McChecker.exe
This report is generated from a file or URL submitted to this webservice on December 23rd 2015 19:17:55 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v3.10 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Fingerprint
  - Contains ability to lookup the windows account name
  - Reads the cryptographic machine GUID
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (3)

External Systems
Sample was identified as malicious by a large number of Antivirus engines
- details: 12/55 Antivirus vendors marked sample as malicious (21% detection rate)
- source: External System
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details: 12/55 Antivirus vendors marked sample as malicious (21% detection rate)
- source: External System
- relevance: 8/10
Hiding 1 malicious indicator

Suspicious Indicators (10)

Anti-Detection/Stealthiness

Queries kernel debugger information
- details: "<Input Sample>" at 00130625-00002280-76F261F8-270158
- source: API Call
- relevance: 6/10

Sets the process error mode to suppress error box
- details: "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
- source: API Call
- relevance: 8/10

Anti-Reverse Engineering

PE file has unusual entropy sections
- details: .text with unusual entropy 7.98602603788
- source: Static Parser
- relevance: 10/10
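The .text entropy of 7.99 is the strongest static signal in this report. In a .NET assembly the IL, the CLR metadata and any managed resources all live in .text, so a value that close to the 8.0 maximum means the section is almost entirely compressed or encrypted content rather than plain CIL, which is what a packer or an obfuscator with an encrypted payload produces. The script below is an added example, not code from the report or from the McChecker.exe sample: it reproduces the check with the standard library only by walking the PE section table and computing the Shannon entropy of each section's raw data. The 7.0 threshold, the helper that builds a tiny non-loadable PE image, and the pseudo-random "packed" filler are assumptions chosen for illustration; the page only supports the .text value quoted above.

```python
"""PE section entropy check (added example; not from the report or the sample).

Walks the section table of a PE image and reports the Shannon entropy of
each section's raw data. Standard library only. The threshold and the
inline test images are assumptions chosen for illustration.
"""
import math
import struct
import sys
from collections import Counter

# Assumed cut-off: compressed or encrypted data sits near 8.0 bits/byte,
# while plain x86 code or CIL usually stays well below 7.0.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section header in a PE image.

    Layout used: e_lfanew at 0x3C -> "PE\\0\\0", then the 20-byte COFF
    header (NumberOfSections at +2, SizeOfOptionalHeader at +16), the
    optional header, then 40-byte IMAGE_SECTION_HEADER entries.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def flag_sections(image: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Return {section_name: entropy} for sections at or above the threshold."""
    flagged = {}
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        if h >= threshold:
            flagged[name] = round(h, 3)
    return flagged


def build_test_pe(sections) -> bytes:
    """Constructed test data: a minimal, non-loadable PE image whose section
    table points at the given [(name, bytes)] payloads."""
    e_lfanew, opt_size = 0x40, 0
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    image = bytearray(header_len)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", image, e_lfanew + 4 + 2, len(sections))
    struct.pack_into("<H", image, e_lfanew + 4 + 16, opt_size)
    body = bytearray()
    for i, (name, data) in enumerate(sections):
        hdr = e_lfanew + 24 + opt_size + 40 * i
        image[hdr:hdr + 8] = name.encode("ascii").ljust(8, b"\0")
        struct.pack_into("<IIII", image, hdr + 8,
                         len(data), 0x1000 * (i + 1), len(data), header_len + len(body))
        body += data
    return bytes(image + body)


def pseudo_random_bytes(n: int, seed: int = 42) -> bytes:
    """Deterministic high-entropy filler standing in for a packed payload."""
    import random
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        # No file given: analyse a constructed image with one "packed"
        # section and one plain, low-entropy section.
        image = build_test_pe([(".text", pseudo_random_bytes(4096)),
                               (".rsrc", b"\x00" * 2048 + b"\x90\xc3" * 512)])
    for name, data in pe_sections(image):
        print("%-8s %6d bytes  entropy %.3f" % (name, len(data), shannon_entropy(data)))
    print("flagged:", flag_sections(image))
```

Run it with a path to any PE file to list every section's entropy, or with no arguments to see the constructed image: the pseudo-random .text lands near 8.0 and is flagged, the mostly-zero .rsrc stays near 1.25 and is not. The parser deliberately reads only SizeOfRawData and PointerToRawData, so it works on a file from disk and ignores the virtual layout; it does not validate that section ranges lie inside the file, which a hardened triage tool should do before trusting a sample's header.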

Environment Awareness

Reads the cryptographic machine GUID
- details: "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

General

Reads configuration files
- details:
  - "<Input Sample>" read file "C:\Windows\win.ini"
  - "<Input Sample>" read file "C:\Users\desktop.ini"
  - "<Input Sample>" read file "%APPDATA%\Microsoft\Windows\Libraries\desktop.ini"
  - "<Input Sample>" read file "C:\Users\%USERNAME%\Documents\desktop.ini"
  - "<Input Sample>" read file "C:\Users\%USERNAME%\desktop.ini"
  - "<Input Sample>" read file "C:\Users\%USERNAME%\Documents\desktop.ini"
  - "<Input Sample>" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Creates/touches files in windows directory
- details:
  - "<Input Sample>" created file "C:\Windows\system32\rsaenh.dll"
  - "<Input Sample>" created file "C:\Windows\System32\en-US\comdlg32.dll.mui"
  - "<Input Sample>" created file "c:\windows\system32\imageres.dll"
  - "<Input Sample>" created file "C:\Windows\resources\themes\Aero\Shell\NormalColor\ShellStyle.dll"
  - "<Input Sample>" created file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Libraries"
- source: API Call
- relevance: 7/10

System Security

Contains ability to elevate privileges
- details:
  - SetEntriesInAclW@ADVAPI32.DLL at 00130625-00002280-76F4228D-280312
  - SetSecurityDescriptorDacl@ADVAPI32.DLL at 00130625-00002280-76F4228D-280376
- source: Hybrid Analysis Technology
- relevance: 10/10

Unusual Characteristics

Installs hooks/patches the running process
- details: "<Input Sample>" wrote bytes "22F31502" to virtual address "0x6A952AFC" (part of module "CLR.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details:
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "EN")
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "EN")
- source: Registry Access
- relevance: 3/10

Hiding 1 suspicious indicator

Informative (4)

General

Loads modules at runtime
- details:
  - "<Input Sample>" loaded module "COMCTL32.DLL" at base 73EF0000
  - "<Input Sample>" loaded module "CLBCATQ.DLL" at base 759C0000
  - "<Input Sample>" loaded module "%WINDIR%\SYSTEM32\COMDLG32.DLL" at base 76850000
  - "<Input Sample>" loaded module "UXTHEME.DLL" at base 73DB0000
  - "<Input Sample>" loaded module "ADVAPI32.DLL" at base 76C60000
  - "<Input Sample>" loaded module "API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL" at base 77040000
  - "<Input Sample>" loaded module "CRYPTSP.DLL" at base 74AB0000
  - "<Input Sample>" loaded module "C:\WINDOWS\SYSTEM32\RSAENH.DLL" at base 74850000
  - "<Input Sample>" loaded module "CRYPTBASE.DLL" at base 74F80000
  - "<Input Sample>" loaded module "RPCRTREMOTE.DLL" at base 75020000
  - "<Input Sample>" loaded module "OLE32.DLL" at base 769D0000
  - "<Input Sample>" loaded module "IMM32.DLL" at base 759A0000
- source: API Call
- relevance: 1/10

Loads the .NET runtime environment
- details: "<Input Sample>" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\51e2934144ba15628ba5a31be2dae7dc\mscorlib.ni.dll" at 69840000
- source: Loaded Module

Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details:
  - "GdipCreateMatrix@gdiplus.dll"
  - "GdipGetWorldTransform@gdiplus.dll"
  - "GdipIsMatrixIdentity@gdiplus.dll"
  - "GdipGetMatrixElements@gdiplus.dll"
  - "GdipDeleteMatrix@gdiplus.dll"
  - "GdipCreateRegion@gdiplus.dll"
  - "GdipGetClip@gdiplus.dll"
  - "GdipIsInfiniteRegion@gdiplus.dll"
  - "GdipSaveGraphics@gdiplus.dll"
  - "GdipCombineRegionRegion@gdiplus.dll"
  - "GdipGetRegionHRgn@gdiplus.dll"
  - "GdipDeleteRegion@gdiplus.dll"
  - "GdipGetDC@gdiplus.dll"
  - "GdipReleaseDC@gdiplus.dll"
  - "GdipRestoreGraphics@gdiplus.dll"
  - "GdipGetTextRenderingHint@gdiplus.dll"
  - "GdipDrawImageRectI@gdiplus.dll"
  - "GdipGetNearestColor@gdiplus.dll"
  - "GdipCreateSolidFill@gdiplus.dll"
  - "GdipFillRectangleI@gdiplus.dll"
- source: API Call
- relevance: 1/10

Installation/Persistence

Contains ability to lookup the windows account name
- details: LookupAccountNameLocalW@SECHOST.DLL at 00130625-00002280-76F4228D-269970
- source: Hybrid Analysis Technology
- relevance: 5/10

File Details
McChecker.exe
- Filename: McChecker.exe
- Size: 422KiB (431616 bytes)
- Type: peexe assembly executable
- Description: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Architecture: WINDOWS
- SHA256: dac2072e7009865b62419265e772e3193d188d37d90001c4371a1e02aef2de70
- MD5: e56035280698bd1e2dfc1e91bdafc7ef
- SHA1: 9dbfbb4162f687dbe36b80db75fe4951e59118db
- ssdeep: 12288:5we3eQXdB4K5iQIUbUhZ9/MBtvxaC7nM/pY2vk:5D4SiQtbUhr6vxaC45c
- imphash: f34d5f2d4577ed6d9ceec516c1f5a744
- authentihash: 645f5d1c77a9fe1120b4df4df3a2be576560deb90da1ef0eb877dceb990bcd02
- PDB Pathway
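The imphash above is not a useful pivot for this sample. A 32-bit .NET executable's native import table normally holds a single entry, mscoree.dll!_CorExeMain (the CLR entry stub), so every such binary shares the same imphash regardless of its managed code. The script below is an added example, not taken from the report: it computes an imphash from a list of imports the way pefile does (DLL name lowercased with its .dll/.ocx/.sys extension stripped, joined to the lowercased function name with a dot, entries comma-separated in table order, MD5 of the result, with ordinal-only imports of ws2_32, wsock32 and oleaut32 resolved to names first and any other ordinal rendered as ordN). For the stub-only table the result equals the imphash listed above. The ordinal table is a short excerpt and the sample import lists are constructed for the example.

```python
"""Imphash for a list of imports (added example, not from the report).

Follows the pefile convention: each import becomes "dll.func" with the
DLL extension (.dll/.ocx/.sys) stripped and everything lowercased, the
entries are joined with commas in import-table order, and the MD5 of that
string is the imphash. Ordinal-only imports of ws2_32, wsock32 and
oleaut32 are resolved to names first; anything else becomes "ordN".
"""
import hashlib

# Excerpt of the ordinal-to-name tables used by the reference
# implementation; the real tables are much longer.
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
               23: "socket", 52: "gethostbyname", 115: "WSAStartup"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString", 7: "SysStringLen"},
}
ORDINAL_NAMES["wsock32"] = ORDINAL_NAMES["ws2_32"]


def _dll_base(dll: str) -> str:
    """'WS2_32.dll' -> 'ws2_32'; names without a known extension are kept."""
    base = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if base.endswith(ext):
            return base[: -len(ext)]
    return base


def normalize_imports(imports) -> str:
    """imports: iterable of (dll, name_or_ordinal) in import-table order.
    Returns the comma-joined 'dll.func' string that gets hashed."""
    parts = []
    for dll, func in imports:
        base = _dll_base(dll)
        if isinstance(func, int):
            func = ORDINAL_NAMES.get(base, {}).get(func, "ord%d" % func)
        parts.append("%s.%s" % (base, func.lower()))
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 hex digest of the normalized import string."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


# Native import table of a typical 32-bit .NET executable: only the CLR stub.
DOTNET_X86_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed native-code import table, mixing named and ordinal imports.
NATIVE_IMPORTS = [("KERNEL32.dll", "CreateFileW"), ("WS2_32.dll", 23),
                  ("OLEAUT32.dll", 6), ("user32.dll", 400)]

if __name__ == "__main__":
    for label, table in (("dotnet", DOTNET_X86_IMPORTS), ("native", NATIVE_IMPORTS)):
        print("%-7s %s  %s" % (label, imphash(table), normalize_imports(table)))
```

Because the managed IL never appears in the PE import table, two unrelated .NET samples hash identically here; pivoting on .NET binaries needs something derived from the managed metadata (the TypeRef/MemberRef tables, the module MVID, or a hash of the embedded resources) rather than imphash.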
Version Info
- Translation: 0x0000 0x04b0
- LegalCopyright: Copyright 2015
- Assembly Version: 1.0.0.0
- InternalName: McChecker.exe
- FileVersion: 1.0.0.0
- CompanyName: Vinyl
- LegalTrademarks: -
- Comments: -
- ProductName: McChecker
- ProductVersion: 1.0.0.0
- FileDescription: McChecker
- OriginalFilename: McChecker.exe
Classification (TrID)
- 82.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.)
- 7.4% (.DLL) Win32 Dynamic Link Library (generic)
- 5.1% (.EXE) Win32 Executable (generic)
- 2.2% (.EXE) Generic Win/DOS Executable
- 2.2% (.EXE) DOS Executable Generic
File Sections
File Resources
File Imports
Screenshots
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- McChecker.exe (PID: 2280)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications

Runtime
- A process crash was detected during the runtime analysis
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "api-7" are available in the report
- Not all sources for signature ID "api-8" are available in the report