WildFire Analysis Report
Contents
1 File Information
2 Static Analysis
  2.1. Suspicious File Properties
3 Dynamic Analysis
  3.1. VM1 (Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010)
    3.1.1. Behavioral Summary
    3.1.2. Network Activity
    3.1.3. Host Activity
  3.2. VM2 (Windows 10 x64, Flash 22, Adobe Reader 11, Office 2019)
    3.2.1. Behavioral Summary
    3.2.2. Network Activity
    3.2.3. Host Activity
1 File Information
File Type: PE
File Signer: (none listed)
SHA-256: 8592884eec4b189bfd66d99a44c50cb480304b0c3971c470c2952716852236f0
SHA-1: 1335946fbaf382fc0b8c26899cea201c7fbf5506
MD5: 3f1f9cbc4fcc7d654c0ebc2c91a8a608
File Size: 2039808 bytes
First Seen Timestamp: 2024-07-09 21:26:01 UTC
Verdict: Benign
Antivirus Coverage: VirusTotal Information
2 Static Analysis
2.1. Suspicious File Properties
Pre-screening found no high-risk content in this sample. The properties listed below are static header
heuristics; each is a weak signal on its own, since legitimately packed or protected software (installers,
DRM-wrapped binaries) also shows several of them.
Contains an unusual entry point
The entry point of a PE file is the starting address for execution. An unusually located entry point may
indicate a packed or obfuscated file.
Contains sections with size discrepancies
Sections with a large discrepancy between raw and virtual sizes may indicate a packed or obfuscated PE file.
Contains an invalid checksum
Windows validates the PE checksum only for drivers, boot-time DLLs, and DLLs loaded into protected system
processes; for ordinary user-mode executables it is not enforced. Malware often ignores this field or sets it
to zero, but so does software built without a linker checksum pass.
Contains sections set to both writable and executable
Standard sections are set to either writable or executable. PE files with sections set to both writable and
executable are likely packed or obfuscated.
Uses a known packer
This PE file is packed by a known packer.
Contains non-standard section names
Standard section names are defined by the compiler. Non-standard section names may indicate a packed or
obfuscated PE file.
Last section is executable
In standard PE files the execute flag is reserved for the first section. Use of the execute flag in the last
section may indicate a packed or obfuscated file.
First section is writable
In standard PE files the write flag is reserved for sections after the first. Use of the write flag in the first
section may indicate a packed or obfuscated file.
3 Dynamic Analysis
3.1. VM1 (Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010)
3.1.1. Behavioral Summary
This sample was found to be benign on this virtual machine.
Behaviors observed:
Program has shown a message box.
The program displayed a message box.
Created or modified a file
Legitimate software creates or modifies files to preserve data across system restarts. Malware may create or modify files
to deliver malicious payloads or to maintain persistence on a system.
The sample shows limited activities during analysis.
A sample may generate few behaviors by design, or because it depends on user input or on a specific system
environment; this can also mean it is trying to evade dynamic analysis.
The idle time between two API events is too long.
Long pauses between API calls can be deliberate sleeps intended to outlast the analysis window.
Created an unusually large registry key
Creates or sets a registry value to a long series of bytes, possibly to store a binary or a malware configuration.
3.1.2. Network Activity
No network data available.
3.1.3. Host Activity
Process Activity
Process Name - sample.exe
(command: C:\Users\Administrator\sample.exe)
Event Timeline
1 Created Process C:\Users\Administrator\sample.exe
3.2. VM2 (Windows 10 x64, Flash 22, Adobe Reader 11, Office 2019)
3.2.1. Behavioral Summary
This sample was found to be benign on this virtual machine.
Behaviors observed:
Program has shown a message box.
The program displayed a message box.
Created or modified a file
Legitimate software creates or modifies files to preserve data across system restarts. Malware may create or modify files
to deliver malicious payloads or to maintain persistence on a system.
Identify System domain DNS controller
The sample located the domain controller of the endpoint through an nslookup LDAP query. Malware abuses this command to
gather information on the domain controller of the targeted or compromised host.
The sample shows limited activities during analysis.
A sample may generate few behaviors by design, or because it depends on user input or on a specific system
environment; this can also mean it is trying to evade dynamic analysis.
The idle time between two API events is too long.
Long pauses between API calls can be deliberate sleeps intended to outlast the analysis window.
Created an unusually large registry key
Creates or sets a registry value to a long series of bytes, possibly to store a binary or a malware configuration.
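The behavior names in the two VM summaries above are the result of matching an API trace against simple rules. As an added example, not code from the report or from the WildFire engine, the following Python applies such rules to a constructed, tab-separated API trace: a registry write above a size threshold, an nslookup for the domain-controller locator SRV record, a message box, a file creation, a sparse trace, and a long idle gap between events. The event format, the thresholds and the exact nslookup command line are assumptions of this example, and the trace is constructed rather than taken from this report.

```python
import re
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; the report does not publish WildFire's own cut-offs.
LARGE_REG_VALUE = 4096            # bytes written to a single registry value
IDLE_GAP = timedelta(seconds=60)  # longest tolerated pause between consecutive API events
MIN_EVENTS = 5                    # fewer events than this counts as "limited activity"
# DC locator lookup as nslookup would issue it: SRV record _ldap._tcp.dc._msdcs.<domain> (assumed form).
DC_LOCATOR = re.compile(r"_ldap\._tcp(?:\.dc\._msdcs)?\.[\w.-]+", re.IGNORECASE)

def parse_event(line):
    """One constructed trace line: ISO timestamp, API name and detail, tab-separated."""
    ts, api, detail = line.split("\t", 2)
    return {"ts": datetime.fromisoformat(ts), "api": api, "detail": detail}

def behaviors(lines):
    """Map a trace to the behavior names used in the report."""
    events = [parse_event(line) for line in lines]
    tags = set()
    for ev in events:
        if ev["api"] == "RegSetValueEx":
            # detail carries the value path and 'size=<bytes>' of the data written
            size = int(re.search(r"size=(\d+)", ev["detail"]).group(1))
            if size >= LARGE_REG_VALUE:
                tags.add("Created an unusually large registry key")
        elif ev["api"] == "CreateProcess":
            cmd = ev["detail"].lower()
            if "nslookup" in cmd and DC_LOCATOR.search(cmd):
                tags.add("Identify System domain DNS controller")
        elif ev["api"] == "MessageBox":
            tags.add("Program has shown a message box.")
        elif ev["api"] in ("CreateFile", "WriteFile"):
            tags.add("Created or modified a file")
    if len(events) < MIN_EVENTS:
        tags.add("The sample shows limited activities during analysis.")
    gaps = [b["ts"] - a["ts"] for a, b in zip(events, events[1:])]
    if gaps and max(gaps) > IDLE_GAP:
        tags.add("The idle time between two API events is too long.")
    return sorted(tags)

# Constructed trace, not the report's own event data.
TRACE = [
    "2024-07-09T21:30:00\tCreateProcess\tC:\\Users\\Administrator\\sample.exe",
    "2024-07-09T21:30:01\tMessageBox\tcaption=Setup text=Installing",
    "2024-07-09T21:30:02\tCreateFile\tC:\\Users\\Administrator\\AppData\\Local\\Temp\\cfg.bin",
    "2024-07-09T21:30:02\tRegSetValueEx\tHKCU\\Software\\Sample\\Blob size=65536",
    "2024-07-09T21:30:03\tCreateProcess\tnslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example",
    "2024-07-09T21:33:30\tNtTerminateProcess\tsample.exe",
]
SHORT_TRACE = TRACE[:2]  # a sample that exits almost immediately

if __name__ == "__main__":
    print(behaviors(TRACE))
    print(behaviors(SHORT_TRACE))
```

The full trace yields five of the report's behavior names (large registry value, file creation, DC locator lookup, message box, long idle gap), the two-event trace yields the message box plus "limited activities". The idle-gap rule is what makes sleep-based evasion visible: a sample that calls Sleep for longer than the analysis window produces exactly one long gap and little else.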
3.2.2. Network Activity
DNS Queries
Domain Name   Query Type   DNS Response
azure.com     NS           ns1-39.azure-dns.com
azure.com     NS           ns3-39.azure-dns.org
azure.com     NS           ns4-39.azure-dns.info
azure.com     NS           ns2-39.azure-dns.net
3.2.3. Host Activity
Process Activity
Process Name - sample.exe
(command: C:\Users\Administrator\sample.exe)
Event Timeline
1 Created Process C:\Users\Administrator\sample.exe