File name: | wordupd.tmp |
Full analysis: | https://app.any.run/tasks/14191267-0448-40b8-985c-ea35c3223ff4 |
Verdict: | Malicious activity |
Threats: | Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data. |
Analysis date: | December 06, 2019, 15:47:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 21A563F958B73D453AD91E251B11855C |
SHA1: | 64ED4F6B315448D518ED003A1D0C7E56790EF50D |
SHA256: | 067F1B8F1E0B2BFE286F5169E17834E8CF7F4266B8D97F28EA78995DC81B0E7B |
SSDEEP: | 12288:VIeWyYCERmabd3LPwPqnk7HLhccQ5VSdQpRSZN9dSz6:VIeHERmabdbPwP4k71cXrEEwH9dSz6 |
.exe | | | Win64 Executable (generic) (61.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.6) |
.exe | | | Win32 Executable (generic) (10) |
.exe | | | Win16/32 Executable Delphi generic (4.6) |
.exe | | | Generic Win/DOS Executable (4.4) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:10:29 07:34:19+01:00 |
PEType: | PE32 |
LinkerVersion: | 6.6 |
CodeSize: | 653824 |
InitializedDataSize: | 98816 |
UninitializedDataSize: | 2560 |
EntryPoint: | 0xc005 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 29-Oct-2019 06:34:19 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 29-Oct-2019 06:34:19 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0009EF2E | 0x0009F000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.73397 |
.data | 0x000A0000 | 0x0000092E | 0x00000A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.838068 |
.rsrc | 0x000A1000 | 0x00018079 | 0x00018200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.16107 |
0x000BA000 | 0x00000034 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.19421 | 95440 | Latin 1 / Western European | Process Default Language | RT_ICON |
2 | 4.79597 | 346 | Latin 1 / Western European | English - United States | RT_MANIFEST |
comctl32.dll |
kernel32.dll |
winspool.drv |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2692 | "C:\Users\admin\AppData\Local\Temp\wordupd.tmp.exe" | C:\Users\admin\AppData\Local\Temp\wordupd.tmp.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM | ||||
1916 | "C:\dcxb\..\Windows\tq\..\system32\ymrho\ttbls\..\..\wbem\jyy\k\neu\..\..\..\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | wordupd.tmp.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2096 | "C:\t\ak\ph\..\..\..\Windows\bu\yvlbv\m\..\..\..\system32\vvkk\tip\n\..\..\..\wbem\yco\w\ps\..\..\..\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | wordupd.tmp.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2364 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1888 | "C:\Program Files\Microsoft Office\Office14\CLVIEW.EXE" "WINWORD" "Microsoft Word" | C:\Program Files\Microsoft Office\Office14\CLVIEW.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Help Viewer Exit code: 0 Version: 14.0.6015.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2692 | wordupd.tmp.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | |
MD5:— | SHA256:— | |||
2692 | wordupd.tmp.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData | — | |
MD5:— | SHA256:— | |||
2692 | wordupd.tmp.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings | — | |
MD5:— | SHA256:— | |||
2692 | wordupd.tmp.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata | — | |
MD5:— | SHA256:— | |||
2692 | wordupd.tmp.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\DECRYPT-FILES.txt | text | |
MD5:14BF754BFE9124FAA66CA66B0CB849E7 | SHA256:79FEC51365BFDC773102CAB8871A5A77AFDC0FA11078D2B5D1FA425800C59879 | |||
2692 | wordupd.tmp.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.vbTz | binary | |
MD5:748AA3D7E4C8019979850A9EC731C726 | SHA256:DE414387451B5FE17C4B862E0AC6230F66D4F7D2B6312E1B13BED6539FD0C55C | |||
2692 | wordupd.tmp.exe | C:\Users\admin\AppData\Roaming\Adobe\DECRYPT-FILES.txt | text | |
MD5:14BF754BFE9124FAA66CA66B0CB849E7 | SHA256:79FEC51365BFDC773102CAB8871A5A77AFDC0FA11078D2B5D1FA425800C59879 | |||
2692 | wordupd.tmp.exe | C:\Users\admin\.oracle_jre_usage\DECRYPT-FILES.txt | text | |
MD5:14BF754BFE9124FAA66CA66B0CB849E7 | SHA256:79FEC51365BFDC773102CAB8871A5A77AFDC0FA11078D2B5D1FA425800C59879 | |||
2692 | wordupd.tmp.exe | C:\Users\admin\AppData\DECRYPT-FILES.txt | text | |
MD5:14BF754BFE9124FAA66CA66B0CB849E7 | SHA256:79FEC51365BFDC773102CAB8871A5A77AFDC0FA11078D2B5D1FA425800C59879 | |||
2692 | wordupd.tmp.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Forms\DECRYPT-FILES.txt | text | |
MD5:14BF754BFE9124FAA66CA66B0CB849E7 | SHA256:79FEC51365BFDC773102CAB8871A5A77AFDC0FA11078D2B5D1FA425800C59879 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2692 | wordupd.tmp.exe | POST | — | 91.218.114.77:80 | http://91.218.114.77/qlygpy.aspx | RU | — | — | malicious |
2692 | wordupd.tmp.exe | POST | — | 91.218.114.4:80 | http://91.218.114.4/jeebremke.phtml?mby=03r&veo=45o7lv&bg=5 | RU | — | — | malicious |
2692 | wordupd.tmp.exe | POST | — | 91.218.114.37:80 | http://91.218.114.37/post/r.asp?afco=wt1 | RU | — | — | malicious |
2692 | wordupd.tmp.exe | POST | — | 91.218.114.32:80 | http://91.218.114.32/vcaji.action?whgr=f330e3oq5&nw=c5pul537&dbv=7457u0a&mev=0 | RU | — | — | malicious |
2692 | wordupd.tmp.exe | POST | — | 91.218.114.38:80 | http://91.218.114.38/post/r.asp?afco=wt1 | RU | — | — | malicious |
2692 | wordupd.tmp.exe | POST | — | 91.218.114.26:80 | http://91.218.114.26/e.aspx | RU | — | — | malicious |
2692 | wordupd.tmp.exe | POST | — | 91.218.114.31:80 | http://91.218.114.31/vcaji.action?whgr=f330e3oq5&nw=c5pul537&dbv=7457u0a&mev=0 | RU | — | — | malicious |
2692 | wordupd.tmp.exe | POST | — | 91.218.114.11:80 | http://91.218.114.11/u.do | RU | — | — | malicious |
2692 | wordupd.tmp.exe | POST | — | 91.218.114.4:80 | http://91.218.114.4/u.do | RU | — | — | malicious |
2692 | wordupd.tmp.exe | POST | — | 91.218.114.11:80 | http://91.218.114.11/update/tbti.shtml?b=c0s02sa1ny | RU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2692 | wordupd.tmp.exe | 91.218.114.26:80 | — | Mir Telematiki Ltd | RU | malicious |
2692 | wordupd.tmp.exe | 91.218.114.32:80 | — | Mir Telematiki Ltd | RU | malicious |
2692 | wordupd.tmp.exe | 91.218.114.11:80 | — | Mir Telematiki Ltd | RU | malicious |
2692 | wordupd.tmp.exe | 91.218.114.25:80 | — | Mir Telematiki Ltd | RU | malicious |
2692 | wordupd.tmp.exe | 91.218.114.38:80 | — | Mir Telematiki Ltd | RU | malicious |
2692 | wordupd.tmp.exe | 91.218.114.4:80 | — | Mir Telematiki Ltd | RU | malicious |
2692 | wordupd.tmp.exe | 91.218.114.37:80 | — | Mir Telematiki Ltd | RU | malicious |
2692 | wordupd.tmp.exe | 91.218.114.31:80 | — | Mir Telematiki Ltd | RU | malicious |
2692 | wordupd.tmp.exe | 91.218.114.77:80 | — | Mir Telematiki Ltd | RU | malicious |
2692 | wordupd.tmp.exe | 91.218.114.79:80 | — | Mir Telematiki Ltd | RU | malicious |
PID | Process | Class | Message |
---|---|---|---|
2692 | wordupd.tmp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
2692 | wordupd.tmp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
2692 | wordupd.tmp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
2692 | wordupd.tmp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
2692 | wordupd.tmp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
2692 | wordupd.tmp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
2692 | wordupd.tmp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
2692 | wordupd.tmp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
2692 | wordupd.tmp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
2692 | wordupd.tmp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |