File name: | config_20180706.exe |
Full analysis: | https://app.any.run/tasks/80109919-f430-4dd2-956e-c9db9d893923 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 10:02:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (console) Intel 80386, for MS Windows |
MD5: | 00CBA2112C9EB46E844D8EAC43FA3B5A |
SHA1: | FBEA05E845B072CC4A714D8344976F58A59BF037 |
SHA256: | 077904AAFD3F9D33AF98ABB2125289B4E4B9711C52841E7B8A507CA8156E4DA6 |
SSDEEP: | 1536:MVIn7vLAsry2eslLS8Ti1nQyd9O3jKVfO1HoHoSSq+0Elh6:MU/9+vstGGGFO9SzEi |
.exe | | | Win32 Executable PureBasic (generic) (58) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (17.2) |
.exe | | | Win64 Executable (generic) (15.2) |
.dll | | | Win32 Dynamic Link Library (generic) (3.6) |
.exe | | | Win32 Executable (generic) (2.4) |
Subsystem: | Windows command line |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x1000 |
UninitializedDataSize: | - |
InitializedDataSize: | 23552 |
CodeSize: | 61440 |
LinkerVersion: | 2.5 |
PEType: | PE32 |
TimeStamp: | 2017:01:18 11:10:31+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date: | 18-Jan-2017 10:10:31 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 18-Jan-2017 10:10:31 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.code | 0x00001000 | 0x000035B7 | 0x00003600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.26514 |
.text | 0x00005000 | 0x0000B8BB | 0x0000BA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.57376 |
.rdata | 0x00011000 | 0x0000098E | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.61645 |
.data | 0x00012000 | 0x00001C58 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.51551 |
.rsrc | 0x00014000 | 0x00003B64 | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.74554 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.08821 | 672 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
18E747D2FAC6E4DDDF94C2F42BA6D6F3 | 7.9775 | 8444 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
31E81A43F23E3702349C634706F5C27B | 5.32307 | 44 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
40C70B0595CC3EAAD8DE9429D807ED50 | 7.24058 | 5316 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
6ABBCDA4AE3D0AF1CDD41FD12CB16D57 | 5.16993 | 36 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
7A811C37905472EE8758C73DE1F5D192 | 0.918296 | 6 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
COMCTL32.DLL |
GDI32.DLL |
KERNEL32.dll |
MSVCRT.dll |
OLE32.DLL |
SHELL32.DLL |
SHLWAPI.DLL |
USER32.DLL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1816 | "C:\Users\admin\Desktop\config_20180706.exe" | C:\Users\admin\Desktop\config_20180706.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | ||||
3688 | "C:\Users\admin\Desktop\config_20180706.exe" | C:\Users\admin\Desktop\config_20180706.exe | explorer.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2504 | "C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\41DE.tmp\41EF.bat C:\Users\admin\Desktop\config_20180706.exe" | C:\Windows\system32\cmd.exe | — | config_20180706.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2948 | taskkill /f /im "iexplore.exe" | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4028 | taskkill /f /im "jp2luncher.exe" | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3292 | xcopy /y trusted.certs "C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\security" | C:\Windows\system32\xcopy.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Extended Copy Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
724 | xcopy /y priv.ser "C:\Users\admin\AppData\Roaming\..\locallow\.wt" | C:\Windows\system32\xcopy.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Extended Copy Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2344 | xcopy /y priv.ser "C:\Users\admin\AppData\Roaming\..\.wt" | C:\Windows\system32\xcopy.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Extended Copy Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3380 | setx /m JAVA_TOOL_OPTIONS -Djava.vendor="'Sun Microsystems Inc.'" | C:\Windows\system32\setx.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Setx - Sets environment variables Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
908 | setx /m JAVA_HOME "C:\Program Files\java\jre6" | C:\Windows\system32\setx.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Setx - Sets environment variables Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | — | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment |
Operation: | write | Name: | JAVA_TOOL_OPTIONS |
Value: -Djava.vendor='Sun Microsystems Inc.' | |||
(PID) Process: | — | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment |
Operation: | write | Name: | JAVA_HOME |
Value: C:\Program Files\java\jre6 | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy |
Operation: | write | Name: | EnableAutoUpdateCheck |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000CC700B22821A48429B4B3FF2B5ABB4EC0000000002000000000003660000C000000010000000D7F5D95A87E042F5C72CCAD82FC304EA0000000004800000A0000000100000007DA00FEDF908B9DE9489A7731C1A842B08000000A8FEE4BD7990A5CC14000000CC6BA7DFDFCA71FC5C1FBBB09D1D65DB40FE04EA | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData |
Operation: | write | Name: | UserFilter |
Value: 411F00005308ADBA020000006200000001000000020000000C000000EBB23155DF1FD301010000000C006300750063006B006F006F002E0063006F002E006B0072000C00000021BDA49A5E20D301010000000D006300750063006B006F006F002E0064006F006D00610069006E00 | |||
(PID) Process: | (1336) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 |
Operation: | write | Name: | 1809 |
Value: 3 | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | PopupsUseNewWindow |
Value: 0 | |||
(PID) Process: | (960) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 |
Operation: | write | Name: | 2301 |
Value: 0 | |||
(PID) Process: | (2652) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 |
Operation: | write | Name: | 2101 |
Value: 0 | |||
(PID) Process: | (324) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 |
Operation: | write | Name: | 1409 |
Value: 3 | |||
(PID) Process: | (2896) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 |
Operation: | write | Name: | 1409 |
Value: 3 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3688 | config_20180706.exe | C:\Users\admin\Desktop\priv.ser | binary | |
MD5:C0DA0804F7504A815D4CCBC058FAFD32 | SHA256:0DB8A90924915C57BBA4BFE3ABA2EB344E58C2BA316FCC2E2019C8CAF9320916 | |||
3688 | config_20180706.exe | C:\Users\admin\AppData\Local\Temp\41DE.tmp\41EF.bat | text | |
MD5:F6434B520CE3AA32020B5FC4A999B986 | SHA256:3D9640C0E15933764B9C61835840DCE916B1F00189645CE90B6EAF5C05BFF71F | |||
724 | xcopy.exe | C:\Users\admin\AppData\locallow\.wt\priv.ser | binary | |
MD5:C0DA0804F7504A815D4CCBC058FAFD32 | SHA256:0DB8A90924915C57BBA4BFE3ABA2EB344E58C2BA316FCC2E2019C8CAF9320916 | |||
2344 | xcopy.exe | C:\Users\admin\AppData\.wt\priv.ser | binary | |
MD5:C0DA0804F7504A815D4CCBC058FAFD32 | SHA256:0DB8A90924915C57BBA4BFE3ABA2EB344E58C2BA316FCC2E2019C8CAF9320916 | |||
3292 | xcopy.exe | C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\security\trusted.certs | jks | |
MD5:3020F9F2B36B2F1303A46F5234A13AF5 | SHA256:D90EBEAF1A97BFAF9B7BAF9A52DC67AE5859C97DC9694AF101E84B7C43EF44B4 | |||
2504 | cmd.exe | C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties | text | |
MD5:A1802B912096CD1E89746A211946E9B1 | SHA256:F7015EC0CBBFF5006E931F0494A4EC5D3E3008C4FA94472A1C260667B69C54C8 | |||
2504 | cmd.exe | C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\deployment.properties | text | |
MD5:A1802B912096CD1E89746A211946E9B1 | SHA256:F7015EC0CBBFF5006E931F0494A4EC5D3E3008C4FA94472A1C260667B69C54C8 | |||
2504 | cmd.exe | C:\Windows\ip.bat | text | |
MD5:1F2B70D8D91E9E1708BCD4A8AFE4D849 | SHA256:963C26040CDD500856D1CB74DDD175A17A033E173EACD887E00A09FFDD3C36C1 | |||
2504 | cmd.exe | C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties.bak | text | |
MD5:83AD36C3676F18050C889097D9840AE7 | SHA256:F3960EB590E0BD44502ABC60979F664CA200FE1405046048769F9908CC92A9DA | |||
2504 | cmd.exe | C:\Windows\ipp.bat | text | |
MD5:4085F2383D3B8448877745F2BD7163CA | SHA256:ED1FB7494112587F67A837985B8F24662A3672C23306B3C64338DCD5D0977BA7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3396 | iexplore.exe | GET | — | 210.105.131.211:80 | http://silkroad.cuckoo.co.kr/ohs_images/swanEXTN-custom-2_3_6_5-ko-ie-windows.css | KR | — | — | suspicious |
3396 | iexplore.exe | GET | — | 210.105.131.211:80 | http://silkroad.cuckoo.co.kr/ohs_images/oafcoreR121.js | KR | — | — | suspicious |
3396 | iexplore.exe | GET | 200 | 210.105.131.211:80 | http://silkroad.cuckoo.co.kr/ohs_images/Common2_3_6_5.js | KR | text | 116 Kb | suspicious |
3396 | iexplore.exe | GET | 200 | 210.105.131.211:80 | http://silkroad.cuckoo.co.kr/ohs_images/globalTop.jpg | KR | image | 19.3 Kb | suspicious |
3396 | iexplore.exe | GET | 200 | 210.105.131.211:80 | http://silkroad.cuckoo.co.kr/ohs_images/people.jpg | KR | image | 971 b | suspicious |
3396 | iexplore.exe | GET | — | 210.105.131.211:80 | http://silkroad.cuckoo.co.kr/ohs_images/lightBlue_back.jpg | KR | — | — | suspicious |
1020 | iexplore.exe | GET | 200 | 23.210.249.75:80 | http://www.naver.com/favicon.ico | NL | image | 322 b | whitelisted |
3396 | iexplore.exe | GET | 200 | 210.105.131.211:80 | http://silkroad.cuckoo.co.kr/ohs_images/FNDSSCORP.gif | KR | image | 322 b | suspicious |
3396 | iexplore.exe | GET | 200 | 210.105.131.211:80 | http://silkroad.cuckoo.co.kr/ohs_images/t.htm | KR | html | 29 b | suspicious |
3396 | iexplore.exe | GET | 200 | 210.105.131.211:80 | http://silkroad.cuckoo.co.kr/ohs_images/topLines.gif | KR | image | 9.66 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3396 | iexplore.exe | 210.105.131.211:80 | silkroad.cuckoo.co.kr | Korea Telecom | KR | suspicious |
1020 | iexplore.exe | 23.210.249.75:80 | www.naver.com | Akamai International B.V. | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
silkroad.cuckoo.co.kr |
| suspicious |
www.naver.com |
| whitelisted |