Tweak-SSD.exe
This report is generated from a file or URL submitted to this webservice on November 27th 2019 23:56:43 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Queries kernel debugger information
  - Reads the active computer name
  - Reads the cryptographic machine GUID
  - Reads the windows product ID
- Evasive
  - Possibly tries to implement anti-virtualization techniques
  - References security related windows services
  - Tries to sleep for a long time (more than two minutes)
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators 8

Environment Awareness

Reads the windows product ID
- details: "Tweak-SSD.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "PRODUCTID")
- source: Registry Access
- relevance: 6/10
- ATT&CK ID: T1012

Installation/Persistence

Writes data to a remote process
- details:
  - "Tweak-SSD.exe" wrote 56 bytes to a remote process "C:\Tweak-SSD.exe" (Handle: 272)
  - "Tweak-SSD.exe" wrote 8 bytes to a remote process "C:\Tweak-SSD.exe" (Handle: 272)
  - "Tweak-SSD.exe" wrote 2 bytes to a remote process "C:\Tweak-SSD.exe" (Handle: 272)
  - "Tweak-SSD.exe" wrote 1500 bytes to a remote process "C:\Tweak-SSD.exe" (Handle: 272)
  - "Tweak-SSD.exe" wrote 32 bytes to a remote process "C:\Tweak-SSD.exe" (Handle: 272)
  - "Tweak-SSD.exe" wrote 52 bytes to a remote process "C:\Tweak-SSD.exe" (Handle: 272)
  - "Tweak-SSD.exe" wrote 151552 bytes to a remote process "C:\Tweak-SSD.exe" (Handle: 272)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055

System Security

References security related windows services
- details: "1@#25systemroot#25\system32\drivers\luafv.sys,-100" (Indicator: "luafv")
- source: File/Memory
- relevance: 7/10
- ATT&CK ID: T1044

Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details: NtRaiseHardError@NTDLL.DLL from Tweak-SSD.exe (PID: 2712)
- source: Hybrid Analysis Technology
- relevance: 5/10

Contains native function calls
- details: the following NTDLL.DLL exports were called from Tweak-SSD.exe (PID: 2712), in order of occurrence: NtDelayExecution, NtAllocateVirtualMemory, NtOpenFile, NtOpenFile, NtClose, NtUnmapViewOfSection, NtOpenDirectoryObject, NtQuerySystemInformation, NtCreateSection, NtReadVirtualMemory, NtReadVirtualMemory, NtDuplicateObject, NtSetInformationProcess, NtOpenSection, NtDelayExecution, NtProtectVirtualMemory, NtDelayExecution, NtReadVirtualMemory, NtReadVirtualMemory, NtDuplicateObject, NtReadVirtualMemory, NtReadVirtualMemory, NtCreateEvent, NtReadVirtualMemory, NtQueryFullAttributesFile, NtReadVirtualMemory, NtOpenFile, NtQueryVirtualMemory, NtWriteVirtualMemory, NtClose, NtReadVirtualMemory, NtReadVirtualMemory, NtWaitForSingleObject, NtDelayExecution, NtReleaseMutant
- source: Hybrid Analysis Technology
- relevance: 5/10

References suspicious system modules
- details: "0@#25SystemRoot#25\system32\drivers\ndis.sys,-200"
- source: File/Memory
- relevance: 5/10
- ATT&CK ID: T1215

Hiding 2 Malicious Indicators (available only in the private webservice or standalone version)

Suspicious Indicators 17

Anti-Detection/Stealthiness

Queries kernel debugger information
- details: "Tweak-SSD.exe" at 00062110-00001552-00000033-20698274032
- source: API Call
- relevance: 6/10

Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details:
  - "Tweak-SSD.exe" is protecting memory with PAGE_GUARD access rights
  - "Tweak-SSD.exe" is allocating memory with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10

Looks up many procedures within the same disassembly stream (often used to hide usage)
- details: Found 33 calls to GetProcAddress@KERNEL32.DLL from Tweak-SSD.exe (PID: 2712)
- source: Hybrid Analysis Technology
- relevance: 10/10

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details:
  - "S\Device\HarddiskVolume4\Program Files (x86)\VMware\VMware ThinApp\Setup Capture.exe" (Indicator: "vmware")
  - "Interfaccia servizio guest Hyper-V#00" (Indicator: "hyper-v")
  - "Servizio Heartbeat Hyper-V#00" (Indicator: "hyper-v")
  - "Servizio Scambio di dati Hyper-V#00" (Indicator: "hyper-v")
  - "Servizio Virtualizzazione Desktop remoto Hyper-V#00" (Indicator: "hyper-v")
  - "Servizio Arresto guest Hyper-V#00" (Indicator: "hyper-v")
  - "Servizio Sincronizzazione ora Hyper-V#00X" (Indicator: "hyper-v")
  - "Servizio PowerShell Direct Hyper-V#00" (Indicator: "hyper-v")
  - "Richiedente Copia Shadow del volume Hyper-V#00`" (Indicator: "hyper-v")
  - "W~http://www.vmware.com/info?id=907" (Indicator: "vmware")
  - "tVBOXHARDDISKATAD" (Indicator: "vbox")
- source: File/Memory
- relevance: 4/10

Reads the cryptographic machine GUID
- details: "Tweak-SSD.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

General

Found a potential E-Mail address in binary/memory
- details:
  - Pattern match: "info@devcomponents.com"
  - Pattern match: "support@devcomponents.com"
- source: File/Memory
- relevance: 3/10
- ATT&CK ID: T1114

Installation/Persistence

Contains ability to access the loader directly
- details:
  - LdrGetDllHandle@NTDLL.DLL from Tweak-SSD.exe (PID: 2712)
  - LdrLoadDll@NTDLL.DLL from Tweak-SSD.exe (PID: 2712)
  - LdrGetDllHandle@NTDLL.DLL from Tweak-SSD.exe (PID: 2712)
  - LdrLoadDll@NTDLL.DLL from Tweak-SSD.exe (PID: 2712)
- source: Hybrid Analysis Technology
- relevance: 5/10
- ATT&CK ID: T1129

Creates new processes
- details:
  - "Tweak-SSD.exe" is creating a new process (Name: "C:\Tweak-SSD.exe", Handle: 272)
  - "Tweak-SSD.exe" is creating a new process
- source: API Call
- relevance: 8/10

Monitors specific registry key for changes
- details:
  - "Tweak-SSD.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: 9429504)
  - "Tweak-SSD.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: 4280890880)
- source: API Call
- relevance: 4/10
- ATT&CK ID: T1012

Remote Access Related

Contains indicators of bot communication commands
- details: "<link cmd=".reload /f %ls=0x%p">Reload</link> <b>%ls</b> 0x%p %ls" (Indicator: "cmd=")
- source: File/Memory
- relevance: 10/10
- ATT&CK ID: T1094

System Destruction

Opens file with deletion access rights
- details:
  - "Tweak-SSD.exe" opened "C:\Data\Registry.rw.tvr.lck" with delete access
  - "Tweak-SSD.exe" opened "C:\Data\Registry.rw.tvr.lck.OXnbQGvJc0.ffffffff.e80" with delete access
- source: API Call
- relevance: 7/10

Unusual Characteristics

Imports suspicious APIs
- details: CopyFileW, GetModuleFileNameW, IsDebuggerPresent, GetFileAttributesW, GetCommandLineW, UnhandledExceptionFilter, LoadLibraryExW, GetStartupInfoW, GetCommandLineA, GetProcAddress, LoadLibraryW, FindNextFileW, DeleteFileW, FindFirstFileW, GetModuleHandleW, TerminateProcess, GetModuleHandleExW, OutputDebugStringW, WriteFile, CreateFileW, CreateProcessW, Sleep, LdrLoadDll, NtQueryInformationFile, NtQueryInformationProcess
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details: "Tweak-SSD.exe" wrote bytes "4c8bd1" to each of the virtual addresses 0x7EEF5000, 0x7EEF6080, 0x7EEF6180, 0x7EEF6380, 0x7EEF6280, 0x7EEF6480, 0x7EEF6100, 0x7EEF5E80, 0x7EEF4580, 0x7EEF5A80, 0x7EEF5A00, 0x7EEF5D00, 0x7EEF4380, 0x7EEF4980, 0x7EEF4600, 0x7EEF4900, 0x7EEF4B00, 0x7EEF4880, 0x7EEF4A00, 0x7EEF4C00
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details:
  - "Tweak-SSD.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000410")
  - "Tweak-SSD.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Hiding 3 Suspicious Indicators (available only in the private webservice or standalone version)

Informative 20

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.DLL from Tweak-SSD.exe (PID: 2712)
- source: Hybrid Analysis Technology
- relevance: 1/10

Environment Awareness

Contains ability to query machine time
- details: GetSystemTimeAsFileTime@KERNEL32.DLL from Tweak-SSD.exe (PID: 2712)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine version
- details: RtlGetVersion@NTDLL.DLL from Tweak-SSD.exe (PID: 2712)
- source: Hybrid Analysis Technology
- relevance: 1/10

Possibly tries to detect the presence of a debugger
- details: GetProcessHeap@KERNEL32.DLL from Tweak-SSD.exe (PID: 2712)
- source: Hybrid Analysis Technology
- relevance: 1/10

Queries volume information
- details:
  - "Tweak-SSD.exe" queries volume information of "C:\" at 00061938-00002712-00000046-7948076961
  - "Tweak-SSD.exe" queries volume information of "C:\" at 00062110-00001552-00000046-25218972685
  - "Tweak-SSD.exe" queries volume information of "C:\" at 00062110-00001552-00000046-28225960047
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire harddrive
- details:
  - "Tweak-SSD.exe" queries volume information of "C:\" at 00061938-00002712-00000046-7948076961
  - "Tweak-SSD.exe" queries volume information of "C:\" at 00062110-00001552-00000046-25218972685
  - "Tweak-SSD.exe" queries volume information of "C:\" at 00062110-00001552-00000046-28225960047
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120

Reads the registry for installed applications
- details: "Tweak-SSD.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\TWEAK-SSD.EXE")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

External Systems

Sample was identified as clean by Antivirus engines
- details: 0/70 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General

Contains PDB pathways
- details:
  - "d:\build\ob\bora-14449759\vos3\thinstall\modules\boot_loader64.pdb"
  - "Tweak-SSD.pdb"
  - "TW~RAW3D.PDB"
- source: File/Memory
- relevance: 1/10

Creates mutants
- details:
  - "\Sessions\1\BaseNamedObjects\{43EFE7A0-5E02-5298-22D3-CB634F4459A5}_tlog_lock"
  - "\Sessions\1\BaseNamedObjects\{43EFE7A0-5E02-5298-22D3-CB634F4459A5}_tqmap_lock"
  - "\Sessions\1\BaseNamedObjects\{43EFE7A0-5E02-5298-22D3-CB634F4459A5}_tthread_owner"
  - "\Sessions\1\BaseNamedObjects\ThinApp_Data_service_mutex"
  - "{43EFE7A0-5E02-5298-22D3-CB634F4459A5}_tlog_lock"
  - "{43EFE7A0-5E02-5298-22D3-CB634F4459A5}_tthread_owner"
  - "ThinApp_Data_service_mutex"
  - "{43EFE7A0-5E02-5298-22D3-CB634F4459A5}_tqmap_lock"
- source: Created Mutant
- relevance: 3/10

Loads the .NET runtime environment
- details:
  - "Tweak-SSD.exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_64\mscorlib\5d0c037297cc1a64b52ce43b45c2ac2e\mscorlib.ni.dll" at EBA10000
  - "Tweak-SSD.exe" loaded module "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll" at E81D0000
  - "Tweak-SSD.exe" loaded module "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll" at E7CA0000
- source: Loaded Module

Process launched with changed environment
- details:
  - Process "Tweak-SSD.exe" was launched with new environment variables: "__compat_layer="RunAsInvoker", TS_ORIGIN="C:\Tweak-SSD.exe""
  - Process "Tweak-SSD.exe" was launched with modified environment variables: "CommonProgramFiles, Path, PROCESSOR_ARCHITECTURE, ProgramFiles"
  - Process "Tweak-SSD.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
- source: Monitored Target
- relevance: 10/10

Spawns new processes
- details: Spawned process "Tweak-SSD.exe"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details: Spawned process "Tweak-SSD.exe"
- source: Monitored Target
- relevance: 3/10

Installation/Persistence

Connects to LPC ports
- details: "Tweak-SSD.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
  - "Registry.rw.tvr" has type "data"
  - "Registry.tlog" has type "data"
  - "Registry.rw.tvr.lck.OXnbQGvJc0.ffffffff.e80" has type "data"
  - "Registry.rw.tvr.transact" has type "data"
  - "GDIPFONTCACHEV1.DAT" has type "data"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
  - "Tweak-SSD.exe" touched file "%WINDIR%\AppPatch\AppPatch64\sysmain.sdb"
  - "Tweak-SSD.exe" touched file "%WINDIR%\System32\C_1252.NLS"
  - "Tweak-SSD.exe" touched file "%WINDIR%\System32\C_437.NLS"
  - "Tweak-SSD.exe" touched file "%WINDIR%\System32\l_intl.nls"
  - "Tweak-SSD.exe" touched file "%WINDIR%\System32\apphelp.dll"
  - "Tweak-SSD.exe" touched file "%WINDIR%\Temp\VxOle64.dll"
  - "Tweak-SSD.exe" touched file "%WINDIR%\System32\rpcss.dll"
  - "Tweak-SSD.exe" touched file "%WINDIR%\System32\sechost.dll"
  - "Tweak-SSD.exe" touched file "%WINDIR%\System32\imm32.dll"
  - "Tweak-SSD.exe" touched file "%WINDIR%\System32\sxs.dll"
  - "Tweak-SSD.exe" touched file "%WINDIR%\System32\uxtheme.dll"
  - "Tweak-SSD.exe" touched file "%WINDIR%\System32\dwmapi.dll"
  - "Tweak-SSD.exe" touched file "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319"
  - "Tweak-SSD.exe" touched file "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\clr.dll"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details:
  - Heuristic match: "L>(bO%'<Sv.SD"
  - Pattern match: "http://www.totalidea.com#00"
  - Pattern match: "http://pacesuite.com/release/5.1.0/PACE-Suite-5.1.0-Getting-started.pdf"
  - Pattern match: "http://usbtor.ru/viewtopic.php?t=798"
  - Pattern match: "http://www.vmware.com/info?id=907"
  - Heuristic match: "$this.Name"
  - Heuristic match: "info@devcomponents.com"
  - Pattern match: "www.devcomponents.com"
  - Pattern match: "http://www.devcomponents.com/dotnetbar/order.html"
  - Pattern match: "http://www.devcomponents.com"
  - Heuristic match: "mailto:support@devcomponents.com"
  - Heuristic match: "DevComponents.com"
  - Heuristic match: "mailto:info@devcomponents.com"
- source: File/Memory
- relevance: 10/10

Spyware/Information Retrieval

Found a reference to a known community page
- details:
  - "twitter_sign
    facebook_sign" (Indicator: "twitter")
  - "youtube_sign" (Indicator: "youtube")
  - "youtube_play" (Indicator: "youtube")
- source: File/Memory
- relevance: 7/10

System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details: "Tweak-SSD.exe" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1215

File Details
Tweak-SSD.exe
- Filename: Tweak-SSD.exe
- Size: 12MiB (12124160 bytes)
- Type: peexe 64bits executable
- Description: PE32+ executable (GUI) x86-64, for MS Windows
- Architecture: WINDOWS
- SHA256: 0a8d7d17c7b9e74f409ad24456a2caf0e26df8082330cc2e027aa0a6564508af
- MD5: 9855a6092e4e3ce8e26676c3582609e3
- SHA1: 73aff83887bd5461dcb96cd9ba5cfc9f32d4dd4e
- ssdeep: 196608:iP+2TT3YcZm+EWtIEwSaSyiaj6JHAjikcDao:I+2/XDEWNDakJJk8
- imphash: 7e34df381f2f945918bb7d0930affcbc
- authentihash: 150e8413a64f82f11079d7d32f836cf6108945392956f70c3e9919b8e279d15c
- PDB Timestamp: 08/20/2019 07:15:32 (UTC)
- PDB Pathway: d:\build\ob\bora-14449759\vos3\thinstall\modules\boot_loader64.pdb
- PDB GUID: BDAE24352ACB48A592152613E75EE6D5
Version Info
- Translation: 0x0000 0x04b0
- LegalCopyright: Copyright 2019 Totalidea Software GmbH
- Assembly Version: 2.0.70.0
- InternalName: Tweak-SSD.exe
- FileVersion: 2.0.70.0
- CompanyName: Totalidea Software GmbH
- Comments: SSD Optimization And Tweaking Software
- ProductName: Tweak-SSD
- ThinAppVersion: 5.2.6-14449759
- ProductVersion: 2.0.70.0
- FileDescription: Tweak-SSD v2
- ThinAppLicense: FC Portables (fcportables.com)
- ThinAppBuildDateTime: 20190923 200729
- OriginalFilename: Tweak-SSD.exe
Classification (TrID)
- 35.8% (.EXE) Win32 Executable (generic)
- 16.1% (.EXE) OS/2 Executable (generic)
- 16.0% (.EXE) Clipper DOS Executable
- 15.9% (.EXE) Generic Win/DOS Executable
- 15.8% (.EXE) DOS Executable Generic
File Sections
File Resources
File Imports
Screenshots
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- Tweak-SSD.exe (PID: 2712)
- Tweak-SSD.exe (PID: 1552)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Informative 5

Registry.rw.tvr
- Size: 4KiB (4096 bytes)
- Type: data
- Runtime Process: Tweak-SSD.exe (PID: 2712)
- MD5: 3723766d2bbfdcf1c312074d15e5423a
- SHA1: 6bd290998ce36c0eefec5c2cb22fad08b4240fac
- SHA256: 860505dc01b7f08f12dc2250cd9dbcfdc650d5e6f3f6ad971d1ad742a911103b

Registry.rw.tvr.lck.OXnbQGvJc0.ffffffff.e80
- Size: 60B (60 bytes)
- Type: data
- Runtime Process: Tweak-SSD.exe (PID: 2712)
- MD5: fb134339f4c34387a5ee9118efa869ce
- SHA1: 737434d6b745a3b7e99bdfea954b15e40718b8eb
- SHA256: 21ec63a365ae826f7e291521e5680ee8645a5ebcae7579fcff92a1dd8b5e1612

Registry.rw.tvr.transact
- Size: 4KiB (4096 bytes)
- Type: data
- Runtime Process: Tweak-SSD.exe (PID: 2712)
- MD5: 99d7e63a99075e86db7ac37a2aa172fd
- SHA1: 464a04d0c8c59fe59e5bdca233400c9b94e7ecd3
- SHA256: 1a42fa45348cfa81a3008b461252f1fc2dd7a570ccde33db6fbb7d53e975306d

Registry.tlog
- Size: 25KiB (25600 bytes)
- Type: data
- Runtime Process: Tweak-SSD.exe (PID: 2712)
- MD5: bae69fa9fb27746c047dd58520d90faa
- SHA1: e0660da7fb3efe42c967488689e4ee27d1391ba1
- SHA256: 1f50ba4ab01e036ba8c51ff94ba4625f72bab75e5c1cacfabdd1b6691ecc9e53

GDIPFONTCACHEV1.DAT
- Size: 109KiB (111520 bytes)
- Type: data
- MD5: 8e733c0cae670dc624238d4f4606120a
- SHA1: 12f7ccea027cd7d8fcfe3288f7b6e41708fba6be
- SHA256: 01653feb41e76f8f59dc064e253bd3a33fd79531beac755f7ee37cf55a390095

Notifications

Runtime
- Not all Falcon MalQuery lookups completed in time
- Not all sources for indicator ID "api-0" are available in the report
- Not all sources for indicator ID "api-21" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "string-24" are available in the report
- Not all sources for indicator ID "string-43" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report