Antivirus scan for b73746964742ef8147aff5232c3df39be7aa165b56032f36c461697a4205aae3 at 2018-06-12 10:39:08 UTC

Antivirus	Result	Update
Ad-Aware		20180612
AegisLab		20180612
AhnLab-V3		20180612
Alibaba		20180612
ALYac		20180612
Antiy-AVL		20180612
Arcabit		20180612
Avast		20180612
Avast-Mobile		20180612
AVG		20180612
Avira (no cloud)		20180612
AVware		20180612
Babable		20180406
Baidu		20180612
BitDefender		20180612
Bkav		20180612
CAT-QuickHeal		20180612
ClamAV		20180612
CMC		20180611
Comodo		20180612
CrowdStrike Falcon (ML)		20180530
Cybereason		20180225
Cylance		20180612
Cyren		20180612
DrWeb		20180612
eGambit		20180612
Emsisoft		20180612
Endgame		20180507
ESET-NOD32		20180612
F-Prot		20180612
F-Secure		20180610
Fortinet		20180612
GData		20180612
Ikarus		20180612
Sophos ML		20180601
Jiangmin		20180612
K7AntiVirus		20180612
K7GW		20180612
Kaspersky		20180612
Kingsoft		20180612
MAX		20180612
McAfee		20180612
McAfee-GW-Edition		20180612
Microsoft		20180612
eScan		20180612
NANO-Antivirus		20180612
Palo Alto Networks (Known Signatures)		20180612
Panda		20180611
Qihoo-360		20180612
Rising		20180612
SentinelOne (Static ML)		20180225
Sophos AV		20180612
SUPERAntiSpyware		20180612
Symantec		20180612
Symantec Mobile Insight		20180605
TACHYON		20180612
Tencent		20180612
TheHacker		20180608
TotalDefense		20180612
TrendMicro		20180612
TrendMicro-HouseCall		20180612
Trustlook		20180612
VBA32		20180612
VIPRE		20180612
ViRobot		20180612
Webroot		20180612
Yandex		20180609
Zillya		20180611
ZoneAlarm by Check Point		20180612
Zoner		20180612

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.

Authenticode signature block and FileVersionInfo properties

Product Wondershare Player

File version 1,5,2,0

Description wondershare-player_setup_full1374.exe

Signature verification Signed file, verified signature

Signing date 10:37 AM 9/28/2016

Signers

[+] Wondershare software CO., LIMITED

[+] VeriSign Class 3 Code Signing 2010 CA

[+] VeriSign

Counter signers

[+] Symantec Time Stamping Services Signer - G4

[+] Symantec Time Stamping Services CA - G2

[+] Thawte Timestamping CA

PE header basic information

Target machine Intel 386 or later processors and compatible processors

Compilation timestamp 2016-09-26 10:12:28

Entry Point 0x0004F606

Number of sections 5

PE sections

Name Virtual address Virtual size Raw size Entropy MD5

.text 4096 439490 439808 6.61 4c76268cd74927f7550754623882b71f

.rdata 446464 88258 88576 4.83 a1b6a083d83ae42c3752b27d45682982

.data 536576 24444 11264 3.79 9433dc4927ab4fe21183b33c2f784fe5

.rsrc 561152 393456 393728 7.52 a10168b1e8064b2108d5482e9d0e6a0c

.reloc 958464 32094 32256 5.59 81c454cd0a22bdce8f547e00be943853

Overlays

MD5 3156daafd782ccfbbc8e00581f57a2bb

File type data

Offset 966656

Size 18064

Entropy 7.38

PE imports

GetStdHandle

GetConsoleOutputCP

WaitForSingleObject

HeapDestroy

GetFileAttributesW

lstrcmpW

GetExitCodeProcess

FreeEnvironmentStringsA

DeleteCriticalSection

GetCurrentProcess

GetConsoleMode

GetLocaleInfoA

GetSystemDefaultLCID

SetErrorMode

FreeEnvironmentStringsW

lstrcatW

GetLocaleInfoW

SetStdHandle

GetCPInfo

GetStringTypeA

GetTempPathW

GetSystemTimeAsFileTime

HeapReAlloc

GetStringTypeW

SetEvent

CreateEventW

LoadResource

TlsGetValue

MoveFileW

SetFileAttributesW

GetEnvironmentVariableW

SetLastError

DeviceIoControl

InitializeCriticalSection

GetModuleFileNameW

IsDebuggerPresent

ExitProcess

GetModuleFileNameA

EnumSystemLocalesA

UnhandledExceptionFilter

InterlockedDecrement

MultiByteToWideChar

SetFilePointerEx

SetFilePointer

CreateThread

CreateSemaphoreW

MulDiv

ExitThread

SetEnvironmentVariableA

SetPriorityClass

TerminateProcess

SetUnhandledExceptionFilter

WriteConsoleA

VirtualQuery

SetEndOfFile

GetCurrentThreadId

LeaveCriticalSection

WriteConsoleW

InitializeCriticalSectionAndSpinCount

HeapFree

EnterCriticalSection

SetHandleCount

TerminateThread

LoadLibraryW

GetVersionExW

GetOEMCP

QueryPerformanceCounter

GetTickCount

TlsAlloc

FlushFileBuffers

LoadLibraryA

RtlUnwind

GetSystemDirectoryA

GetStartupInfoA

SystemTimeToFileTime

GetFileSize

CreateDirectoryW

DeleteFileW

GetProcAddress

GetProcessHeap

CompareStringW

GetFileSizeEx

CompareStringA

IsValidLocale

DuplicateHandle

WaitForMultipleObjects

GetUserDefaultLCID

GetTimeZoneInformation

CreateFileW

GetFileType

TlsSetValue

CreateFileA

HeapAlloc

InterlockedIncrement

GetLastError

DosDateTimeToFileTime

LCMapStringW

lstrlenA

GetConsoleCP

FindResourceW

LCMapStringA

GetEnvironmentStringsW

lstrlenW

CreateProcessW

SizeofResource

GetCurrentDirectoryW

GetCurrentProcessId

LockResource

SetFileTime

WideCharToMultiByte

HeapSize

GetCommandLineA

RaiseException

TlsFree

GetModuleHandleA

ReadFile

CloseHandle

GetVolumeInformationA

GetACP

GetModuleHandleW

FreeResource

GetFileAttributesExW

FindResourceExW

GetEnvironmentStrings

IsValidCodePage

HeapCreate

WriteFile

VirtualFree

Sleep

VirtualAlloc

Number of PE resources by type

RT_ICON 7

XML 2

PNG 2

EXE 1

RT_MANIFEST 1

ZIPRES 1

RT_VERSION 1

RT_GROUP_ICON 1

Number of PE resources by language

ENGLISH US 16

PE resources

06017b68130bdba51f5c37754271e19d0bee0417b63660efadd1dc62eda88281 ASCII text

21f6d6de02844540c73db4997c67c53317e252ba0dc770a2db177e05c13febc9 data

3a9ff9031435db14224af72ac4097e41ba456a552eed77ce730828f8fc0adee3 data

500b1d123694207fc8876f17f2438f5c2501de9941cdcad8b42ee6119abc5fb5 data

51d0c9aa44cf16fd7ae69d6bebb82b8f554be03bfa3f6cafd5b45d3ed97860dc data

5cf8fdf9fea851f208df3f876238b82f429c937d6c61a355d919171c52ce76cf image/x-png

82afab402fbdffb819c55fbfaf041555bbecb3724b3723220fc4ca6e334b66f3 application/zip

84b323586cd52cbcaee04cf603c7e5a2cead4f334eb6ac492eb7d3bbf8dbf693 ASCII text

a07a03e078efa32110188762c3d0888587ea6379d4a11e83468b742f640a8601 data

af20f86dd11fe3118c854087abe8ed6b6948edc50ffdf44c8d2e4723fc967693 data

ExifTool file metadata

SubsystemVersion

5.0

LinkerVersion

9.0

ImageVersion

0.0

FileSubtype

FileVersionNumber

1.5.2.0

UninitializedDataSize

LanguageCode

English (U.S.)

FileFlagsMask

0x0017

CharacterSet

Unicode

InitializedDataSize

525824

EntryPoint

0x4f606

MIMEType

application/octet-stream

Subsystem

Windows GUI

FileVersion

1,5,2,0

TimeStamp

2016:09:26 11:12:28+01:00

FileType

Win32 EXE

PEType

PE32

ProductVersion

1.6.1

FileDescription

wondershare-player_setup_full1374.exe

OSVersion

5.0

FileOS

Win32

LegalCopyright

MachineType

Intel 386 or later, and compatibles

CodeSize

439808

ProductName

Wondershare Player

ProductVersionNumber

1.5.2.0

Warning

Possibly corrupt Version resource

FileTypeExtension

exe

ObjectFileType

Executable application

PE resource-wise parents

This file was seen as a resource in the following Portable Executables.

b42941fe34552cf0ff22aa0ff1b198cde7cb5e282ffdc448a331f78362cc0ab2

File identification

MD5 d02579e575a3074bac18eedde7c6dc92

SHA1 13592f768cab20685a4c1095088c2b2584c65556

SHA256 b73746964742ef8147aff5232c3df39be7aa165b56032f36c461697a4205aae3

ssdeep

24576:dm5qVdbOITvuEYPjHQIgMA+yWg2oUFvv+DC:VVwITvuEYPj/gMbhgbUNmu

authentihash 8a0a747c2522c9bd24b82e54f6f075c7ea3865b72a1d814bf12502893f49ba23

imphash bc91558fe28cddbf43adf983296a9b3d

File size 961.6 KB ( 984720 bytes )

File type Win32 EXE

Magic literal

PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID	Windows ActiveX control (60.5%) Win32 Executable MS Visual C++ (generic) (16.2%) Win64 Executable (generic) (14.3%) Win32 Dynamic Link Library (generic) (3.4%) Win32 Executable (generic) (2.3%)

VirusTotal metadata

First submission 2016-10-08 04:48:48 UTC ( 2 years, 4 months ago )

Last submission 2018-05-23 08:56:02 UTC ( 9 months ago )

File names

player_setup_full1374.exe
player_setup_full1374 (1).exe
aa
player_setup_full1374.exe
player_setup_full1374.exe
player_setup_full1374.exe
player_setup_full1374.exe
player_setup_full1374.exe
player_setup_full1374.exe

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

Opened files

C:\WINDOWS\WindowsShell.Manifest (successful)

\\.\WMIDataDevice (successful)

\\.\PhysicalDrive0 (successful)

\\.\PhysicalDrive1 (failed)

\\.\PhysicalDrive2 (failed)

\\.\PhysicalDrive3 (failed)

\\.\PhysicalDrive4 (failed)

\\.\PhysicalDrive5 (failed)

\\.\PhysicalDrive6 (failed)

\\.\PhysicalDrive7 (failed)

Read files

C:\WINDOWS\Registration\R000000000007.clb (successful)

c:\autoexec.bat (successful)

C:\WINDOWS\media\Windows XP Start.wav (successful)

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config (successful)

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config (successful)

Written files

C:\Documents and Settings\All Users\Documents\Wondershare\NFWCHK.exe (successful)

Deleted files

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.1856.140211 (failed)

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.1856.140211 (failed)

C:\Documents and Settings\<USER>\Application Data\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.1856.140211 (failed)

Created processes

C:\Documents and Settings\All Users\Documents\Wondershare\NFWCHK.exe (successful)

Created mutexes

RasPbFile (failed)

CTF.LBES.MutexDefaultS-1-5-21-1275210071-920026266-1060284298-1003 (successful)

CTF.Compart.MutexDefaultS-1-5-21-1275210071-920026266-1060284298-1003 (successful)

CTF.Asm.MutexDefaultS-1-5-21-1275210071-920026266-1060284298-1003 (successful)

CTF.Layouts.MutexDefaultS-1-5-21-1275210071-920026266-1060284298-1003 (successful)

CTF.TMD.MutexDefaultS-1-5-21-1275210071-920026266-1060284298-1003 (successful)

MidiMapper_modLongMessage_RefCnt (successful)

MidiMapper_Configure (successful)

_!SHMSFTHISTORY!_ (successful)

Opened mutexes

RasPbFile (successful)

ShimCacheMutex (successful)

_!SHMSFTHISTORY!_ (failed)

Global\CLR_CASOFF_MUTEX (failed)

Searched windows

CLASS: MS_AutodialMonitor
NAME: (null)

CLASS: MS_WebcheckMonitor
NAME: (null)

Opened service managers

MACHINE: localhost
DATABASE: SERVICES_ACTIVE_DATABASE (successful)

Opened services

AudioSrv (successful)

RASMAN (successful)

Hooking activity

TYPE: WH_MOUSE
METHOD: SetWindowsHook (successful)

TYPE: WH_KEYBOARD
METHOD: SetWindowsHook (successful)

Runtime DLLs

ole32.dll (successful)

comctl32.dll (successful)

rasapi32.dll (successful)

netman.dll (successful)

msimg32.dll (successful)

clbcatq.dll (successful)

riched20.dll (successful)

shell32.dll (successful)

wininet.dll (successful)

secur32.dll (successful)

Additional details

The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.

The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.

HTTP requests

URL: http://platform.wondershare.com/rest/v2/downloader/runtime/?client_sign={6C78A9C3-VB9E-972F-A478-080027EFEF8B}&product_id=1374
TYPE: GET
USER AGENT: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)

URL: http://pop.wondershare.com/license.html
TYPE: GET
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

DNS requests

platform.wondershare.com (203.130.48.18)

pop.wondershare.com (174.35.67.76)

TCP connections

203.130.48.18:80

151.249.88.206:80

UDP communications

<MACHINE_DNS_SERVER>:53

SHA256:	b73746964742ef8147aff5232c3df39be7aa165b56032f36c461697a4205aae3
Detection ratio:	0 / 67
Analysis date:	2018-06-12 10:39:08 UTC ( 8 months, 1 week ago )

Ciphered bundle