Basic Information:
------------------------------------------
Target OS: Windows
Target Arch: Intel 32bit
File Type: PE32 Executable
Lang: C
Size: 312K
MD5SUM: 42863b510c6e3b3927682e4e564fb539
Test Environment:
- Hybrid Analysis
 \
  |--> CrowdStrike Falcon
  |--> MetaDefender
  |--> VirusTotal

- VirusTotal Cuckoo fork
- Any Run
 \
  |--> Windows 7 pro 32-bit
------------------------------------------

Functions:
------------------------------------
- Manipulating Windows Registry
 \
  |--> RegOpenKeyExA
  |--> RegQueryValueExA
  |--> RtlUnwind
  |--> RegCloseKey
  |--> RegCreateKeyExA
  |--> RegSetValueExA
  |--> RegDeleteKeyA
  |--> RegEnumKeyA
  |--> RegEnumKeyExA

- Manipulating files
 \
  |--> CreateFileA
  |--> ReadFile
  |--> WriteFile
  |--> FindFirstFileA
  |--> SetFilePointer
  |--> GetSystemTimeAsFileTime
  |--> GetFileType
  |--> GetModuleFileNameA
  |--> FileTimeToLocalFileTime
  |--> FileTimeToSystemTime
  |--> FlushFileBuffers
  |--> SetEndOfFile
  |--> GetFileAttributesA
  |--> GetFileSize

- Dealing with keyboard
 \
  |--> GetKeyState
  |--> GetForegroundWindow
  |--> SetWindowsHookExA

- Process operations
 \
  |--> VirtualAlloc
  |--> GlobalAlloc
  |--> HeapAlloc
  |--> VirtualProtect
  |--> GetProcAddress
  |--> ExitProcess
  |--> TerminateProcess

- Evasion
 \
  |--> GetTickCount

- Handling modules/resources
 \
  |--> LoadLibraryA
  |--> LoadResource
------------------------------------

Abilities:
-------------------------------------------------
- It has dangerous execution parents
 \
  |--> Tested on VirusTotal
   \
    |--> Report
     \-> Scanned      Detections   Type        Name
         ----------   ----------   ---------   ---------------
         2014-07-20   26/53        Win32 EXE   vt-upload-ZAS7M
         2016-12-07   54/56        Win32 EXE   Need for Speed Underground 2_code.exe
         2017-04-25   56/59        Win32 EXE   CDKey.exe
         2017-06-05   25/27        Win32 EXE   need for speed underground 2_code.exe
         2020-02-28   60/72        Win32 EXE   b9c8691740a96a92c0ef5867e3d0c0cc.virus

- It has dangerous PE resource parents
 \
  |--> Tested on VirusTotal
   \
    |--> Report
     \-> Scanned      Detections   Type        Name
         ----------   ----------   ---------   ---------------
         2020-02-28   60/72        Win32 EXE   b9c8691740a96a92c0ef5867e3d0c0cc.virus

- When it runs, it uses a "Hook" function
 \
  |--> SetWindowsHookExA

- It communicates with a potentially malicious domain
 \
  |--> 64.4.10.33 [time.microsoft.akadns.net] (Tested on VirusTotal)

-------------------------------------------------

Connections:
---------------------------------------------------
IP Addresses:
- 64.4.10.33 [time.microsoft.akadns.net]
 \
  |--> 100+ detected files communicate with this IP address
  |--> It seems potentially malicious, but it could not be detected by AV engines

---------------------------------------------------

Detected by:
-----------------------------------------
- ClamAV
 \
  |--> Win.Malware.Wronginf-6828059-0

- TACHYON
 \
  |--> Trojan-Dropper/W32.Inject.319488
-----------------------------------------

Linked DLL Files:
---------------------------------
- user32.dll & USER32.dll
- kernel32.dll & KERNEL32.dll
- ntdll.dll
- oleacc.dll
- GDI32.dll
- mscoree.dll
- comdlg32.dll
- SHELL32.dll
- COMCTL32.DLL & COMCTL32.dll
- ole32.dll
- OLEAUT32.dll
- ADVAPI32.dll
- SHLWAPI.dll
---------------------------------

Used Tools During Tests:
----------------------------------------------
- Qu1cksc0pe
 \
  |--> https://github.com/CYB3RMX/Qu1cksc0pe

- Sandbox Environments
 \
  |--> https://www.virustotal.com
  |--> https://www.hybrid-analysis.com
  |--> https://app.any.run

- Strings
- Radare2
----------------------------------------------
