PO#IKO2.bat
This report was generated from a file or URL submitted to this webservice on June 21st 2016 08:29:50 (UTC), using the action script "Random desktop files".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v4.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Contains a remote desktop related string
- Fingerprint: Reads the active computer name
Indicators
Malicious Indicators 4

External Systems

Sample was identified as malicious by a large number of Antivirus engines
- details:
  33/56 Antivirus vendors marked sample as malicious (58% detection rate)
  18/42 Antivirus vendors marked sample as malicious (42% detection rate)
- source: External System
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details:
  33/56 Antivirus vendors marked sample as malicious (58% detection rate)
  18/42 Antivirus vendors marked sample as malicious (42% detection rate)
- source: External System
- relevance: 8/10

System Security

References security related Windows services
- details (matched string, as reported):
- "YYYYYYYYYYYYYYYY'Y%YYYYY Y5Y*YY'YY&Y`Y5YYY)YiYYYY.Y!2YqY`YYYuYuYYYtYnYnYY~YnY}YhY(YYnYbY=YYYkYYYYYYYYYYYYYYYYYYYYYYY"""Y###Y...Y:::YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYvl`ausgbfedoqjn&cmkr~nJXh|pinSWy}t@8"
- source: File/Memory
- relevance: 7/10

1 malicious indicator is hidden in the public report.

Suspicious Indicators 6

Anti-Detection/Stealthiness

Sets the process error mode to suppress error box
- details: "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
- source: API Call
- relevance: 8/10

Environment Awareness

Reads the active computer name
- details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10

Installation/Persistence

Touches files in the Windows directory
- details: "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
- source: API Call
- relevance: 7/10

Remote Access Related

Contains a remote desktop related string
- details: "#ut!1=T/xA_R<=d[gtcpNcZ'FvncT@zpg|Be" (Indicator for product: Generic VNC)
- source: File/Memory
- relevance: 10/10

System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details: "<Input Sample>" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10

Unusual Characteristics

Reads information about supported languages
- details:
  "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
  "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
  "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10

Informative 3

General

Loads the Visual Basic runtime environment
- details: "<Input Sample>" loaded module "%WINDIR%\System32\msvbvm60.dll" at 72940000
- source: Loaded Module

Installation/Persistence

Connects to LPC ports
- details: "<Input Sample>" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Network Related

Found potential URL in binary/memory
- details:
  Heuristic match: "Oyv#wwwwvAZZZZZZZZZZZZZZZZZZZZZZZZZZZ.MC"
  Pattern match: "y.XN/xyHCxU_/"
  Heuristic match: "|u&&:inj_j;2Pk$Gs#e\\ YotJ/8bNNaY*]+06h;QeqmyeIK&J8|*(US-TDnEy<(H>g+nk+)gg?3}--+9m.bo"
  Heuristic match: "1*!!qpGlkWxWr:Y``@@khVTPDFGT}p>Js#_IQJ+n%Tk08e&F=7(@$3g.Za"
  Heuristic match: "zzh-WWGLH{ewO6a@CO:AVbz{=vTXG4`G!Y6)%%]vfttEEj(}Y~$Q{ utw;+XXS(YVZ0f>XBz-F3fu4D2J)U)>BT;:QD/M0k7K8Du`a=[Kg:clU&W]i#(S92}0C~#%1P+.'VqTUHD^&`zje-ca*)2t4sBfcibj't-ZQ.HJ[n;o]&{mzzxh=zmEQ-{[MPp;l;;;.bz"
  Heuristic match: "2k|2gun\+:jl5*+*-.PG"
  Pattern match: "s.Kct/J}'O*=7fje"
- source: File/Memory
- relevance: 10/10
File Details
- Filename: PO#IKO2.bat
- Size: 868KiB (888832 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 3a6845fabab15c731383261497dd1706dc58dfa9dfddfb14d0dd42f8f7aded7b
- MD5: e39a3428e593b4bd463ff2f0110fdefe
- SHA1: 23728fdb08f313a4583fa053aea885a341aa51e5
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- Input Sample (PID: 1676)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.