天空の魔神とはじまりの聖女.exe
This report is generated from a file or URL submitted to this webservice on September 20th 2017 20:05:10 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v6.91 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
Indicators
Malicious Indicators (3)
Environment Awareness
Sets a global windows hook to intercept mouse events
- details: "<Input Sample>" set a windows hook with filter "WH_MOUSE_LL"
- source: API Call
- relevance: 10/10
External Systems
Sample was identified as malicious by a trusted Antivirus engine
- details: No specific details available
- source: External System
- relevance: 5/10
Sample was identified as malicious by at least one Antivirus engine
- details: 2/64 Antivirus vendors marked sample as malicious (3% detection rate)
- source: External System
- relevance: 8/10
Suspicious Indicators (4)
Anti-Reverse Engineering
PE file has unusual entropy sections
- details: .rsrc with unusual entropies 7.56755727539
- source: Static Parser
- relevance: 10/10
Remote Access Related
Reads terminal service related keys (often RDP related)
- details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source: Registry Access
- relevance: 10/10
Unusual Characteristics
Imports suspicious APIs
- details:
GetDriveTypeW
GetFileAttributesW
UnhandledExceptionFilter
WriteFile
GetModuleFileNameW
IsDebuggerPresent
GetModuleFileNameA
LoadLibraryExW
CreateThread
ExitThread
GetModuleHandleExW
GetProcAddress
LoadLibraryW
GetTickCount
LoadLibraryA
GetStartupInfoW
CreateDirectoryW
DeleteFileW
FindFirstFileExA
FindNextFileW
FindNextFileA
FindFirstFileExW
CreateFileW
GetCommandLineW
GetCommandLineA
GetModuleHandleA
GetModuleHandleW
GetFileAttributesExW
CreateProcessW
Sleep
TerminateProcess
ShellExecuteW
WSASendTo
sendto (Ordinal #20)
accept (Ordinal #1)
WSAStartup (Ordinal #115)
bind (Ordinal #2)
recv (Ordinal #16)
socket (Ordinal #23)
connect (Ordinal #4)
recvfrom (Ordinal #17)
send (Ordinal #19)
closesocket (Ordinal #3)
listen (Ordinal #13)
- source: Static Parser
- relevance: 1/10
PE file contains unusual section name
- details:
"d47f5bf131107716da0d29ccc5ecfd846df4b025935a37fa95633c502f2cd453.exe.bin" has a section named ".gfids"
"d47f5bf131107716da0d29ccc5ecfd846df4b025935a37fa95633c502f2cd453.exe.bin" has a section named "_RDATA"
- source: Static Parser
- relevance: 10/10
Informative (5)
General
Creates mutants
- details:
"\Sessions\1\BaseNamedObjects\Local\DirectSound DllMain mutex (0x00000B3C)"
"Local\DirectSound DllMain mutex (0x00000B3C)"
- source: Created Mutant
- relevance: 3/10
Sets a windows hook
- details: "<Input Sample>" sets a global windows hook with filter "WH_MOUSE_LL"
- source: API Call
- relevance: 10/10
Installation/Persistence
Touches files in the Windows directory
- details:
"<Input Sample>" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%WINDIR%\system32\tzres.dll"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\tzres.dll.mui"
- source: API Call
- relevance: 7/10
Network Related
Found potential URL in binary/memory
- details:
Pattern match: "www.inkscape.org"
Pattern match: "http://www.godotengine.org"
- source: File/Memory
- relevance: 10/10
Unusual Characteristics
Matched Compiler/Packer signature
- details: "d47f5bf131107716da0d29ccc5ecfd846df4b025935a37fa95633c502f2cd453.exe.bin" was detected as "VC8 -> Microsoft Corporation"
- source: Static Parser
- relevance: 10/10
File Details
- Filename: 天空の魔神とはじまりの聖女.exe
- Size: 14MiB (15069184 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: d47f5bf131107716da0d29ccc5ecfd846df4b025935a37fa95633c502f2cd453
- MD5: a63e4c76217156ea281cc0c8726d23bd
- SHA1: 6bd68a75130c19bad081b095984f1ab77df154f7
- ssdeep: 196608:zZJvbULIsHWyd5KD3CP0Kwft28VzP7JZEDkKYYd6K6:vojWG5KD3CP0Kwft28VzP1xYj6
- imphash: de4ea522e35655944bf822f3cbced583
- authentihash: 55371a690dd05a380952dace71760d3abe6ef914e0998716c8108494a8bb9ed9
- Compiler/Packer: VC8 -> Microsoft Corporation
- PDB Pathway:
Version Info
- LegalCopyright: Copyright (c) 2007-2017 Juan Linietsky, Ariel Manzur
- Info: http://www.godotengine.org
- FileVersion: 2.2.0
- CompanyName: Godot Engine
- ProductName: Godot Engine
- ProductVersion: 2.2.custom_build
- Licence: MIT
- FileDescription: Godot Engine Editor
- Translation: 0x0409 0x04b0
Classification (TrID)
- 67.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 14.2% (.DLL) Win32 Dynamic Link Library (generic)
- 9.7% (.EXE) Win32 Executable (generic)
- 4.3% (.EXE) Generic Win/DOS Executable
- 4.3% (.EXE) DOS Executable Generic
File Sections
File Resources
File Imports
File Exports
Name | Ordinal | Address |
---|---|---|
NvOptimusEnablement | #1 | 0x1183028 |
opus_decode | #2 | 0x55fa40 |
opus_decode_float | #3 | 0x55fb70 |
opus_decoder_create | #4 | 0x560890 |
opus_decoder_ctl | #5 | 0x560970 |
opus_decoder_destroy | #6 | 0x52ce00 |
opus_decoder_get_nb_samples | #7 | 0x560b00 |
opus_decoder_get_size | #8 | 0x560b20 |
opus_decoder_init | #9 | 0x560b70 |
opus_get_version_string | #10 | 0x5fc770 |
opus_multistream_decode | #11 | 0x561100 |
opus_multistream_decode_float | #12 | 0x561130 |
opus_multistream_decoder_create | #13 | 0x561430 |
opus_multistream_decoder_ctl | #14 | 0x5614e0 |
opus_multistream_decoder_destroy | #15 | 0x52ce00 |
opus_multistream_decoder_get_size | #16 | 0x561700 |
opus_multistream_decoder_init | #17 | 0x561760 |
opus_packet_get_bandwidth | #18 | 0x560cb0 |
opus_packet_get_nb_channels | #19 | 0x560d00 |
opus_packet_get_nb_frames | #20 | 0x560d20 |
opus_packet_get_nb_samples | #21 | 0x560d60 |
opus_packet_get_samples_per_frame | #22 | 0x55f150 |
opus_packet_parse | #23 | 0x55f1f0 |
opus_pcm_soft_clip | #24 | 0x55f550 |
opus_strerror | #25 | 0x5fc780 |
Hybrid Analysis
Analysed 1 process in total.
- Input Sample (PID: 2876) 2/64
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.