Basic Information:
------------------------------------------
Target OS: Windows
Target Arch: Intel x86 (32-bit)
File Type: PE32 Executable
Lang: C
Size: 4.1M
MD5SUM: d60a45d1254899aee137ecb1f2ffae8e
SHA256: 326b50f40d55c8cf54eb12f5372b7b46306363d0aae9a2eb6ade07832e17ddc8 (taken from the scan report URLs below)
Test Environment:
- Any Run
 \
  |--> Windows 7 pro 32-bit

- Hybrid Analysis
 \
  |--> CrowdStrike Falcon
  |--> MetaDefender
  |--> VirusTotal
------------------------------------------
 
Functions:
------------------------------------
- Registry
 \
  |--> RtlUnwind (misclassified here: this is the SEH stack-unwinding helper, not a registry API)
  |--> RegQueryValueExW
  |--> RegCloseKey
  |--> RegCreateKeyExW
  |--> RegSetValueExW
  |--> RegDeleteValueW

- File
 \
  |--> CreateFile
  |--> CreateFileW
  |--> ReadFile
  |--> WriteFile
  |--> DeleteFileW
  |--> FindFirstFileExW
  |--> MapViewOfFile
  |--> SetFileTime
  |--> SetFilePointer
  |--> SetFilePointerEx
  |--> GetSystemTimeAsFileTime
  |--> GetFileType
  |--> GetModuleFileName
  |--> GetModuleFileNameW
  |--> SystemTimeToFileTime
  |--> FileTimeToSystemTime
  |--> MoveFileW
  |--> FlushFileBuffers
  |--> SetEndOfFile
  |--> GetFileInformationByHandle
  |--> SetFileAttributesW
  |--> GetFileAttributesW
  |--> GetFileSizeEx
  |--> UnlockFileEx
  |--> LockFileEx
  |--> NtCreateFile
  |--> NtQueryAttributesFile
  |--> NtQueryFullAttributesFile
  |--> NtSetInformationFile
  |--> NtOpenFile
  |--> GetFileInformationByHandleEx
  |--> SetFileInformationByHandle
  |--> GetSystemTimePreciseAsFileTime
  |--> GetFileVersionInfoSizeW
  |--> GetFileVersionInfoW
  |--> CreateFileMappingW
  |--> UnmapViewOfFile
  |--> ReplaceFileW
  |--> FlushViewOfFile
  |--> GetMappedFileNameW
  |--> GetWindowsDirectoryW

- Process
 \
  |--> CreateProcess
  |--> VirtualAlloc
  |--> HeapAlloc
  |--> VirtualProtect
  |--> OpenProcess
  |--> CreateRemoteThread
  |--> WriteProcessMemory
  |--> IsWow64Process
  |--> NtSetInformationProcess
  |--> GetProcAddress
  |--> ExitProcess
  |--> GetExitCodeProcess
  |--> TerminateProcess
  |--> CreateProcessA
  |--> ReadProcessMemory
  |--> OpenProcessToken
  |--> CreateProcessW
  |--> GetProcessWindowStation
  |--> SetProcessWindowStation
  |--> GetProcessHeaps
  |--> GetProcessHandleCount
  |--> AssignProcessToJobObject
  |--> GetCurrentProcessId
  |--> GetCurrentProcess
  |--> SetProcessShutdownParameters
  |--> GetProcessId
  |--> IsSandboxedProcess
  |--> NtQueryInformationProcess
  |--> NtSuspendProcess
  |--> NtResumeProcess
  |--> AppPolicyGetProcessTerminationMethod
  |--> CorExitProcess
  |--> FlushProcessWriteBuffers
  |--> NtOpenProcessTokenEx
  |--> NtOpenProcessToken
  |--> NtOpenProcess
  |--> RecordProcessExit

- Handling modules/resources
 \
  |--> LoadLibraryExA
  |--> LoadLibraryW
  |--> LoadLibraryExW

- Evasion/Bypassing
 \
  |--> IsDebuggerPresent
  |--> GetTickCount
  |--> NtQueryInformationProcess
  |--> OutputDebugStringA
  |--> SetProcessDEPPolicy (enables DEP for the calling process: a hardening call, not an evasion technique)
  |--> SetProcessMitigationPolicy (applies exploit-mitigation policies to the calling process; likewise hardening, not evasion)

- Data recon/Information gathering about system
 \
  |--> ReadProcessMemory
  |--> GetProcessMemoryInfo
  |--> QueryFullProcessImageNameW
  |--> ProcessIdToSessionId
  |--> GetProcessTimes
  |--> GetCurrentProcessorNumber
  |--> GetDriveTypeW

- System persistence
 \
  |--> CreateProcessAsUserW (starts a process under a supplied access token; on its own it is not a persistence mechanism)

- Web connections
 \
  |--> WinHttpCloseHandle
  |--> WinHttpOpen
  |--> WinHttpSetTimeouts
  |--> WinHttpCrackUrl
  |--> WinHttpConnect
  |--> WinHttpOpenRequest
  |--> WinHttpAddRequestHeaders
  |--> WinHttpSendRequest
  |--> WinHttpWriteData
  |--> WinHttpReceiveResponse
  |--> WinHttpQueryHeaders
  |--> WinHttpReadData

- Other
 \
  |--> IsProcessorFeaturePresent
  |--> SetProcessDpiAwarenessInternal
  |--> SetProcessDPIAware
------------------------------------
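The function list above is a bucketed import table, and the interesting signal is less any single API than the combinations (OpenProcess + WriteProcessMemory + CreateRemoteThread, LoadLibrary* + GetProcAddress, the WinHttp* set). The following is an added example, not Qu1cksc0pe's code or anything from the sample: it re-implements such a categorizer over a constructed import list (a subset of the names above, plus RegisterClassW to show a near-miss) and adds combination rules that fire only when every group of a capability is present. It also shows why RtlUnwind should not land under "Registry": the rule requires "Reg" followed by an uppercase letter. The category and rule names are the author's assumptions, not an established taxonomy.

```python
"""Bucket a PE's imported API names by theme and flag API combinations that
together suggest a capability. Illustrative categorizer, not Qu1cksc0pe's."""
import re

# Constructed input: a subset of the names from the function list above,
# plus RegisterClassW (a window-class API that merely starts with "Reg").
SAMPLE_IMPORTS = [
    "RtlUnwind", "RegQueryValueExW", "RegCreateKeyExW", "RegSetValueExW", "RegDeleteValueW",
    "CreateFileW", "WriteFile", "MoveFileW", "SetFileTime", "MapViewOfFile",
    "OpenProcess", "VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
    "CreateRemoteThread", "NtQueryInformationProcess", "IsDebuggerPresent",
    "GetTickCount", "LoadLibraryExW", "GetProcAddress", "SetProcessDEPPolicy",
    "WinHttpOpen", "WinHttpConnect", "WinHttpOpenRequest", "WinHttpSendRequest",
    "WinHttpReadData", "RegisterClassW",
]

# First matching rule wins, so narrow rules come before broad ones.
# "Reg" must be followed by an uppercase letter so RegisterClassW is not taken
# for a registry API, and RtlUnwind (an SEH helper) matches no rule at all.
CATEGORY_RULES = [
    ("Registry", lambda n: re.match(r"Reg[A-Z]", n) is not None),
    ("Web connections", lambda n: n.startswith(("WinHttp", "Internet", "WSA"))),
    ("Evasion/Bypassing", lambda n: n in {
        "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetTickCount",
        "GetTickCount64", "OutputDebugStringA", "OutputDebugStringW"}),
    ("Handling modules/resources", lambda n: n.startswith(("LoadLibrary", "GetProcAddress", "FreeLibrary"))),
    ("Process", lambda n: "Process" in n or n in {
        "CreateRemoteThread", "VirtualAlloc", "VirtualAllocEx", "VirtualProtect",
        "VirtualProtectEx", "HeapAlloc"}),
    ("File", lambda n: "File" in n),
]

# A capability fires only when every group has at least one member imported
# (hypothetical rule names chosen for this example).
CAPABILITY_RULES = {
    "remote-thread injection primitives": [
        {"OpenProcess", "NtOpenProcess"},
        {"WriteProcessMemory"},
        {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
    ],
    "dynamic API resolution (static import list is a lower bound)": [
        {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"},
        {"GetProcAddress"},
    ],
    "HTTP client via WinHTTP": [
        {"WinHttpOpen"}, {"WinHttpConnect"}, {"WinHttpSendRequest"},
    ],
    "anti-debugging checks": [
        {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"},
    ],
    "registry write": [
        {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA", "RegCreateKeyExW"},
    ],
}


def categorize(imports):
    """Return {category: sorted API names}; names matching no rule go to 'Other'."""
    buckets = {name: [] for name, _ in CATEGORY_RULES}
    buckets["Other"] = []
    for api in sorted(set(imports)):
        for category, matches in CATEGORY_RULES:
            if matches(api):
                buckets[category].append(api)
                break
        else:
            buckets["Other"].append(api)
    return buckets


def capabilities(imports):
    """Return the sorted names of capability rules fully satisfied by the import set."""
    present = set(imports)
    return sorted(name for name, groups in CAPABILITY_RULES.items()
                  if all(group & present for group in groups))


if __name__ == "__main__":
    for category, apis in categorize(SAMPLE_IMPORTS).items():
        print(f"- {category}: {', '.join(apis) or '(none)'}")
    print("capabilities:", capabilities(SAMPLE_IMPORTS))
```

Two caveats apply to any such table, including the one above: an import list proves capability, not behaviour (the dynamic runs below never got past the missing DLL), and because the sample also imports LoadLibrary*/GetProcAddress the static list is only a lower bound on the APIs it can reach.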
Abilities/Specifications:
------------------------------------
- It needs "nw_elf.dll" to run
 \
  |--> nw_elf.dll ships with the NW.js (node-webkit) runtime, which together with the Crashpad URLs in the strings suggests an NW.js-based application; without the DLL beside the executable the loader fails before any of the sample's own code runs
- It has dangerous execution parents (files seen launching this sample on VirusTotal, both heavily detected)
 \
  |--> Tested on VirusTotal
   \
    |--> Report
     \-> Scanned      Detections   Type        Name
         ----------   ----------   ---------   --------------------------------------
         2020-03-10   69/72        Win32 EXE   063da3cbfbf33cbca3fe7977d0dab91e.virus
         2020-03-10   67/73        Win32 EXE   517079ac0117faaccddd9bbb23914bf5.virus

- It opens files and registry keys
 \
  - Files
   \
    |--> C:\WINDOWS\system32\winime32.dll
    |--> C:\WINDOWS\system32\ws2_32.dll
    |--> C:\WINDOWS\system32\ws2help.dll
    |--> C:\WINDOWS\system32\psapi.dll
    |--> C:\WINDOWS\system32\imm32.dll
    |--> C:\WINDOWS\system32\lpk.dll
    |--> C:\WINDOWS\system32\usp10.dll
   /
  - Registry keys
   \
    |--> \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
    |--> \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
    |--> \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    |--> \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
    |--> \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
   /
  - Note: every key above is read by Windows itself when any new image starts (the Image File Execution Options lookup uses the executable's own file name, here 996E.exe; SafeBoot\Option and the Safer\CodeIdentifiers keys are the Safe Mode and Software Restriction Policy checks), so they are not by themselves evidence that the sample reads or writes the registry

- If the program runs correctly:
 \
  - Judging by the functions it imports (capabilities, not observed behaviour, since the dynamic runs never got past the missing DLL):
  |--> It might download its modules/resources to the system
  |--> It manipulates files and the Windows Registry
  |--> It might evade AVs, debuggers and virtual environments
------------------------------------
 
Connections:
------------------------------------
- It could not connect to any host
 \
  |--> Reason: nw_elf.dll was not found, so the program could not run correctly

- Extracted URLs via the strings tool
 \
  |--> https://crashpad.chromium.org/
  |--> https://crashpad.chromium.org/bug/new
  |--> Note: both URLs belong to Crashpad, Chromium's crash reporter, whose Windows upload transport is built on WinHTTP; the WinHttp* imports listed under "Web connections" are therefore consistent with crash-report upload and are not by themselves evidence of command-and-control traffic
------------------------------------
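The URLs above came from the strings tool, which by default only reports runs of ASCII bytes; a Windows binary that imports the W-suffixed APIs listed earlier will also carry UTF-16LE strings that plain strings misses (GNU strings needs -el for those). The following is an added example, not part of the original report or of any tool it names: a small extractor that scans a byte blob for both encodings and pulls URLs out of the results. The input blob is constructed for the example, and https://example.test/wide is a made-up URL placed there only to show a wide-string hit.

```python
"""Pull URLs out of a binary blob the way `strings` and `strings -el` would,
covering both ASCII and UTF-16LE runs. Added example, not the report's tooling."""
import re

MIN_LEN = 4  # same default minimum run length as GNU strings

# Printable ASCII run (0x20..0x7e), at least MIN_LEN bytes long.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE run: each printable ASCII byte is followed by a NUL byte.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Conservative URL pattern over RFC 3986 characters; stops at whitespace/quotes.
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def extract_strings(blob):
    """Yield (encoding, text) for every printable run found in blob."""
    for m in ASCII_RUN.finditer(blob):
        yield "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(blob):
        yield "utf-16le", m.group().decode("utf-16-le")


def extract_urls(blob):
    """Return the sorted set of URLs found in either encoding."""
    found = set()
    for _, text in extract_strings(blob):
        found.update(URL_RE.findall(text))
    return sorted(found)


# Constructed sample: a narrow URL, a wide URL and junk bytes around them.
# (https://example.test/wide is a hypothetical URL used only for this example.)
SAMPLE_BLOB = (
    b"\x00\x01\x02" + b"https://crashpad.chromium.org/bug/new" + b"\x00\xff"
    + "https://example.test/wide".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8 + b"MZ" + b"\x00" * 4
)


if __name__ == "__main__":
    for encoding, text in extract_strings(SAMPLE_BLOB):
        print(f"[{encoding}] {text}")
    print("URLs:", extract_urls(SAMPLE_BLOB))
```

To run it over a real file, read it in binary mode (open(path, "rb").read()) and pass the bytes to extract_urls; a URL that appears only in the utf-16le output is exactly the kind plain strings would have missed.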

Detected by:
------------------------------------
- VirusTotal
 \
  |--> 17/73

- Hybrid Analysis
 \
  |--> CrowdStrike Falcon
   \-> Not Detected
   /
  |--> MetaDefender
   \-> 11%
   /
  |--> VirusTotal
   \-> 23%

- Scan reports
 \
  |--> Any Run
   \-> https://app.any.run/tasks/857ff7ca-08ca-46ec-85d4-a794d4f58a1a
   /
  |--> Hybrid Analysis
   \-> https://www.hybrid-analysis.com/sample/326b50f40d55c8cf54eb12f5372b7b46306363d0aae9a2eb6ade07832e17ddc8
   \-> https://www.hybrid-analysis.com/sample/326b50f40d55c8cf54eb12f5372b7b46306363d0aae9a2eb6ade07832e17ddc8/5e9b3fc4197a3e3b926f07d9
   /
  |--> VirusTotal
   \-> https://www.virustotal.com/gui/file/326b50f40d55c8cf54eb12f5372b7b46306363d0aae9a2eb6ade07832e17ddc8/detection
------------------------------------
 
Linked DLL Files:
------------------------------------
- user32.dll & USER32.dll
- kernel32.dll & KERNEL32.dll
- dbghelp.dll
- ole32.dll
- POWRPROF.dll
- nw_elf.dll
- ADVAPI32.dll
- GDI32.dll
- SHELL32.dll
- SHLWAPI.dll
- USP10.dll
- VERSION.dll
- WINMM.dll
- WINHTTP.dll
- PSAPI.DLL
------------------------------------
 
Used Tools During Tests:
-----------------------------------------------
- Qu1cksc0pe
 \
  |--> https://github.com/CYB3RMX/Qu1cksc0pe

- Sandbox Environments
 \
  |--> https://www.virustotal.com
  |--> https://www.hybrid-analysis.com

- Strings
- Rabin2
-----------------------------------------------
