File name: | 02322404_3 |
Full analysis: | https://app.any.run/tasks/d91d6e5e-3f6a-4f83-8382-d31ba8578abf |
Verdict: | Malicious activity |
Analysis date: | November 30, 2020, 04:43:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 7BF1609284AC1049408E7E9951795F8E |
SHA1: | 8874E55935596EA43880A726085F3D0B9E2E39D7 |
SHA256: | 027F61C750849D235F3E33A6153E054463D37179AB147721B747D63E2D044D23 |
SSDEEP: | 196608:aw8jSfS9MJkLXU2bUn6CJ9UoQH3Znw8f/mwqwbIt6IfkmJL8ai+FOQ:aR6JJ2bUp9ZQpDfewqjXfk+i+Fz |
Extension | Detected type | Score |
---|---|---|
.exe | Win32 Executable MS Visual C++ (generic) | 32.1 |
.exe | Win64 Executable (generic) | 28.5 |
.exe | Winzip Win32 self-extracting archive (generic) | 23.7 |
.dll | Win32 Dynamic Link Library (generic) | 6.7 |
.exe | Win32 Executable (generic) | 4.6 |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2009:02:24 16:49:16+01:00 |
PEType: | PE32 |
LinkerVersion: | 8 |
CodeSize: | 73728 |
InitializedDataSize: | 118784 |
UninitializedDataSize: | - |
EntryPoint: | 0xa78e |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 24-Feb-2009 15:49:16 |
Detected languages: | - |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F8 |

PE file header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 24-Feb-2009 15:49:16 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | - |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00011FE5 | 0x00012000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.62078 |
.rdata | 0x00013000 | 0x00003732 | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.93401 |
.data | 0x00017000 | 0x0000E744 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.97645 |
.rsrc | 0x00026000 | 0x000093A8 | 0x0000A000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.1307 |
_winzip_ | 0x00030000 | 0x0082B000 | 0x0082B000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 7.99779 |

The four standard sections total under 200 KB; the `_winzip_` section (0x82B000 bytes, about 8.2 MB, entropy 7.99779) is the compressed archive payload carried by the WinZip self-extractor stub, which is why the file-type scan also matched "Winzip Win32 self-extracting archive". Entropy that close to 8.0 means compressed or encrypted data; the stub's own `.text` (6.62) is ordinary compiled code.
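The header and section values above are what a PE parser reads out of the DOS header (`e_lfanew` at offset 0x3C, shown here as "Address of NE header" = 0xF8), the COFF file header and the 40-byte section entries. The following Python is an added example, not code from the ANY.RUN report or from the sample; it parses those structures with `struct`, computes per-section Shannon entropy, and flags sections with a high-entropy payload, W+X permissions or raw data that runs past the end of the file. The PE image it parses is constructed in `build_sample()` (a repetitive `.text` plus a random-filled `_winzip_`-style section) and is not the analysed file; the 7.2 entropy cut-off is an assumed heuristic, not a standard.

```python
"""Parse PE32 headers and section table, compute section entropy, flag outliers.
Added example; the image built below is synthetic, not the analysed sample."""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

ENTROPY_THRESHOLD = 7.2  # assumption: heuristic cut-off for "compressed or encrypted"


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def format_timestamp(ts):
    """COFF TimeDateStamp is seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_pe(pe):
    """Return machine type, link timestamp and the section table with entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]        # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    sec_table = e_lfanew + 4 + 20 + opt_size                # section headers follow the optional header
    sections = []
    for i in range(nsec):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, flags) = struct.unpack_from("<8sIIIIIIHHI", pe, sec_table + 40 * i)
        # raw_ptr == 0 means no file-backed data (e.g. .bss); a short slice means truncation
        data = pe[raw_ptr:raw_ptr + raw_size] if raw_ptr else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
            "flags": flags, "truncated": len(data) < raw_size,
            "entropy": shannon_entropy(data),
        })
    return {"machine": machine, "timestamp": ts, "sections": sections}


def suspicious(sections):
    """List of (section name, reasons) for sections that merit a closer look."""
    out = []
    for s in sections:
        reasons = []
        if s["entropy"] >= ENTROPY_THRESHOLD:
            reasons.append("entropy %.3f: compressed or encrypted payload" % s["entropy"])
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if s["truncated"]:
            reasons.append("raw data runs past end of file")
        if reasons:
            out.append((s["name"], reasons))
    return out


def _align(x, a):
    return (x + a - 1) // a * a


def build_sample():
    """Constructed minimal PE32 (not the analysed file): a repetitive .text and a
    random-filled _winzip_ section standing in for a compressed archive payload."""
    text = b"\x55\x8b\xec\x90\xc3" * 120                     # repetitive x86-looking bytes
    rng = random.Random(2020)
    blob = bytes(rng.getrandbits(8) for _ in range(8192))    # near-8.0 entropy, deterministic
    e_lfanew, opt_size, nsec, falign = 0xF8, 0xE0, 2, 0x200
    raw1 = _align(e_lfanew + 4 + 20 + opt_size + 40 * nsec, falign)
    raw2 = _align(raw1 + len(text), falign)
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # 1235490556 = 2009-02-24 15:49:16 UTC, the link time shown in the report
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsec, 1235490556, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, rest zeroed
    sec = struct.Struct("<8sIIIIIIHHI")
    s1 = sec.pack(b".text", len(text), 0x1000, _align(len(text), falign), raw1, 0, 0, 0, 0,
                  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    s2 = sec.pack(b"_winzip_", len(blob), 0x2000, len(blob), raw2, 0, 0, 0, 0,
                  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ)
    img = bytearray(dos + b"PE\0\0" + file_hdr + opt_hdr + s1 + s2)
    img += b"\0" * (raw1 - len(img)) + text
    img += b"\0" * (raw2 - len(img)) + blob
    return bytes(img)


if __name__ == "__main__":
    info = parse_pe(build_sample())
    print("machine 0x%X, linked %s UTC" % (info["machine"], format_timestamp(info["timestamp"])))
    for s in info["sections"]:
        print("%-8s va=0x%08X vsize=0x%X raw=0x%X entropy=%.5f"
              % (s["name"], s["va"], s["vsize"], s["raw_size"], s["entropy"]))
    for name, reasons in suspicious(info["sections"]):
        print("flag %s: %s" % (name, "; ".join(reasons)))
```

Running `parse_pe(open(path, "rb").read())` on a real self-extractor reproduces the section table above; entropy is computed over the raw on-disk bytes including file-alignment padding, which is also how the sandbox arrives at its figures, so a mostly-empty section such as `.data` (raw 0x2000, entropy 1.98) scores low even though its virtual size is larger.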
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.8317 | 978 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 4.03621 | 744 | UNKNOWN | English - United States | RT_ICON |
3 | 3.14459 | 296 | UNKNOWN | English - United States | RT_ICON |
4 | 5.56342 | 3752 | UNKNOWN | English - United States | RT_ICON |
5 | 5.99214 | 2216 | UNKNOWN | English - United States | RT_ICON |
6 | 3.69605 | 1384 | UNKNOWN | English - United States | RT_ICON |
7 | 5.83382 | 9640 | UNKNOWN | English - United States | RT_ICON |
8 | 6.01045 | 4264 | UNKNOWN | English - United States | RT_ICON |
9 | 4.68735 | 1128 | UNKNOWN | English - United States | RT_ICON |
63 | 3.18826 | 764 | UNKNOWN | English - United States | RT_STRING |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
956 | "C:\Users\admin\AppData\Local\Temp\02322404_3.exe" | C:\Users\admin\AppData\Local\Temp\02322404_3.exe | — | explorer.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
2156 | "C:\Users\admin\AppData\Local\Temp\fxap3c4400pcl612121nwxp6izh\cswnd\cwns\csw\CSW.exe" | C:\Users\admin\AppData\Local\Temp\fxap3c4400pcl612121nwxp6izh\cswnd\cwns\csw\CSW.exe | — | 02322404_3.exe |
User: admin; Company: Fuji Xerox Co., Ltd.; Description: Driver Installation Tool; Version: 6.14.00.6; Integrity Level: MEDIUM; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | | | | |
3668 | "C:\Users\admin\AppData\Local\Temp\fxap3c4400pcl612121nwxp6izh\cswnd\cwns\csw\CSW.exe" | C:\Users\admin\AppData\Local\Temp\fxap3c4400pcl612121nwxp6izh\cswnd\cwns\csw\CSW.exe | — | 02322404_3.exe |
User: admin; Company: Fuji Xerox Co., Ltd.; Description: Driver Installation Tool; Version: 6.14.00.6; Integrity Level: HIGH; Exit code: 0 | | | | |

The first CSW.exe instance (PID 2156) started at medium integrity and exited with 3221226540, which is the NTSTATUS code 0xC000042C, STATUS_ELEVATION_REQUIRED; the self-extractor then started the same binary again (PID 3668), this time at high integrity, and that instance completed with exit code 0. The Company, Description and Version fields are read from the file's version resource and are not a signature check; the report records no Authenticode status, so they do not by themselves establish that CSW.exe is a genuine Fuji Xerox binary.
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
956 | 02322404_3.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
956 | 02322404_3.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
3668 | CSW.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
3668 | CSW.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
3668 | CSW.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty) |
3668 | CSW.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie: |
3668 | CSW.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited: |

All recorded registry activity is confined to the per-user Internet Settings hive: the ZoneMap values (UNCAsIntranet, AutoDetect) and the Cache CachePrefix values are written when a process initializes WinINet/urlmon. They are routine initialization artifacts, not persistence or configuration changes, and carry no weight on their own when deciding whether the sample is malicious.
All files below were written by PID 956 (02322404_3.exe) into C:\Users\admin\AppData\Local\Temp\fxap3c4400pcl612121nwxp6izh\cswnd\cwns\csw\.

Filename | Type | MD5 | SHA256 |
---|---|---|---|
CSW.chm | chm | CFDB9616266BB00626DBF4AF6ACE7579 | A4112EDEEF70267DEBB485F100C012B99C207FB919239E4FE69748F619CB0877 |
CwAboutres.dll | executable | 6C9CAE277CAB4EA852AF2237C2D3EB67 | 1DFE766AF49535D1D9ACE8C27AE05FC007F2A70F4E3C81096C87E48152E43D26 |
CnOem.dll | executable | 9449891027BEA2D6A6CA27055578125C | 893837E5561C5AE7DD65BECA30707F027F48F6D4F5E0A3632DB2267E3688F033 |
CnOemres.dll | executable | 61B631A95D827F7E15A740E32E2E4A54 | 3D959F63B8E4752CA88CB3E1DBC32EF3BDA93987D12D4995D0E52547763FBD1C |
CSWres.dll | executable | 23F6965441BBF7576E033F49385464BE | 338AC2F0929D39522832B8679B727D297CFA14E546E272CC2A2E298F52B4CBA2 |
CwDl.dll | executable | 239C83AE4AF3AC7C232FD6CD51FB78E8 | 1203BDE0CD526AF8783E8D3F3F295C7BA665324573355B42CBC86771C366CF10 |
CSW.exe | executable | 8C7227F2004183418A861AC8B6462820 | 167025A88C7E5A54378476E932B03D3AEB262A65D31FB4F5C81E91BB7F206D9E |
DrvRepo.dll | executable | BA2396139292E0B24F5D9F87667997DE | 3F6E16D7E9157A75F83AC2C18C72EBA99DC413AC334C25F98312512F1F59F6B9 |
CwAboutCSW.bmp | image | 86103D1C35A3669D806B37253EE60F95 | 7B8FDB7E2ABD4A850037EA7416267107CE369D57A275599EAC60949A2ED3F652 |
Cwutil.dll | executable | C499C080F42812F7FEEB6ADC1F95BAD1 | F2CD18CB44B3299D8ECE9273FD48753B840EF86A17888BB31B8A8D734678B78E |