File name: | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873 |
Full analysis: | https://app.any.run/tasks/65497349-f00d-465f-a784-cda33f5255c6 |
Verdict: | Malicious activity |
Analysis date: | October 20, 2020, 13:01:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 9877D7C9A60BE9B7236A3D3C1EDCF2C4 |
SHA1: | A4892C20FEC0847F56884132D1897238D27FBAD6 |
SHA256: | 0303FE5F2918748E5CD97AB879EB3ADBA44218448678D4E1D1AA74FFC3F93873 |
SSDEEP: | 768:36QBhc7416N8lBR2z24jRL7lxnOTTBTXUgKI5tNmnpvJrozvamg49ART+Z+8cH1i:qQBFO8lLr0R3cBhKXO99AJ+Z+3a |
.exe | | | Win32 Executable Microsoft Visual Basic 6 (90.6) |
---|---|---|
.exe | | | Win32 Executable (generic) (4.9) |
.exe | | | Generic Win/DOS Executable (2.2) |
.exe | | | DOS Executable Generic (2.2) |
OriginalFileName: | azusabil.exe |
---|---|
InternalName: | azusabil |
ProductVersion: | 2.01 |
FileVersion: | 2.01 |
ProductName: | Planorbi |
LegalTrademarks: | Yibbon Curbina |
LegalCopyright: | Yibbon Curbina |
CharacterSet: | Unicode |
LanguageCode: | Spanish (Castilian) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 2.1.0.0 |
FileVersionNumber: | 2.1.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 2.1 |
OSVersion: | 4 |
EntryPoint: | 0x1618 |
UninitializedDataSize: | - |
InitializedDataSize: | 12288 |
CodeSize: | 77824 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2011:10:30 17:36:15+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 30-Oct-2011 16:36:15 |
Detected languages: |
|
LegalCopyright: | Yibbon Curbina |
LegalTrademarks: | Yibbon Curbina |
ProductName: | Planorbi |
FileVersion: | 2.01 |
ProductVersion: | 2.01 |
InternalName: | azusabil |
OriginalFilename: | azusabil.exe |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000B8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 30-Oct-2011 16:36:15 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00012F40 | 0x00013000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.77736 |
.data | 0x00014000 | 0x00000A74 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00015000 | 0x000018C8 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.57686 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.22309 | 624 | Unicode (UTF 16LE) | Spanish - Spain (Traditional sort) | RT_VERSION |
30001 | 3.87302 | 2216 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
30002 | 4.61208 | 1736 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
30003 | 4.50173 | 1384 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
MSVBVM60.DLL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1856 | "C:\Users\admin\Desktop\0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe" | C:\Users\admin\Desktop\0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 2.01 | ||||
916 | "C:\Users\admin\Desktop\0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe" | C:\Users\admin\Desktop\0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | |
User: admin Integrity Level: MEDIUM Version: 2.01 |
(PID) Process: | (916) 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (916) 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 46000000A5000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
(PID) Process: | (916) 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (916) 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (916) 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (916) 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (916) 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (916) 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (916) 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 |
Operation: | write | Name: | Blob |
Value: 040000000100000010000000ACB694A59C17E0D791529BB19706A6E40F0000000100000014000000CE0E658AA3E847E467A147B3049191093D055E6F030000000100000014000000D4DE20D05E66FC53FE1A50882C78DB2852CAE4741D0000000100000010000000918AD43A9475F78BB5243DE886D8103C140000000100000014000000E59D5930824758CCACFA085436867B3AB5044DF062000000010000002000000016AF57A9F676B0AB126095AA5EBADEF22AB31119D644AC95CD4B93DBF3F26AEB0B0000000100000030000000440069006700690043006500720074002000420061006C00740069006D006F0072006500200052006F006F007400000009000000010000003E000000303C06082B0601050507030106082B0601050507030406082B0601050507030206082B0601050507030306082B0601050507030906082B0601050507030853000000010000006200000030603020060A2B06010401B13E01640130123010060A2B0601040182373C0101030200C0301F06096086480186FD6C020130123010060A2B0601040182373C0101030200C0301B060567810C010130123010060A2B0601040182373C0101030200C019000000010000001000000068CB42B035EA773E52EF50ECF50EC52920000000010000007B030000308203773082025FA0030201020204020000B9300D06092A864886F70D0101050500305A310B300906035504061302494531123010060355040A130942616C74696D6F726531133011060355040B130A43796265725472757374312230200603550403131942616C74696D6F7265204379626572547275737420526F6F74301E170D3030303531323138343630305A170D3235303531323233353930305A305A310B300906035504061302494531123010060355040A130942616C74696D6F726531133011060355040B130A43796265725472757374312230200603550403131942616C74696D6F7265204379626572547275737420526F6F7430820122300D06092A864886F70D01010105000382010F003082010A0282010100A304BB22AB983D57E826729AB579D429E2E1E89580B1B0E35B8E2B299A64DFA15DEDB009056DDB282ECE62A262FEB488DA12EB38EB219DC0412B01527B8877D31C8FC7BAB988B56A09E773E81140A7D1CCCA628D2DE58F0BA650D2A850C328EAF5AB25878A9A961CA967B83F0CD5F7F952132FC21BD57070F08FC012CA06CB9AE1D9CA337A77D6F8ECB9F16844424813D2C0C2A4AE5E60FEB6A605FCB4DD075902D459189863F5A563E0900C7D5DB2067AF385EAEBD403AE5E843E5FFF15ED69BCF939367275CF77524DF3C9902CB93DE5C923533F1F2498215C079929BDC63AECE76E863A6B97746333BD681831F0788D76BFFC9E8E5D2A86A74D90DC271A390203010001A3453043301D0603551D0E04160414E59D5930824758CCACFA085436867B3AB5044DF030120603551D130101FF040830060101FF020103300E0603551D0F0101FF040403020106300D06092A864886F70D01010505000382010100850C5D8EE46F51684205A0DDBB4F27258403BDF764FD2DD730E3A41017EBDA2929B6793F76F6191323B8100AF958A4D46170BD04616A128A17D50ABDC5BC307CD6E90C258D86404FECCCA37E38C637114FEDDD68318E4CD2B30174EEBE755E07481A7F70FF165C84C07985B805FD7FBE6511A30FC002B4F852373904D5A9317A18BFA02AF41299F7A34582E33C5EF59D9EB5C89E7C2EC8A49E4E08144B6DFD706D6B1A63BD64E61FB7CEF0F29F2EBB1BB7F250887392C2E2E3168D9A3202AB8E18DDE91011EE7E35AB90AF3E30947AD0333DA7650FF5FC8E9E62CF47442C015DBB1DB532D247D2382ED0FE81DC326A1EB5EE3CD5FCE7811D19C32442EA6339A9 | |||
(PID) Process: | (916) 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 |
Operation: | delete key | Name: | (default) |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | C:\Users\admin\AppData\Local\Temp\Cab893A.tmp | — | |
MD5:— | SHA256:— | |||
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | C:\Users\admin\AppData\Local\Temp\Tar893B.tmp | — | |
MD5:— | SHA256:— | |||
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\OGGG1P19.txt | text | |
MD5:CB1181200AAE63BBAF5FEF6F5E1934D4 | SHA256:4531850A06F234EED8F6A68DDC5D964838BA3C9EAC6FA9360485BA3FE1BB51E6 | |||
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\CK8HYCWX.txt | text | |
MD5:604A116AFAFD5606E8D4E418B85C1FB3 | SHA256:9E9928F811E06AAA11B487C0F8900DFF9B9605DB62082DA7531AC5499F916C0E | |||
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\EO1HW1HY.txt | text | |
MD5:46B083C082A6C48459B41A385B58F848 | SHA256:A65DF9CF93B6CCEC6C76EFCE01AFAC86D03BCC99E727705011711897B7AF3BB5 | |||
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\X9PZ8KH3.txt | text | |
MD5:89F2D60BA6935350035D2784D6793EC2 | SHA256:A37800CBD2C359C21B06075371C28F6E86431BB79135FD6375FEA8A881B556D7 | |||
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\SLJNESFM.txt | text | |
MD5:5B16C89D24816E8545E96DBE096213C2 | SHA256:D707D3F4D6D8950771F698458056EC2CB267A1888F11C4F2F88D9521318918C2 | |||
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | der | |
MD5:4E7F4C294173F3C51068595747364F79 | SHA256:65D2585B57AC757DB0E8ADB7F83AF4F8EEAB04650928A66705F741F7BDC955D9 | |||
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | |
MD5:F0FCE94EF1B7CD7C125A90675CF3AC3E | SHA256:99E7082F14D317636A61EA35A02A0EC80243D3555EB99EBE4BD11C75BF062F65 | |||
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\3ORWAS26.txt | text | |
MD5:82DCC5C4F8540AE175F78FF803F1E4F0 | SHA256:BF09FF5F4B64684002DFA1AABD54BCFAA794FDE779CB8999D0B8D3EBD7E935C6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | 40.90.137.125:443 | login.live.com | Microsoft Corporation | US | unknown |
916 | 0303fe5f2918748e5cd97ab879eb3adba44218448678d4e1d1aa74ffc3f93873.exe | 40.90.23.154:443 | login.live.com | Microsoft Corporation | US | unknown |
Domain | IP | Reputation |
---|---|---|
onedrive.live.com |
| shared |
ocsp.digicert.com |
| whitelisted |
login.live.com |
| whitelisted |