template.pdf
This report is generated from a file or URL submitted to this webservice on May 4th 2022 10:40:07 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v9.1.2 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Network Behavior: Contacts 1 host
Additional Context
Related Sandbox Artifacts
- Associated SHA256s: a84da4b09d071887b5787b2dbd56640d42dff49f554f15ad78c3d8527a5a3b81
Indicators
Malicious Indicators 4
External Systems
Sample detected by CrowdStrike Static Analysis and ML with relatively high confidence
- details: CrowdStrike Static Analysis and ML (QuickScan) yielded detection: win/malicious_confidence_100% (W)
- source: External System
- relevance: 10/10
Sample was identified as malicious by a large number of Antivirus engines
- details: 54/70 Antivirus vendors marked sample as malicious (77% detection rate)
- source: External System
- relevance: 10/10
Sample was identified as malicious by a trusted Antivirus engine
- details: No specific details available
- source: External System
- relevance: 10/10
Network Related
Uses network protocols on unusual ports
- details: TCP traffic to 68.183.238.225 on port 4444
- source: Network Traffic
- relevance: 7/10
- ATT&CK ID: T1571
Suspicious Indicators 8
Anti-Reverse Engineering
PE file has unusual entropy sections
- details: .text with unusual entropies 7.01509800337
- source: Static Parser
- relevance: 10/10
External Systems
Sample was identified as malicious by at least one Antivirus engine
- details: 54/70 Antivirus vendors marked sample as malicious (77% detection rate)
- source: External System
Installation/Persistence
Monitors specific registry key for changes
- details:
  - "template.pdf.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: 0)
  - "template.pdf.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: 0)
- source: API Call
- relevance: 4/10
- ATT&CK ID: T1012
Remote Access Related
Reads terminal service related keys (often RDP related)
- details:
  - "template.pdf.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
  - "template.pdf.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSAPPCOMPAT")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1021.001
Unusual Characteristics
Imports suspicious APIs
- details: DeviceIoControl, GetVersionExA, LoadLibraryA, GetCommandLineW, GetProcAddress, WriteFile, TerminateProcess, CreateFileW, Sleep, CreateFileA, WSASend, WSAStartup, connect, closesocket, socket
- source: Static Parser
- relevance: 1/10
Installs hooks/patches the running process
- details:
  - "template.pdf.exe" wrote bytes "c04e267720542777e0652777b53828770000000000d0ad7600000000c5eaad760000000088eaad7600000000e9681f7582282877ee29287700000000d2691f75000000007dbbad760000000009be1f7500000000ba18ad7600000000" to virtual address "0x75851000" (part of module "NSI.DLL")
  - "template.pdf.exe" wrote bytes "fae62377e1a628772e712877ee29287785e223776da0287726e42377d16d2877003d2677804b267700000000ad37cb758b2dcb75b641cb7500000000" to virtual address "0x745A1000" (part of module "WSHTCPIP.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1056.004
Reads information about supported languages
- details:
  - "template.pdf.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
  - "template.pdf.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Hiding 1 Suspicious Indicators
Informative 5
Environment Awareness
Contains ability to read software policies
- details: "template.pdf.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
- source: Registry Access
- relevance: 1/10
- ATT&CK ID: T1082
General
Contacts server
- details: "68.183.238.225:4444"
- source: Network Traffic
- relevance: 1/10
Contains PDB pathways
- details: "C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb"
- source: File/Memory
- relevance: 1/10
Found API related strings
- details: the following strings were found in Source 9acb79531ce18d940bf2259f0659e9b97da5b562ad8b8b814c5030240b2bc4df.bin (the matched indicator is the same as the string unless noted): "SetLastError", "FreeEnvironmentStringsW", "GetEnvironmentStringsW" (Indicator: "GetEnvironmentStrings"), "GlobalFree", "GetCommandLineW", "GetCurrentProcess", "CloseHandle", "GetSystemTimeAsFileTime" (Indicator: "GetSystemTime"), "GetTimeZoneInformation", "FormatMessageA", "GetLastError", "WaitForSingleObject", "CreateEventA", "SetStdHandle", "SetFilePointer", "CreateFileA", "CreateFileW", "GetFileInformationByHandle", "LocalFree", "GetFileType"
- source: File/Memory
- relevance: 1/10
Network Related
Found potential URL in binary/memory
- details:
  - Pattern match: "http://www.apache.org/"
  - Pattern match: "http://www.zeustech.net/"
  - Pattern match: "http://]hostname[:port]/path"
  - Pattern match: "http://www.apache.org/licenses/LICENSE-2.0"
- source: File/Memory
- relevance: 10/10
CrowdStrike AI
Executable Process Memory Analysis
Malicious 3
00000000-00003248.00000000.65644.003D0000.00000040.mdmp (Address: 003D0000, Flags: 00000040)
- File's Process: template.pdf.exe (PID: 3248)
- File's Process SHA256: 9acb79531ce18d940bf2259f0659e9b97da5b562ad8b8b814c5030240b2bc4df
- File's Process Disc Pathway: Z:\template.pdf.exe
00000000-00003248.00000002.69484.003D0000.00000040.mdmp (Address: 003D0000, Flags: 00000040)
- File's Process: template.pdf.exe (PID: 3248)
- File's Process SHA256: 9acb79531ce18d940bf2259f0659e9b97da5b562ad8b8b814c5030240b2bc4df
- File's Process Disc Pathway: Z:\template.pdf.exe
00000000-00003248.00000001.67564.003D0000.00000040.mdmp (Address: 003D0000, Flags: 00000040)
- File's Process: template.pdf.exe (PID: 3248)
- File's Process SHA256: 9acb79531ce18d940bf2259f0659e9b97da5b562ad8b8b814c5030240b2bc4df
- File's Process Disc Pathway: Z:\template.pdf.exe
File Details
template.pdf
- Filename: template.pdf
- Size: 72KiB (73802 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 9acb79531ce18d940bf2259f0659e9b97da5b562ad8b8b814c5030240b2bc4df
- MD5: 8a0b9ac32b12f599e43f1edf4d28efbe
- SHA1: d7de2ffd5f091be543c840c2d809359486ecfc74
- ssdeep: 1536:IXf70PCs6D/ArS6nsxMeRoq3dhnJOWgg5Mb+KR0Nc8QsJq39:PasU4rS6s6q3dhnJJgAe0Nc8QsC9
- imphash: 3d798824ae592db4a43dd71afe5f4cc1
- authentihash: 7a5ae5d95bc80079ec1e23ad68a7ef3632701343974d8a7f10d6e3c28fadd6de
- PDB Timestamp: 09/29/2009 03:34:14 (UTC)
Version Info
- LegalCopyright: Copyright 2009 The Apache Software Foundation.
- InternalName: ab.exe
- FileVersion: 2.2.14
- CompanyName: Apache Software Foundation
- Comments: Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
- ProductName: Apache HTTP Server
- ProductVersion: 2.2.14
- FileDescription: ApacheBench command line utility
- OriginalFilename: ab.exe
- Translation: 0x0409 0x04b0
Classification (TrID)
- 41.0% (.EXE) Win32 Executable MS Visual C++ (generic)
- 36.3% (.EXE) Win64 Executable (generic)
- 8.6% (.DLL) Win32 Dynamic Link Library (generic)
- 5.9% (.EXE) Win32 Executable (generic)
- 2.6% (.EXE) OS/2 Executable (generic)
File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 40 .C Files compiled with CL.EXE (Visual Studio 6 Processor Pack) (build: 9044)
- 8 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 2179)
- 3 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 8047)
- 11 .C Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8047)
- 9 .ASM Files assembled with MASM 6.13 (Visual Studio 6 SP1) (build: 7299)
- 4 .OBJ Files linked with ALIASOBJ.EXE 6.00 (Internal OLDNAMES.LIB Tool) (build: 7291)
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- template.pdf.exe (PID: 3248) 54/70
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
68.183.238.225 | 4444 TCP | template.pdf.exe PID: 3248 | United States
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Informative 5
RecentFileCache.bcf
- Size: 28KiB (28460 bytes)
- Type: data
- Runtime Process: template.pdf.exe (PID: 3248)
- MD5: 2bdf993c9f527f8b8110fc0b7ab83573
- SHA1: e184a0d375510345bff17d16dc617be262b73cfd
- SHA256: 19a9dbca205f6cb32b519f7131e9cd5201986065cc34fd589802157e01434d86
MAPPING3.MAP
- Size: 49KiB (50436 bytes)
- Type: data
- Runtime Process: template.pdf.exe (PID: 3248)
- MD5: 6fd533056ecb9de2412556919a0c28cb
- SHA1: 53fb20fbbbfa99e946dbedb9b5b12548c61d328c
- SHA256: a8242bf9e1a3a4b6592c67e927a343b4ca13774144130d19f6b9e0d0930f5c69
MAPPING2.MAP
- Size: 49KiB (50440 bytes)
- Type: data
- Runtime Process: template.pdf.exe (PID: 3248)
- MD5: a33bdf0911332f80adfdcfe23ebe4a63
- SHA1: 15ae5a9adb9ad398aa85764f464149f333a9e7fb
- SHA256: eef272cbacc5dae7c0fb1c292684642771677c210365825be6b1e278f31be4d4
INDEX.BTR
- Size: 4.2MiB (4407296 bytes)
- Type: data
- Runtime Process: template.pdf.exe (PID: 3248)
- MD5: d7c0d59e635de185cb661fcc85a786df
- SHA1: e8daee57875c0948e1a4b320ef539f8ad5ffc8d4
- SHA256: 9c7259df5ee3ab69c08fee569f37e5a928cfc6de13cea89e128cece436b378f4
MAPPING1.MAP
- Size: 49KiB (50436 bytes)
- Type: data
- Runtime Process: template.pdf.exe (PID: 3248)
- MD5: cf04c8852305bd8cdf4360892e5ebb5c
- SHA1: 079b889fdd97b5d35e6e37b16cda90efdc7384fa
- SHA256: e34313dd733f12552fb1c8734bfdc26a4b0de9f4180ea5be7b134543a83e8b88