File name: | Док-ы 20.11.exe |
Full analysis: | https://app.any.run/tasks/a68d979f-719e-47f1-8919-2a25cf4efeeb |
Verdict: | Malicious activity |
Analysis date: | May 15, 2019, 03:10:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | C1C4643585A5E5350410D433A7F16067 |
SHA1: | D28B9686AF0F5009979B3C7FC09907F6C5C7B7FA |
SHA256: | 044981125ED4B8AA8816AC0FD3CC231A6C16E90EA84A45D9A9B92CD3B3E89243 |
SSDEEP: | 6144:M/3pavuug5tNohqbA7o0W0WjcyV5E6cYs1HZkxN48LdLtwZ:apa9gShDxRccocP5kx6 |
.dll | | | Win32 Dynamic Link Library (generic) (43.5) |
---|---|---|
.exe | | | Win32 Executable (generic) (29.8) |
.exe | | | Generic Win/DOS Executable (13.2) |
.exe | | | DOS Executable Generic (13.2) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x6578 |
UninitializedDataSize: | - |
InitializedDataSize: | 107520 |
CodeSize: | 244736 |
LinkerVersion: | 10 |
PEType: | PE32 |
TimeStamp: | 2015:04:02 03:25:29+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 02-Apr-2015 01:25:29 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000C0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 02-Apr-2015 01:25:29 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0003BB7A | 0x0003BC00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.74554 |
.rdata | 0x0003D000 | 0x00000B76 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.81606 |
.data | 0x0003E000 | 0x000024EC | 0x00002600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.78768 |
.rsrc | 0x00041000 | 0x000171B8 | 0x00017200 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.24187 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.04657 | 38 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
2 | 7.95249 | 26442 | UNKNOWN | UNKNOWN | RT_ICON |
kernel32.dll |
modemui.dll |
user32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3408 | "C:\Users\admin\AppData\Local\Temp\Док-ы 20.11.exe" | C:\Users\admin\AppData\Local\Temp\Док-ы 20.11.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3440 | rundll32.exe "C:\ProgramData\noggdfen\kfglhhjm.pli",DllGetClassObject host | C:\Windows\system32\rundll32.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2044 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3440 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\40E4.tmp | — | |
MD5:— | SHA256:— | |||
3440 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\imdaegdclnfbaakg | — | |
MD5:— | SHA256:— | |||
3440 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\Док-ы 20.11.exe | — | |
MD5:— | SHA256:— | |||
3440 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\ilcnpdmgffjakokl | — | |
MD5:— | SHA256:— | |||
3440 | rundll32.exe | C:\ProgramData\noggdfen\11348a5509a5 | — | |
MD5:— | SHA256:— | |||
3440 | rundll32.exe | \Device\HarddiskVolume2\ProgramData\noggdfen\onnacjpngjjoalmf | — | |
MD5:— | SHA256:— | |||
3408 | Док-ы 20.11.exe | C:\ProgramData\noggdfen\11348a5509a5 | binary | |
MD5:BAECC180B615CF27361490DE79B9608B | SHA256:6BADDB37BB15990F5D1E84BBF679A955C56368DD6B2D2D1B45C60E3034782940 | |||
3408 | Док-ы 20.11.exe | C:\Users\admin\AppData\Local\Temp\40E4.tmp | executable | |
MD5:B7FE3CAC1364B8B7617E13045493EF20 | SHA256:99001B300EF7C792061EAB6A2E6BFE63C623EA53C74AC92522D4A4D86BF07205 | |||
3408 | Док-ы 20.11.exe | C:\ProgramData\noggdfen\kfglhhjm.pli | executable | |
MD5:B7FE3CAC1364B8B7617E13045493EF20 | SHA256:99001B300EF7C792061EAB6A2E6BFE63C623EA53C74AC92522D4A4D86BF07205 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3440 | rundll32.exe | POST | — | 195.123.245.184:80 | http://195.123.245.184/index.php | UA | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3440 | rundll32.exe | 188.165.200.156:53 | — | OVH SAS | FR | malicious |
3440 | rundll32.exe | 195.123.245.184:80 | — | — | UA | malicious |
3440 | rundll32.exe | 212.73.150.183:53 | — | BelCloud Hosting Corporation | BG | suspicious |
3440 | rundll32.exe | 109.69.8.34:53 | — | Fundacio Privada per a la Xarxa Lliure, Oberta i Neutral, guifi.net | ES | malicious |
3440 | rundll32.exe | 104.24.106.23:443 | namecha.in | Cloudflare Inc | US | shared |
3440 | rundll32.exe | 185.190.82.182:53 | — | — | AT | malicious |
— | — | 185.190.82.182:53 | — | — | AT | malicious |
Domain | IP | Reputation |
---|---|---|
namecha.in |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3440 | rundll32.exe | Potentially Bad Traffic | ET CURRENT_EVENTS DNS Query Domain .bit |
3440 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 286 |