Report #13071

  • Creation Date: Aug. 20, 2021, 12:49 a.m.
  • Last Update: Aug. 20, 2021, 12:50 a.m.
  • File: dccw.exe
  • Results:
Binary
DLL
False
Size
79.50KB
trid
41.0% Win32 Executable MS Visual C++
36.3% Win64 Executable
8.6% Win32 Dynamic Link Library
5.9% Win32 Executable
2.6% OS/2 Executable
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
66a082afd0b7fd0f629fb1dee4b588d5
sha1
171fcebef33965d18a836ff1a95bb0c61d4efbd3
crc32
0x6c2d9167
sha224
060f312386ca96fc1ca2c3c45f92b3151cc3dfbba5d6b0971f742b2b
sha256
cca939fe6452c1c5582821986294b6a6a8aaf61e3f5b73c8407e6b520f27001c
sha384
4f9bee36981eb2ad8c10d80c0f7c49cc51113ee6c007b0a865d585d42c31a8cfbc0fa25658b833189983f34bb1a89ffb
sha512
7694a45d7479180882c1385dd6829ca804f0ee820c0613c489c1f6f8bfd7da31d80630b446740e603ecc117726912a048a903d12951ca1fe911bd00ef1d751d4
ssdeep
1536:W7o1m69ukhqJ0YnMXWFnVCP3Dm6RbPhHj/5/RCBBskLnrc4xro3Ci+0d/:Fu+YnogVCP3Dm6RbPhHjhpCm4xQCl0d
Community
Google
False
HashLib
False
YARA
Matches
VC8_Microsoft_Corporation, win_registry, domain, contentis_base64, Check_OutputDebugStringA_iat, screenshot, url, HasRichSignature, win_mutex, Microsoft_Visual_Cpp_8, Visual_Cpp_2005_Release_Microsoft, HasDebugData, maldoc_find_kernel32_base_method_1, win_files_operation, IsPE32, anti_dbg, IsWindowsGUI, IP

Suspicious
True

Imports
GDI32.dll
StretchBlt, CreateCompatibleBitmap, SetStretchBltMode, SelectObject, CreateCompatibleDC, GetObjectW, GetTextExtentPoint32W, SetDeviceGammaRamp, GetDeviceGammaRamp, GetStockObject, SetBkMode, SetBkColor, SetTextColor, CreateSolidBrush, GetDeviceCaps, CreateDCW, DeleteDC, DeleteObject
dxva2.dll
GetNumberOfPhysicalMonitorsFromHMONITOR, GetPhysicalMonitorsFromHMONITOR, DestroyPhysicalMonitors, GetMonitorBrightness, SetMonitorBrightness, GetMonitorContrast, SetMonitorContrast, GetVCPFeatureAndVCPFeatureReply, SetVCPFeature
mscms.dll
GetColorProfileFromHandle, UninstallColorProfileW, WcsCreateIccProfile, GetColorDirectoryW, InstallColorProfileW, CloseColorProfile, DccwSetDisplayProfileAssociationList, WcsGetUsePerUserProfiles, WcsGetDefaultColorProfile, WcsOpenColorProfileW, DccwGetGamutSize, DccwCreateDisplayProfileAssociationList, DccwGetDisplayProfileAssociationList, WcsGetCalibrationManagementState, SetColorProfileElement, SetColorProfileElementSize, DccwReleaseDisplayProfileAssociationList, WcsDisassociateColorProfileFromDevice, WcsSetCalibrationManagementState, WcsSetDefaultColorProfile
ntdll.dll
WinSqmAddToStream
USER32.dll
LoadStringW, GetWindow, ShowWindow, MessageBoxW, ReleaseDC, GetWindowTextW, GetWindowTextLengthW, GetDC, KillTimer, SetTimer, SetWindowTextW, PostMessageW, MapDialogRect, EnumChildWindows, DisplayConfigGetDeviceInfo, QueryDisplayConfig, GetDisplayConfigBufferSizes, EnumDisplayDevicesW, ShowCursor, LoadCursorW, SetCursor, GetMonitorInfoW, EnumDisplayMonitors, MonitorFromWindow, GetParent, InvalidateRect, MapWindowPoints, GetWindowRect, GetDlgItem, DefWindowProcW, SendMessageW, CallWindowProcW, SetWindowPos, SetForegroundWindow, OpenIcon, SetWindowLongW, GetWindowLongW, MonitorFromRect, SendMessageTimeoutW, AllowSetForegroundWindow, GetWindowThreadProcessId, FindWindowW, RegisterWindowMessageW, GetActiveWindow, GetSystemMetrics, CharNextW, DestroyWindow, UnregisterClassA, MoveWindow
msvcrt.dll
_ftol2, memcpy, _controlfp, ?terminate@@YAXXZ, realloc, _errno, _onexit, __dllonexit, _unlock, _lock, _except_handler4_common, _wcmdln, _initterm, __setusermatherr, __p__fmode, _cexit, _exit, exit, __set_app_type, __wgetmainargs, _amsg_exit, __p__commode, _XcptFilter, _callnewh, swscanf_s, wcsstr, _wcsupr, _purecall, memcpy_s, malloc, wcsncpy_s, free, _ftol2_sse, _vsnwprintf, towlower, iswupper, _CIpow, memset
GDIPLUS.dll
GdipCreateHBITMAPFromBitmap, GdipDisposeImage, GdipCloneImage, GdipFree, GdipCreateLineBrushI, GdipFillRectangleI, GdipCloneBrush, GdipAlloc, GdipDeleteBrush, GdipCreateSolidFill, GdipDeleteGraphics, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromStream
SHELL32.dll
ShellExecuteW
ADVAPI32.dll
RegCloseKey, RegQueryInfoKeyW, RegEnumKeyExW, RegOpenKeyExW, RegSetValueExW, RegCreateKeyExW, RegDeleteValueW, EventRegister, EventUnregister, EventWrite, RegQueryValueExW
COMCTL32.dll
TaskDialogIndirect, DestroyPropertySheetPage, CreatePropertySheetPageW, PropertySheetW
KERNEL32.dll
WaitForSingleObject, CreateMutexW, HeapSetInformation, InitializeCriticalSection, GetModuleFileNameW, FindResourceExW, LoadResource, ReleaseMutex, MultiByteToWideChar, lstrcmpiW, GetModuleHandleW, LoadLibraryExW, GetProcAddress, FreeLibrary, GetLastError, CloseHandle, CreateFileW, GetCurrentProcessId, LockResource, FindResourceW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, LocalFree, FormatMessageW, GetSystemDirectoryW, WriteFile, lstrlenW, WideCharToMultiByte, GetSystemTime, CopyFileW, SizeofResource, EnterCriticalSection, LeaveCriticalSection, RaiseException, DeleteCriticalSection, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, OutputDebugStringA, TerminateProcess, SetUnhandledExceptionFilter, HeapFree, VirtualFree, GetCurrentProcess, VirtualAlloc, LoadLibraryExA, EncodePointer, HeapAlloc, DecodePointer, IsProcessorFeaturePresent, GetProcessHeap, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, Sleep, GetStartupInfoW, UnhandledExceptionFilter, QueryPerformanceCounter
OLEAUT32.dll
SysFreeString, VarUI4FromStr, SysAllocString
api-ms-win-core-com-l1-1-0.dll
CoTaskMemRealloc, CoTaskMemFree, CreateStreamOnHGlobal, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance
Strings
List
%txmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
%txmlns:cal="http://schemas.microsoft.com/windows/2007/11/color/Calibration"
%txmlns:cdm="http://schemas.microsoft.com/windows/2005/02/color/ColorDeviceModel"
%txmlns:wcs="http://schemas.microsoft.com/windows/2005/02/color/WcsCommonProfileTypes"
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
D65.camp
dccw.pdb
CalibratedDisplayProfile-%d.icc
CalibratedDisplayProfile-%d-Temp.icc
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
mshelp://windows/?id=27a2764a-ad05-4a52-96f4-eac32ae3c9e1
COMCTL32.dll
Wadvapi32.dll
atlthunk.dll
CTTune.exe
mscms.dll
ntdll.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator
dccw.exe
name="Microsoft.Windows.Common-Controls" version="6.0.0.0"
Microsoft.Windows.WindowsColorSystem.Dccw.GetDialogId
Microsoft.Windows.ICM.DCCW.Activate
name="Microsoft.Windows.ICM.DCCW"
Delete
NoRemove
GdiplusShutdown
GdipDeleteBrush
HKEY_CLASSES_ROOT
api-ms-win-core-com-l1-1-0.dll
IDD = %d: m_bIsRtl = %s
HKEY_LOCAL_MACHINE
%t%t%t<cdm:BluePrimary X="18.05" Y="7.22" Z="95.05"/>
%t%t%t<cdm:WhitePrimary X="95.05" Y="100.00" Z="108.90"/>
<wcs:GreenTRC Gamma="%f" Gain="%f" Offset1="0.0"/>
<requestedPrivileges>
SShl"@
%t%t<cdm:ColorSpace>CIEXYZ</cdm:ColorSpace>
<wcs:BlueTRC Gamma="%f" Gain="%f" Offset1="0.0"/>
%t%t</cdm:MeasurementData>
<wcs:RedTRC Gamma="%f" Gain="%f" Offset1="0.0"/>
%t%t%t<cdm:MaxColorantUsed>1.0</cdm:MaxColorantUsed>
%t%t%t<cdm:MinColorantUsed>0.0</cdm:MinColorantUsed>
%t%t<cdm:WhitePointName>D65</cdm:WhitePointName>
%t%t%t<cdm:GammaOffsetGainLinearGain Gamma="2.4" Offset="0.055" Gain="0.947867" LinearGain="12.92" TransitionPoint="0.04045"/>
%t%t%t<cdm:BlackPrimary X="0" Y="0" Z="0"/>
%t%t%t<cdm:GreenPrimary X="35.76" Y="71.52" Z="11.92"/>
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
%t%t%t<cdm:RedPrimary X="41.24" Y="21.26" Z="1.93" />
%t%t<wcs:Text xml:lang="%1">%4</wcs:Text>
%t%t<wcs:Text xml:lang="%1">%3</wcs:Text>
%t%t<wcs:Text xml:lang="%1">%2</wcs:Text>
%t%t<cdm:MeasurementData TimeStamp="%5">
New rect (%d, %d, %d, %d) is on display 0x%08x
SendMessage(STM_SETIMAGE, 0x%08x) returned 0x%08x
dxva2.dll
IsProcessorFeaturePresent
Current display is 0x%08x
GetProcAddress
PSShh
HKEY_CURRENT_USER
SECURITY
Hardware
NativeHWNDHost
AutoColorSetupMode
REGISTRY
TerminateProcess
Interface
ShellExecuteW
VirtualAlloc
CoCreateInstance
RegOpenKeyExW
FreeLibrary
RegSetValueExW
RegDeleteKeyExW
RegCreateKeyExW
QueryPerformanceCounter
RegDeleteKeyW
RegQueryValueExW
CreateFileW
LoadLibraryExW
RegEnumKeyExW
WriteFile
CopyFileW
CreateMutexW
GetModuleFileNameW
LoadResource
LoadLibraryExA
GetModuleHandleW
RegDeleteValueW
HKEY_DYN_DATA
Microsoft Corporation. All rights reserved.
_wcmdln
TypeLib
WEVT_TEMPLATE
HKEY_USERS
GetTickCount
SetTimer
?#?7?C?H?R?^?d?l?s?y?
Sleep

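The YARA tags above (screenshot, win_mutex, anti_dbg, win_registry, win_files_operation) are the kind of match that keys on import names, and the imports those rules look for are all visible in the table: StretchBlt and CreateCompatibleBitmap, CreateMutexW, OutputDebugStringA, the Reg* family, CreateFileW and CopyFileW. A static import table does not show APIs resolved at runtime, though: RegDeleteKeyExW appears in the Strings list next to LoadLibraryExW and GetProcAddress but not under the ADVAPI32.dll imports, so an import-only tagger would miss it. The Python below is an added example, not part of the report or of any tool behind it. It tags a constructed subset of the imports and strings listed above with illustrative capability labels (the API-to-tag map is an assumption; the report's YARA rules themselves are not shown) and computes the Mandiant-style import hash from the same table.

```python
import hashlib
import re

# Constructed sample: a subset of the import table and of the extracted strings
# shown in the report for dccw.exe (real names, not a complete copy of the table).
SAMPLE_IMPORTS = [
    ("GDI32.dll", ["StretchBlt", "CreateCompatibleBitmap", "CreateCompatibleDC", "SelectObject"]),
    ("KERNEL32.dll", ["CreateMutexW", "ReleaseMutex", "OutputDebugStringA",
                      "LoadLibraryExW", "GetProcAddress", "CreateFileW", "WriteFile", "CopyFileW"]),
    ("ADVAPI32.dll", ["RegOpenKeyExW", "RegSetValueExW", "RegDeleteValueW", "RegCreateKeyExW"]),
    ("SHELL32.dll", ["ShellExecuteW"]),
]
SAMPLE_STRINGS = [
    "RegDeleteKeyExW", "RegDeleteKeyW", "advapi32.dll", "atlthunk.dll",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\DCCW\\Simulator",
    "CalibratedDisplayProfile-%d.icc",
]

# Illustrative API-to-capability map. This is an assumption: the report's YARA
# rules are not shown, so this only approximates what rules with these names
# key on.
CAPABILITY_APIS = {
    "screenshot": {"StretchBlt", "BitBlt", "CreateCompatibleBitmap", "CreateCompatibleDC", "GetDC"},
    "win_mutex": {"CreateMutexW", "CreateMutexA", "ReleaseMutex"},
    "anti_dbg": {"OutputDebugStringA", "IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
    "win_registry": {"RegOpenKeyExW", "RegSetValueExW", "RegCreateKeyExW", "RegDeleteValueW",
                     "RegDeleteKeyW", "RegDeleteKeyExW", "RegQueryValueExW"},
    "win_files_operation": {"CreateFileW", "WriteFile", "CopyFileW", "DeleteFileW"},
    "runtime_resolve": {"LoadLibraryExW", "LoadLibraryExA", "LoadLibraryW", "GetProcAddress"},
}


def capability_tags(imports, strings=()):
    """Return {tag: [API names]} for APIs in the static import table, plus APIs
    that only occur as strings (candidates for GetProcAddress resolution),
    which are marked so the analyst knows they are not in the import directory."""
    static = {fn for _dll, fns in imports for fn in fns}
    tags = {}
    for tag, apis in CAPABILITY_APIS.items():
        hits = sorted(static & apis)
        runtime = sorted((set(strings) & apis) - static)
        if hits or runtime:
            tags[tag] = hits + [f"{name} (string only)" for name in runtime]
    return tags


def imphash_input(imports):
    """Normalised 'dll.func,dll.func,...' string used for the import hash:
    DLL name lower-cased with a .dll/.ocx/.sys extension stripped, function
    name lower-cased, import-table order preserved (order changes the hash)."""
    parts = []
    for dll, fns in imports:
        name = re.sub(r"\.(dll|ocx|sys)$", "", dll.lower())
        parts.extend(f"{name}.{fn.lower()}" for fn in fns)
    return ",".join(parts)


def imphash(imports):
    """MD5 over the normalised import list (the conventional imphash)."""
    return hashlib.md5(imphash_input(imports).encode()).hexdigest()


if __name__ == "__main__":
    for tag, apis in capability_tags(SAMPLE_IMPORTS, SAMPLE_STRINGS).items():
        print(f"{tag}: {', '.join(apis)}")
    print("imphash of sample subset:", imphash(SAMPLE_IMPORTS))
```

The imphash of the constructed subset is only a demonstration of the normalisation; to compare against other samples, hash the complete import table in its original order. Tags derived from strings alone are weaker evidence than static imports, since a string can be a log message or a resource rather than a resolved symbol.
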
Foremost
Matches
0.exe, 79 KB
Suspicious
True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed: http://schemas.microsoft.com/smi/2005/windowssettings, http://schemas.microsoft.com/windows/2007/11/color/calibration, http://schemas.microsoft.com/windows/2005/02/color/colordevicemodel, http://schemas.microsoft.com/windows/2005/02/color/wcscommonprofiletypes
hasURLs: True
Suspicious: http://schemas.openxmlformats.org/markup-compatibility/2006
hasAllowed: True
hasSuspicious: True

Files
Allowed: API-MS-Win-Core-LocalRegistry-L1-1-0.dll, Wadvapi32.dll, ntdll.dll, api-ms-win-core-com-l1-1-0.dll, COMCTL32.dll, ADVAPI32.dll, SHELL32.dll, atlthunk.dll, OLEAUT32.dll, dxva2.dll, GDIPLUS.dll, msvcrt.dll, mscms.dll, GDI32.dll, USER32.dll, KERNEL32.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 17408
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 8192
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 113334
Suspicious: False

Sections
Allowed: .text, .data, .idata, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 10
Suspicious: False
Image
Version: 10
Suspicious: False
Linker
Version: 14.20
Suspicious: False
Subsystem
Version: 10.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 65312
Suspicious: False

Anomalies
Anomalies
hasAnomalies: False

Libraries
Allowed: api-ms-win-core-localregistry-l1-1-0.dll, ntdll.dll, api-ms-win-core-com-l1-1-0.dll, comctl32.dll, advapi32.dll, shell32.dll, oleaut32.dll, dxva2.dll, gdiplus.dll, msvcrt.dll, mscms.dll, gdi32.dll, user32.dll, kernel32.dll
hasLibs: True
Suspicious: wadvapi32.dll, atlthunk.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2093-02-27 02:09:58
Future: True

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation
XOR: False
Fuzzing: False

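The Sizes, Symbols, Checksum, Sections, Versions, EntryPoint, Libraries and Timestamp blocks above are read straight from the COFF header, the optional header and the section table. The Python below is an added example, not the analysis tool's code: it builds a constructed PE32 header carrying the values the report lists (it is not the real dccw.exe, only a header with the same fields) and parses those fields back with the standard library. The Stack: 8192 entry is assumed here to correspond to SizeOfStackCommit. The TimeDateStamp is the one field that needs a caveat: Windows 10-era Microsoft builds are reproducible, and the TimeDateStamp of those binaries holds a hash of the build output rather than a build time, so a date of 2093 on a Microsoft-signed system binary is expected and is not by itself evidence of tampering. The same Future: True flag on a third-party binary is worth following up.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_DLL = 0x2000
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def build_sample_pe32() -> bytes:
    """Constructed minimal PE32 header (not the real dccw.exe) carrying the
    values the report lists: linker 14.20, SizeOfCode 17408, entry point 65312,
    ImageBase 0x400000, OS/image/subsystem version 10.0, CheckSum 113334,
    16 data directories, five sections and TimeDateStamp 3886538998."""
    sections = [b".text", b".data", b".idata", b".rsrc", b".reloc"]
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH",
                       IMAGE_FILE_MACHINE_I386, len(sections), 3886538998,
                       0, 0,      # PointerToSymbolTable, NumberOfSymbols (stripped: both zero)
                       224,       # SizeOfOptionalHeader for PE32
                       0x0102)    # EXECUTABLE_IMAGE | 32BIT_MACHINE, not DLL
    opt = struct.pack("<HBBIIIIII",
                      0x10B, 14, 20,             # PE32 magic, linker 14.20
                      17408, 0, 0,               # SizeOfCode, init/uninit data
                      65312, 0x1000, 0x5000)     # AddressOfEntryPoint, BaseOfCode, BaseOfData
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                       0x400000, 0x1000, 0x200,  # ImageBase, SectionAlignment, FileAlignment
                       10, 0, 10, 0, 10, 0,      # OS, image and subsystem versions
                       0, 0x10000, 1024, 113334, # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                       2, 0x8140,                # Subsystem GUI, DllCharacteristics
                       0x100000, 0x2000,         # SizeOfStackReserve, SizeOfStackCommit (8192)
                       0x100000, 0x1000,         # SizeOfHeapReserve, SizeOfHeapCommit
                       0, 16)                    # LoaderFlags, NumberOfRvaAndSizes
    opt += b"\0" * (16 * 8)                       # 16 empty data directories
    sect = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in sections)
    return dos + b"PE\0\0" + coff + opt + sect


def parse_pe_header(data: bytes) -> dict:
    """Parse the fields the report's Binary blocks are built from (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, ts, sym_ptr, nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor, size_of_code, _, _, entry, _, _ = struct.unpack_from("<HBBIIIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    (image_base, _, _, os_major, os_minor, img_major, img_minor, ss_major, ss_minor,
     _, _, size_of_headers, checksum, subsystem, _dllchars,
     _, stack_commit, _, _, _, ndirs) = struct.unpack_from("<IIIHHHHHHIIIIHHIIIIII", data, opt + 28)
    sect = opt + opt_size
    names = [struct.unpack_from("<8s", data, sect + 40 * i)[0].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsections)]
    return {
        "wordsize": 32 if machine == IMAGE_FILE_MACHINE_I386 else None,
        "dll": bool(chars & IMAGE_FILE_DLL),
        "timestamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "symbols": nsyms, "symbol_pointer": sym_ptr,
        "linker": f"{lnk_major}.{lnk_minor}", "code_size": size_of_code,
        "entry_point": entry, "image_base": image_base,
        "os_version": f"{os_major}.{os_minor}", "image_version": f"{img_major}.{img_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "headers_size": size_of_headers, "checksum": checksum,
        "directories": ndirs, "stack_commit": stack_commit, "sections": names,
    }


def timestamp_flags(ts: int, now_ts: int) -> dict:
    """Flags the report's Timestamp block derives from TimeDateStamp. A future
    value is normal for reproducible Microsoft builds (the field is a hash)."""
    return {"valid": ts != 0, "future": ts > now_ts}


if __name__ == "__main__":
    hdr = parse_pe_header(build_sample_pe32())
    for key, value in hdr.items():
        print(f"{key}: {value}")
    print(timestamp_flags(hdr["timestamp"], int(datetime.now(timezone.utc).timestamp())))
```

On a real file the same parser also gives you what to check next: a NumberOfSymbols and PointerToSymbolTable of zero is the normal state for a release build (the report flags both as Suspicious, which is noise for stripped binaries), and the CheckSum field is only meaningful once recomputed over the whole file and compared with the stored value.
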
PEDetector
Matches
None
Suspicious
False
Disassembly
hasTricks
True
Tricks
pushret
.text: 5

pushpopmath
.text: 1
.idata: 1
.reloc: 3

garbagebytes
.text: 2

software breakpoint
.text: 4

programcontrolflowchange
.text: 2

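The Tricks counts are byte-pattern hits per section, not the output of a disassembler, and two of them have an ordinary explanation in MSVC output: the compiler pads the gap between functions with int3 (0xCC) bytes up to the next alignment boundary, which a plain scan reports as software breakpoints, and a 0xC3 byte inside an immediate or inside data is counted as a ret. The Python below is an added example, not the report's detector (its exact rules are not shown): it scans a constructed x86 blob for push imm32 / ret sequences and int3 runs, and separates int3 padding that follows a ret and ends on a 16-byte boundary from isolated int3 bytes.

```python
def build_sample_text() -> bytes:
    """Constructed x86 .text-like blob (not bytes from dccw.exe): two short
    functions padded with int3 to a 16-byte boundary as MSVC does, one
    push/ret jump, a mov whose immediate contains 0xC3, and one lone int3."""
    f1 = bytes.fromhex("55 8B EC 33 C0 5D C3").ljust(16, b"\xCC")   # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret; CC padding
    f2 = bytes.fromhex("68 10 00 40 00 C3").ljust(16, b"\xCC")      # push 0x401000; ret (push/ret jump); CC padding
    f3 = bytes.fromhex("B8 C3 00 00 00 CC 90 C3")                   # mov eax,0xC3; int3; nop; ret
    return f1 + f2 + f3


def scan_tricks(code: bytes, align: int = 16) -> dict:
    """Count 'push imm32; ret' (68 xx xx xx xx C3) sequences and int3 bytes.
    An int3 run that directly follows a ret and ends on an alignment boundary
    is classified as compiler padding; any other int3 is reported as a
    software breakpoint. ret_bytes is the naive count of 0xC3 bytes, which
    also picks up the one embedded in the mov immediate."""
    pushret = padding = breakpoints = 0
    i = 0
    while i < len(code):
        if code[i] == 0x68 and i + 5 < len(code) and code[i + 5] == 0xC3:
            pushret += 1
            i += 6
            continue
        if code[i] == 0xCC:
            j = i
            while j < len(code) and code[j] == 0xCC:
                j += 1
            after_ret = i > 0 and code[i - 1] == 0xC3
            if after_ret and j % align == 0:
                padding += j - i
            else:
                breakpoints += j - i
            i = j
            continue
        i += 1
    return {
        "pushret": pushret,
        "int3_padding": padding,
        "software_breakpoint": breakpoints,
        "ret_bytes": code.count(b"\xC3"),
    }


if __name__ == "__main__":
    print(scan_tricks(build_sample_text()))
```

Even with the padding heuristic this is still a byte scan: a 0x68 ... 0xC3 window can straddle two instructions, so treat such counts as a prompt to look at the locations in a disassembler rather than as a verdict.
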
Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 85.00%
suspicious: False

NFS 3.0 (Threshold = 0.75)
confidence: 76.67%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 96.54%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 79.00%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 46.80%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: False