Lab 1-4

Analyze the file Lab01-04.exe.

Questions

  1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
    • No.
  2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
    • No. Neither PEiD nor PEStudio reports a packer or obfuscator, and the import table is populated with meaningful API names (a packed binary usually shows only a handful of imports such as LoadLibrary/GetProcAddress), so the file is analysed as-is.
  3. When was this program compiled?
    • The PE header's TimeDateStamp decodes to 30 August 2019 22:26:59. That is years after these lab binaries were published (2012), so the timestamp has been forged. The field is just a 32-bit value written by the linker and is trivially patched, so treat it as an indicator of tampering, not as the real build date.
  4. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
    • AdjustTokenPrivileges enables or disables privileges in the caller's own access token; it is not impersonation. Seeing it imported means the program raises its own privileges before doing something that needs them, typically touching another process or a protected system location.
    • WriteFile writes data to a file on disk and WinExec launches a program, so the pair suggests the binary drops a file and then runs it.
    • Combined with the executable found in the resource section, the likely behaviour is: write the resource out to disk with WriteFile, then execute it with WinExec.
  5. What host- or network-based indicators could be used to identify this malware on infected machines?
    • Network-based: the URL from which updater.exe is downloaded (visible in the strings of the extracted resource).
    • Host-based: the dropped file wupdmgrd.exe.
    • Supporting evidence rather than indicators on their own: the URLDownloadToFile import and its provider urlmon.dll, which identify the download capability.
  6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?
    • The resource is itself a complete PE file (it starts with an MZ header), which is why Resource Hacker can save it straight to disk. Its strings and imports show that it uses URLDownloadToFile from urlmon.dll to fetch updater.exe from the embedded URL, saves it as wupdmgrd.exe, and then runs the downloaded file. So Lab01-04.exe is a dropper whose embedded stage is a downloader.
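The three checks above (read the PE timestamp and compare it with when the sample was first seen, locate the executable embedded in the resource section, and pull the URL, file path and API names out of its strings) can be scripted so they do not depend on Resource Hacker or PEStudio. The following is an added example, not part of the original writeup, using only the Python standard library. Because Lab01-04.exe cannot be shipped with this page, it builds a constructed carrier binary with the same shape (an outer PE whose body contains a second PE with downloader strings); the URL host, the first-seen date and the inner file's timestamp are assumptions, and the lab's reported time is interpreted as UTC since the PE field is a UTC epoch value.

```python
"""Static triage helpers for a dropper carrying a second PE in its resources.
Added example, not the lab author's code; the sample bytes are constructed."""
import re
import struct
from datetime import datetime, timezone

# API names worth flagging when they appear as strings (imports) in this lab.
DOWNLOADER_APIS = {"URLDownloadToFileA", "URLDownloadToFile", "WinExec",
                   "WriteFile", "AdjustTokenPrivileges"}

# Compile time reported in the writeup, read as UTC (assumption).
LAB_TIMESTAMP = int(datetime(2019, 8, 30, 22, 26, 59, tzinfo=timezone.utc).timestamp())
# Assumption: the lab binaries predate this date (book published 2012).
FIRST_SEEN = datetime(2012, 2, 1, tzinfo=timezone.utc)


def make_minimal_pe(timestamp: int, body: bytes) -> bytes:
    """Constructed stand-in for a PE image: DOS header with e_lfanew, the PE
    signature and a COFF header carrying `timestamp`, then arbitrary bytes."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    # Machine=i386, 0 sections, TimeDateStamp, symtab ptr, nsyms, opt hdr size, chars
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x102)
    return dos_header + b"PE\0\0" + coff + body


def pe_compile_time(data: bytes, offset: int = 0) -> datetime:
    """COFF TimeDateStamp of the image starting at `offset`, as an aware UTC datetime."""
    if data[offset:offset + 2] != b"MZ":
        raise ValueError("no MZ header at offset %#x" % offset)
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    pe = offset + e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at offset %#x" % pe)
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, pe + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_is_forged(compile_time: datetime, first_seen: datetime) -> bool:
    """A link time later than the date the sample was first observed cannot be
    genuine: the field is written by the linker and is trivially patched."""
    return compile_time > first_seen


def find_embedded_pes(data: bytes) -> list:
    """Offsets of MZ headers (other than the carrier's own at 0) whose e_lfanew
    lands on a PE signature. This carves a dropped executable out of a resource
    without trusting the resource directory, which a packer can also mangle."""
    hits = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = data[pos + e_lfanew:pos + e_lfanew + 4]
            if 0x40 <= e_lfanew < 0x1000 and sig == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def iocs_from_strings(data: bytes, min_len: int = 5) -> dict:
    """Pull the indicator types this lab cares about out of printable strings."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    strings = [m.group().decode("ascii") for m in re.finditer(pattern, data)]
    return {
        "urls": [s for s in strings if re.match(r"https?://", s)],
        "paths": [s for s in strings
                  if "\\" in s and s.lower().endswith((".exe", ".dll"))],
        "apis": [s for s in strings if s in DOWNLOADER_APIS],
    }


def build_sample() -> tuple:
    """Constructed carrier: an outer PE whose body holds import-like strings and
    a second PE (the 'resource') with downloader strings. Not the real lab file."""
    inner_strings = b"\0".join([
        b"http://www.example.invalid/updater.exe",   # placeholder for the real URL
        b"C:\\Windows\\System32\\wupdmgrd.exe",
        b"URLDownloadToFileA", b"urlmon.dll", b"WinExec",
    ]) + b"\0"
    payload = make_minimal_pe(LAB_TIMESTAMP, inner_strings)
    outer_body = b"\0".join([b"AdjustTokenPrivileges", b"WriteFile", b"WinExec"]) + b"\0"
    carrier = make_minimal_pe(LAB_TIMESTAMP, outer_body + payload)
    return carrier, len(carrier) - len(payload)


CARRIER, RESOURCE_OFFSET = build_sample()

if __name__ == "__main__":
    built = pe_compile_time(CARRIER)
    print("compile time:", built, "forged:", timestamp_is_forged(built, FIRST_SEEN))
    for off in find_embedded_pes(CARRIER):
        inner = CARRIER[off:]
        print("embedded PE at %#x, compiled %s" % (off, pe_compile_time(inner)))
        print("  IOCs:", iocs_from_strings(inner))
```

On a real sample, read the file into `data`, run `find_embedded_pes(data)`, and write `data[off:]` out to a file to get the same artefact Resource Hacker extracts; the strings of that slice, not of the carrier, are where the URL and the wupdmgrd.exe path live. The `e_lfanew` bounds check and the `PE\0\0` lookup are what keep a stray "MZ" in ordinary data from being reported as an executable.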