Origin[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Origin.exe
Size

3.5MB
MD5

dab21c14c09fa0f40dacd1a19c7a9125
SHA1

d7eeb0dbb397c6d37bfd084a6fa791da8017589a
SHA256

dc215daa9f79ea6b9d3b2c376a908ac4621871dc4b56374fad7edaed4feb66d7
SHA512

3f427c3b88321579fb6e30ebc7ecb74072a6ac36a6e9f8ce73bb48db170de4167991f8d110067a3191e872939d230b016a2f21160aa17d8a4b95743ddfa687b0
SSDEEP

49152:PTia0KriyXm65M5pwSmYgMgnIJdkPgIpE0AO8ubG9g:x

Score

1^/10

Malware Config

Signatures

Files

Origin.exe
.exe windows:5 windows x86 arch:x86

87c2f22aaa051eea5d178e91d7470c6d

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

4e:e1:c2:d9:3b:3c:fb:bd:84:50:10:8a:58:a6:4f:76
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

14/05/2015, 00:00

Not After

22/07/2017, 23:59

Subject

CN=Electronic Arts\, Inc.,OU=EAC,O=Electronic Arts\, Inc.,L=Burnaby,ST=British Columbia,C=CA

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7d:91:d0:50:bb:4c:25:05:ea:13:2c:bf:f1:27:99:73:5e:5d:9c:f6
Signer

Actual PE Digest

7d:91:d0:50:bb:4c:25:05:ea:13:2c:bf:f1:27:99:73:5e:5d:9c:f6

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

E:\ebisu\hudson\workspace\Origin-HL\origin\HL\originClient\dev\runtime\Origin.pdb

Imports

gdi32

SetTextColor
BitBlt
DeleteDC
GetDeviceCaps
DeleteObject
SelectObject
CreateCompatibleDC
CreateCompatibleBitmap
GetObjectW
GetStockObject
CreateFontW
CreateSolidBrush

user32

IsDlgButtonChecked
GetDlgItemTextW
MapWindowPoints
EnableWindow
EndPaint
ClientToScreen
GetWindowTextLengthW
DestroyAcceleratorTable
ScreenToClient
GetMessageW
CharNextW
RegisterWindowMessageW
FillRect
IsChild
SetCapture
UnregisterClassW
GetFocus
GetParent
InvalidateRgn
LoadCursorW
GetClientRect
CreateAcceleratorTableW
SetFocus
CheckDlgButton
GetClassInfoExW
GetDC
TranslateMessage
RegisterClassExW
InvalidateRect
MapDialogRect
GetWindowTextW
ReleaseDC
SetWindowLongW
RedrawWindow
GetDesktopWindow
GetSysColor
SetWindowPos
CreateDialogParamW
IsWindow
ReleaseCapture
SendMessageW
SetWindowTextW
CallWindowProcW
GetWindow
MoveWindow
DispatchMessageW
SendNotifyMessageW
PostMessageW
EndDialog
LoadIconW
ShowWindow
IsDialogMessageW
SetDlgItemTextW
MessageBoxExW
DestroyWindow
SetForegroundWindow
FindWindowW
EnumWindows
PeekMessageW
GetClassNameW
SendMessageTimeoutW
CreateWindowExW
RegisterClassW
GetWindowRect
wsprintfW
GetWindowLongW
GetDlgItem
IsWindowVisible
DefWindowProcW
GetWindowThreadProcessId
BeginPaint

advapi32

ConvertStringSidToSidW
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclW
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegDeleteValueW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
GetUserNameW
RegSetValueExW

winhttp

WinHttpReadData
WinHttpCrackUrl
WinHttpOpenRequest
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpGetIEProxyConfigForCurrentUser
WinHttpReceiveResponse
WinHttpSetTimeouts
WinHttpSetOption

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

msvcp120

??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@_JH@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PAD_J@Z
?tellp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ
?seekp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@_JH@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
?always_noconv@codecvt_base@std@@QBE_NXZ
??Bid@locale@std@@QAEIXZ
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEXXZ
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ
?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEPA_WXZ
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UAE@XZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ
?in@?$codecvt@DDH@std@@QBEHAAHPBD1AAPBDPAD3AAPAD@Z
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEHXZ
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEPAV12@PA_W_J@Z
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JPB_W_J@Z
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JPA_W_J@Z
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEGXZ
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JXZ
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAE@XZ
?_Winerror_map@std@@YAPBDH@Z
?_Syserror_map@std@@YAPBDH@Z
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPBD@Z
?_Xlength_error@std@@YAXPBD@Z
?_BADOFF@std@@3_JB
?uncaught_exception@std@@YA_NXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@H@Z
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z
?id@?$codecvt@DDH@std@@2V0locale@2@A
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z
?_Getcat@?$codecvt@DDH@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ
?unshift@?$codecvt@DDH@std@@QBEHAAHPAD1AAPAD@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?out@?$codecvt@DDH@std@@QBEHAAHPBD1AAPBDPAD3AAPAD@Z
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEXABVlocale@2@@Z

msvcr120

__iob_func
_get_osfhandle
_wrmdir
_rmdir
_wunlink
_unlink
wcsncat
wcsrchr
isalpha
_wopen
_open
_open_osfhandle
fprintf
abort
_finite
_isnan
__daylight
__timezone
_tzset
_strtoui64
_ecvt
_fcvt
_lock
_unlock
_calloc_crt
__dllonexit
_onexit
??1type_info@@UAE@XZ
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
?terminate@@YAXXZ
_stricmp
_XcptFilter
__crtGetShowWindowMode
_amsg_exit
__getmainargs
__set_app_type
_exit
_cexit
_ismbblead
_configthreadlocale
__setusermatherr
_initterm_e
_initterm
_acmdln
_fmode
_commode
_except_handler4_common
_except1
__crtSetUnhandledExceptionFilter
_invoke_watson
_controlfp_s
wcsncpy
realloc
_setmode
calloc
memcpy
_umask
_close
strrchr
mbtowc
_strdup
_errno
_mktime64
memset
_CxxThrowException
__CxxFrameHandler3
mbstowcs_s
_itow_s
_wchdir
vsprintf_s
_wcslwr_s
wcstombs_s
strncmp
__argc
_recalloc
_snprintf_s
__argv
wcsncpy_s
towlower
sprintf
swprintf_s
exit
fclose
_localtime64
fwrite
memcpy_s
strftime
wcsftime
_lock_file
setvbuf
fsetpos
tolower
_vswprintf
fgetc
fflush
_fseeki64
fgetpos
ungetc
malloc
_unlock_file
??0exception@std@@QAE@ABV01@@Z
??0bad_cast@std@@QAE@ABV01@@Z
??0bad_cast@std@@QAE@PBD@Z
??1bad_cast@std@@UAE@XZ
fputc
_time64
wcstok_s
clock
??_V@YAXPAX@Z
wcsstr
free
_wtoi
_wcsicmp
wcschr
??2@YAPAXI@Z
wcscpy_s
wcscat_s
??3@YAXPAX@Z
_purecall
memmove
_strnicmp
toupper

kernel32

TlsFree
GetExitCodeThread
IsDebuggerPresent
GetPriorityClass
SetPriorityClass
GetThreadPriority
SetThreadPriority
GetCurrentThread
CreateMutexA
WaitForSingleObjectEx
SleepEx
ReleaseMutex
GetProcessHeap
HeapFree
HeapAlloc
SetEnvironmentVariableA
GetEnvironmentVariableA
GetFileInformationByHandle
EncodePointer
IsProcessorFeaturePresent
InitializeSListHead
InterlockedPopEntrySList
InterlockedPushEntrySList
VirtualAlloc
VirtualFree
OutputDebugStringW
RemoveDirectoryW
TlsAlloc
GetNamedPipeHandleStateA
PeekNamedPipe
CreateDirectoryA
GetFileAttributesA
SetFileAttributesW
SetFilePointerEx
SetEndOfFile
GetFileAttributesW
GetFileType
SetFileTime
LoadLibraryA
CreateFileA
GetFullPathNameW
lstrlenA
LocalAlloc
GetTempPathW
CopyFileW
WideCharToMultiByte
SetFileAttributesA
CreateThread
GetCurrentProcessId
GetCurrentThreadId
lstrcmpiW
DecodePointer
FindClose
GetProcAddress
RaiseException
FlushInstructionCache
lstrcmpW
GetModuleFileNameW
MulDiv
LoadLibraryW
GetPrivateProfileStringW
GetSystemTimeAsFileTime
WaitForSingleObject
SetEnvironmentVariableW
GetCurrentProcess
InterlockedDecrement
InterlockedIncrement
LoadLibraryExW
CreateProcessW
FreeLibrary
FindFirstFileW
LocalFree
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
GlobalUnlock
GetLocaleInfoW
GlobalAlloc
GlobalLock
DeleteFileW
GetDiskFreeSpaceExW
QueryPerformanceFrequency
LockResource
MoveFileW
MultiByteToWideChar
CreateFileW
ReadFile
GetVersionExW
SizeofResource
InitializeCriticalSectionAndSpinCount
WriteFile
CreateDirectoryW
QueryPerformanceCounter
MoveFileExW
LoadResource
FindResourceW
FreeResource
GetFileSize
GetCommandLineW
CloseHandle
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
SetLastError
GetLastError
TerminateProcess
Sleep
OpenProcess
GetTickCount
GetModuleHandleW
CreateMutexW
FindNextFileW

ole32

CoCreateInstance
CreateStreamOnHGlobal
OleLockRunning
CoUninitialize
CoTaskMemRealloc
CLSIDFromProgID
CLSIDFromString
StringFromGUID2
OleInitialize
OleUninitialize
CoTaskMemFree
CoGetClassObject
CoTaskMemAlloc
CoInitializeEx

shell32

ShellExecuteW
SHGetFolderPathW
SHCreateDirectoryExW
ShellExecuteExW

oleaut32

VariantInit
VariantClear
SysAllocString
SysFreeString
SysStringLen
LoadTypeLi
OleCreateFontIndirect
VarUI4FromStr
LoadRegTypeLi
VariantChangeType
SysAllocStringLen

shlwapi

PathFileExistsW
StrStrIW
wnsprintfW

comctl32

InitCommonControlsEx

wintrust

WinVerifyTrust

crypt32

CertFindCertificateInStore
CryptMsgGetParam
CertGetNameStringW
CryptQueryObject
CryptMsgClose
CertFreeCertificateContext
CertCloseStore

Sections

.text
Size: 214KB - Virtual size: 213KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 71KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 5B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

87c2f22aaa051eea5d178e91d7470c6d

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

4e:e1:c2:d9:3b:3c:fb:bd:84:50:10:8a:58:a6:4f:76Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

7d:91:d0:50:bb:4c:25:05:ea:13:2c:bf:f1:27:99:73:5e:5d:9c:f6Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

gdi32

user32

advapi32

winhttp

version

msvcp120

msvcr120

kernel32

ole32

shell32

oleaut32

shlwapi

comctl32

wintrust

crypt32

Sections

.text Size: 214KB - Virtual size: 213KB

.rdata Size: 71KB - Virtual size: 70KB

.data Size: 11KB - Virtual size: 26KB

.tls Size: 512B - Virtual size: 5B

.rsrc Size: 3.2MB - Virtual size: 3.2MB

.reloc Size: 15KB - Virtual size: 15KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

4e:e1:c2:d9:3b:3c:fb:bd:84:50:10:8a:58:a6:4f:76
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

7d:91:d0:50:bb:4c:25:05:ea:13:2c:bf:f1:27:99:73:5e:5d:9c:f6
Signer

.text
Size: 214KB - Virtual size: 213KB

.rdata
Size: 71KB - Virtual size: 70KB

.data
Size: 11KB - Virtual size: 26KB

.tls
Size: 512B - Virtual size: 5B

.rsrc
Size: 3.2MB - Virtual size: 3.2MB

.reloc
Size: 15KB - Virtual size: 15KB