PhraseExpressSetup.exe
This report is generated from a file or URL submitted to this webservice on May 15th 2019 20:18:55 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Reads terminal service related keys (often RDP related)
- Spyware
  - Found a string that may be used as part of an injection method
  - Sets a global windows hook to intercept keystrokes
  - Sets a global windows hook to intercept mouse events
- Persistence
  - Modifies firewall settings
  - Spawns a lot of processes
  - Writes data to a remote process
- Fingerprint
  - Queries process information
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
  - Possibly checks for the presence of an Antivirus engine
  - Reads Antivirus engine related registry keys
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
MITRE ATT&CK™ Techniques Detection
The technique matrix is a graphic in the original report and is not reproduced here; the technique IDs are listed per indicator below. They follow the 2019 ATT&CK numbering, before sub-techniques were introduced: T1063 is now T1518.001 (Security Software Discovery), T1179 is T1056.004 (Credential API Hooking), T1076 is T1021.001 (Remote Desktop Protocol), T1107 is T1070.004 (File Deletion) and T1215 is T1547.006 (Kernel Modules and Extensions).
Indicators
Not all malicious and suspicious indicators are displayed in this public report.
Malicious Indicators 12

Anti-Detection/Stealthiness

Reads Antivirus engine related registry keys
- details
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\BITDEFENDER\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\SYMANTEC\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\G DATA\AVKINTERNETSECURITY\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\AVIRA\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\PANDA SOFTWARE\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\PCTOOLS\SPYWARE DOCTOR\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\COMPUTERASSOCIATES\ETRUST SUITE PERSONAL\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\TRENDMICRO\PC-CILLIN\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\COMPUTERASSOCIATES\ETRUSTPESTPATROL\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\MALWAREBYTES\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\360TOTALSECURITY\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\HITMANPRO\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\HITMANPRO.ALERT\")
"phraseexpress.exe" (Path: "HKCU\SOFTWARE\BAIDU SECURITY\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\BITDEFENDER\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\SYMANTEC\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\G DATA\AVKINTERNETSECURITY\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\AVIRA\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\PANDA SOFTWARE\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\PCTOOLS\SPYWARE DOCTOR\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\COMPUTERASSOCIATES\ETRUST SUITE PERSONAL\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\TRENDMICRO\PC-CILLIN\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\COMPUTERASSOCIATES\ETRUSTPESTPATROL\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\MALWAREBYTES\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\360TOTALSECURITY\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\HITMANPRO\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\HITMANPRO.ALERT\")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\BAIDU SECURITY\")
- source
- Registry Access
- relevance
- 8/10
- ATT&CK ID
- T1063
Note: the same fourteen vendor paths are probed in the same order under HKCU and then HKLM, i.e. a fixed, compiled-in vendor list rather than enumeration of what is installed. The report does not show the result being acted on, so this is a presence check and not evidence of tampering with the products.

Environment Awareness

Sets a global windows hook to intercept mouse events
- details
- "phraseexpress.exe" set a windows hook with filter "WH_MOUSE_LL"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1179

General

Contains ability to start/interact with device drivers
- details
- DeviceIoControl@KERNEL32.DLL from PhraseExpressSetup.tmp (PID: 2844)
- source
- Hybrid Analysis Technology
- relevance
- 8/10
Note: DeviceIoControl is the generic user-mode IOCTL call, used for volume and device queries as much as for talking to custom drivers; on its own it shows only the ability to issue IOCTLs.
The analysis extracted a file that was identified as malicious
- details
- 1/71 Antivirus vendors marked dropped file "is-NLM8M.tmp" as malicious (classified as "Trojan.Banker.Banbra" with 1% detection rate)
- source
- Binary File
- relevance
- 10/10
Note: a single engine out of 71 with a generic family name is a weak signal and often a false positive; before acting on it, hash the dropped DLL and compare it with the vendor's published release.

Installation/Persistence

Allocates virtual memory in a remote process
- details
"PhraseExpressSetup.tmp" allocated memory in "%WINDIR%\System32\en-US\msxml6r.dll.mui"
"PhraseExpressSetup.tmp" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"PhraseExpressSetup.tmp" allocated memory in "%WINDIR%\System32\regsvr32.exe"
- source
- API Call
- relevance
- 7/10
- ATT&CK ID
- T1055
Note: the first two "targets" are a file and a registry key, not processes; the sandbox has resolved the handle number to the wrong object, so only the regsvr32.exe entry is meaningful.

Writes data to a remote process
- details
"PhraseExpressSetup.exe" wrote 1500 bytes to a remote process "%TEMP%\is-NORH0.tmp\PhraseExpressSetup.tmp" (Handle: 164)
"PhraseExpressSetup.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-NORH0.tmp\PhraseExpressSetup.tmp" (Handle: 164)
"PhraseExpressSetup.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-NORH0.tmp\PhraseExpressSetup.tmp" (Handle: 164)
"PhraseExpressSetup.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-NORH0.tmp\PhraseExpressSetup.tmp" (Handle: 164)
"PhraseExpressSetup.tmp" wrote 1500 bytes to a remote process "C:\Windows\System32\regsvr32.exe" (Handle: 656)
"PhraseExpressSetup.tmp" wrote 4 bytes to a remote process "C:\Windows\System32\regsvr32.exe" (Handle: 656)
"PhraseExpressSetup.tmp" wrote 32 bytes to a remote process "C:\Windows\System32\regsvr32.exe" (Handle: 656)
"PhraseExpressSetup.tmp" wrote 52 bytes to a remote process "C:\Windows\System32\regsvr32.exe" (Handle: 656)
"PhraseExpressSetup.tmp" wrote 32 bytes to a remote process "C:\Windows\System32\netsh.exe" (Handle: 524)
"PhraseExpressSetup.tmp" wrote 52 bytes to a remote process "C:\Windows\System32\netsh.exe" (Handle: 524)
"PhraseExpressSetup.tmp" wrote 4 bytes to a remote process "C:\Windows\System32\netsh.exe" (Handle: 524)
"PhraseExpressSetup.tmp" wrote 32 bytes to a remote process "C:\Program Files\PhraseExpress\phraseexpress.exe" (Handle: 716)
"PhraseExpressSetup.tmp" wrote 52 bytes to a remote process "C:\Program Files\PhraseExpress\phraseexpress.exe" (Handle: 716)
"PhraseExpressSetup.tmp" wrote 4 bytes to a remote process "C:\Program Files\PhraseExpress\phraseexpress.exe" (Handle: 716)
- source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055
Note: every write goes from a parent into a child it has just created (PhraseExpressSetup.exe into PhraseExpressSetup.tmp; PhraseExpressSetup.tmp into regsvr32.exe, netsh.exe and phraseexpress.exe), with the same 4/32/52-byte sequence each time; nothing is written into a process outside this process tree.

Pattern Matching

YARA signature match
- details
- YARA signature "Bolonyokte" classified file "all.bstring" as "rat" based on indicators: "donadoni,login,Power" (Author: Jean-Philippe Teissier / @Jipe_)
- source
- YARA Signature
- relevance
- 10/10
Note: the match is against the aggregated string dump ("all.bstring") on three short, generic strings; on its own it is not a meaningful RAT classification.

Spyware/Information Retrieval

Sets a global windows hook to intercept keystrokes
- details
- "phraseexpress.exe" set a windows hook with filter "WH_KEYBOARD_LL"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1179
Note: WH_KEYBOARD_LL and WH_MOUSE_LL are low-level hooks that deliver every keystroke and mouse event on the desktop to the installing process. A text-expansion tool needs exactly this to recognise trigger phrases, so the behaviour is expected for this product, but from the API calls alone it is indistinguishable from a keylogger.

System Security

Modifies firewall settings
- details
- Process "netsh.exe" with commandline ""%WINDIR%\system32\netsh" advfirewall firewall add rule name="PhraseExpress" dir=in action=allow program="%PROGRAMFILES%\PhraseExpress\PhraseExpress.exe" enable=yes"
- source
- Monitored Target
- relevance
- 8/10
Note: the rule is an inbound allow for the installed executable with no profile, protocol, port or remote-address restriction, so any host that can reach the machine may connect to whatever PhraseExpress.exe listens on (the sample imports socket, bind, listen and accept, see "Imports suspicious APIs" below). Adding it needs an elevated installer, and the rule stays after uninstallation unless the uninstaller removes it; check with netsh advfirewall firewall show rule name=PhraseExpress on affected hosts.

Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details
- ExitWindowsEx@USER32.DLL from PhraseExpressSetup.tmp (PID: 2844)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
Note: installers import ExitWindowsEx to offer a reboot when files are in use; this records capability, not an observed reboot.

References suspicious system modules
- details
- details too long to display
- source
- File/Memory
- relevance
- 5/10
- ATT&CK ID
- T1215

Spawns a lot of processes
- details
Spawned process "PhraseExpressSetup.exe"
Spawned process "PhraseExpressSetup.tmp" with commandline "/SL5="$401B0,23696661,451584,C:\PhraseExpressSetup.exe""
Spawned process "regsvr32.exe" with commandline "/s "%PROGRAMFILES%\PhraseExpress\pexmsol.dll""
Spawned process "netsh.exe" with commandline ""%WINDIR%\system32\netsh" advfirewall firewall add rule name="PhraseExpress" dir=in action=allow program="%PROGRAMFILES%\PhraseExpress\PhraseExpress.exe" enable=yes"
Spawned process "phraseexpress.exe"
- source
- Monitored Target
- relevance
- 8/10
Note: this is the standard Inno Setup installer chain. The signed outer PhraseExpressSetup.exe extracts the real setup program to %TEMP%\is-NORH0.tmp\PhraseExpressSetup.tmp and starts it with Inno Setup's /SL5= switch (its fields are the parent window handle, two offsets into the embedded setup data of the outer executable, and the outer executable's path); that stub then registers pexmsol.dll silently with regsvr32 /s, adds the firewall rule and launches the installed application. The is-XXXXX.tmp file names, the _isetup\_isdecmp.dll helper and the PHRASEEXPRESS_IS1 uninstall key seen later in the report are Inno Setup conventions as well.
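Seen as process-creation telemetry rather than as a sandbox list, the chain above can be triaged automatically. The following is an added example written for this page (it is not code from the Falcon Sandbox report or from PhraseExpress): it takes Sysmon-style process-creation records constructed from the "Spawned process" lines (PIDs other than the report's 568 and 2844 are placeholders, and the %USERNAME% path is taken from the report's own notation), recognises the Inno Setup stub by its is-XXXXX.tmp path and /SL5= switch, parses the netsh rule and flags it as unrestricted when no profile, protocol, port or remote address is given, records the silent regsvr32 registration, and attaches the parent context so an analyst can separate installer activity from the same commands run by an unrelated process. The names ProcEvent, triage, parse_netsh_rule and rule_is_unrestricted are this example's own.

```python
"""Triage of an installer process chain from process-creation telemetry.

Example code written for this page; it is not part of the Falcon Sandbox
report or of PhraseExpress. EVENTS is constructed from the report's
"Spawned process" lines in the shape of Sysmon Event ID 1 fields; PIDs
568 and 2844 are the ones the report gives, the others are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # its command line


TMP = r"C:\Users\%USERNAME%\AppData\Local\Temp"
EVENTS = [
    ProcEvent(568, 1000, r"C:\PhraseExpressSetup.exe", r'"C:\PhraseExpressSetup.exe"'),
    ProcEvent(2844, 568, TMP + r"\is-NORH0.tmp\PhraseExpressSetup.tmp",
              '"' + TMP + r'\is-NORH0.tmp\PhraseExpressSetup.tmp" /SL5="$401B0,23696661,451584,C:\PhraseExpressSetup.exe"'),
    ProcEvent(1001, 2844, r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\PhraseExpress\pexmsol.dll"'),
    ProcEvent(1002, 2844, r"C:\Windows\System32\netsh.exe",
              r'"C:\Windows\system32\netsh" advfirewall firewall add rule name="PhraseExpress" dir=in '
              r'action=allow program="C:\Program Files\PhraseExpress\PhraseExpress.exe" enable=yes'),
    ProcEvent(1003, 2844, r"C:\Program Files\PhraseExpress\phraseexpress.exe",
              r'"C:\Program Files\PhraseExpress\phraseexpress.exe"'),
]

# Inno Setup unpacks its real setup program to %TEMP%\is-XXXXX.tmp\<name>.tmp
INNO_STUB = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.I)
FIREWALL_ADD = re.compile(r"advfirewall\s+firewall\s+add\s+rule\b(.*)", re.I | re.S)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted value" or key=bare
REGSVR_SILENT = re.compile(r'/s\s+"?([^"]+\.dll)"?', re.I)


def parse_netsh_rule(cmdline: str):
    """Key/value arguments of a `netsh advfirewall firewall add rule` command, or None."""
    m = FIREWALL_ADD.search(cmdline)
    if m is None:
        return None
    return {k.lower(): (bare if bare else quoted) for k, quoted, bare in KV.findall(m.group(1))}


def rule_is_unrestricted(rule: dict) -> bool:
    """Inbound allow rule that leaves profile, protocol, ports and remote address at 'any'."""
    if rule.get("dir", "").lower() != "in" or rule.get("action", "").lower() != "allow":
        return False
    limits = ("profile", "protocol", "localport", "remoteport", "remoteip")
    return all(rule.get(k, "any").lower() == "any" for k in limits)


def triage(events):
    """Flag installer-style actions and attach the parent context to each finding."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        ctx = "child of Inno Setup stub" if parent and INNO_STUB.search(parent.image) else "no installer context"
        base = e.image.rsplit("\\", 1)[-1].lower()
        if INNO_STUB.search(e.image) and "/SL5=" in e.cmdline:
            findings.append({"pid": e.pid, "kind": "inno_setup_stub", "detail": e.image, "context": ctx})
        elif base == "netsh.exe" and (rule := parse_netsh_rule(e.cmdline)) is not None:
            findings.append({"pid": e.pid, "kind": "firewall_rule_added",
                             "detail": rule.get("program", "?"),
                             "unrestricted": rule_is_unrestricted(rule), "context": ctx})
        elif base == "regsvr32.exe" and (m := REGSVR_SILENT.search(e.cmdline)):
            findings.append({"pid": e.pid, "kind": "silent_com_registration",
                             "detail": m.group(1), "context": ctx})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The context field is the point of the exercise: a netsh rule or a silent regsvr32 spawned by an Inno Setup stub is routine installer behaviour, while the same command lines with "no installer context" deserve a closer look.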

Suspicious Indicators 30

Anti-Reverse Engineering

PE file has unusual entropy sections
- details
- .data with unusual entropies 7.58924101237
- source
- Static Parser
- relevance
- 10/10
Note: entropy close to 8 bits per byte means the section holds compressed or encrypted data; for an installer carrying a compressed payload this is expected and says nothing about packing of the code itself.

Environment Awareness

Reads the active computer name
- details
"PhraseExpressSetup.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"netsh.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"phraseexpress.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012

Reads the cryptographic machine GUID
- details
"netsh.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"phraseexpress.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
Note: MachineGuid is a stable per-installation identifier and a common fingerprinting value, but netsh.exe, a Windows component, reads it too; the read in phraseexpress.exe can equally originate in a system library it loads rather than in the application's own code.

General

Contains ability to find and load resources of a specific module
- details
LoadResource@KERNEL32.DLL from PhraseExpressSetup.exe (PID: 568)
LoadResource@KERNEL32.DLL from PhraseExpressSetup.tmp (PID: 2844)
FindResourceA@KERNEL32.DLL from PhraseExpressSetup.tmp (PID: 2844)
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Reads configuration files
- details
"PhraseExpressSetup.tmp" read file "%PROGRAMFILES%\desktop.ini"
"PhraseExpressSetup.tmp" read file "%USERPROFILE%\Desktop\desktop.ini"
- source
- API Call
- relevance
- 4/10

Installation/Persistence

Drops executable files
- details
"_isdecmp.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-KCAHR.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-L62F6.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-E3C63.tmp" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"is-RAG26.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-474SU.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"is-TPA0K.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-HBRDJ.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-NLM8M.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"PhraseExpressSetup.tmp" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10

Remote Access Related

Reads terminal service related keys (often RDP related)
- details
- "phraseexpress.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONT ROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076
Note: a single read of TSUserEnabled is consistent with checking whether the process runs inside a terminal-services session; it is not evidence of RDP use, and the 10/10 relevance overstates it.

System Destruction

Marks file for deletion
- details
"C:\PhraseExpressSetup.exe" marked "%TEMP%\is-NORH0.tmp\PhraseExpressSetup.tmp" for deletion
"C:\PhraseExpressSetup.exe" marked "%TEMP%\is-NORH0.tmp" for deletion
"%TEMP%\is-NORH0.tmp\PhraseExpressSetup.tmp" marked "%TEMP%\is-8KRTK.tmp\_isetup\_isdecmp.dll" for deletion
"%TEMP%\is-NORH0.tmp\PhraseExpressSetup.tmp" marked "%TEMP%\is-8KRTK.tmp\_isetup" for deletion
"%TEMP%\is-NORH0.tmp\PhraseExpressSetup.tmp" marked "%TEMP%\is-8KRTK.tmp" for deletion
"%PROGRAMFILES%\PhraseExpress\phraseexpress.exe" marked "%TEMP%\PhraseExpress.madExcept" for deletion
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107
Note: every path marked for deletion is either the installer's own temporary extraction directory (%TEMP%\is-*.tmp) or the application's madExcept file in %TEMP% (madExcept is the Delphi exception-handling library); no user data or system file is removed.

Opens file with deletion access rights
- details
"PhraseExpressSetup.exe" opened "%TEMP%\is-NORH0.tmp\PhraseExpressSetup.tmp" with delete access
"PhraseExpressSetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\is-NORH0.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\is-KOL1K.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\is-7ACJR.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\is-E3C63.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\is-N12LL.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\is-NLM8M.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\is-RAG26.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\dict\is-5PG4U.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\dict\is-9IK2Q.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\dict\is-1F19F.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\dict\is-GGB13.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\dict\is-JLA6B.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\dict\is-CTMCR.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\dict\is-R9DAN.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\dict\is-UI9I7.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\dict\is-O0EJ2.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\dict\is-BJ6VH.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\dict\is-UT574.tmp" with delete access
"PhraseExpressSetup.tmp" opened "C:\Program Files\PhraseExpress\dict\is-NSPRC.tmp" with delete access
- source
- API Call
- relevance
- 7/10

System Security

Contains ability to elevate privileges
- details
- SetSecurityDescriptorDacl@ADVAPI32.DLL from PhraseExpressSetup.tmp (PID: 2844)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
Note: SetSecurityDescriptorDacl only writes a DACL into a security descriptor the caller already holds; it cannot raise the caller's own privileges. The indicator records the ability to set permissions on objects the installer creates, not privilege escalation.

Unusual Characteristics

CRC value set in PE header does not match actual value
- details
"_isdecmp.dll" claimed CRC 47947 while the actual is CRC 24902144
"is-KCAHR.tmp" claimed CRC 475197 while the actual is CRC 47947
"is-E3C63.tmp" claimed CRC 74503 while the actual is CRC 61289
"is-RAG26.tmp" claimed CRC 431702 while the actual is CRC 74503
"is-474SU.tmp" claimed CRC 1425579 while the actual is CRC 431702
"is-TPA0K.tmp" claimed CRC 4281113 while the actual is CRC 1425579
"is-HBRDJ.tmp" claimed CRC 717873 while the actual is CRC 4281113
"is-NLM8M.tmp" claimed CRC 593126 while the actual is CRC 717873
"PhraseExpressSetup.tmp" claimed CRC 1170066 while the actual is CRC 593126
- source
- Static Parser
- relevance
- 10/10
Note: the field in question is the PE OptionalHeader.CheckSum, not a CRC. Each "actual" value in this list repeats the "claimed" value of the entry before it (47947, 74503, 431702, 1425579, 4281113, 717873, 593126), so the two columns are shifted against each other by one row and the pairs cannot be read at face value; recompute the checksum from the dropped files themselves. Windows enforces the checksum only for kernel drivers and a few system DLLs, so a wrong or absent value in a user-mode executable is common and is weak evidence of tampering.
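The check the indicator above performs can be reproduced directly. The following is an added example written for this page (it is not code from the Falcon Sandbox report or from PhraseExpress): it locates OptionalHeader.CheckSum through e_lfanew, recomputes the value with the standard PE checksum algorithm (sum of little-endian 32-bit words with end-around carry, skipping the field itself, folded to 16 bits, plus the file length, the same algorithm tools such as pefile reproduce), and distinguishes a never-set checksum of 0 from a real mismatch. build_minimal_pe() constructs a synthetic header-only PE32 image for the demonstration; it is not one of the files from the report, and the function names are this example's own.

```python
"""Verify the PE header checksum of a file.

Example code written for this page, not from the sandbox or from
PhraseExpress. pe_checksum() implements the standard PE checksum;
build_minimal_pe() is a synthetic header-only PE32 constructed for
the demonstration.
"""
import struct

OPTIONAL_HEADER_CHECKSUM = 64  # offset of CheckSum inside the optional header (PE32 and PE32+)


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew -> PE signature -> 20-byte COFF header -> optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + OPTIONAL_HEADER_CHECKSUM


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Sum the file as little-endian 32-bit words (skipping the CheckSum field),
    folding the carry back in, then fold to 16 bits and add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset & ~3
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def verify_checksum(data: bytes) -> dict:
    """Compare the stored CheckSum with a recomputed one. A stored value of 0 means
    the linker never set it, which is not the same thing as a mismatch."""
    off = checksum_field_offset(data)
    claimed = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    state = "unset" if claimed == 0 else ("match" if claimed == computed else "mismatch")
    return {"claimed": claimed, "computed": computed, "state": state}


def fix_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum (what a linker or editbin /RELEASE writes)."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def build_minimal_pe(checksum: int = 0) -> bytes:
    """Constructed header-only PE32 image: DOS header, signature, COFF header, optional header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, no sections, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, OPTIONAL_HEADER_CHECKSUM, checksum)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, verify_checksum(fh.read()))
```

Run it over the dropped is-*.tmp files and the setup stub to get the real claimed/computed pairs; the state field is what should drive a verdict, and "unset" or "mismatch" on a user-mode executable is, as noted above, low-weight on its own.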

Imports suspicious APIs
- details
RegCloseKey
OpenProcessToken
RegOpenKeyExA
GetFileAttributesA
VirtualProtect
GetVersionExA
GetModuleFileNameA
GetFileSize
LockResource
CreateDirectoryA
DeleteFileA
GetCommandLineA
GetProcAddress
GetModuleHandleA
WriteFile
LoadLibraryA
CreateProcessA
Sleep
CreateFileA
FindResourceA
VirtualAlloc
UnhandledExceptionFilter
GetStartupInfoA
IsDebuggerPresent
TerminateProcess
GetTickCount
GetModuleFileNameW
GetVersionExW
GetCommandLineW
GetStartupInfoW
GetModuleHandleW
ShellExecuteW
FindWindowW
LoadLibraryW
CreateFileW
GetDriveTypeA
FindFirstFileA
FindNextFileA
accept
WSAStartup
connect
closesocket
send
listen
recv
socket
bind
recvfrom
sendto
RegCreateKeyExW
RegDeleteValueW
RegEnumKeyExW
RegOpenKeyExW
RegDeleteKeyW
GetFileAttributesW
OutputDebugStringW
LoadLibraryExW
CreateThread
ExitThread
GetComputerNameW
FindFirstFileW
FindResourceW
GetCursorPos
SetWindowsHookExW
GetLastActivePopup
FindWindowExW
GetWindowThreadProcessId
EnumPrintersW
MapViewOfFile
CreateFileMappingA
RegDeleteKeyA
GetUserNameA
SetSecurityDescriptorDacl
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
DeviceIoControl
CopyFileA
LoadLibraryExA
OpenProcess
GetComputerNameA
ShellExecuteExA
ShellExecuteA
SetWindowsHookExA
FindWindowA
- source
- Static Parser
- relevance
- 1/10

Installs hooks/patches the running process
- details
"PhraseExpressSetup.tmp" wrote bytes "d5d90a7730c60a77a0c40a7742c60a7710c60a77acdc0a77a0df0a7736da0a7787f10a77000000009177e175c090e1757f6fe1751ffae175def4e175f282e175857de17500000000" to virtual address "0x70801000" (part of module "MSIMG32.DLL")
"regsvr32.exe" wrote bytes "f8114575" to virtual address "0x754683C4" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "48124575" to virtual address "0x75468364" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "b830125a6fffe0" to virtual address "0x772C1368" (part of module "WS2_32.DLL")
"regsvr32.exe" wrote bytes "48124575" to virtual address "0x754683C0" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "f8114575" to virtual address "0x754683E0" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "f8110000" to virtual address "0x754512CC" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "f8114575" to virtual address "0x7546834C" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "68130000" to virtual address "0x772C1680" (part of module "WS2_32.DLL")
"regsvr32.exe" wrote bytes "f8110000" to virtual address "0x75451408" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "b840135a6fffe0" to virtual address "0x75451248" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "48124575" to virtual address "0x75468348" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "f8114575" to virtual address "0x75468368" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "60125a6f" to virtual address "0x75D5E324" (part of module "WININET.DLL")
"regsvr32.exe" wrote bytes "48120000" to virtual address "0x7545139C" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "48120000" to virtual address "0x754512DC" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "c04e6c7720546d77e0656d77b5386e770000000000d00a7700000000c5ea0a770000000088ea0a7700000000e9686f7582286e77ee296e7700000000d2696f75000000007dbb0a770000000009be6f7500000000ba180a7700000000" to virtual address "0x75DA1000" (part of module "NSI.DLL")
"regsvr32.exe" wrote bytes "48124575" to virtual address "0x754683DC" (part of module "SSPICLI.DLL")
"regsvr32.exe" wrote bytes "b8c0155a6fffe0" to virtual address "0x754511F8" (part of module "SSPICLI.DLL")
"phraseexpress.exe" wrote bytes "f8114575" to virtual address "0x754683C4" (part of module "SSPICLI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
Note: the seven-byte sequences b8 xx xx xx xx ff e0 decode to mov eax, imm32 ; jmp eax, i.e. inline trampolines placed at 0x754511F8 and 0x75451248 in SSPICLI.DLL and at 0x772C1368 in WS2_32.DLL, redirecting to 0x6F5A15C0, 0x6F5A1340 and 0x6F5A1230 respectively. The four-byte writes elsewhere in SSPICLI.DLL are the little-endian addresses of those patched entry points (0x754511F8, 0x75451248) or their low 16 bits (0x11F8, 0x1248, and 0x1368 written into WS2_32.DLL), and the value written into WININET.DLL (0x6F5A1260) points into the same region as the hook handlers. That region is not among the modules named in this list, so which DLL hosts the handlers, and whether they belong to the sample or to a monitoring component, cannot be decided from this excerpt; all writes are made by a process into its own address space.
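The byte strings in the list above can be decoded mechanically. The following is an added example written for this page (it is not code from the Falcon Sandbox report or from PhraseExpress): it parses lines in the report's own "wrote bytes ... to virtual address ..." format, recognises the x86 sequence b8 imm32 ff e0 (mov eax, imm32 ; jmp eax) as an inline trampoline, and cross-references the plain 4-byte writes with the addresses that were patched, including writes that carry only the low 16 bits of a patched address. SAMPLE_LINES is a subset copied verbatim from the list above; the function and key names are this example's own.

```python
"""Decode the "wrote bytes ... to virtual address" entries of a hook-detection list.

Example code written for this page, not from the sandbox or from PhraseExpress.
SAMPLE_LINES are copied from the report's list above; decode_write() recognises
the x86 sequence b8 <imm32> ff e0 (mov eax, imm32 ; jmp eax) as an inline
trampoline and analyse() cross-references plain 4-byte writes with the patched
addresses.
"""
import re

SAMPLE_LINES = [
    '"PhraseExpressSetup.tmp" wrote bytes "d5d90a7730c60a77a0c40a7742c60a7710c60a77acdc0a77a0df0a7736da0a7787f10a77000000009177e175c090e1757f6fe1751ffae175def4e175f282e175857de17500000000" to virtual address "0x70801000" (part of module "MSIMG32.DLL")',
    '"regsvr32.exe" wrote bytes "f8114575" to virtual address "0x754683C4" (part of module "SSPICLI.DLL")',
    '"regsvr32.exe" wrote bytes "48124575" to virtual address "0x75468364" (part of module "SSPICLI.DLL")',
    '"regsvr32.exe" wrote bytes "b830125a6fffe0" to virtual address "0x772C1368" (part of module "WS2_32.DLL")',
    '"regsvr32.exe" wrote bytes "f8110000" to virtual address "0x754512CC" (part of module "SSPICLI.DLL")',
    '"regsvr32.exe" wrote bytes "68130000" to virtual address "0x772C1680" (part of module "WS2_32.DLL")',
    '"regsvr32.exe" wrote bytes "b840135a6fffe0" to virtual address "0x75451248" (part of module "SSPICLI.DLL")',
    '"regsvr32.exe" wrote bytes "60125a6f" to virtual address "0x75D5E324" (part of module "WININET.DLL")',
    '"regsvr32.exe" wrote bytes "b8c0155a6fffe0" to virtual address "0x754511F8" (part of module "SSPICLI.DLL")',
    '"phraseexpress.exe" wrote bytes "f8114575" to virtual address "0x754683C4" (part of module "SSPICLI.DLL")',
]

WRITE_RE = re.compile(
    r'"(?P<proc>[^"]+)" wrote bytes "(?P<hex>[0-9a-fA-F]+)" to virtual address '
    r'"0x(?P<addr>[0-9a-fA-F]+)" \(part of module "(?P<mod>[^"]+)"\)'
)


def parse_writes(lines):
    """Structured records for every line in the report's format; other lines are ignored."""
    out = []
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            out.append({"proc": m["proc"], "module": m["mod"],
                        "addr": int(m["addr"], 16), "data": bytes.fromhex(m["hex"])})
    return out


def decode_write(data: bytes) -> dict:
    """Classify the written bytes."""
    if len(data) == 7 and data[0] == 0xB8 and data[5:7] == b"\xff\xe0":
        # mov eax, imm32 ; jmp eax: a 7-byte inline hook at a function entry
        return {"kind": "trampoline", "target": int.from_bytes(data[1:5], "little")}
    if len(data) == 4:
        return {"kind": "dword", "value": int.from_bytes(data, "little")}
    if len(data) % 4 == 0:
        return {"kind": "pointer_table",
                "values": [int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data), 4)]}
    return {"kind": "raw", "length": len(data)}


def analyse(lines):
    """Decode all writes and relate the 4-byte writes to the trampolined addresses."""
    writes = parse_writes(lines)
    patched = {}  # patched function address -> hook handler address
    for w in writes:
        d = decode_write(w["data"])
        if d["kind"] == "trampoline":
            patched[w["addr"]] = d["target"]
    report = []
    for w in writes:
        d = decode_write(w["data"])
        entry = {"proc": w["proc"], "module": w["module"], "addr": w["addr"], **d}
        if d["kind"] == "dword":
            entry["points_to_patched_function"] = d["value"] in patched
            entry["low16_of_patched_function"] = any(d["value"] == a & 0xFFFF for a in patched)
        report.append(entry)
    return report, patched


if __name__ == "__main__":
    rep, patched = analyse(SAMPLE_LINES)
    for a, t in sorted(patched.items()):
        print(f"trampoline at {a:#010x} -> {t:#010x}")
    for e in rep:
        print(e)
```

On the sample lines this yields three trampolines and shows that the "f8114575"/"48124575" writes are pointers to the patched functions while "f8110000", "48120000" and "68130000" carry only their low 16 bits; the decoder makes no claim about who installed the hooks, which the report's list does not reveal either.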

Reads information about supported languages
- details
"PhraseExpressSetup.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"regsvr32.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"phraseexpress.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012

Hiding 16 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version

Informative 33

Anti-Reverse Engineering

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
- Found reference to API SHGetFolderPathA@SHFOLDER.DLL from PhraseExpressSetup.tmp (PID: 2844)
- source
- Hybrid Analysis Technology
- relevance
- 10/10

PE file contains zero-size sections
- details
Raw size of "BSS" is zero
Raw size of ".tls" is zero
Raw size of ".reloc" is zero
Raw size of ".bss" is zero
- source
- Static Parser
- relevance
- 10/10
Note: uninitialised-data sections (BSS, .bss) and .tls have no on-disk bytes by design, and an empty .reloc is normal for an executable that does not need relocation. The upper-case BSS name is what the Borland/Delphi linker emits, consistent with the madExcept artefacts elsewhere in this report.

Environment Awareness

Contains ability to query machine time
- details
GetSystemTime@KERNEL32.DLL from PhraseExpressSetup.exe (PID: 568) (2 call sites)
GetSystemTimeAsFileTime@KERNEL32.DLL from PhraseExpressSetup.tmp (PID: 2844) (3 call sites)
GetSystemTime@KERNEL32.DLL from PhraseExpressSetup.tmp (PID: 2844) (1 call site)
GetLocalTime@KERNEL32.DLL from PhraseExpressSetup.tmp (PID: 2844) (2 call sites)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124

Contains ability to query the machine version
- details
GetVersionExA@KERNEL32.DLL from PhraseExpressSetup.exe (PID: 568) (1 call site)
GetVersion@KERNEL32.DLL from PhraseExpressSetup.exe (PID: 568) (1 call site)
GetVersionExA@KERNEL32.DLL from PhraseExpressSetup.tmp (PID: 2844) (5 call sites)
GetVersion@KERNEL32.DLL from PhraseExpressSetup.tmp (PID: 2844) (12 call sites)
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Contains ability to query volume size
- details
- GetDiskFreeSpaceA@KERNEL32.DLL from PhraseExpressSetup.tmp (PID: 2844)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
- ATT&CK ID
- T1083

Makes a code branch decision directly after an API that is environment aware
- details
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 00000600h" and "je 004046A5h" from PhraseExpressSetup.exe (PID: 568)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 0005h" and "jc 0042E569h" from PhraseExpressSetup.tmp (PID: 2844)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 0004h" and "setnb byte ptr [0049D5C8h]" from PhraseExpressSetup.tmp (PID: 2844)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp bl, 04h" and "jnc 0041F5B1h" from PhraseExpressSetup.tmp (PID: 2844)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 00000600h" and "je 00406445h" from PhraseExpressSetup.tmp (PID: 2844)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 00000601h" and "jc 0046EE48h" from PhraseExpressSetup.tmp (PID: 2844)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 0005h" and "jnc 0045D3F1h" from PhraseExpressSetup.tmp (PID: 2844)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 0004h" and "jc 00411CA4h" from PhraseExpressSetup.tmp (PID: 2844)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 0006h" and "jc 0042DE1Fh" from PhraseExpressSetup.tmp (PID: 2844)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 0006h" and "jc 00450A8Ch" from PhraseExpressSetup.tmp (PID: 2844)
Found API call GetDiskFreeSpaceA@KERNEL32.DLL directly followed by "cmp byte ptr [ebp-02h], 00h" and "je 004566AFh" from PhraseExpressSetup.tmp (PID: 2844)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 0006h" and "jnc 00463941h" from PhraseExpressSetup.tmp (PID: 2844)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 0006h" and "jc 00463A97h" from PhraseExpressSetup.tmp (PID: 2844)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
Note: GetVersion returns the major version in al and the minor version in ah, so cmp ax, 0600h and cmp ax, 0601h test for Vista and Windows 7, while cmp ax, 0005h or cmp bl, 04h test for Windows 2000 or NT 4 era systems. These are ordinary minimum-version gates of the kind an installer and its runtime library perform, not sandbox evasion; the GetDiskFreeSpaceA branch checks the call's success flag.

Queries volume information
- details
"PhraseExpressSetup.tmp" queries volume information of "C:\" at 00014728-00002844-0000010C-183427130580
"PhraseExpressSetup.tmp" queries volume information of "%PROGRAMFILES%\PhraseExpress\phraseexpress.exe" at 00014728-00002844-0000010C-183454983047
"PhraseExpressSetup.tmp" queries volume information of "C:\" at 00014728-00002844-0000010C-185850210766
"PhraseExpressSetup.tmp" queries volume information of "%PROGRAMFILES%\PhraseExpress\phraseexpress.exe" at 00014728-00002844-0000010C-185852009346
- source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120

Queries volume information of an entire harddrive
- details
"PhraseExpressSetup.tmp" queries volume information of "C:\" at 00014728-00002844-0000010C-183427130580
"PhraseExpressSetup.tmp" queries volume information of "C:\" at 00014728-00002844-0000010C-185850210766
- source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120

Reads the registry for installed applications
- details
"PhraseExpressSetup.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PHRASEEXPRESS_IS1")
"PhraseExpressSetup.tmp" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PHRASEEXPRESS_IS1")
"PhraseExpressSetup.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\PHRASEEXPRESSSETUP.TMP")
"PhraseExpressSetup.tmp" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\PHRASEEXPRESSSETUP.TMP")
"PhraseExpressSetup.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PHRASEEXPRESS_IS1")
"PhraseExpressSetup.tmp" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PHRASEEXPRESS SERVER_IS1")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012

External Systems

Sample was identified as clean by Antivirus engines
- details
- 0/73 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10

General

An application crash occurred
- details
- "phraseexpress.exe" loaded module "%WINDIR%\System32\Faultrep.dll" at 6EAF0000
- source
- Loaded Module
Note: Faultrep.dll is the Windows Error Reporting fault-report library, so the installed application itself faulted during the run; the %TEMP%\PhraseExpress.madExcept file marked for deletion above is consistent with the application's own exception handler having run as well.

Contains ability to create named pipes for inter-process communication (IPC)
- details
- CreateNamedPipeA@KERNEL32.DLL from PhraseExpressSetup.tmp (PID: 2844)
- source
- Hybrid Analysis Technology
- relevance
- 10/10

Creates a writable file in a temporary directory
- details
"PhraseExpressSetup.exe" created file "%TEMP%\is-NORH0.tmp\PhraseExpressSetup.tmp"
"PhraseExpressSetup.tmp" created file "%TEMP%\is-8KRTK.tmp\_isetup\_isdecmp.dll"
- source
- API Call
- relevance
- 1/10

Creates mutants
- details
"\Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
"\Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000"
"Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
"Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000"
"\Sessions\1\BaseNamedObjects\RasPbFile"
"\Sessions\1\BaseNamedObjects\Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
"RasPbFile"
"Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
"\Sessions\1\BaseNamedObjects\madExceptSettingsMtx$eec"
"\Sessions\1\BaseNamedObjects\PhraseExpress"
"\Sessions\1\BaseNamedObjects\HookTThread$eec"
"HookTThread$eec"
- source
- Created Mutant
- relevance
- 3/10
Note: the RstrMgr* mutants are created by the Windows Restart Manager, which installers use to find processes holding files they need to replace, and RasPbFile is the RAS phonebook mutex; PhraseExpress, madExceptSettingsMtx$eec and HookTThread$eec are the application's own.

Drops files marked as clean
- details
Antivirus vendors marked the following dropped files as clean:
"_isdecmp.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"is-KCAHR.tmp" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"is-L62F6.tmp" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"is-E3C63.tmp" (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
"is-RAG26.tmp" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"is-474SU.tmp" (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
"is-TPA0K.tmp" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"is-HBRDJ.tmp" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10

Logged script engine calls
- details
- "phraseexpress.exe" called "Msxml2.DOMDocument.6.0.CreateObject" ...
- source
- API Call
- relevance
- 10/10

Overview of unique CLSIDs touched in registry
- details
"PhraseExpressSetup.tmp" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"PhraseExpressSetup.tmp" touched "XML DOM Document 6.0" (Path: "HKCU\CLSID\{88D96A05-F192-11D4-A65F-0040963251E5}\TREATAS")
"PhraseExpressSetup.tmp" touched "Microsoft Multiple AutoComplete List Container" (Path: "HKCU\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TREATAS")
"PhraseExpressSetup.tmp" touched "Microsoft Shell Folder AutoComplete List" (Path: "HKCU\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TREATAS")
"PhraseExpressSetup.tmp" touched "Microsoft AutoComplete" (Path: "HKCU\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TREATAS")
"PhraseExpressSetup.tmp" touched "Microsoft TipAutoCompleteClient Control" (Path: "HKCU\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\TREATAS")
"PhraseExpressSetup.tmp" touched "Task Bar Communication" (Path: "HKCU\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\TREATAS")
"PhraseExpressSetup.tmp" touched "Shortcut" (Path: "HKCU\CLSID\{00021401-0000-0000-C000-000000000046}\TREATAS")
"PhraseExpressSetup.tmp" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
"regsvr32.exe" touched "Microsoft Outlook" (Path: "HKCU\CLSID\{0006F03A-0000-0000-C000-000000000046}")
"netsh.exe" touched "Nap Config Read class" (Path: "HKCU\CLSID\{EA4A0A43-1C8F-4C7B-A4B1-28ECBD96BA8C}")
"netsh.exe" touched "Quarantine Agent Management class" (Path: "HKCU\CLSID\{EB082BA1-DF8A-46BE-82F3-35BF9E9BE52F}")
"phraseexpress.exe" touched "Shell Drag and Drop helper" (Path: "HKCU\CLSID\{4657278A-411B-11D2-839A-00C04FD918D0}\TREATAS")
"phraseexpress.exe" touched "Enhanced Storage Icon Overlay Handler Class" (Path: "HKCU\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\INPROCSERVER32")
"phraseexpress.exe" touched "Sharing Overlay (Private)" (Path: "HKCU\CLSID\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\INPROCSERVER32")
- source
- Registry Access
- relevance
- 3/10
-
Scanning for window names
- details
-
"PhraseExpressSetup.tmp" searching for class "Shell_TrayWnd"
"phraseexpress.exe" searching for class "Shell_TrayWnd"
"phraseexpress.exe" searching for class "TrayNotifyWnd"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Sets a windows hook
- details
-
"phraseexpress.exe" sets a global windows hook with filter "WH_KEYBOARD_LL"
"phraseexpress.exe" sets a global windows hook with filter "WH_MOUSE_LL"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "PhraseExpressSetup.tmp" with commandline "/SL5="$401B0,23696661,451584,C:\PhraseExpressSetup.exe""
Spawned process "regsvr32.exe" with commandline "/s "%PROGRAMFILES%\PhraseExpress\pexmsol.dll""
Spawned process "netsh.exe" with commandline ""%WINDIR%\system32\netsh" advfirewall firewall add rule name="Ph ..."
Spawned process "phraseexpress.exe"
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "PhraseExpressSetup.tmp" with commandline "/SL5="$401B0,23696661,451584,C:\PhraseExpressSetup.exe""
Spawned process "regsvr32.exe" with commandline "/s "%PROGRAMFILES%\PhraseExpress\pexmsol.dll""
Spawned process "netsh.exe" with commandline ""%WINDIR%\system32\netsh" advfirewall firewall add rule name="Ph ..."
Spawned process "phraseexpress.exe"
- source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3" (SHA1: 87:A6:3D:9A:DB:62:7D:77:78:36:15:3C:68:0A:3D:FC:F2:7D:E9:0C; see report for more information)
The input sample is signed with a certificate issued by "CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE" (SHA1: 76:B3:DD:AE:32:AA:18:4C:B6:5B:0C:5A:B2:AF:4E:96:1F:66:7B:E9; see report for more information)
- source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
An application crash occurred
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"PhraseExpressSetup.exe" connecting to "\ThemeApiPort"
"PhraseExpressSetup.tmp" connecting to "\ThemeApiPort"
"regsvr32.exe" connecting to "\ThemeApiPort"
"netsh.exe" connecting to "\ThemeApiPort"
"phraseexpress.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Contains ability to lookup the windows account name
- details
- GetUserNameA@ADVAPI32.DLL from PhraseExpressSetup.tmp (PID: 2844)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Dropped files
- details
-
"_isdecmp.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"PhraseExpress.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Wed May 15 20:24:39 2019 mtime=Wed May 15 20:24:39 2019 atime=Wed May 15 15:01:52 2019 length=58750336 window=hide"
"is-KCAHR.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-L62F6.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-E3C63.tmp" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"is-8JOAK.tmp" has type "ISO-8859 text"
"is-RAG26.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-5PG4U.tmp" has type "ISO-8859 text"
"is-474SU.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"is-BJ6VH.tmp" has type "ISO-8859 text"
"is-TPA0K.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-048SF.tmp" has type "Zip archive data at least v2.0 to extract"
"is-0570O.tmp" has type "Zip archive data"
"is-HBRDJ.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-NSPRC.tmp" has type "UTF-8 Unicode text"
"is-NLM8M.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"unins000.dat" has type "data"
"is-UI9I7.tmp" has type "ASCII text"
"is-1F19F.tmp" has type "ISO-8859 text"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"PhraseExpressSetup.exe" touched file "%WINDIR%\System32\en-US\KernelBase.dll.mui"
"PhraseExpressSetup.exe" touched file "C:\Windows\system32\en\KERNELBASE.dll.mui"
"PhraseExpressSetup.exe" touched file "C:\Windows\System32\netmsg.dll"
"PhraseExpressSetup.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"PhraseExpressSetup.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"PhraseExpressSetup.tmp" touched file "C:\Windows\Fonts\StaticCache.dat"
"PhraseExpressSetup.tmp" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"PhraseExpressSetup.tmp" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"PhraseExpressSetup.tmp" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"PhraseExpressSetup.tmp" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"PhraseExpressSetup.tmp" touched file "C:\Windows\system32\en\KERNELBASE.dll.mui"
"PhraseExpressSetup.tmp" touched file "C:\Windows\System32\netmsg.dll"
"PhraseExpressSetup.tmp" touched file "C:\Windows\System32\shfolder.dll"
"PhraseExpressSetup.tmp" touched file "C:\Windows\System32\msxml6r.dll"
"PhraseExpressSetup.tmp" touched file "C:\Windows\System32\imageres.dll"
"PhraseExpressSetup.tmp" touched file "C:\Windows\System32\en-US\shell32.dll.mui"
"PhraseExpressSetup.tmp" touched file "C:\Windows\system32\en\shell32.dll.mui"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline"
Pattern match: "http://schemas.microsoft.com/SMI/2"
Heuristic match: "^ue!k-L.dM"
Heuristic match: "[[Aaex.Pg"
Heuristic match: "Ah!F@j.IS"
Heuristic match: "):3qWy.zA"
Pattern match: "http://ocsp2.globalsign.com/rootr306"
Pattern match: "http://crl.globalsign.com/root-r3.crl0b"
Pattern match: "https://www.globalsign.com/repository/0"
Pattern match: "secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0"
Pattern match: "ocsp2.globalsign.com/gsextendcodesignsha2g30U"
Pattern match: "crl.globalsign.com/gsextendcodesignsha2g3.crl0"
Pattern match: "crl.globalsign.com/gs/gstimestampingsha2g2.crl0"
Pattern match: "http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0"
Pattern match: "ocsp2.globalsign.com/gstimestampingsha2g20"
Pattern match: "https://www.globalsign.com/repository/06"
Pattern match: "http://crl.globalsign.net/root-r3.crl0"
Pattern match: "http://schemas.microsoft.com/SMI/2005/Windo"
Pattern match: "https://www.phraseexpress.com"
Pattern match: "http://support.phraseexpress.com"
Pattern match: "http://download.phraseexpress.com"
Heuristic match: "COMMAND.COM"
Pattern match: "http://www.innosetup.com/"
Pattern match: "http://www.remobjects.com/ps"
Pattern match: "http://extensions.services.openoffice.org/project/dict-it"
Pattern match: "http://www.gnu.org/licenses/"
- source
- File/Memory
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
- "atwitter" (Indicator: "twitter")
- source
- File/Memory
- relevance
- 7/10
-
System Security
-
Creates or modifies windows services
- details
-
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NAPAGENT\LOCALCONFIG")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\ENROLL\HCSGROUPS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NAPAGENT\SHAS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NAPAGENT\QECS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"PhraseExpressSetup.tmp" opened "\Device\KsecDD"
"regsvr32.exe" opened "\Device\KsecDD"
"netsh.exe" opened "\Device\KsecDD"
"phraseexpress.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Found Delphi 4 - Delphi 2006 artifact
- details
-
"1878ffe99cf0380eab48ba9a76fff6de1293ec8d27d91f1d8d805af82d45fa18.bin" has a PE timestamp using the buggy magic timestamp 0x2A425E19.
"PhraseExpressSetup.tmp" has a PE timestamp using the buggy magic timestamp 0x2A425E19. The real compilation date is probably Tue Oct 18 12:21:13 2011
- source
- Static Parser
- relevance
- 10/10
-
Matched Compiler/Packer signature
- details
-
"1878ffe99cf0380eab48ba9a76fff6de1293ec8d27d91f1d8d805af82d45fa18.bin" was detected as "Borland Delphi 4.0"
"is-E3C63.tmp" was detected as "Borland Delphi 6.0-7.0"
"is-RAG26.tmp" was detected as "Visual C++ 2005 DLL -> Microsoft"
"is-474SU.tmp" was detected as "Visual C++ 2005 DLL -> Microsoft"
"is-TPA0K.tmp" was detected as "Borland Delphi 4.0"
"is-NLM8M.tmp" was detected as "Borland Delphi 4.0"
"PhraseExpressSetup.tmp" was detected as "Borland Delphi 3.0"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002
-
File Details
PhraseExpressSetup.exe
- Filename
- PhraseExpressSetup.exe
- Size
- 24MiB (24857328 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 1878ffe99cf0380eab48ba9a76fff6de1293ec8d27d91f1d8d805af82d45fa18
- MD5
- 8d54b5d0dc26b49273e3b19530a45c37
- SHA1
- e463c514639568a5cc682966968b379dbe28b924
- ssdeep
- 393216:0JrRTLfvqV1bneTQ0lkobBhG0ZaUnYSkJGu+h6PaCA3oAGwc6HD6E0NxhE4:8dTLf4eDlkobBsaoGftC8pGz6Kh
- imphash
- 2fb819a19fe4dee5c03e8c6a79342f79
- authentihash
- 1e1366267e014ac1e8b3a4bec505cb3436c7d37f2d1d34a14b9b9cb443976b61
- Compiler/Packer
- Borland Delphi 4.0
Version Info
- LegalCopyright
- -
- FileVersion
- 14.0.145
- CompanyName
- Bartels Media GmbH
- Comments
- This installation was built with Inno Setup.
- ProductName
- PhraseExpress
- ProductVersion
- 14.0.145
- FileDescription
- PhraseExpress
- Translation
- 0x0000 0x04b0
Classification (TrID)
- 89.6% (.EXE) Inno Setup installer
- 3.6% (.EXE) Win32 Executable (generic)
- 1.6% (.EXE) Win16/32 Executable Delphi generic
- 1.6% (.EXE) OS/2 Executable (generic)
- 1.6% (.EXE) Generic Win/DOS Executable
File Sections
File Resources
File Imports
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3 (Serial: 481b6a07a9424c1eaafef3cdf10f) | 06/15/2016 00:00:00 to 06/15/2024 00:00:00 | MD5 3C:59:FF:68:9C:16:9A:B9:30:4B:F0:87:06:42:9B:CE; SHA1 87:A6:3D:9A:DB:62:7D:77:78:36:15:3C:68:0A:3D:FC:F2:7D:E9:0C |
CN=Bartels Media GmbH, O=Bartels Media GmbH, STREET=Fleischstr. 17, L=Trier, ST=Rheinland-Pfalz, C=DE, OID.1.3.6.1.4.1.311.60.2.1.1=Wittlich, OID.1.3.6.1.4.1.311.60.2.1.2=Rheinland-Pfalz, OID.1.3.6.1.4.1.311.60.2.1.3=DE, SERIALNUMBER=HRB 40726, OID.2.5.4.15=Private Organization | CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE (Serial: 248c584a53d470966a5205de) | 06/06/2018 10:53:30 to 08/01/2021 10:26:26 | MD5 B9:A9:EA:58:A5:53:84:96:FC:66:94:C1:61:DD:71:2D; SHA1 76:B3:DD:AE:32:AA:18:4C:B6:5B:0C:5A:B2:AF:4E:96:1F:66:7B:E9 |
Screenshots
Hybrid Analysis
Analysed 5 processes in total (System Resource Monitor).
-
PhraseExpressSetup.exe
(PID: 568)
-
PhraseExpressSetup.tmp
/SL5="$401B0,23696661,451584,C:\PhraseExpressSetup.exe"
(PID: 2844)
- regsvr32.exe /s "%PROGRAMFILES%\PhraseExpress\pexmsol.dll" (PID: 2572)
- netsh.exe "%WINDIR%\system32\netsh" advfirewall firewall add rule name="PhraseExpress" dir=in action=allow program="%PROGRAMFILES%\PhraseExpress\PhraseExpress.exe" enable=yes (PID: 3200)
- phraseexpress.exe (PID: 3820)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://www.innosetup.com/ | Domain/IP reference | 00014728-00002844-47991-3297-00483598 |
http://www.remobjects.com/ps | Domain/IP reference | 00014728-00002844-47991-3297-00483598 |
Extracted Strings
Extracted Files
Displaying 21 extracted file(s). The remaining 25 file(s) are available in the full version and XML/JSON reports.
-
Clean 1
-
-
_isdecmp.dll
- Size
- 24KiB (24240 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/90
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- 77d6d961f71a8c558513bed6fd0ad6f1
- SHA1
- 122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a
- SHA256
- 5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0
-
-
Informative 20
-
-
PhraseExpress.lnk
- Size
- 1KiB (1037 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed May 15 20:24:39 2019, mtime=Wed May 15 20:24:39 2019, atime=Wed May 15 15:01:52 2019, length=58750336, window=hide
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- d0fec9537c6de5503fca0849e3c6b19e
- SHA1
- 500fbe67b03a0b1536e729738d54febfb78d0358
- SHA256
- 0a7f97d7da9c2be74bd0f5d5edcb85c4565300eeec0ab13d79e3053d5e2df4d4
-
is-VPKN5.tmp
- Size
- 48B (48 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- e948be72e64b13c1297b9cb047c33fb2
- SHA1
- c862e1dedef6d162f21f366ed9c09adb62790420
- SHA256
- c17fbd83d36faa053a16d37658633cfdbd6dce925d2b8fcc70849437e107f260
-
is-1F19F.tmp
- Size
- 19KiB (18991 bytes)
- Type
- text
- Description
- ISO-8859 text
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- 601a05d0785ca99fdbdf712ca9326302
- SHA1
- 52e8aad2278b84ac228b2456172761a35fed27ab
- SHA256
- 089a1b446a91d51b19d9b7b9529c3d2ee48678e0443bd50e56cc9ec2155a4c38
-
is-3BG1R.tmp
- Size
- 1.9MiB (1969349 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- cf83969667690e74ba12ce4c7229ba79
- SHA1
- 37fd9c60c18dc0f9e7b7cbdaa32af78a7bb9a3cf
- SHA256
- c0d81126b0a905ccc6fd891c923b43d39b4ce449da5a333859229354c510168f
-
is-562LH.tmp
- Size
- 52KiB (53019 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- 0924281462dfb8ebcf65feae1ed3fe59
- SHA1
- af784dba46bfa11fc9294a00b7ed5a7be3de0ef9
- SHA256
- 709cf9b41208961226e995a3ab75a2da834aaf4f9707cb87cbb37d4943b6a50d
-
is-5PG4U.tmp
- Size
- 18KiB (18652 bytes)
- Type
- text
- Description
- ISO-8859 text
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- 0eb8cbd100470a58d90ebc1acafef090
- SHA1
- cf6071c73dcf7d69a02a3c38e80f403c84c5b2f4
- SHA256
- 7bbae4da16f0c2a2136a32cdfb9ff75bc4c5270570ed2bc70994582447366050
-
is-8JOAK.tmp
- Size
- 1.2MiB (1290710 bytes)
- Type
- text
- Description
- ISO-8859 text
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- 5f1de292fc9e1b624c7ecfb11285464a
- SHA1
- 353fce4dfdce9a2a17aefde77ab9a27941bce65b
- SHA256
- c6afab90b90b48bd929041cd0c2a8655db201af508ab1437ac4befca7d39ab60
-
is-9IK2Q.tmp
- Size
- 2.7MiB (2791345 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- b1914e30dc189ec8387ed024f575a632
- SHA1
- d30277909419ce485b9f8b201fefceaf7ed0fece
- SHA256
- 4844ee949166d94d577db3be224a0b953209b664ba47184e90d3a5d0d06040b4
-
is-BJ6VH.tmp
- Size
- 640KiB (655388 bytes)
- Type
- text
- Description
- ISO-8859 text
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- 3a109232eed12f63184354682599b5e1
- SHA1
- e03786f7c35c97edd07bed0555753b69ce2acc7f
- SHA256
- 25fac3f759e091986723393a3788f9282363b0298c7cd942c18dad03f4e9d856
-
is-CTMCR.tmp
- Size
- 538KiB (550782 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- 2c146b2bc850d6ff52448e8dd3f71919
- SHA1
- b1d9deccd17bf0137cf99813912c2173dd5da721
- SHA256
- 27e06871aa723e03f82a13fba31d3117048c81dfc41920c72e347c06208d6cde
-
is-EBQ6A.tmp
- Size
- 1.8MiB (1881063 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- abc98493971b329ac9b899849bf5db09
- SHA1
- e622dad3384faa37a1b1b40266ef7fca155f0e7b
- SHA256
- 24782020d0d0bd465270027f51443b752f8ddaecf7c612a225e8668e1746aa24
-
is-GGB13.tmp
- Size
- 4.2MiB (4356858 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- 4dbae1ca0db9375162ce5cdbea5c2b63
- SHA1
- 0bb429229857398a9875f883de5f27231132996c
- SHA256
- 52d2484a70681386d979e958f2f828a976f0dcdaa680038f371bc70abcf7463a
-
is-JLA6B.tmp
- Size
- 3KiB (3090 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- eaae9bae63b305440b412a48e1653a26
- SHA1
- e22be4b305584c419dbfdad2f69bfa1bb181d239
- SHA256
- c7a8c4d08c29d237880844b1623099f59092602f189be38ce3912e457ff38bc1
-
is-NSPRC.tmp
- Size
- 1MiB (1094698 bytes)
- Type
- text
- Description
- UTF-8 Unicode text
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- 4ac919dd4e9209805a158ff9878dc707
- SHA1
- c515edc7e16a05a61f38418c97736aaeeca1665b
- SHA256
- 788b9b15545924c1d94eaacf027af53a6895cf451915b9aa7d76648fc9bc4691
-
is-O0EJ2.tmp
- Size
- 152KiB (155340 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- f9bb3516c1ac429c5919926a196d96b7
- SHA1
- 3ed628cf5e86db03322f9606e7b67a77d2ea7b35
- SHA256
- f27f55cd1dc1ad68696ee86ac83358027ee624f8e5ba4096533e9346c734fb2d
-
is-PKTDH.tmp
- Size
- 27KiB (27835 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- 3cb4b4deb1dd1788e52fb87fab1f78fd
- SHA1
- 46f2d30d9ff2283af8f5beff6a148c1aba06dbb0
- SHA256
- 0ee9233fe1c5785f9a803a05ac882e8363ac785c06fbd455af88ce0c0a57324b
-
is-R9DAN.tmp
- Size
- 63KiB (64145 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- 948412697f6fe862d4bc17517011f46e
- SHA1
- 20d06521169e07da4531c6702366e5bdd440e5a1
- SHA256
- 41f5deb682c25c3d1a9c5fbe2a538b5e112de0084a1a9fe8ceb4c4dfe400af0f
-
is-UI9I7.tmp
- Size
- 626KiB (641025 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- 4515fbb1b055337dfd1b95a92c1b7e4f
- SHA1
- 2d8cdbd2e1220253a9ea95bf8d251dbc20dbd519
- SHA256
- dc47b8cbd67e32cb3e1d45747f130c02331ca3924d63676f7f48e40d0764dbb3
-
is-UMS7S.tmp
- Size
- 78KiB (80280 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- e2df937d98c899e84563fa329adb64f8
- SHA1
- 0b8fba844188f04d2237d3f3d3f601ecdeaad5fd
- SHA256
- ae912f2662f754f92902aa41067c51d164c859a076928d2dcb78dc725855f79b
-
is-UT574.tmp
- Size
- 321KiB (328899 bytes)
- Runtime Process
- PhraseExpressSetup.tmp (PID: 2844)
- MD5
- feb4dbd3b828c24c70ebf2517b99dc6c
- SHA1
- 31efb464130bd942dda2a0790dc88a17c2223d68
- SHA256
- 1b05088bb26f70d72595af1dd80e2b940af09586a45fadd4b1382cc1439e6514
-
Notifications
-
Runtime
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for netsh.exe (PID: 3200)
- Not all file accesses are visible for regsvr32.exe (PID: 2572)
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "static-6" are available in the report
- Not all sources for indicator ID "string-24" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report