Report #13079

  • Creation Date: Aug. 20, 2021, 12:52 a.m.
  • Last Update: Aug. 20, 2021, 12:53 a.m.
  • File: DeviceEject.exe
  • Results:
Binary
DLL: False
Size: 26.50 KB
trid
41.0% Win32 Executable MS Visual C++
36.3% Win64 Executable
8.6% Win32 Dynamic Link Library
5.9% Win32 Executable
2.6% OS/2 Executable
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: 35c6f7b0b048a2eefb1a3d18f4e0b70c
sha1: bcb6bc01831682400d7b39253999a8405fc68b62
crc32: 0x22016003
sha224: cb562a3d92f99f98a3a0abc2438c3ba1d5f9bfe23e8ced3aeed24efd
sha256: b791438a9a1194511b354a25c76bcc569417c48b13c5a682b1146f79a56eed96
sha384: c7d6fc077b2b45c382f580f8fcb7cfa80335920427a60b50012f09c24d1e675965d5b9cd6c4f5be1d0b125f2f5753f5e
sha512: 44058349bf4604d6119dae5006cd24fdf06839bcbaed3aa35049b829349d55bdde23ed502a8f98d059e9081f232f45bd08d8a741c38e541902a62048e7dc292e
ssdeep: 384:Eac8udwmC3CltGFAquWD5ts5AWywWpJY0ehA/9gnl00:Emm2C3Gll5yG7JYQ/9gnl0
Community
Google: False
HashLib: False
YARA
Matches: domain, url, HasRichSignature, contentis_base64, HasDebugData, IP, IsPE32, IsWindowsGUI
Suspicious: True

Imports
ntdll.dll
NtQueryValueKey, NtOpenKey, RtlInitUnicodeString, NtClose, RtlFreeUnicodeString, RtlFormatCurrentUserKeyPath, RtlNtStatusToDosError
msvcrt.dll
_controlfp, swscanf, ?terminate@@YAXXZ, _acmdln, _initterm, wcsrchr, wcschr, _resetstkoflw, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, __setusermatherr, _XcptFilter, _except_handler4_common, memcpy
SHELL32.dll
CommandLineToArgvW
api-ms-win-core-file-l1-1-0.dll
GetFullPathNameW, GetFileAttributesW, CreateDirectoryW
api-ms-win-core-heap-l1-1-0.dll
HeapAlloc, HeapSetInformation, HeapFree, GetProcessHeap
api-ms-win-core-synch-l1-1-0.dll
SetEvent, CreateEventW, WaitForSingleObjectEx
api-ms-win-core-synch-l1-2-0.dll
Sleep
api-ms-win-core-handle-l1-1-0.dll
CloseHandle
api-ms-win-core-profile-l1-1-0.dll
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll
GetTickCount, GetSystemTimeAsFileTime, GetSystemWindowsDirectoryW
api-ms-win-security-base-l1-1-0.dll
FreeSid, CheckTokenMembership, AllocateAndInitializeSid
api-ms-win-core-errorhandling-l1-1-0.dll
GetLastError, SetLastError, UnhandledExceptionFilter, RaiseException, SetUnhandledExceptionFilter
api-ms-win-core-libraryloader-l1-2-0.dll
GetProcAddress, FreeLibrary, GetModuleHandleW
api-ms-win-core-libraryloader-l1-2-1.dll
LoadLibraryW
api-ms-win-core-processthreads-l1-1-0.dll
GetCurrentProcessId, GetCurrentProcess, GetCurrentThreadId, GetStartupInfoW, TerminateProcess, ExitProcess
api-ms-win-core-processenvironment-l1-1-0.dll
ExpandEnvironmentStringsW, GetCommandLineW
Strings
List
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
DeviceEject.pdb
hotplug.dll
setupapi.dev.log
setupapi.app.log
api-ms-win-security-base-l1-1-0.dll
Software\Microsoft\Windows\CurrentVersion\Setup
\REGISTRY\MACHINE\SOFTWARE\Classes
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current
ntdll.dll
name="Microsoft.Windows.DeviceEject"
api-ms-win-core-processthreads-l1-1-0.dll
api-ms-win-core-processenvironment-l1-1-0.dll
api-ms-win-core-sysinfo-l1-1-0.dll
api-ms-win-core-libraryloader-l1-2-0.dll
api-ms-win-core-libraryloader-l1-2-1.dll
api-ms-win-core-errorhandling-l1-1-0.dll
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-file-l1-1-0.dll
api-ms-win-core-synch-l1-1-0.dll
api-ms-win-core-synch-l1-2-0.dll
api-ms-win-core-heap-l1-1-0.dll
api-ms-win-core-handle-l1-1-0.dll
\REGISTRY\MACHINE
<requestedPrivileges>
\REGISTRY\USER
_acmdln
GetProcAddress
ExitProcess
CreateEventW
SetupOverride
TerminateProcess
QueryPerformanceCounter
LoadLibraryW
CreateDirectoryW
GetModuleHandleW
FreeLibrary
Microsoft Corporation. All rights reserved.
GetTickCount
Sleep
<!-- Identify the application security requirements. -->
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
GetProcessHeap
10.0.19041.1 (WinBuild.160101.0800)
version="5.1.0.0"
__p__commode
DeviceEject.EXE
DeviceEject.EXE
type="win32"
-&&%`OAVEB?lm
&&!*cIBE@?K
_initterm
__p__fmode
10.0.19041.1
_resetstkoflw
_ismbblead
.CRT$XCAA
.CRT$XIAA
<assemblyIdentity
__setusermatherr
<autoElevate>true</autoElevate>
_controlfp
__set_app_type
_amsg_exit
__getmainargs
_XcptFilter
TOGB9EVO
.rdata$brc
?terminate@@YAXXZ
!592)($##
Microsoft
Microsoft Corporation
<66}60/$
</assembly>
.CRT$XIY
CompanyName
ProductName
/()'0)*
VarFileInfo
StringFileInfo
FileDescription
OriginalFilename
FileVersion
InternalName
Translation
`.data
LogPath
_cexit
_exit
XPOfrml
Eject Device
pwwetRw
.gfids
@.rsrc
aAsww
)BTO
yysom
<security>
Rich
54@@
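The strings list above contains the pieces of the embedded application manifest that matter for triage: requestedExecutionLevel level="requireAdministrator" and autoElevate set to true. Rather than spotting these by eye in a strings dump, the added script below (my example, not code from the report or from Microsoft) carves the manifest out of the raw image bytes and parses it with the standard library, reporting the assembly identity, the requested execution level and whether silent auto-elevation is requested. The sample image is constructed: filler bytes around a manifest assembled from the fragments the page lists (the asm.v1/asm.v3 namespaces are the standard ones for such manifests; the exact element layout is assumed). Note the caveat a practitioner needs here: UAC honours autoElevate only for a Windows-signed binary that lives in a secure location such as System32, so the finding is a prompt to confirm the Authenticode signature and on-disk path (signtool verify /pa or Get-AuthenticodeSignature), not a verdict by itself, and this report does not check the signature.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: filler bytes around a manifest built from the fragments in the
# strings list above. This is not the real file's resource section.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\xcc" * 40
    + b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">\r\n'
    b'<assemblyIdentity\r\n    name="Microsoft.Windows.DeviceEject"\r\n'
    b'    version="5.1.0.0"\r\n    type="win32"\r\n/>\r\n'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">\r\n  <security>\r\n'
    b'    <requestedPrivileges>\r\n'
    b'      <!-- Identify the application security requirements. -->\r\n'
    b'      <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>\r\n'
    b'    </requestedPrivileges>\r\n  </security>\r\n</trustInfo>\r\n'
    b'<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">\r\n'
    b'  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">\r\n'
    b'    <autoElevate>true</autoElevate>\r\n'
    b'  </asmv3:windowsSettings>\r\n</asmv3:application>\r\n</assembly>\r\n'
    + b"\x00" * 32
)

# Second constructed sample: a manifest that asks for nothing special (asInvoker).
ASINVOKER_IMAGE = (
    b"MZ" + b"\x00" * 30
    + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
    b'<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'
    b'</requestedPrivileges></security></trustInfo></assembly>'
)

MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)


def extract_manifest(image):
    """Carve the first <assembly>...</assembly> blob out of raw image bytes.
    Raw carving works even when the resource directory is broken, but it also
    matches a manifest that merely sits in .rdata as text; the loader only honours
    the one in RT_MANIFEST, so confirm with a resource parser before concluding."""
    m = MANIFEST_RE.search(image)
    return m.group(0) if m else None


def _local(tag):
    """Strip the {namespace} prefix: manifests mix asm.v1, asm.v2 and asm.v3."""
    return tag.rsplit("}", 1)[-1]


def summarize_manifest(xml_bytes):
    """Pull identity and elevation settings regardless of which namespace holds them."""
    root = ET.fromstring(xml_bytes)
    out = {"name": None, "version": None, "level": None, "uiAccess": False, "autoElevate": False}
    for el in root.iter():
        if not isinstance(el.tag, str):      # skip comments / processing instructions
            continue
        tag = _local(el.tag)
        if tag == "assemblyIdentity":
            out["name"], out["version"] = el.get("name"), el.get("version")
        elif tag == "requestedExecutionLevel":
            out["level"] = el.get("level")
            out["uiAccess"] = el.get("uiAccess", "false").strip().lower() == "true"
        elif tag == "autoElevate":
            out["autoElevate"] = (el.text or "").strip().lower() == "true"
    return out


def elevation_findings(summary):
    """Findings worth a second look; the wording is mine, not a tool's."""
    findings = []
    if summary["level"] == "requireAdministrator":
        findings.append("requireAdministrator: runs only with a full administrator token")
    if summary["autoElevate"]:
        findings.append("autoElevate=true: UAC elevates it silently if it is Windows-signed "
                        "and in a secure location; verify signature and on-disk path")
    if summary["uiAccess"]:
        findings.append("uiAccess=true: may send input to higher-integrity windows")
    return findings


def triage_image(image):
    """Return (summary, findings), or (None, []) when no manifest is embedded."""
    blob = extract_manifest(image)
    if blob is None:
        return None, []
    summary = summarize_manifest(blob)
    return summary, elevation_findings(summary)


if __name__ == "__main__":
    for label, img in (("DeviceEject-style", SAMPLE_IMAGE), ("asInvoker", ASINVOKER_IMAGE)):
        summary, findings = triage_image(img)
        print(label, summary, findings)
```

On a real sample, pass the file contents (open(path, "rb").read()) to triage_image; the namespace-agnostic matching is deliberate, since Microsoft's own manifests place trustInfo in asm.v2 or asm.v3 depending on the build.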

Foremost
Matches: 0.exe, 26 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed: http://schemas.microsoft.com/smi/2005/windowssettings
hasURLs: True
Suspicious
hasAllowed: True
hasSuspicious: False

Files
Allowed: hotplug.dll, api-ms-win-core-libraryloader-l1-2-1.dll, SHELL32.dll, api-ms-win-core-sysinfo-l1-1-0.dll, ntdll.dll, api-ms-win-core-processenvironment-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, msvcrt.dll, api-ms-win-core-file-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-heap-l1-1-0.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-security-base-l1-1-0.dll, api-ms-win-core-handle-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll, api-ms-win-core-libraryloader-l1-2-0.dll
hasFiles: True
Suspicious: setupapi.app.log, setupapi.dev.log, setupapi.offline.log
hasAllowed: True
hasSuspicious: True

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 17920
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 8192
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 77027
Suspicious: False

Sections
Allowed: .text, .data, .idata, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 10
Suspicious: False
Image
Version: 10
Suspicious: False
Linker
Version: 14.20
Suspicious: False
Subsystem
Version: 10.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 10288
Suspicious: False

Anomalies
hasAnomalies: False

Libraries
Allowed: hotplug.dll, shell32.dll, api-ms-win-core-sysinfo-l1-1-0.dll, ntdll.dll, api-ms-win-core-processenvironment-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, msvcrt.dll, api-ms-win-core-file-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-heap-l1-1-0.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-security-base-l1-1-0.dll, api-ms-win-core-handle-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll
hasLibs: True
Suspicious: api-ms-win-core-libraryloader-l1-2-1.dll, api-ms-win-core-libraryloader-l1-2-0.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2028-03-05 00:52:14
Future: True

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ 8
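The Binary, Symbols, Checksum, Versions, EntryPoint and Timestamp blocks above are all read straight from the PE headers, and the verdicts that make this file look odd deserve a caveat before they are trusted. A TimeDateStamp in 2028 is what Windows 10 binaries linked with reproducible builds carry: the field holds a hash of the image rather than a build time, so Future: True on a Windows-signed image is expected rather than evidence of tampering. A zero COFF symbol table is the normal state of every MSVC release build (symbols live in the PDB the debug directory names, DeviceEject.pdb here), so the Symbols heuristic fires on nearly all legitimate Windows binaries. And the PE checksum can be recomputed by anyone, so a match only says the file is undamaged; provenance comes from the Authenticode signature, which this report does not check. The added script below (mine, not part of the report or of any tool on this page) parses those header fields with only the standard library, recomputes the checksum, and applies the same heuristics. It runs on a constructed PE32 fixture whose header mirrors the report's values with zero-filled section bodies, and it assumes that the field the report calls "Stack" is SizeOfStackCommit.

```python
import struct
from datetime import datetime, timezone

PE32_MAGIC = 0x10B
OPT_HDR_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # PE32 optional header, 96 bytes before the data directories
SECTION_FMT = "<8sIIIIIIHHI"                      # IMAGE_SECTION_HEADER, 40 bytes
KNOWN_SECTIONS = {".text", ".data", ".rdata", ".idata", ".rsrc", ".reloc", ".pdata", ".tls", ".bss"}
REPORT_DATE = datetime(2021, 8, 20, tzinfo=timezone.utc)  # creation date of the report above


def pe_checksum(data, checksum_offset):
    """Recompute the optional-header CheckSum the way imagehlp's CheckSumMappedFile does:
    sum the file as little-endian dwords with carry folding, skipping the CheckSum field,
    fold to 16 bits and add the file length. Not a security control, just an integrity hint."""
    assert checksum_offset % 4 == 0
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data):
    """Pull the header fields the report's Binary/Symbols/Checksum/Versions/EntryPoint
    blocks are derived from. PE32 only; PE32+ has a different optional-header layout."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, sym_ptr, nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    f = struct.unpack_from(OPT_HDR_FMT, data, opt)
    if f[0] != PE32_MAGIC:
        raise ValueError("not a PE32 image")
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {
        "machine": machine, "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "symbols": nsyms, "symbol_ptr": sym_ptr,
        "linker": f"{f[1]}.{f[2]}", "size_of_code": f[3], "entry_point": f[6], "image_base": f[9],
        "os_version": f"{f[12]}.{f[13]}", "image_version": f"{f[14]}.{f[15]}",
        "subsystem_version": f"{f[16]}.{f[17]}", "size_of_headers": f[20], "checksum": f[21],
        "subsystem": f[22], "stack_commit": f[25], "num_rva": f[29],
        "checksum_offset": opt + 64, "sections": sections,
    }


def triage(data, now=None):
    """Return (parsed header, findings) using the same heuristics the report applies."""
    now = now or datetime.now(timezone.utc)
    pe = parse_pe(data)
    findings = []
    if pe["timestamp"] > now:
        findings.append(f"timestamp in the future: {pe['timestamp']:%Y-%m-%d %H:%M:%S}")
    if pe["symbols"] == 0 and pe["symbol_ptr"] == 0:
        findings.append("no COFF symbol table")  # normal for MSVC release builds
    computed = pe_checksum(data, pe["checksum_offset"])
    if pe["checksum"] != computed:
        findings.append(f"checksum mismatch: header {pe['checksum']} vs computed {computed}")
    odd = [s["name"] for s in pe["sections"] if s["name"] not in KNOWN_SECTIONS]
    if odd:
        findings.append("unusual section names: " + ", ".join(odd))
    return pe, findings


def build_sample_pe():
    """Constructed fixture, not the real DeviceEject.exe: a PE32 whose header carries the
    values shown in the report (timestamp, entry point, image base, versions, 16 data
    directories, the five section names) over zero-filled section bodies."""
    stamp = int(datetime(2028, 3, 5, 0, 52, 14, tzinfo=timezone.utc).timestamp())
    names = [b".text", b".data", b".idata", b".rsrc", b".reloc"]
    raw_sizes = [17920, 512, 512, 512, 512]
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), stamp, 0, 0, 224, 0x0102)
    hdr += struct.pack(OPT_HDR_FMT, PE32_MAGIC, 14, 20, 17920, 2048, 0, 10288, 0x1000, 0x6000,
                       0x400000, 0x1000, 0x200, 10, 0, 10, 0, 10, 0, 0, 0xB000, 1024, 0,
                       2, 0x8140, 0x100000, 8192, 0x100000, 0x1000, 0, 16)
    hdr += b"\0" * 128                           # 16 empty data directories
    raw_ptr, va = 1024, 0x1000
    for name, size in zip(names, raw_sizes):
        hdr += struct.pack(SECTION_FMT, name, size, va, size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += size
        va += (size + 0xFFF) & ~0xFFF
    hdr += b"\0" * (1024 - len(hdr))             # pad to SizeOfHeaders
    image = bytes(hdr) + b"\0" * (raw_ptr - 1024)
    off = e_lfanew + 4 + 20 + 64                 # file offset of CheckSum
    return image[:off] + struct.pack("<I", pe_checksum(image, off)) + image[off + 4:]


if __name__ == "__main__":
    sample = build_sample_pe()
    pe, findings = triage(sample, now=REPORT_DATE)
    print(f"entry point {pe['entry_point']}, image base {pe['image_base']:#x}, linker {pe['linker']}")
    for line in findings:
        print("finding:", line)
```

To run it on a real file, call triage(open(path, "rb").read()); flipping any byte of the fixture turns the checksum finding on, which is the whole of what that field can tell you.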

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
pushret
.text: 1

pushpopmath
.rsrc: 1

garbagebytes
.text: 1

programcontrolflowchange
.text: 1

cpuinstructionsresultscomparison
.rsrc: 2

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 80.00%
suspicious: False

NFS 3.0 (Threshold = 0.75)
confidence: 76.00%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 99.47%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 83.64%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 74.39%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: False