File name: | openvpn-install-2.4.7-I603.exe |
Full analysis: | https://app.any.run/tasks/6fb5e258-e1f2-4cf3-a982-991470ae7ab1 |
Verdict: | Malicious activity |
Analysis date: | March 14, 2019, 19:52:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | B04C1B28BAAC54B415CB88635B4DC815 |
SHA1: | E34F5291917D1A9D2E0E94AF8CF34C2F6D0ECA1B |
SHA256: | 0237BE0BE0156F869F38FB2F38842E3AB5DF46C79B914EBA580DE3031C116651 |
SSDEEP: | 98304:6+ldZJUIozgux1p3zNoVmljXvz1oy8pvenqIkMK/JFhv07MTE:/XLUh91J+mp7d8pvsxkRhv0YY |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x4375 |
UninitializedDataSize: | 110080 |
InitializedDataSize: | 38912 |
CodeSize: | 35840 |
LinkerVersion: | 2.26 |
PEType: | PE32 |
TimeStamp: | 2016:04:27 03:27:47+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 27-Apr-2016 01:27:47 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 7 |
Time date stamp: | 27-Apr-2016 01:27:47 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00008B24 | 0x00008C00 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.94493 |
.data | 0x0000A000 | 0x000000E0 | 0x00000200 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.62454 |
.rdata | 0x0000B000 | 0x00006A38 | 0x00006C00 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.22225 |
.bss | 0x00012000 | 0x0001AD00 | 0x00000000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x0002D000 | 0x0000127C | 0x00001400 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.15437 |
.ndata | 0x0002F000 | 0x0001A000 | 0x00000400 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00049000 | 0x00006DC8 | 0x00006E00 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.84468 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.21594 | 960 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 4.15056 | 4264 | UNKNOWN | English - United States | RT_ICON |
3 | 3.94986 | 3752 | UNKNOWN | English - United States | RT_ICON |
4 | 4.50443 | 2216 | UNKNOWN | English - United States | RT_ICON |
5 | 4.1424 | 1384 | UNKNOWN | English - United States | RT_ICON |
6 | 4.74328 | 1128 | UNKNOWN | English - United States | RT_ICON |
102 | 2.70702 | 180 | UNKNOWN | English - United States | RT_DIALOG |
103 | 2.47314 | 90 | UNKNOWN | English - United States | RT_GROUP_ICON |
104 | 2.70176 | 356 | UNKNOWN | English - United States | RT_DIALOG |
105 | 2.68101 | 582 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.DLL |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3080 | "C:\Users\admin\AppData\Local\Temp\openvpn-install-2.4.7-I603.exe" | C:\Users\admin\AppData\Local\Temp\openvpn-install-2.4.7-I603.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | ||||
3952 | "C:\Users\admin\AppData\Local\Temp\openvpn-install-2.4.7-I603.exe" | C:\Users\admin\AppData\Local\Temp\openvpn-install-2.4.7-I603.exe | explorer.exe | |
User: admin Integrity Level: HIGH | ||||
3524 | "C:\Users\admin\AppData\Local\Temp\nsvEE2F.tmp\ns4BF0.tmp" "C:\Users\admin\AppData\Local\Temp\tap-windows.exe" /S /SELECT_UTILITIES=1 | C:\Users\admin\AppData\Local\Temp\nsvEE2F.tmp\ns4BF0.tmp | — | openvpn-install-2.4.7-I603.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2628 | "C:\Users\admin\AppData\Local\Temp\tap-windows.exe" /S /SELECT_UTILITIES=1 | C:\Users\admin\AppData\Local\Temp\tap-windows.exe | ns4BF0.tmp | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3208 | "C:\Users\admin\AppData\Local\Temp\nsn4D36.tmp\ns4D75.tmp" "C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901 | C:\Users\admin\AppData\Local\Temp\nsn4D36.tmp\ns4D75.tmp | — | tap-windows.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
4080 | "C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901 | C:\Program Files\TAP-Windows\bin\tapinstall.exe | — | ns4D75.tmp |
User: admin Company: Windows (R) Win 7 DDK provider Integrity Level: HIGH Description: Windows Setup API Exit code: 0 Version: 6.1.7600.16385 built by: WinDDK | ||||
3316 | "C:\Users\admin\AppData\Local\Temp\nsn4D36.tmp\ns4E61.tmp" "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901 | C:\Users\admin\AppData\Local\Temp\nsn4D36.tmp\ns4E61.tmp | — | tap-windows.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3872 | "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901 | C:\Program Files\TAP-Windows\bin\tapinstall.exe | ns4E61.tmp | |
User: admin Company: Windows (R) Win 7 DDK provider Integrity Level: HIGH Description: Windows Setup API Exit code: 0 Version: 6.1.7600.16385 built by: WinDDK | ||||
3476 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{3502f335-5614-43cb-98fc-407179cd7253}\oemvista.inf" "0" "6d14a44ff" "000005C0" "WinSta0\Default" "000005BC" "208" "c:\program files\tap-windows\driver" | C:\Windows\system32\DrvInst.exe | svchost.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2416 | rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5cfbbe6b-6bcb-0bab-07e7-276333807744} Global\{1f50f1de-0d59-092c-6969-1f0873c9e706} C:\Windows\System32\DriverStore\Temp\{1c0b2307-c612-761b-fd51-a07f75371e1a}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{1c0b2307-c612-761b-fd51-a07f75371e1a}\tap0901.cat | C:\Windows\system32\rundll32.exe | — | DrvInst.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3952 | openvpn-install-2.4.7-I603.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenVPN\Utilities\Generate a static OpenVPN key.lnk | lnk | |
MD5:353E851FAFFB1EB6C01F8D0DA6848742 | SHA256:10F68409EEE134DF8292C807601D51E98F669B148AA78F01CDE862CA5BE0440C | |||
3952 | openvpn-install-2.4.7-I603.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Windows Notes.lnk | lnk | |
MD5:A72033304B40ECB4167AE183268FDD21 | SHA256:A826438C5A0B7B37393CE8DD397EE640C7DAEB0552D2DF6E9C742853AFF53AB6 | |||
3952 | openvpn-install-2.4.7-I603.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Manual Page.lnk | lnk | |
MD5:8BFAB7F8FF12C805661A1552916CF9A4 | SHA256:0D194C78EA2080C58162320D0F75CCFD456CE4D8F18827266D5B04C857F8810A | |||
3952 | openvpn-install-2.4.7-I603.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenVPN\Shortcuts\OpenVPN Sample Configuration Files.lnk | lnk | |
MD5:B36B992D24CB4C516B71688349809090 | SHA256:500D6188D306B1C85195ED1137759C872AC713C12A90FE2D1EAE9AEC9C38B018 | |||
3952 | openvpn-install-2.4.7-I603.exe | C:\Program Files\OpenVPN\sample-config\client.ovpn | text | |
MD5:0E0C51874EF9C53E4A4DCEC263644536 | SHA256:A7DC6B3FB75EE3D2BA9244D9302BC0DD9A7F6FF621FFB9E6D1A4D88E436F5617 | |||
3952 | openvpn-install-2.4.7-I603.exe | C:\Program Files\OpenVPN\bin\openvpn.exe | executable | |
MD5:DE76066903427C91EEC491A269505828 | SHA256:FB263A21E7537D57E75B7FFE27CFE6A364C20CA81709B2980CA54D9D5D263553 | |||
3952 | openvpn-install-2.4.7-I603.exe | C:\Users\admin\AppData\Local\Temp\nsvEE2F.tmp\modern-header.bmp | image | |
MD5:CD8BC7B987FA89E7FD5ACDED7148CF66 | SHA256:127FC8103D7D1DAACFB0ABB422C9B2AA8ED14FA095E06A997E43445D5D963352 | |||
3952 | openvpn-install-2.4.7-I603.exe | C:\Program Files\OpenVPN\config\README.txt | text | |
MD5:0B36C15757F458123DC271DA6C802C20 | SHA256:EE88DA16216AAF4BC760C9732B5C99B46E7F9528811AED06483B2A5737736839 | |||
3952 | openvpn-install-2.4.7-I603.exe | C:\Program Files\OpenVPN\doc\openvpn.8.html | text | |
MD5:2D3145DA4E8B92290F3F177A0E97C29C | SHA256:6532899539398C1DB287C3AF7149CDD4F09547020704A672F7DEA2AEDC1135A6 | |||
3952 | openvpn-install-2.4.7-I603.exe | C:\Program Files\OpenVPN\sample-config\sample.ovpn | text | |
MD5:67F657EED08CE365508F739DCB94ADE1 | SHA256:07BE2BC7CA10E502485DADDD31785B5C18EA27C017118EE82B1411D7722E4EA5 |