ships dup2patcher.dll; the rule therefore fires on any dUP2-built patcher and does not tie this sample to the Acunetix keygen it is named after.
- source
- YARA Signature
- relevance
- 10/10
-
-
Hiding 1 Malicious Indicators
-
Suspicious Indicators 8
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
- .rsrc with unusual entropies 7.74497265598 (of a maximum of 8.0 bits per byte). Together with the FindResourceA import and the DLL the sample later writes to %TEMP%, this is consistent with the resource section carrying the dup2patcher.dll payload in compressed or encrypted form.
- source
- Static Parser
- relevance
- 10/10
-
-
Installation/Persistence
-
Drops executable files
- details
- "dup2patcher.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
-
System Destruction
-
Marks file for deletion
- details
- "C:\VueScanx32v9.7.50_Patcherv1.2.exe" marked "%TEMP%\dup2patcher.dll" for deletion. The target is the helper DLL the sample itself dropped (see "Creates a writable file in a temporary directory" below), so this is self-cleanup of the dropped component rather than destruction of user data.
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107 File Deletion (retired ID; current mapping T1070.004, Indicator Removal: File Deletion)
-
Opens file with deletion access rights
- details
- "VueScanx32v9.7.50_Patcherv1.2.exe" opened "%TEMP%\dup2patcher.dll" with delete access
- source
- API Call
- relevance
- 7/10
-
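The three API-call entries above (file created in %TEMP%, opened with delete access, marked for deletion) describe a drop, use, wipe sequence. The following Python is an added example, not Falcon Sandbox or Hybrid Analysis code: it correlates file events per process and path into that sequence and reports a finding when a PE written to a temp directory is deleted by the same process shortly afterwards. The event records, their field names (ts, pid, image, op, path) and the benign noise are constructed for this example, modelled on the report's entries rather than taken from a real log.

```python
"""Correlate file events into a 'drop, use, wipe' pattern.

Added example, not part of the Falcon Sandbox report. The EVENTS list is
constructed to mirror the API calls the report lists for dup2patcher.dll;
the schema (ts, pid, image, op, path) is this example's own.
"""
import ntpath
from collections import defaultdict

TEMP = r"C:\Users\user\AppData\Local\Temp"  # assumed %TEMP% of the Windows 7 guest

# Constructed events (not a real log), modelled on the report's API-call indicators.
EVENTS = [
    {"ts": 1.00, "pid": 2408, "image": "VueScanx32v9.7.50_Patcherv1.2.exe", "op": "create_write", "path": TEMP + r"\dup2patcher.dll"},
    {"ts": 1.05, "pid": 2408, "image": "VueScanx32v9.7.50_Patcherv1.2.exe", "op": "load_image",   "path": TEMP + r"\dup2patcher.dll"},
    {"ts": 1.30, "pid": 2408, "image": "VueScanx32v9.7.50_Patcherv1.2.exe", "op": "open_delete",  "path": TEMP + r"\dup2patcher.dll"},
    {"ts": 1.31, "pid": 2408, "image": "VueScanx32v9.7.50_Patcherv1.2.exe", "op": "mark_delete",  "path": TEMP + r"\dup2patcher.dll"},
    # Benign noise: an installer that writes a log file and removes it much later.
    {"ts": 2.00, "pid": 3100, "image": "setup.exe",  "op": "create_write", "path": TEMP + r"\setup.log"},
    {"ts": 9.00, "pid": 3100, "image": "setup.exe",  "op": "mark_delete",  "path": TEMP + r"\setup.log"},
    # Benign noise: a DLL unpacked into temp and left in place.
    {"ts": 3.00, "pid": 4200, "image": "unpack.exe", "op": "create_write", "path": TEMP + r"\helper.dll"},
]

PE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def is_temp_pe(path: str) -> bool:
    """True for a PE-looking file path under a user or system temp directory."""
    low = path.lower()
    return ntpath.splitext(low)[1] in PE_EXTENSIONS and any(m in low for m in TEMP_MARKERS)


def find_drop_and_wipe(events, window: float = 30.0) -> list:
    """One finding per (pid, path) where the same process wrote a PE into a temp
    directory and then opened it for deletion / marked it for deletion within
    `window` seconds. Records whether the file was loaded in between."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if is_temp_pe(e["path"]):
            by_key[(e["pid"], e["path"].lower())].append(e)

    findings = []
    for (pid, path), evs in by_key.items():
        created = next((e for e in evs if e["op"] == "create_write"), None)
        if created is None:
            continue
        deleted = next((e for e in evs
                        if e["op"] in ("mark_delete", "open_delete") and e["ts"] >= created["ts"]), None)
        if deleted is None or deleted["ts"] - created["ts"] > window:
            continue
        loaded = any(e["op"] == "load_image" and created["ts"] <= e["ts"] <= deleted["ts"] for e in evs)
        findings.append({
            "pid": pid,
            "image": created["image"],
            "path": path,
            "loaded_before_delete": loaded,
            "lifetime_s": round(deleted["ts"] - created["ts"], 2),
        })
    return findings


if __name__ == "__main__":
    for f in find_drop_and_wipe(EVENTS):
        print(f)
```

The window keeps the rule tight: a log file deleted minutes later does not qualify, and a DLL that stays on disk does not either. The `loaded_before_delete` flag is what separates a transient helper (this sample's pattern) from a plain write-and-delete.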
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
-
"1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin" claimed CRC 60637 while the actual is CRC 132893
"dup2patcher.dll" claimed CRC 104727 while the actual is CRC 74355
The "CRC" here is the CheckSum field of the PE optional header. Both "actual" values fit the standard PE checksum (a 16-bit fold of the file contents plus the file length: 132893 - 79872 = 53021 and 74355 - 59904 = 14451, each within 16 bits). A zero or stale CheckSum is common in unsigned user-mode binaries, so on its own it is weak evidence; a non-zero value that no longer matches is consistent with the file having been modified after linking, as the Safeguard packer signature below suggests.
- source
- Static Parser
- relevance
- 10/10
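The two static indicators above ("PE file has unusual entropy sections" and "CRC value set in PE header does not match actual value") are both cheap to reproduce. The following Python is an added example, not Falcon Sandbox or Hybrid Analysis code: it parses the section table to compute per-section Shannon entropy, and recomputes the optional-header CheckSum with the standard PE algorithm to compare it with the claimed value. Because the sample itself is not reproduced on this page, `build_sample_pe()` constructs a synthetic two-section PE32 (a low-entropy .text and a maximum-entropy .rsrc) for the demonstration; the 7.0 bits-per-byte threshold is this example's choice, not the sandbox's.

```python
"""Static PE triage: per-section entropy and PE CheckSum verification.

Added example, not part of the Falcon Sandbox report and not Hybrid Analysis
code. The sandbox's "CRC" is the optional-header CheckSum; the standard
algorithm (32-bit word sum with carry folding, skipping the CheckSum field,
folded to 16 bits, plus the file length) is reproduced in pe_checksum().
build_sample_pe() constructs a synthetic PE32 for the demonstration.
"""
import math
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte (example's choice); packed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_header_offsets(data: bytes):
    """Return (optional_header_off, section_table_off, number_of_sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    return opt, opt + size_opt, n_sections


def section_entropies(data: bytes) -> dict:
    """Map section name -> Shannon entropy of its raw bytes on disk."""
    _, sect, n = pe_header_offsets(data)
    out = {}
    for i in range(n):
        off = sect + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        out[name] = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
    return out


def flag_sections(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Names of sections at or above the entropy threshold (the report's indicator)."""
    return [name for name, h in section_entropies(data).items() if h >= threshold]


def pe_checksum(data: bytes) -> int:
    """Value the CheckSum field should hold, per the standard PE algorithm."""
    opt, _, _ = pe_header_offsets(data)
    skip = (opt + 0x40) // 4  # CheckSum lives at OptionalHeader+0x40 (PE32 and PE32+)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, 4 * i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def header_checksum(data: bytes) -> int:
    opt, _, _ = pe_header_offsets(data)
    return struct.unpack_from("<I", data, opt + 0x40)[0]


def checksum_matches(data: bytes) -> bool:
    """The sandbox's check: claimed (header field) versus actual (recomputed)."""
    return header_checksum(data) == pe_checksum(data)


def build_sample_pe(rsrc_payload: bytes, text_payload: bytes = b"\x90" * 64) -> bytes:
    """Constructed two-section PE32 (.text, .rsrc) with a correct CheckSum.
    Only the header fields the checks above read are filled in."""
    n_sections, size_opt, pe_off, align = 2, 0xE0, 0x40, 0x200
    hdr_size = -(-(pe_off + 24 + size_opt + 40 * n_sections) // align) * align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)               # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n_sections, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<II", opt, 0x20, 0x1000, align)                   # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 0x3C, hdr_size)                         # SizeOfHeaders
    sections, body, raw_ptr = b"", b"", hdr_size
    for name, payload, chars in ((b".text", text_payload, 0x60000020), (b".rsrc", rsrc_payload, 0x40000040)):
        raw = payload + b"\0" * (-len(payload) % align)
        sections += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(payload), 0, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    image = bytearray(dos + coff + bytes(opt) + sections)
    image += b"\0" * (hdr_size - len(image)) + body
    struct.pack_into("<I", image, pe_off + 24 + 0x40, pe_checksum(bytes(image)))  # write a correct CheckSum
    return bytes(image)
```

Entropy is computed over the section's raw size on disk, padding included, which is what most static parsers do and why a small code section padded to the file alignment scores very low. For the report's values, 132893 - 79872 and 74355 - 59904 both fall within 16 bits, which is exactly the shape `pe_checksum()` produces.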
-
Imports suspicious APIs
- details
-
GetTempPathA
GetModuleHandleA
DeleteFileA
WriteFile
CreateFileA
GetProcAddress
FindResourceA
VirtualAlloc
LoadLibraryA
RegCloseKey
RegDeleteValueA
RegCreateKeyExA
RegOpenKeyExA
GetFileAttributesA
CopyFileA
GetVersionExA
GetModuleFileNameA
GetFileSize
CreateDirectoryA
GetCommandLineA
CreateThread
MapViewOfFile
FindFirstFileA
CreateFileMappingA
CreateProcessA
Sleep
ShellExecuteExA
ShellExecuteA
GetCursorPos
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "c04ed0772054d177e065d177b538d2770000000000d0bc7600000000c5eabc760000000088eabc7600000000e968c2758228d277ee29d27700000000d269c275000000007dbbbc760000000009bec27500000000ba18bc7600000000" to virtual address "0x77E31000" (part of module "NSI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "f811a675" to virtual address "0x75A783C4" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "4812a675" to virtual address "0x75A78364" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "4812a675" to virtual address "0x75A783C0" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "f811a675" to virtual address "0x75A783E0" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "f8110000" to virtual address "0x75A612CC" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "da45bc7652bebd76cda6bc7687f1bc7613dbbc76bccebc76c483be7685debc76ca9ebc766058d0774557bc765ac6bc7681a8bc7688eabc7681ecbc763f87bb761656bd7600000000" to virtual address "0x00EB2000" (part of module "VUESCANX32V9.7.50_PATCHERV1.2.EXE")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "f811a675" to virtual address "0x75A7834C" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "f8110000" to virtual address "0x75A61408" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "b890121170ffe0" to virtual address "0x75A61248" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "4812a675" to virtual address "0x75A78348" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "f811a675" to virtual address "0x75A78368" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "b880111170ffe0" to virtual address "0x76F91368" (part of module "WS2_32.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "68130000" to virtual address "0x76F91680" (part of module "WS2_32.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "48120000" to virtual address "0x75A6139C" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "48120000" to virtual address "0x75A612DC" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "4812a675" to virtual address "0x75A783DC" (part of module "SSPICLI.DLL")
"VueScanx32v9.7.50_Patcherv1.2.exe" wrote bytes "b810151170ffe0" to virtual address "0x75A611F8" (part of module "SSPICLI.DLL")
The 7-byte writes decode as the x86 sequence B8 imm32, FF E0 (mov eax, imm32; jmp eax), i.e. absolute-jump trampolines into the 0x7011xxxx range, which lies outside both SSPICLI.DLL and WS2_32.DLL. The 4-byte writes hold the virtual addresses of those trampolines (f811a675 is 0x75A611F8, 4812a675 is 0x75A61248) or values consistent with their module-relative offsets (0x11F8, 0x1248, 0x1368). The report does not establish whether the sample or a user-mode monitor in the analysis environment placed these hooks, and no network traffic followed.
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 Hooking (retired ID; current mapping T1056.004, Input Capture: Credential API Hooking)
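To make the hook-detection entries legible, the following Python is an added example, not Falcon Sandbox or Hybrid Analysis code. It takes a subset of the writes exactly as the report lists them (hex bytes, target address, module) and classifies each one: the 7-byte writes decode as B8 imm32 / FF E0 (mov eax, imm32; jmp eax), an absolute-jump trampoline; the 4-byte writes are either the virtual address of one of those trampolines or a value consistent with its module-relative offset; the long write into the sample's own image splits into a table of 32-bit pointers. Module base addresses are not in the report, so the offset check assumes 64 KiB-aligned bases, which is an assumption of this example.

```python
"""Decode the byte writes listed under "Installs hooks/patches the running process".

Added example, not part of the Falcon Sandbox report. The hex strings,
target addresses and module names in WRITES are copied from the report
(a subset); the classification logic is this example's own. The report
gives no module base addresses, so the RVA check assumes 64 KiB alignment.
"""
import struct

# (bytes written as hex, target virtual address, module) as listed in the report.
WRITES = [
    ("b890121170ffe0", 0x75A61248, "SSPICLI.DLL"),
    ("b810151170ffe0", 0x75A611F8, "SSPICLI.DLL"),
    ("b880111170ffe0", 0x76F91368, "WS2_32.DLL"),
    ("f811a675", 0x75A783C4, "SSPICLI.DLL"),
    ("4812a675", 0x75A78364, "SSPICLI.DLL"),
    ("f8110000", 0x75A612CC, "SSPICLI.DLL"),
    ("48120000", 0x75A6139C, "SSPICLI.DLL"),
    ("68130000", 0x76F91680, "WS2_32.DLL"),
    ("da45bc7652bebd76cda6bc7687f1bc7613dbbc76bccebc76c483be7685debc76ca9ebc766058d0774557bc765ac6bc7681a8bc7688eabc7681ecbc763f87bb761656bd7600000000",
     0x00EB2000, "VUESCANX32V9.7.50_PATCHERV1.2.EXE"),
]


def decode_write(hexstr: str):
    """('trampoline', target) for B8 imm32 / FF E0; ('dword', value) for a
    4-byte slot; ('pointer_table', [values]) for a longer run of 32-bit
    values; ('other', raw) otherwise."""
    b = bytes.fromhex(hexstr)
    if len(b) == 7 and b[0] == 0xB8 and b[5:] == b"\xff\xe0":   # mov eax, imm32 ; jmp eax
        return "trampoline", struct.unpack_from("<I", b, 1)[0]
    if len(b) == 4:
        return "dword", struct.unpack("<I", b)[0]
    if len(b) > 4 and len(b) % 4 == 0:
        return "pointer_table", list(struct.unpack("<%dI" % (len(b) // 4), b))
    return "other", b


def hook_targets(writes) -> set:
    """Addresses the trampolines jump to, i.e. where the hook handlers live."""
    targets = set()
    for hexstr, _, _ in writes:
        kind, val = decode_write(hexstr)
        if kind == "trampoline":
            targets.add(val)
    return targets


def analyse(writes) -> list:
    """Annotate every write with what it is and what it points at."""
    trampolines = {va for h, va, _ in writes if decode_write(h)[0] == "trampoline"}
    rows = []
    for hexstr, va, mod in writes:
        kind, val = decode_write(hexstr)
        row = {"va": va, "module": mod, "kind": kind}
        if kind == "trampoline":
            row["target"] = val
        elif kind == "dword" and val in trampolines:
            row["kind"], row["target"] = "pointer_to_trampoline", val
        elif kind == "dword":
            # Assumption: module bases are 64 KiB aligned. Does base + val land on a trampoline?
            hits = [t for t in trampolines if t > val and (t - val) % 0x10000 == 0]
            if hits:
                row["kind"], row["target"], row["assumed_base"] = "rva_to_trampoline", hits[0], hits[0] - val
            else:
                row["value"] = val
        elif kind == "pointer_table":
            row["entries"] = val
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in analyse(WRITES):
        print(row)
    print("hook handlers at:", sorted(hex(t) for t in hook_targets(WRITES)))
```

Every trampoline lands in the 0x7011xxxx range, outside both hooked modules, which is where a hooking engine keeps its handlers; the slot writes then redirect SSPICLI and WS2_32 entry points to those trampolines. The decoder only makes the writes readable: it cannot say whether the sample or the analysis environment's own user-mode monitor performed them.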
-
Reads information about supported languages
- details
- "VueScanx32v9.7.50_Patcherv1.2.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 Query Registry
-
-
Informative 6
-
General
-
Creates a writable file in a temporary directory
- details
- "VueScanx32v9.7.50_Patcherv1.2.exe" created file "%TEMP%\dup2patcher.dll"
- source
- API Call
- relevance
- 1/10
-
-
Installation/Persistence
-
Connects to LPC ports
- details
- "VueScanx32v9.7.50_Patcherv1.2.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
- "dup2patcher.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"VueScanx32v9.7.50_Patcherv1.2.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"VueScanx32v9.7.50_Patcherv1.2.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
"VueScanx32v9.7.50_Patcherv1.2.exe" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
"VueScanx32v9.7.50_Patcherv1.2.exe" touched file "%WINDIR%\System32\en-US\user32.dll.mui"
- source
- API Call
- relevance
- 7/10
-
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "VueScanx32v9.7.50_Patcherv1.2.exe" opened "\Device\KsecDD". This device is routinely opened from user mode by the Windows security and cryptography libraries (the process also has SSPICLI.DLL loaded, per the hook entries above), so the open by itself is expected behaviour and does not show that a kernel module was loaded.
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 Kernel Modules and Extensions (retired ID; current mapping T1547.006). For the reason above the mapping is weak here.
-
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc.bin" was detected as "Safeguard v1.03 -> Simonzh"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045 Software Packing (retired ID; current mapping T1027.002, Obfuscated Files or Information: Software Packing)
-
File Details
VueScan x32 v9.7.50+ Patcher v1.2.exe
- Filename
- VueScan x32 v9.7.50+ Patcher v1.2.exe
- Size
- 78KiB (79872 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 1b546a7546f8185cddd5a788554cb8a9ac968345c3580c22315b59552d90defc
- MD5
- 82d9249cf0a8216c4dd1dff20321e26f
- SHA1
- 13124c9c7601883476fd63358db213585900a0cd
- ssdeep
- 1536:GhN0rbd6+w4dqlDC0jg5+VEaUMxd95U+ZObe5ySdvP1k:Gho6gqlDXsMVuMn95U+QSAQvP1
- imphash
- dc73a9bd8de0fd640549c85ac4089b87
- authentihash
- fdfdd2b9dae4d30d84c0ac6ca0865cb2a8090a9d79d750d5b347f9ee82428a12
- Compiler/Packer
- Safeguard v1.03 -> Simonzh
Classification (TrID)
- 61.7% (.EXE) Win64 Executable (generic); a generic TrID guess that conflicts with the PE header, which identifies the file as PE32 for Intel 80386
- 14.7% (.DLL) Win32 Dynamic Link Library (generic)
- 10.0% (.EXE) Win32 Executable (generic)
- 4.5% (.EXE) OS/2 Executable (generic)
- 4.4% (.EXE) Generic Win/DOS Executable
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 10.10 (Visual Studio 2010) (build: 30319)
- 1 .RES Files linked with CVTRES.EXE 10.00 (Visual Studio 2010) (build: 30319)
- 1 .ASM Files assembled with MASM 10.00 (Visual Studio 2010) (build: 30319)
- 3 .LIB Files generated with LIB.EXE 10.00 (Visual Studio 2010) (build: 30319)
- 1 .ASM Files assembled with MASM 6.14 (Visual Studio 6 SP2) (build: 8444)
- File contains assembly code
- File appears to contain raw COFF/OMF content
- File is the product of a small codebase (1 files)
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- VueScanx32v9.7.50_Patcherv1.2.exe (PID: 2408) 44/67
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
-
Malicious 1
-
-
dup2patcher.dll
- Size
- 59KiB (59904 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "HackTool.Patcher" (37/67)
- Runtime Process
- VueScanx32v9.7.50_Patcherv1.2.exe (PID: 2408)
- MD5
- 032dca65f80a1c12979837a27e5fed35
- SHA1
- a385d8f1700e9d2b32d60b3d96d8d6d2db5144a8
- SHA256
- a6e44ca9e89a094bbd6bea6c9062d86ad4491ff020973ca85ab12aa2d398ae57
-