| Field | Value |
|---|---|
| File name | mkvvkcfw.exe |
| Full analysis | https://app.any.run/tasks/e996fffb-9049-4c6e-bf76-86211ae66d41 |
| Verdict | Malicious activity |
| Analysis date | August 12, 2022, 15:09:27 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | CDA13C6A7A6B9CA42A6142A9606C469D |
| SHA1 | EC3ECD5AD0917376034690F619018492960A1E15 |
| SHA256 | 0492C19F21FAE3E2718A78444F2811D6B3524BDECC16A8DCBFE8B0E16DF7A38E |
| SSDEEP | 196608:wB3e0E5MGzr3RhdJFk2kKVxpH8PIQJXOS/2JSNYPA:whMmGzFt22fpIZOS/A4 |

| Extension | File type identification | Match (%) |
|---|---|---|
| .exe | UPX compressed Win32 Executable | 39.3 |
| .exe | Win32 EXE Yoda's Crypter | 38.6 |
| .dll | Win32 Dynamic Link Library (generic) | 9.5 |
| .exe | Win32 Executable (generic) | 6.5 |
| .exe | Generic Win/DOS Executable | 2.9 |

| PE property | Value |
|---|---|
| Subsystem | Windows GUI |
| SubsystemVersion | 5 |
| ImageVersion | - |
| OSVersion | 5 |
| EntryPoint | 0x3e4f0 |
| UninitializedDataSize | 184320 |
| InitializedDataSize | 61440 |
| CodeSize | 73728 |
| LinkerVersion | 9 |
| PEType | PE32 |
| TimeStamp | 2013:03:23 23:26:55+01:00 |
| MachineType | Intel 386 or later, and compatibles |

| Property | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 23-Mar-2013 22:26:55 |

| MZ (DOS) header field | Value |
|---|---|
| Magic number | MZ |
| Bytes on last page of file | 0x0090 |
| Pages in file | 0x0003 |
| Relocations | 0x0000 |
| Size of header (paragraphs) | 0x0004 |
| Min extra paragraphs | 0x0000 |
| Max extra paragraphs | 0xFFFF |
| Initial SS value | 0x0000 |
| Initial SP value | 0x00B8 |
| Checksum | 0x0000 |
| Initial IP value | 0x0000 |
| Initial CS value | 0x0000 |
| Overlay number | 0x0000 |
| OEM identifier | 0x0000 |
| OEM information | 0x0000 |
| Address of NE header (e_lfanew) | 0x000000D8 |

| PE file header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| Number of sections | 3 |
| Time date stamp | 23-Mar-2013 22:26:55 |
| Pointer to Symbol Table | 0x00000000 |
| Number of symbols | 0 |
| Size of Optional Header | 0x00E0 |
| Characteristics | |

| Section name | Virtual address | Virtual size | Raw size | Characteristics | Entropy |
|---|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x0002D000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
| UPX1 | 0x0002E000 | 0x00012000 | 0x00011200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.98061 |
| .rsrc | 0x00040000 | 0x0000F000 | 0x0000F000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.5312 |

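The section table above is what the "UPX compressed" identification rests on: a UPX0 section that is executable and writable but has no bytes on disk (the unpacker fills it at runtime), a UPX1 section holding the compressed payload at entropy 7.98, and all code sections mapped read/write/execute. The script below is an added example, not the tool that produced this report: a pure-Python section-table parser and entropy calculator that applies those heuristics. Because the sample itself is not on this page, it builds a minimal constructed PE32 image with the same section names, addresses and flags; the UPX1 bytes are SHA-256 chain output standing in for compressed data and the .rsrc bytes are a low-entropy filler, so the entropy values differ from the real file's.

```python
import hashlib
import math
import struct
from collections import Counter
from dataclasses import dataclass

# IMAGE_SCN_* flag bits from the PE/COFF specification.
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names left behind by common packers (non-exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", "MPRESS1", "MPRESS2", ".themida", ".vmp0", ".vmp1"}
HIGH_ENTROPY = 7.5


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list[Section]:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawsize, flags, shannon_entropy(raw)))
    return sections


def triage(sections: list[Section]) -> list[str]:
    """Packer heuristics an analyst applies to the section table; each finding is one string."""
    findings = []
    for s in sections:
        if s.name in PACKER_SECTION_NAMES:
            findings.append(f"{s.name}: packer section name")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s.name}: writable and executable")
        if s.raw_size == 0 and s.virtual_size > 0 and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s.name}: executable section with no data on disk (0x{s.virtual_size:X} bytes filled at runtime)")
        if s.raw_size and s.entropy >= HIGH_ENTROPY:
            findings.append(f"{s.name}: entropy {s.entropy:.2f} (compressed or encrypted data)")
    return findings


def _deterministic_noise(n: int) -> bytes:
    """SHA-256 chain: reproducible bytes that are statistically close to random."""
    out, block = bytearray(), b"constructed sample"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 copying the section layout from the report; not the real file."""
    upx1_data = _deterministic_noise(0x2000)   # stands in for the compressed payload
    rsrc_data = b"\x00\x01\x02\x03" * 0x400     # low-entropy filler, unlike the real icon data
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    headers_size = 0x400
    layout = [  # (name, virtual address, virtual size, raw data, raw pointer, characteristics)
        ("UPX0", 0x1000, 0x2D000, b"", 0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx),
        ("UPX1", 0x2E000, 0x12000, upx1_data, headers_size, IMAGE_SCN_CNT_INITIALIZED_DATA | rwx),
        (".rsrc", 0x40000, 0xF000, rsrc_data, headers_size + len(upx1_data),
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)   # PE32 magic; other optional-header fields left zero
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, len(d), ptr, 0, 0, 0, 0, fl)
                     for n, va, vs, d, ptr, fl in layout)
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table).ljust(headers_size, b"\0")
    return image + b"".join(entry[3] for entry in layout)


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s.name:8} VA=0x{s.virtual_address:08X} VS=0x{s.virtual_size:08X} raw=0x{s.raw_size:08X} entropy={s.entropy:.5f}")
    for line in triage(secs):
        print("  !", line)
```

Run it against a real file with `parse_sections(open(path, "rb").read())`; the same four checks fire on the UPX0/UPX1 layout of this sample, and the empty-on-disk UPX0 section is the address range to watch for the unpacked payload when dumping from memory.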
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 6.15653 | 3752 | UNKNOWN | UNKNOWN | RT_ICON |
2 | 6.44895 | 2216 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 5.77742 | 1384 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 7.95095 | 38188 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 6.0521 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 6.15081 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 6.39466 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
101 | 2.71858 | 104 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |

| Imported DLL |
|---|
| KERNEL32.DLL |
| USER32.dll |
| WS2_32.dll |

| PID | Command line | Path | Indicators | Parent process | User | Integrity level | Exit code |
|---|---|---|---|---|---|---|---|
| 3256 | "C:\Users\admin\AppData\Local\Temp\mkvvkcfw.exe" | C:\Users\admin\AppData\Local\Temp\mkvvkcfw.exe | | Explorer.EXE | admin | MEDIUM | 0 |
| 3508 | "C:\Users\admin\AppData\Local\Temp\mkvvkcfw.exe" | C:\Users\admin\AppData\Local\Temp\mkvvkcfw.exe | | mkvvkcfw.exe | admin | MEDIUM | 0 |
| 2268 | C:\Users\admin\AppData\Roaming\pwo6\svchost.exe | C:\Users\admin\AppData\Roaming\pwo6\svchost.exe | | mkvvkcfw.exe | admin | MEDIUM | 0 |
| 3244 | C:\Users\admin\AppData\Roaming\pwo6\svchost.exe | C:\Users\admin\AppData\Roaming\pwo6\svchost.exe | — | svchost.exe | admin | MEDIUM | |
| 2780 | C:\Users\admin\AppData\Local\Temp\_MEI22682\bin\winlogon.exe -SOCKSPort 33156 -ControlPort 33157 -DataDirectory C:\Users\admin\AppData\Roaming\pwo6 | C:\Users\admin\AppData\Local\Temp\_MEI22682\bin\winlogon.exe | | svchost.exe | admin | MEDIUM | |

| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 3508 | mkvvkcfw.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | pwo6 | C:\Users\admin\AppData\Roaming\pwo6\svchost.exe |

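The process tree and the Run-key write above show a pattern worth detecting generically rather than by hash: a PyInstaller one-file bootloader unpacking into %TEMP%\_MEI<pid>\ (the .pyd drops and the _MEI32562 / _MEI22682 directories are its signature), copies named after Windows system binaries (svchost.exe, winlogon.exe) executing from the user's profile, a process started with Tor's -SOCKSPort / -ControlPort / -DataDirectory options (consistent with the ET TOR alerts below), and an HKCU Run value pointing at the AppData copy. The script below is an added example and not ANY.RUN's own detection logic: four rules of that shape run over process-creation and registry events transcribed from this report, plus two constructed benign events to show the rules staying quiet. The full path given for the Explorer.EXE parent and the two benign events are assumptions; the report lists only the parent's name.

```python
import ntpath
import re
from dataclasses import dataclass

# Windows binaries that legitimately run only from the system directories.
SYSTEM_BINARY_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# PyInstaller one-file bootloaders unpack into %TEMP%\_MEI<pid>\ and run the payload from there.
MEI_DIR = re.compile(r"\\_mei\d+\\", re.IGNORECASE)
# Tor accepts torrc options on the command line with one or two dashes, case-insensitively.
TOR_OPTIONS = {"socksport", "controlport", "datadirectory"}
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


@dataclass(frozen=True)
class RegistryEvent:
    pid: int
    key: str
    operation: str
    name: str
    value: str


def check_process(ev: ProcessEvent) -> list[str]:
    """Suspicious traits of one process-creation event (empty list means nothing found)."""
    hits = []
    image = ev.image.lower()
    name = ntpath.basename(image)
    parent = ntpath.basename(ev.parent_image.lower())
    if name in SYSTEM_BINARY_NAMES and not image.startswith(SYSTEM_DIRS):
        hits.append(f"{name} running outside the system directories: {ev.image}")
    if name == "svchost.exe" and parent != "services.exe":
        hits.append(f"svchost.exe spawned by {parent} instead of services.exe")
    if MEI_DIR.search(ev.image) or MEI_DIR.search(ev.cmdline):
        hits.append("PyInstaller _MEI extraction directory in image path or command line")
    # "-SOCKSPort" and "--SocksPort" both normalise to "socksport" before matching.
    options = {tok.lstrip("-").lower() for tok in ev.cmdline.split() if tok.startswith("-")}
    tor_opts = sorted(options & TOR_OPTIONS)
    if tor_opts and name != "tor.exe":
        hits.append(f"Tor client options {tor_opts} in a process not named tor.exe")
    return hits


def check_registry(ev: RegistryEvent) -> list[str]:
    """Flag Run-key autostarts whose target lives in a directory the user can write to."""
    if ev.operation != "write" or not ev.key.lower().endswith(RUN_KEY_SUFFIX):
        return []
    value = ev.value.lower()
    if any(marker in value for marker in USER_WRITABLE_MARKERS):
        return [f"Run-key value '{ev.name}' points into a user-writable path: {ev.value}"]
    return []


def scan(process_events, registry_events) -> dict[int, list[str]]:
    """All hits keyed by PID; PIDs without hits are omitted."""
    findings: dict[int, list[str]] = {}
    for ev in process_events:
        for hit in check_process(ev):
            findings.setdefault(ev.pid, []).append(hit)
    for ev in registry_events:
        for hit in check_registry(ev):
            findings.setdefault(ev.pid, []).append(hit)
    return findings


# Constructed sample events: the first three transcribed from the report's process tree
# (Explorer.EXE path assumed), the last one a benign service host for contrast.
SAMPLE_PROCESSES = [
    ProcessEvent(3256, r"C:\Users\admin\AppData\Local\Temp\mkvvkcfw.exe",
                 r'"C:\Users\admin\AppData\Local\Temp\mkvvkcfw.exe"', r"C:\Windows\Explorer.EXE"),
    ProcessEvent(2268, r"C:\Users\admin\AppData\Roaming\pwo6\svchost.exe",
                 r"C:\Users\admin\AppData\Roaming\pwo6\svchost.exe",
                 r"C:\Users\admin\AppData\Local\Temp\mkvvkcfw.exe"),
    ProcessEvent(2780, r"C:\Users\admin\AppData\Local\Temp\_MEI22682\bin\winlogon.exe",
                 r"C:\Users\admin\AppData\Local\Temp\_MEI22682\bin\winlogon.exe -SOCKSPort 33156 "
                 r"-ControlPort 33157 -DataDirectory C:\Users\admin\AppData\Roaming\pwo6",
                 r"C:\Users\admin\AppData\Roaming\pwo6\svchost.exe"),
    ProcessEvent(900, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
]
# The report's Run-key write, plus a constructed benign autostart under Program Files.
SAMPLE_REGISTRY = [
    RegistryEvent(3508, r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
                  "write", "pwo6", r"C:\Users\admin\AppData\Roaming\pwo6\svchost.exe"),
    RegistryEvent(1200, r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
                  "write", "Updater", r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    for pid, hits in sorted(scan(SAMPLE_PROCESSES, SAMPLE_REGISTRY).items()):
        print(pid)
        for hit in hits:
            print("   ", hit)
```

The rules key on behaviour the sample cannot easily change without losing functionality (a Tor client needs its ports and data directory; a PyInstaller bundle needs its _MEI directory), which is why they outlive the hashes listed on this page. Feed them Sysmon event ID 1 and 13 records, or any EDR process and registry telemetry, by mapping the fields onto the two event classes.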
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3256 | mkvvkcfw.exe | C:\Users\admin\AppData\Local\Temp\_MEI32562\win32pipe.pyd | executable | B492E1AAA4877AFC14BD50B8BFEB7CBA | 0D37C9AD5E3EE9A6031AE755AFD4B71A24D08292F5B3121B3DD7C418DEA8A744 |
| 3256 | mkvvkcfw.exe | C:\Users\admin\AppData\Local\Temp\_MEI32562\unicodedata.pyd | executable | A059F0D4F10C583126829E741B612818 | 2015EC241E526089ACCD5F1C2EEE4CB5D0DE996E6DDED71FDEBB2EEC03289ED8 |
| 3256 | mkvvkcfw.exe | C:\Users\admin\AppData\Local\Temp\_MEI32562\win32com.shell.shell.pyd | executable | 311AF8755345D435A435FA96A55F2145 | 7CFDCC1FEA438E0B06864369605D0291EA12E6598306F80D27CCB23E122E9E49 |
| 3256 | mkvvkcfw.exe | C:\Users\admin\AppData\Local\Temp\_MEI32562\_ctypes.pyd | executable | DDF742C6C8F900158564A4CDD2E1ED5E | AE4ABCF0A4C8B79018F4B6D545809E8CDEAA454375151B13ED5236CA27682B01 |
| 3256 | mkvvkcfw.exe | C:\Users\admin\AppData\Local\Temp\_MEI32562\win32file.pyd | executable | 233E204CDD364C4B2A4FBBB3B310ABF0 | A8501FEC10D3ADA36D01AAC09185A8312DCA7D19D09BBEA598486EDC316D6898 |
| 3256 | mkvvkcfw.exe | C:\Users\admin\AppData\Local\Temp\_MEI32562\_ssl.pyd | executable | B5C856714DEB16A1CE8F41ED71E00E58 | 079DD93C4ABC33295EA8B2CFD4D52D32E9DD61F1D0596DD3B6B5544A0169E2D9 |
| 3256 | mkvvkcfw.exe | C:\Users\admin\AppData\Local\Temp\_MEI32562\bz2.pyd | executable | AEAAF6487BAE3A828225506D80665C4B | A5361FB1583B00123B237921E885C53DE284C140FB9D234ED95D6492AEDEC1CF |
| 3256 | mkvvkcfw.exe | C:\Users\admin\AppData\Local\Temp\_MEI32562\win32gui.pyd | executable | 21D919030A29F626219B3DA21D75BD30 | 7A79A5C601D280177AB7F4A9F5BB20D5199AAFCC4EA9ACBC549BCC1A89EB04A8 |
| 3256 | mkvvkcfw.exe | C:\Users\admin\AppData\Local\Temp\_MEI32562\_hashlib.pyd | executable | 21917B2F3BB8366103F60675DB9CDA3F | 27ACC2BAF1B3D5B7F7ED360AD4334E43CB86A3E3DE5A9E5DF1960BB26120B02D |
| 3256 | mkvvkcfw.exe | C:\Users\admin\AppData\Local\Temp\_MEI32562\_multiprocessing.pyd | executable | F878C3EA3E3F61091EA5889428EB56ED | C9B85AB25FE2A60F058FF875C0BB03F885C3988D480621449FBE0755A015156D |

| PID | Process | IP:port | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2780 | winlogon.exe | 171.25.193.9:80 | — | Foreningen for digitala fri- och rattigheter | SE | malicious |
2780 | winlogon.exe | 208.83.223.34:80 | — | Applied Operations, LLC | US | malicious |

| PID | Process | Class | Message |
|---|---|---|---|
2780 | winlogon.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 248 |
2780 | winlogon.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic |