Detect_OWLBatteryRecall.exe
This report is generated from a file or URL submitted to this webservice on May 7th 2020 11:59:31 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Indicators
Note: the public report does not display every malicious and suspicious indicator; the tallies below are therefore lower bounds.
Malicious Indicators (1)

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details: 1/22 Antivirus vendors marked sample as malicious (4% detection rate)
- source: External System
- relevance: 8/10
Suspicious Indicators (6)

Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details: "Detect_OWLBatteryRecall.exe" is allocating memory with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10
- analyst note: PAGE_GUARD pages are routine in a managed process (Windows grows thread stacks through a guard page, and the CLR allocates guard pages of its own), so this fires on essentially every .NET sample regardless of intent. Compare against a known-good .NET binary run on the same guest before counting it as an anti-dumping measure.
Environment Awareness

Reads the active computer name
- details: "Detect_OWLBatteryRecall.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012 (Query Registry)
Network Related

Found potential IP address in binary/memory
- details:
  Heuristic match: "is HPSA version is equal or greater than 8.5.0.0: excepted a True, got True"
  "8.5.0.0"
  Heuristic match: "HPSA version is NOT equal or greater than 8.5.0.0 , actual value:"
- source: File/Memory
- relevance: 3/10
- analyst note: "8.5.0.0" is the HPSA version the program compares against, not a host; the quoted context says so. A dotted-quad pattern cannot tell a Major.Minor.Build.Revision string from an IPv4 address, so this indicator is a false positive here, and the Network Analysis section confirms that no host was contacted.
Unusual Characteristics

Installs hooks/patches the running process
- details:
  "Detect_OWLBatteryRecall.exe" wrote bytes "a53a7b2f" to virtual address "0x6D31F798" (part of module "CLR.DLL")
  "Detect_OWLBatteryRecall.exe" wrote bytes "db4d356f00000000" to virtual address "0x00FC2000" (part of module "DETECT_OWLBATTERYRECALL.EXE")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179 (Hooking; deprecated in later ATT&CK versions)
- analyst note: both writes are made by the process into its own image and into the CLR it loaded, which is what a normal managed start-up looks like rather than hooking of another component. The second write lands at offset 0x2000 of the executable, where a C#-compiled assembly keeps its import table with its single native import (mscoree!_CorExeMain); eight bytes of resolved pointer plus null terminator (little-endian 0x6F354DDB followed by zeros) is the loader filling that thunk. The 4-byte write into clr.dll is most plausibly runtime bookkeeping in its own data. Treat this as hooking only if the same detector stays silent on a benign .NET binary on the same guest, and look for writes into other processes or into the code sections of system DLLs instead.

Reads information about supported languages
- details: "Detect_OWLBatteryRecall.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012 (Query Registry)

One further suspicious indicator is hidden in the public report.
Informative (11)

Environment Awareness

Queries volume information
- details: "Detect_OWLBatteryRecall.exe" queries volume information of "C:\Detect_OWLBatteryRecall.exe" at 562550941-00003156-0000010C-6613287175
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120 (Peripheral Device Discovery)

External Systems

Sample was identified as clean by Antivirus engines
- details: 0/69 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
- analyst note: the report also carries a 1/22 (4%) tally under Malicious Indicators. The two figures come from different lookups, so neither should be quoted as the sample's detection rate without re-checking the SHA256 against a current multi-engine scan.
General

Contains PDB pathways
- details: "C:\Workspaces\HPSA Objects\Object Detection Source\Detect_OWLBatteryRecall\Detect_OWLBatteryRecall\obj\Release\Detect_OWLBatteryRecall.pdb"
- source: File/Memory
- relevance: 1/10
- analyst note: a Release-build PDB path naming "HPSA Objects" and "Object Detection Source" is consistent with the HP Support Assistant version checks seen in the extracted strings and with the HP Inc. signer; it is provenance-supporting, not an indicator on its own.

Loads the .NET runtime environment
- details: "Detect_OWLBatteryRecall.exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\36eaccfde177c2e7b93b8dbdde4e012a\mscorlib.ni.dll" at 66040000
- source: Loaded Module

Overview of unique CLSIDs touched in registry
- details: "Detect_OWLBatteryRecall.exe" touched "NDP SymBinder" (Path: "HKCU\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\INPROCSERVER32")
- source: Registry Access
- relevance: 3/10
- analyst note: "NDP SymBinder" is the .NET runtime's symbol binder; the lookup matches the PDB probes under the Windows directory listed further down and is expected for a managed binary that still carries its PDB path.

The input sample is signed with a certificate
- details:
  The input sample is signed with a certificate issued by "CN=DigiCert SHA2 High Assurance Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 59:32:B2:E3:43:2D:82:73:55:F8:9A:11:88:D6:D6:8D:FB:79:56:B7; see File Certificates)
  The input sample is signed with a certificate issued by "CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: F7:E0:F4:49:F1:A2:59:4F:88:85:6C:07:58:F8:E6:F6:27:E5:F5:A2; see File Certificates)
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1116 (Code Signing; now T1553.002)
- analyst note: the signer certificate (CN=HP Inc.) was valid from 04/17/2019 to 04/21/2020, so it had already expired when this sample was submitted on May 7th 2020. The report records the chain but not a verification result, and does not say whether the signature carries a timestamp countersignature; an expired but timestamped Authenticode signature still verifies, an untimestamped one does not. Verify the signature (for example with signtool verify /pa /v or Get-AuthenticodeSignature) before treating "HP Inc." as provenance.
Installation/Persistence

Connects to LPC ports
- details: "Detect_OWLBatteryRecall.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10
- analyst note: \ThemeApiPort is the UxTheme port that any themed GUI process connects to; it says nothing about installation or persistence.

Touches files in the Windows directory
- details:
  "Detect_OWLBatteryRecall.exe" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\36eaccfde177c2e7b93b8dbdde4e012a\mscorlib.ni.dll.aux"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\sortdefault.nlp"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\symbols\exe\Detect_OWLBatteryRecall.pdb"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\exe\Detect_OWLBatteryRecall.pdb"
  "Detect_OWLBatteryRecall.exe" touched file "C:\Windows\Detect_OWLBatteryRecall.pdb"
- source: API Call
- relevance: 7/10
- analyst note: every path is one of three things: a .NET Framework runtime file probed while the shim enumerates installed runtimes (v1.0.3705 through v4.0.30319), an NLS sorting table, or a symbol-path lookup for the sample's own PDB. The report records opens and probes only, not writes, so this contributes nothing to a persistence assessment.
Network Related

Found potential URL in binary/memory
- details:
  Pattern match: "www.digicert.com1503"
  Pattern match: "http://crl3.digicert.com/sha2-ha-cs-g1.crl00"
  Pattern match: "http://crl4.digicert.com/sha2-ha-cs-g1.crl0L"
  Pattern match: "https://www.digicert.com/CPS0"
  Pattern match: "http://ocsp.digicert.com0R"
  Pattern match: "cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0"
  Pattern match: "www.digicert.com1+0"
  Pattern match: "http://ocsp.digicert.com0I"
  Pattern match: "http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0"
  Pattern match: "http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0@"
  Pattern match: "http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O"
  Pattern match: "www.digicert.com1!0"
  Pattern match: "crl3.digicert.com/DigiCertAssuredIDCA-1.crl08"
  Pattern match: "crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w"
  Pattern match: "http://ocsp.digicert.com0A"
  Pattern match: "cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0"
  Pattern match: "www.digicert.com1$0"
  Pattern match: "http://www.digicert.com/ssl-cps-repository.htm0"
  Pattern match: "http://ocsp.digicert.com0C"
  Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0"
  Pattern match: "crl3.digicert.com/DigiCertAssuredIDRootCA.crl0"
  Pattern match: "crl4.digicert.com/DigiCertAssuredIDRootCA.crl0"
  Pattern match: "https://hpsa-redirectors.hpcloud.hp.com/Common/npcRedirectorPage.asp"
  Heuristic match: ".hpicorp.net"
  Heuristic match: ".hp.com"
  Heuristic match: ".hpcustomerprograms.com"
  Heuristic match: "Battery.Info"
- source: File/Memory
- relevance: 10/10
- analyst note: the digicert.com entries are the CRL, OCSP and CA-issuer (AIA) URLs embedded in the Authenticode certificate chain, including a DigiCert Assured ID chain that is typically the timestamping chain; the stray trailing characters ("1503", "0L", "0@") are adjacent ASN.1 tag and length bytes that happen to be printable, not part of the URL. Only the hpsa-redirectors.hpcloud.hp.com URL and the .hp.com, .hpicorp.net and .hpcustomerprograms.com suffixes belong to the program itself, and the Network Analysis section shows none of them were contacted during the run.
System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details: "Detect_OWLBatteryRecall.exe" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1215 (Kernel Modules and Extensions; now T1547.006)
- analyst note: \Device\KsecDD is the device that user-mode cryptography opens to reach the kernel's CNG provider and its entropy source, so practically every process that generates random numbers or validates a TLS certificate touches it. The Memory Forensics section shows a ValidateSSLCertificate routine in this binary, which explains the handle. Nothing here loads a kernel module; the ATT&CK mapping does not fit the behaviour.
Unusual Characteristics

Matched Compiler/Packer signature
- details: "b08d3ad1230e4b8083b3b303c771b9d83818b539abaca8779676de5a59a5c51b.bin" was detected as "Morphine v1.2 (DLL)"
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1045 (Software Packing; now T1027.002)
- analyst note: this is a byte-pattern signature match and it contradicts the rest of the report: the file is typed as a Mono/.NET assembly, loads the CLR, and exposes its PDB path, assembly version and version resource in the clear, none of which survives a native packer. Treat the match as low confidence and confirm by checking that the PE carries a CLR header and ordinary .text/.rsrc/.reloc sections; the section table is not included in this copy of the report.
File Details
- Filename: Detect_OWLBatteryRecall.exe
- Size: 623KiB (637816 bytes)
- Type: peexe assembly executable
- Description: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Architecture: WINDOWS
- SHA256: b08d3ad1230e4b8083b3b303c771b9d83818b539abaca8779676de5a59a5c51b
- MD5: 62d55a1c50662954a361ad317b2e66e2
- SHA1: ccd96a860e298d381fdf83ca4b17e290572f47ca
- ssdeep: 6144:4ag8/aJdrZi0kH+OVmsm7mwFjp/AhuICxX/X:47c0keOqNX
- imphash: f34d5f2d4577ed6d9ceec516c1f5a744
- authentihash: c1b908f0fd046a7d66ecf3699aaf3528b5bf1d1bad4b67708d405716dd065b5f
- Compiler/Packer: Morphine v1.2 (DLL) (see the note under Matched Compiler/Packer signature)
- PDB Timestamp: 07/31/2019 12:55:28 (UTC)
- PDB Pathway: C:\Workspaces\HPSA Objects\Object Detection Source\Detect_OWLBatteryRecall\Detect_OWLBatteryRecall\obj\Release\Detect_OWLBatteryRecall.pdb
- PDB GUID: C01B09173C0E4171A90CC2C98BA88E09
Version Info
- Translation: 0x0000 0x04b0
- LegalCopyright: Copyright 2018 HP Development Company, L.P.
- Assembly Version: 1.0.4.0
- InternalName: Detect_OWLBatteryRecall.exe
- FileVersion: 1.0.4.0
- CompanyName: HP Inc.
- LegalTrademarks: (empty)
- Comments: (empty)
- ProductName: Detect_OWLBatteryRecall
- ProductVersion: 1.0.4.0
- FileDescription: Detect_OWLBatteryRecall
- OriginalFilename: Detect_OWLBatteryRecall.exe
Classification (TrID)
- 47.7% (.EXE) Win64 Executable (generic)
- 22.6% (.SCR) Windows screen saver
- 11.3% (.DLL) Win32 Dynamic Link Library (generic)
- 7.7% (.EXE) Win32 Executable (generic)
- 3.5% (.EXE) OS/2 Executable (generic)
TrID's percentages are generic PE guesses and the top one (Win64) contradicts the PE32 Intel 80386 identification above; rely on the Description line for the file type.
File Certificates

Owner | Issuer | Serial | Not before | Not after | MD5 | SHA1
---|---|---|---|---|---|---
CN=HP Inc., OU=HP Cybersecurity, O=HP Inc., L=Palo Alto, ST=California, C=US | CN=DigiCert SHA2 High Assurance Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US | c834a23a8f6da243e24a688741ccb0f | 04/17/2019 00:00:00 | 04/21/2020 12:00:00 | DC:59:5D:0F:96:6F:67:6F:83:79:94:EE:CC:DF:10:F5 | 59:32:B2:E3:43:2D:82:73:55:F8:9A:11:88:D6:D6:8D:FB:79:56:B7
CN=DigiCert SHA2 High Assurance Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | b7e10903c38490ffa2f679a87a1a7b9 | 10/22/2013 12:00:00 | 10/22/2028 12:00:00 | D4:4F:6E:0A:FD:F2:62:99:4C:1A:F5:06:65:C0:6C:4A | F7:E0:F4:49:F1:A2:59:4F:88:85:6C:07:58:F8:E6:F6:27:E5:F5:A2

The EV root certificate itself is not embedded in the file (roots normally are not) and does not appear in the table; hashes are of the certificate in the Owner column.
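The question the certificate table raises is not who signed the file but whether the signature still verifies: the signer certificate expired on 04/21/2020, two weeks before this submission. The Python below is an added example, not part of the Hybrid Analysis report and not HP's code. It rebuilds the chain from the two rows shown, checks issuer/subject linkage and validity nesting, and evaluates the signer certificate at the build time taken from the PDB timestamp and at the submission time from the report header. The dates are transcribed from the table and assumed to be UTC; the root certificate is not in the report and is not modelled, and no cryptographic signature check is performed because the report does not provide the signed data.

```python
from datetime import datetime, timezone

# Date format used in this report's certificate table (assumed UTC).
FMT = "%m/%d/%Y %H:%M:%S"

# Transcribed from the File Certificates table: CERTS[0] is the signer (leaf),
# CERTS[1] the issuing CA. The EV root is not shown in the report, so it is
# deliberately absent here.
CERTS = [
    {
        "subject": "CN=HP Inc., OU=HP Cybersecurity, O=HP Inc., L=Palo Alto, ST=California, C=US",
        "issuer": "CN=DigiCert SHA2 High Assurance Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
        "serial": "c834a23a8f6da243e24a688741ccb0f",
        "not_before": "04/17/2019 00:00:00",
        "not_after": "04/21/2020 12:00:00",
        "sha1": "59:32:B2:E3:43:2D:82:73:55:F8:9A:11:88:D6:D6:8D:FB:79:56:B7",
    },
    {
        "subject": "CN=DigiCert SHA2 High Assurance Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
        "issuer": "CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
        "serial": "b7e10903c38490ffa2f679a87a1a7b9",
        "not_before": "10/22/2013 12:00:00",
        "not_after": "10/22/2028 12:00:00",
        "sha1": "F7:E0:F4:49:F1:A2:59:4F:88:85:6C:07:58:F8:E6:F6:27:E5:F5:A2",
    },
]

BUILD_TIME = "07/31/2019 12:55:28"    # PDB timestamp from File Details
SUBMIT_TIME = "05/07/2020 11:59:31"   # submission time from the report header


def parse(ts):
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


def valid_at(cert, when):
    """True if the datetime `when` lies inside the certificate's validity window."""
    return parse(cert["not_before"]) <= when <= parse(cert["not_after"])


def chain_problems(chain):
    """Structural checks a verifier does before any signature maths: each
    certificate must name the next one as its issuer, and its validity window
    must sit inside the issuer's window. Returns a list of human-readable problems."""
    problems = []
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            problems.append(f"{child['subject']} is not issued by {parent['subject']}")
        nested = (parse(parent["not_before"]) <= parse(child["not_before"])
                  and parse(child["not_after"]) <= parse(parent["not_after"]))
        if not nested:
            problems.append(f"validity of {child['subject']} is not nested in its issuer's")
    return problems


def triage(chain, build_time=BUILD_TIME, submit_time=SUBMIT_TIME):
    """Summarise what the report's certificate data does and does not establish."""
    leaf = chain[0]
    result = {
        "signer": leaf["subject"],
        "leaf_sha1": leaf["sha1"].replace(":", "").lower(),
        "chain_problems": chain_problems(chain),
        "valid_at_build": valid_at(leaf, parse(build_time)),
        "valid_at_submission": valid_at(leaf, parse(submit_time)),
    }
    # An Authenticode signature made with a now-expired certificate still
    # verifies only if it carries a trusted timestamp countersignature made
    # while the certificate was valid. The report does not show one, so flag
    # that the analyst must check for it before accepting the signer.
    result["needs_timestamp_check"] = (
        not result["chain_problems"]
        and result["valid_at_build"]
        and not result["valid_at_submission"]
    )
    return result


if __name__ == "__main__":
    for key, value in triage(CERTS).items():
        print(f"{key}: {value}")
```

When needs_timestamp_check comes back true, the next step is on a Windows host with the file: signtool verify /pa /v shows the timestamp chain if one exists, and Get-AuthenticodeSignature exposes it as TimeStamperCertificate. A Valid status there, not the signer name in this table, is what justifies treating the binary as HP-published.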
Hybrid Analysis

Analysed 1 process in total.
- Detect_OWLBatteryRecall.exe (PID: 3156) 1/81
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics

String | Context | Stream UID
---|---|---
hpcustomerprograms.com | Domain/IP reference | 62d55a1c50662954a361ad317b2e66e2-6000022-ServerCertificateValidationScope~ValidateSSLCertificate
hpicorp.net | Domain/IP reference | 62d55a1c50662954a361ad317b2e66e2-6000022-ServerCertificateValidationScope~ValidateSSLCertificate
hp.com | Domain/IP reference | 62d55a1c50662954a361ad317b2e66e2-6000022-ServerCertificateValidationScope~ValidateSSLCertificate
https://hpsa-redirectors.hpcloud.hp.com/common/npcredirectorpage.asp | Domain/IP reference | 62d55a1c50662954a361ad317b2e66e2-600003d-ctor
11.0.0.0 | Domain/IP reference | 62d55a1c50662954a361ad317b2e66e2-6000001-OBR_DET~runDetection
8.5.0.0 | Domain/IP reference | 62d55a1c50662954a361ad317b2e66e2-6000001-OBR_DET~runDetection

The Stream UID is the sample MD5, the .NET metadata token of the method whose body held the string (0x06xxxxxx is a MethodDef token), and the Type~Method name. Read that way, the three domain suffixes live in a TLS certificate validation callback and the two dotted quads in OBR_DET.runDetection next to the HPSA version comparison; both quads are version numbers, not addresses.
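The two quads above (11.0.0.0 and 8.5.0.0 in OBR_DET.runDetection) are the same false positive as the "Found potential IP address in binary/memory" indicator earlier in the report. The Python below is an added example, not part of the Hybrid Analysis report and not HP's code: it re-triages such hits using the context string the sandbox prints, rejecting unparsable quads, letting a nearby version/build word override the IP reading, recognising an explicit port, and treating a bare Major.Minor.0.0 as a version by heuristic. The flagged strings are constructed from this report; the two control lines and the rule set are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample input: the dotted quads this report flagged as a
# "potential IP address", each with the context string the report printed
# for it, plus two constructed control lines (a real socket address and a
# quad that is not an address at all).
FLAGGED = [
    ("8.5.0.0", "is HPSA version is equal or greater than 8.5.0.0: excepted a True, got True"),
    ("8.5.0.0", "HPSA version is NOT equal or greater than 8.5.0.0 , actual value:"),
    ("8.5.0.0", "8.5.0.0"),
    ("11.0.0.0", "11.0.0.0"),
    ("10.0.0.5", "connect 10.0.0.5:443"),   # constructed control line
    ("300.1.1.1", "300.1.1.1"),             # constructed control line
]

VERSION_WORDS = re.compile(r"\b(?:version|ver|build|release|assembly)\b", re.IGNORECASE)
PORT_SUFFIX = re.compile(r"^:\d{1,5}\b")


def classify(quad, context):
    """Label one sandbox 'potential IP' hit.

    Returns one of 'reject', 'version', 'version:heuristic', 'ip:socket',
    'ip:private', 'ip:global'. Rules are applied in order:
      1. reject anything ipaddress cannot parse (an octet above 255, ...);
      2. a version/build word in the surrounding text wins over other clues;
      3. an explicit :port directly after the quad marks a socket address;
      4. a bare quad ending in .0.0 is treated as a Major.Minor.0.0 assembly
         version (heuristic: real network addresses end in .0.0 too);
      5. anything else is an address, tagged with its scope.
    """
    try:
        addr = ipaddress.IPv4Address(quad)
    except ValueError:
        return "reject"
    if VERSION_WORDS.search(context):
        return "version"
    after = context[context.find(quad) + len(quad):] if quad in context else ""
    if PORT_SUFFIX.search(after):
        return "ip:socket"
    if context.strip() == quad and quad.split(".")[2:] == ["0", "0"]:
        return "version:heuristic"
    return "ip:private" if addr.is_private else "ip:global"


def triage(hits):
    """Classify every (quad, context) pair and return the labelled list."""
    return [(quad, context, classify(quad, context)) for quad, context in hits]


def real_addresses(hits):
    """Only the hits worth a network lookup: the 'ip:*' ones, deduplicated."""
    return sorted({quad for quad, _, label in triage(hits) if label.startswith("ip:")})


if __name__ == "__main__":
    for quad, context, label in triage(FLAGGED):
        print(f"{label:18} {quad:12} <- {context!r}")
```

Run against the report's strings, only the constructed socket address survives as an address; everything the sandbox flagged is classified as a version string. The .0.0 rule is the weak point and is labelled as a heuristic in the result so a reviewer can see which verdicts rest on it.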
Extracted Files
No significant files were extracted.