sbisplugin-setup-web.exe
This report is generated from a file or URL submitted to this webservice on June 17th 2022 09:22:33 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v9.2.1 © Hybrid Analysis
Incident Response

Risk Assessment
- Evasive: Possibly tries to evade analysis by sleeping many times
- Network Behavior: Contacts 4 domains and 4 hosts.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Suspicious Indicators (12)

Anti-Reverse Engineering

PE file has unusual entropy sections
- details: .rdata with unusual entropies 7.58830399069
- source: Static Parser
- relevance: 10/10

Environment Awareness
Possibly tries to evade analysis by sleeping many times
- details: "sbisplugin-setup-web.exe" (Thread ID: 3012) slept "520" times (threshold: 500)
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1497.003

General
Contains ability to dynamically determine API calls
- details: Found GetProcAddress() and LoadLibraryA() in an import section
- source: Static Parser
- relevance: 1/10
- ATT&CK ID: T1106

Installation/Persistence
Monitors specific registry key for changes
- details:
"sbisplugin-setup-web.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: 0)
"sbisplugin-setup-web.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: 0)
- source: API Call
- relevance: 4/10
- ATT&CK ID: T1012

Network Related
Found potential IP address in binary/memory
- details: Potential IP "0.0.0.0" found in string "22-06-17 9:24:47:687 DEBUG [1, 2744, 2840][C:/jenkins/workspace/SBIS3Plugin_22.3200_win/plugin/tools/win/web-installer/implementation/installer/entries/win/plugin_entry.cpp:325]CheckPluginInstall.exist version: 0.0.0.0"
- source: File/Memory
- relevance: 3/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details:
TCP traffic to 91.232.93.11 on port 80 is sent without HTTP header
TCP traffic to 139.45.228.9 on port 80 is sent without HTTP header
TCP traffic to 91.194.3.193 on port 80 is sent without HTTP header
TCP traffic to 212.232.32.6 on port 80 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10

Unusual Characteristics
Imports suspicious APIs
- details:
RegDeleteValueW
RegCloseKey
OpenProcessToken
RegCreateKeyExW
RegEnumKeyExW
RegOpenKeyExW
GetDriveTypeW
GetFileAttributesW
UnhandledExceptionFilter
GetTempPathW
OutputDebugStringW
Process32FirstW
DeviceIoControl
CopyFileW
GetModuleFileNameW
IsDebuggerPresent
LoadLibraryA
LoadLibraryExW
CreateDirectoryExW
CreateThread
ExitThread
TerminateProcess
GetModuleHandleExW
CreateToolhelp32Snapshot
LoadLibraryW
GetVersionExW
GetTickCount
VirtualProtect
OpenProcess
GetStartupInfoW
CreateDirectoryW
DeleteFileW
FindNextFileW
FindFirstFileExW
GetProcAddress
CreateFileW
GetNativeSystemInfo
Process32NextW
GetCommandLineW
GetCommandLineA
GetModuleHandleA
GetModuleHandleW
GetFileAttributesExW
WriteFile
CreateProcessW
Sleep
VirtualAlloc
ShellExecuteA
FindWindowW
GetClipboardData
GetWindowThreadProcessId
GetCursorPos
recv
send
WSAStartup
WSASocketW
socket
closesocket
connect
- source: Static Parser
- relevance: 1/10
Installs hooks/patches the running process
- details:
"sbisplugin-setup-web.exe" wrote bytes "c04e167720541777e0651777b53818770000000000d03b7500000000c5ea3b750000000088ea3b7500000000e968287582281877ee29187700000000d2692875000000007dbb3b750000000009be287500000000ba183b7500000000" to virtual address "0x76891000" (part of module "NSI.DLL")
"sbisplugin-setup-web.exe" wrote bytes "fae61377e1a618772e711877ee29187785e213776da0187726e41377d16d1877003d1677804b167700000000ad37aa768b2daa76b641aa7600000000" to virtual address "0x744A1000" (part of module "WSHTCPIP.DLL")
"sbisplugin-setup-web.exe" wrote bytes "e7391477e1a618772e711877ee29187785e213776da01877906417773ad51e7726e41377d16d1877003d1677804b167700000000ad37aa768b2daa76b641aa7600000000" to virtual address "0x749F1000" (part of module "WSHIP6.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1056.004
Reads information about supported languages
- details:
"sbisplugin-setup-web.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
"sbisplugin-setup-web.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
Timestamp in PE header is very old or in the future
- details: "2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin" claims program is from Sat Jul 31 03:33:29 2032
- source: Static Parser
- relevance: 10/10

Hiding 2 Suspicious Indicators

Informative (24)

Environment Awareness

Reads the registry for installed applications
- details:
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\7-ZIP"; Key: "DISPLAYNAME")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\7-ZIP")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK"; Key: "DISPLAYNAME")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE AIR")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE AIR"; Key: "DISPLAYNAME")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER ACTIVEX")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER ACTIVEX"; Key: "DISPLAYNAME")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE SHOCKWAVE PLAYER")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE SHOCKWAVE PLAYER"; Key: "DISPLAYNAME")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3"; Key: "DISPLAYNAME")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER"; Key: "DISPLAYNAME")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DXM_RUNTIME"; Key: "DISPLAYNAME")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FONTCORE"; Key: "DISPLAYNAME")
"sbisplugin-setup-web.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HAANSOFT HOFFICE 80 KOREAN")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

General
Contacts domains
- details:
"update.sbis.ru"
"update-msk2.sbis.ru"
"update-msk1.sbis.ru"
"update-yar1.sbis.ru"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details:
"91.232.93.11:80"
"139.45.228.9:80"
"91.194.3.193:80"
"212.232.32.6:80"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details: "sbisplugin-setup-web.pdb"
- source: File/Memory
- relevance: 1/10

Contains ability to read the PEB (Process Environment Block) structure
- details: "2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin" can read PEB structure (dword ptr fs:[00000030h]) (Offset: 2234578)
- source: Binary File
- relevance: 3/10

Creates mutants
- details:
"\Sessions\1\BaseNamedObjects\sbisplugin-setup-web"
"sbisplugin-setup-web"
- source: Created Mutant
- relevance: 3/10
Found API related strings
- details:
"Establish a secure connection for video calls" (Indicator: "connect") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"Ability to connect to a computer remotely" (Indicator: "connect") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"Damage to the installation file during download, check the stability of the network connection and run the installer again" (Indicator: "connect") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"Installing a certificate for a backup connection from a browser" (Indicator: "connect") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"Installation file corrupted on download, check network connection is stable and run installer again" (Indicator: "connect") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/start/teh_terms/sbisplugin/servconnect" (Indicator: "connect") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/start/teh_terms/sbisplugin/open_device" (Indicator: "open") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"can't fopen" (Indicator: "open") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"IsWow64Process" (Indicator: "IsWow64Process") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"[SysInfo] GetOSVersionInfo GetVersionEx failed:" (Indicator: "GetVersion") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"RtlGetVersion" (Indicator: "GetVersion") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"IsWindows7SP1OrGreater:" (Indicator: "IsWindow") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"GetLastError" (Indicator: "GetLastError") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"\openvpn-x86.msi" (Indicator: "open") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"\openvpn-x64.msi" (Indicator: "open") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"\msi_openvpn_install.log" (Indicator: "open") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"C:/jenkins/workspace/SBIS3Plugin_22.3200_win/plugin/tools/win/web-installer/implementation/installer/entries/win/openvpn_entry.cpp:54" (Indicator: "open") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"C:/jenkins/workspace/SBIS3Plugin_22.3200_win/plugin/tools/win/web-installer/implementation/installer/entries/win/openvpn_entry.cpp:55" (Indicator: "open") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"C:/jenkins/workspace/SBIS3Plugin_22.3200_win/plugin/tools/win/web-installer/implementation/installer/entries/win/openvpn_entry.cpp:59" (Indicator: "open") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"C:/jenkins/workspace/SBIS3Plugin_22.3200_win/plugin/tools/win/web-installer/implementation/installer/entries/win/openvpn_entry.cpp:70" (Indicator: "open") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
- source: File/Memory
- relevance: 1/10

GETs files from a webserver
- details:
"GET /Sbis3Plugin/master/win32/windows.i686.extensions.txt HTTP/1.1
Accept: */*
Connection: close
Host: update.sbis.ru
User-Agent: cpp-httplib/0.9"
"GET /Sbis3Plugin/master/win32/windows.i686.extensions.txt HTTP/1.1
Accept: */*
Connection: close
Host: update-msk2.sbis.ru
User-Agent: cpp-httplib/0.9"
"GET /Sbis3Plugin/master/win32/windows.i686.extensions.txt HTTP/1.1
Accept: */*
Connection: close
Host: update-msk1.sbis.ru
User-Agent: cpp-httplib/0.9"
"GET /Sbis3Plugin/master/win32/version.txt HTTP/1.1
Accept: */*
Connection: close
Host: update.sbis.ru
User-Agent: cpp-httplib/0.9"
"GET /Sbis3Plugin/master/win32/version.txt HTTP/1.1
Accept: */*
Connection: close
Host: update-msk2.sbis.ru
User-Agent: cpp-httplib/0.9"
"GET /Sbis3Plugin/master/win32/version.txt HTTP/1.1
Accept: */*
Connection: close
Host: update-yar1.sbis.ru
User-Agent: cpp-httplib/0.9"
- source: Network Traffic
- relevance: 5/10
- ATT&CK ID: T1071.001
Observed CreateRemoteThread API string
- details: "CreateRemoteThreadEx" observed api string which can "provides the ability to create in the virtual address space of another process" (Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin)
- source: File/Memory
- relevance: 1/10
- ATT&CK ID: T1055

Observed GetAsyncKeyState/GetKeyState API string
- details: "GetKeyState" observed api string which can "provides the ability retrieve the status of the specified virtual key" (Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin)
- source: File/Memory
- relevance: 1/10
- ATT&CK ID: T1056.001

Observed GetDriveType API string
- details: "GetDriveTypeW" observed api string which can "provides the ability to determine disk drive type" (Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin)
- source: File/Memory
- relevance: 1/10

Observed GetNativeSystemInfo API string
- details: "GetNativeSystemInfo" observed api string which can "provides the ability to retrieves information about the current system" (Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin)
- source: File/Memory
- relevance: 1/10
- ATT&CK ID: T1082

Observed Process32First/Process32Next/CreateToolhelp32Snapshot API string
- details:
"CreateToolhelp32Snapshot" observed api string which can "provides the ability to take a snapshot of the specified process" (Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin)
"Process32FirstW" observed api string which can "provides the ability to retrieves information about the first process encountered in a system snapshot" (Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin)
"Process32NextW" observed api string which can "provides the ability to retrieves information about the next process encountered in a system snapshot" (Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin)
- source: File/Memory
- relevance: 1/10
- ATT&CK ID: T1057

Observed RtlGetVersion/RtlGetNtProductType API string
- details: "RtlGetVersion" observed api string which can "provides the ability to retrieve version info about the currently running os" (Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin)
- source: File/Memory
- relevance: 1/10
- ATT&CK ID: T1082
The input sample is signed with a certificate
- details:
The input sample is signed with a certificate issued by "CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 7B:0F:36:0B:77:5F:76:C9:4A:12:CA:48:44:5A:A2:D2:A8:75:70:1C; see report for more information)
The input sample is signed with a certificate issued by "CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert Inc.", C=US" (SHA1: 93:68:17:51:98:96:83:DD:7E:47:A3:EE:52:24:CF:98:96:4F:4F:1F; see report for more information)
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1553.002

The input sample is signed with a valid certificate
- details: The entire certificate chain of the input sample was validated successfully.
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1553.002

Installation/Persistence
Connects to LPC ports
- details: "sbisplugin-setup-web.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
"version.txt" has type "ASCII text with no line terminators" - Location: [%TEMP%\SbisPlugin.Installer\version.txt] - [targetUID: 00000000-00002744]
"windows.i686.extensions.txt" has type "UTF-8 Unicode text with CRLF line terminators" - Location: [%TEMP%\SbisPlugin.Installer\windows.i686.extensions.txt] - [targetUID: 00000000-00002744]
"web_setup.log" has type "UTF-8 Unicode text with very long lines with CRLF line terminators" - Location: [%TEMP%\SbisPlugin.Installer\web_setup.log] - [targetUID: 00000000-00002744]
"file_info.txt" has type "ASCII text with no line terminators" - Location: [%TEMP%\SbisPlugin.Installer\file_info.txt] - [targetUID: 00000000-00002744]
- source: Binary File
- relevance: 3/10

Network Related
Found potential URL in binary/memory
- details:
Heuristic match: "online.sbis.ru"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/plugin/sbis3plugin/set"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/eng_saby_plugin/configure"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/plugin/sbis3plugin/sbisscreens"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/eng_saby_plugin/additional_possibility/screenshot_video"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/plugin/sbis3plugin/sbisdisk"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/eng_saby_plugin/additional_possibility/disk"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/plugin/sbis3plugin/remote_helper"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/eng_saby_plugin/additional_possibility/remote_helper"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/start/teh_terms/sbisplugin/windows_error"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/plugin/sbis3plugin/set/firewall"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/plugin/sbis3plugin/install"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/start/teh_terms/sbisplugin/servconnect"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/plugin/sbis3plugin/run"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/start/teh_terms/sbisplugin/problem"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/start/teh_terms/sbisplugin/error_2503_2502_2203"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/start/teh_terms/sbisplugin/error_2755"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/start/teh_terms/sbisplugin/error_26352"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/start/teh_terms/sbisplugin/read_file"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/start/teh_terms/sbisplugin/open_device"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/start/teh_terms/sbisplugin/start_service"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/start/teh_terms/sbisplugin/start_service#_prichina_%E2%84%962._ne%C2%A0ustanovleno_obnovlenie_operaczionnoj_sistemy_kb2999226"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/start/teh_terms/sbisplugin/start_service#_prichina_%E2%84%961._net_prav_na%C2%A0katalog_programdata"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/plugin/sbis3plugin/delete"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Heuristic match: "Documents downloading from online.sbis.ru"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/reglament"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/regulations"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "http://sbis.ru/support"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://online.sbis.ru/reg/?check=SBISPlugin"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://help.sbis.ru"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Heuristic match: "update.sbis.ru"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/video/call/desktop"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/another/delegate/transfer_of_rights"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "https://sbis.ru/help/ep/workplace"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "www.digicert.com1!0"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "http://ocsp.digicert.com0A"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "cacerts.digicert.com/DigiCertTrustedRootG4.crt0C"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "crl3.digicert.com/DigiCertTrustedRootG4.crl0"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "http://www.digicert.com/CPS0"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "http://ocsp.digicert.com0\"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Pattern match: "cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0"- [Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin]
Heuristic match: "update-msk2.sbis.ru"- [Source: PCAP]
Heuristic match: "update-msk1.sbis.ru"- [Source: PCAP]
Heuristic match: "update-yar1.sbis.ru"- [Source: PCAP]
- source: File/Memory
- relevance: 10/10

Possibly tries to communicate over SSL connection (HTTPS)
- details:
"https://sbis.ru/help/plugin/sbis3plugin/set" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/eng_saby_plugin/configure" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/plugin/sbis3plugin/sbisscreens" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/eng_saby_plugin/additional_possibility/screenshot_video" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/plugin/sbis3plugin/sbisdisk" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/eng_saby_plugin/additional_possibility/disk" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/plugin/sbis3plugin/remote_helper" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/eng_saby_plugin/additional_possibility/remote_helper" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/start/teh_terms/sbisplugin/windows_error" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/plugin/sbis3plugin/set/firewall" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/plugin/sbis3plugin/install" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/start/teh_terms/sbisplugin/servconnect" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
"https://sbis.ru/help/plugin/sbis3plugin/run" (Indicator: "https://") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
- source: File/Memory
- relevance: 1/10
- ATT&CK ID: T1573

Spyware/Information Retrieval

Found registry key string for installed applications
- details: "Software\Microsoft\Windows\CurrentVersion\Uninstall" (Indicator: "microsoft\windows\currentversion\uninstall") in Source: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin
- source: File/Memory
- relevance: 1/10
- ATT&CK ID: T1012

System Security
Creates or modifies windows services
- details: "sbisplugin-setup-web.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details: "sbisplugin-setup-web.exe" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10

Unusual Characteristics
Matched Compiler/Packer signature
- details: "2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca.bin" was detected as "Microsoft visual C++ 8"
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1027.002
File Details

sbisplugin-setup-web.exe
- Filename: sbisplugin-setup-web.exe
- Size: 4.3MiB (4477416 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 2ef1a33eaf20560558af05944e9ea9bf5e3b50ccbe4c3928bec1591eff90a4ca
- MD5: 94696a171556ee49fe65bdd8df5442ed
- SHA1: fd99c699a08d3625aeca85b29623ec77add539cc
- ssdeep: 98304:XmsD51b8ED4tP7dm2xar4/poPqTAGcjOQ4vUT+3:Xm651OoPqRcjv4O+3
- imphash: 857bf12b041d7a8f52c000de3a9fe645
- authentihash: c01d651d8f6fa3e7271cf4de70d243a518bfb39d68a0ecd528cde539b4fe7c4f
- Compiler/Packer: Microsoft visual C++ 8
- PDB Timestamp: 07/31/2032 03:33:29 (UTC)
- PDB Pathway: sbisplugin-setup-web.pdb
- PDB GUID: 8D808C5DB2C76AFFEC6B553F2B0FB216

Version Info
- LegalCopyright: Copyright Tensor
- InternalName: sbisplugin-setup-web.exe
- FileVersion: 22.3200.604.0
- CompanyName: Tensor
- ProductName: -
- ProductVersion: 22.3200.604.0
- FileDescription: Saby Plugin Installer
- OriginalFilename: sbisplugin-setup-web.exe
- Translation: 0x0809 0x04e4
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 27031)
- 1 Unknown Resource Files (build: 0)
- 30 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 25711)
- 25 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 26706)
- 37 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26706)
- 125 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26706)
- 197 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 25711)
- 41 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 25711)
- File appears to contain raw COFF/OMF content
- File is the product of a small codebase (0 files)
File Certificates
Certificate chain was successfully validated.

Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US | CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US (Serial: 8ad40b260d29c4c9f5ecda9bd93aed9) | 04/29/2021 00:00:00 to 04/28/2036 23:59:59 | MD5 D9:12:99:E8:43:55:CD:8D:5A:86:79:5A:01:18:B6:E9; SHA1 7B:0F:36:0B:77:5F:76:C9:4A:12:CA:48:44:5A:A2:D2:A8:75:70:1C
CN=Tensor Company Ltd, O=Tensor Company Ltd, L=Yaroslavl, ST=Yaroslavl Oblast, C=RU | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US (Serial: ef15846bcb58f6b4dcd20ea7e16dc04) | 11/16/2021 00:00:00 to 11/16/2022 23:59:59 | MD5 A8:0C:10:4F:43:92:C5:21:14:9E:E6:E0:71:66:A5:6E; SHA1 93:68:17:51:98:96:83:DD:7E:47:A3:EE:52:24:CF:98:96:4F:4F:1F
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- sbisplugin-setup-web.exe (PID: 2744)
Network Analysis

DNS Requests

Domain | Address | Registrar | Country
---|---|---|---
update-msk1.sbis.ru | 91.194.3.193 (TTL: 60) | RU-CENTER-RU (Organization: SBIS Ltd.; Name Server: ns1.ea1.tensor.ru.; Creation Date: 1998-10-09T14:15:46) | Russian Federation
update-msk2.sbis.ru | 139.45.228.9 (TTL: 60) | RU-CENTER-RU (Organization: SBIS Ltd.; Name Server: ns1.ea1.tensor.ru.; Creation Date: 1998-10-09T14:15:46) | Netherlands
update-yar1.sbis.ru | 212.232.32.6 (TTL: 60) | RU-CENTER-RU (Organization: SBIS Ltd.; Name Server: ns1.ea1.tensor.ru.; Creation Date: 1998-10-09T14:15:46) | Russian Federation
update.sbis.ru | 91.232.93.11 (TTL: 60) | RU-CENTER-RU (Organization: SBIS Ltd.; Name Server: ns1.ea1.tensor.ru.; Creation Date: 1998-10-09T14:15:46) | Russian Federation
Contacted Hosts

IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
91.232.93.11 | 80/TCP | sbisplugin-setup-web.exe (PID: 2744) | Russian Federation
139.45.228.9 | 80/TCP | sbisplugin-setup-web.exe (PID: 2744) | Netherlands
91.194.3.193 | 80/TCP | sbisplugin-setup-web.exe (PID: 2744) | Russian Federation
212.232.32.6 | 80/TCP | sbisplugin-setup-web.exe (PID: 2744) | Russian Federation
HTTP Traffic
Endpoint | Request | URL | Raw Request Line |
---|---|---|---|
91.232.93.11:80 (update.sbis.ru) | GET | update.sbis.ru/Sbis3Plugin/master/win32/windows.i686.extensions.txt | GET /Sbis3Plugin/master/win32/windows.i686.extensions.txt HTTP/1.1 |
139.45.228.9:80 (update-msk2.sbis.ru) | GET | update-msk2.sbis.ru/Sbis3Plugin/master/win32/windows.i686.extensions.txt | GET /Sbis3Plugin/master/win32/windows.i686.extensions.txt HTTP/1.1 |
91.232.93.11:80 (update.sbis.ru) | GET | update.sbis.ru/Sbis3Plugin/master/win32/windows.i686.extensions.txt | GET /Sbis3Plugin/master/win32/windows.i686.extensions.txt HTTP/1.1 |
91.194.3.193:80 (update-msk1.sbis.ru) | GET | update-msk1.sbis.ru/Sbis3Plugin/master/win32/windows.i686.extensions.txt | GET /Sbis3Plugin/master/win32/windows.i686.extensions.txt HTTP/1.1 |
91.232.93.11:80 (update.sbis.ru) | GET | update.sbis.ru/Sbis3Plugin/master/win32/version.txt | GET /Sbis3Plugin/master/win32/version.txt HTTP/1.1 |
139.45.228.9:80 (update-msk2.sbis.ru) | GET | update-msk2.sbis.ru/Sbis3Plugin/master/win32/version.txt | GET /Sbis3Plugin/master/win32/version.txt HTTP/1.1 |
91.232.93.11:80 (update.sbis.ru) | GET | update.sbis.ru/Sbis3Plugin/master/win32/version.txt | GET /Sbis3Plugin/master/win32/version.txt HTTP/1.1 |
212.232.32.6:80 (update-yar1.sbis.ru) | GET | update-yar1.sbis.ru/Sbis3Plugin/master/win32/version.txt | GET /Sbis3Plugin/master/win32/version.txt HTTP/1.1 |

Every request above carried the same headers: `Accept: */*`, `Connection: close`, `Host:` set to the contacted domain, and `User-Agent: cpp-httplib/0.9`.
Extracted Strings
Extracted Files
Informative 4

- file_info.txt
  - Size: 4B (4 bytes)
  - Type: text
  - Description: ASCII text, with no line terminators
  - Runtime Process: sbisplugin-setup-web.exe (PID: 2744)
  - MD5: c667d53acd899a97a85de0c201ba99be
  - SHA1: 7c9fe6831f52e30e0ede4f8c54fd9bba673e8d8b
  - SHA256: 277375b99e186c72ac38ac47b03199038342fe0389be8765476fa2be0c5b5649
- version.txt
  - Size: 11B (11 bytes)
  - Type: text
  - Description: ASCII text, with no line terminators
  - Runtime Process: sbisplugin-setup-web.exe (PID: 2744)
  - MD5: 75e66926e12a22209eba65d6f5dda07b
  - SHA1: 273aab1f4ea8806935b3a10c6bf015264e4bd2a5
  - SHA256: 10bdfe6cc6a915a0844f2d3eeaf1621fd694b4d8c926f3202e7421712b037fab
- web_setup.log
  - Size: 54KiB (55422 bytes)
  - Type: text
  - Description: UTF-8 Unicode text, with very long lines, with CRLF line terminators
  - Runtime Process: sbisplugin-setup-web.exe (PID: 2744)
  - MD5: 6c51ede9fb9b8080ba61d49cdb843a78
  - SHA1: 62ff555571a5edad0c68b4d7fa9bff931b1ba004
  - SHA256: c66cd86bab4d98855daf5d1395de697239665bf7309afa4d8a77d3d696f48bb5
- windows.i686.extensions.txt
  - Size: 6.4KiB (6602 bytes)
  - Type: text
  - Description: UTF-8 Unicode text, with CRLF line terminators
  - Runtime Process: sbisplugin-setup-web.exe (PID: 2744)
  - MD5: 477a26cc6a083c7d468cc402cd95257c
  - SHA1: c84503f7bb65b365f4ff791924790454bec13c0f
  - SHA256: 4b7c3b032afc5307d60b03986061248a9ed42bfd30ad8bd463528b0340941c74
Notifications
Runtime
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-47" are available in the report
- Not all sources for indicator ID "registry-55" are available in the report
- Not all sources for indicator ID "string-101" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all sources for indicator ID "string-79" are available in the report
- Not all sources for indicator ID "string-80" are available in the report
- Not all sources for indicator ID "string-85" are available in the report
- Not all sources for indicator ID "string-86" are available in the report
- Not all sources for indicator ID "string-88" are available in the report
- Not all sources for indicator ID "string-89" are available in the report
- Not all sources for indicator ID "string-98" are available in the report