File name: | 2018-11-02-t.exe-from-92.63.197.48.exe |
Full analysis: | https://app.any.run/tasks/5e49435e-e6b2-49ef-b707-764fdf7d7c7f |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous ransomware families. Ransomware is malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate, the files are lost forever. |
Analysis date: | June 12, 2019, 07:35:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | DA66CBC9AE879173F9E38D51A2CFFDB8 |
SHA1: | CE651B549E945FAB1FFBCED06C671C8F050B5018 |
SHA256: | 098AAD386B0F549CEFDDF2001DBA9F31F40D88A3618CD3A8D5589B4B0B467342 |
SSDEEP: | 1536:JLMVCWvZ8URtqOz3d+1Qs6H9Mk2e3E2avMWC3yMgYxf6+okbdWsWjcdpECaIxWzX:VM9ntZ3s1QJdnU2SQdf64ZZSCaIxWec |
Extension | | | Type (score) |
---|---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2018:10:26 10:47:08+02:00 |
PEType: | PE32 |
LinkerVersion: | 12 |
CodeSize: | 80896 |
InitializedDataSize: | 68096 |
UninitializedDataSize: | - |
EntryPoint: | 0x6229 |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 26-Oct-2018 08:47:08 |
Detected languages: | |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000E8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 26-Oct-2018 08:47:08 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00013BE4 | 0x00013C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.58693 |
.rdata | 0x00015000 | 0x00006B46 | 0x00006C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.59744 |
.data | 0x0001C000 | 0x000087F4 | 0x00006A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.15553 |
.rsrc | 0x00025000 | 0x000001E0 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.7123 |
.reloc | 0x00026000 | 0x000013A8 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.64868 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST |
ADVAPI32.dll |
GDI32.dll |
KERNEL32.dll |
MPR.dll |
RPCRT4.dll |
SHELL32.dll |
USER32.dll |
WININET.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3092 | "C:\Users\admin\AppData\Local\Temp\2018-11-02-t.exe-from-92.63.197.48.exe" | C:\Users\admin\AppData\Local\Temp\2018-11-02-t.exe-from-92.63.197.48.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM | ||||
596 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | 2018-11-02-t.exe-from-92.63.197.48.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3092) 2018-11-02-t.exe-from-92.63.197.48.exe | Key: | HKEY_CURRENT_USER\Software\ex_data\data |
Operation: | write | Name: | ext |
Value: 2E00660061006D006F00730072000000 (UTF-16LE ".famosr", the extension appended to encrypted files) | |||
(PID) Process: | (3092) 2018-11-02-t.exe-from-92.63.197.48.exe | Key: | HKEY_CURRENT_USER\Software\keys_data\data |
Operation: | write | Name: | public |
Value: (omitted) | |||
(PID) Process: | (3092) 2018-11-02-t.exe-from-92.63.197.48.exe | Key: | HKEY_CURRENT_USER\Software\keys_data\data |
Operation: | write | Name: | private |
Value: (omitted) | |||
(PID) Process: | (3092) 2018-11-02-t.exe-from-92.63.197.48.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3092) 2018-11-02-t.exe-from-92.63.197.48.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3092) 2018-11-02-t.exe-from-92.63.197.48.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2018-11-02-t_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3092) 2018-11-02-t.exe-from-92.63.197.48.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2018-11-02-t_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3092) 2018-11-02-t.exe-from-92.63.197.48.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2018-11-02-t_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3092) 2018-11-02-t.exe-from-92.63.197.48.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2018-11-02-t_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3092) 2018-11-02-t.exe-from-92.63.197.48.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\2018-11-02-t_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | |
MD5:— | SHA256:— | |||
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData | — | |
MD5:— | SHA256:— | |||
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings | — | |
MD5:— | SHA256:— | |||
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata | — | |
MD5:— | SHA256:— | |||
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl | — | |
MD5:— | SHA256:— | |||
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl | — | |
MD5:— | SHA256:— | |||
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | C:\Users\admin\AppData\FAMOSR-DECRYPT.txt | text | |
MD5:630C6BBCC0CE709CB618567CAF964EC4 | SHA256:19053D2AE313550424B4BBCCEC2D9C0675532B05C6BF19578921AF69B7677F20 | |||
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\FAMOSR-DECRYPT.txt | text | |
MD5:630C6BBCC0CE709CB618567CAF964EC4 | SHA256:19053D2AE313550424B4BBCCEC2D9C0675532B05C6BF19578921AF69B7677F20 | |||
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData.famosr | binary | |
MD5:CF3D2A410C842E57C4C32147B77D55BE | SHA256:44972EBFB750A3C883B979C246E94EB10A281A5B009C18510681BCD8CAB7039E | |||
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\FAMOSR-DECRYPT.txt | text | |
MD5:630C6BBCC0CE709CB618567CAF964EC4 | SHA256:19053D2AE313550424B4BBCCEC2D9C0675532B05C6BF19578921AF69B7677F20 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | — | 212.59.186.61:80 | http://www.hotelweisshorn.com/ | CH | — | — | malicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | GET | 302 | 192.185.159.253:80 | http://www.pizcam.com/ | US | — | — | malicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | GET | — | 78.46.77.98:80 | http://www.2mmotorsport.biz/ | DE | — | — | suspicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | GET | 301 | 83.138.82.107:80 | http://www.swisswellness.com/ | DE | — | — | whitelisted |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | GET | — | 74.220.199.8:80 | http://www.bizziniinfissi.com/ | US | — | — | malicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | GET | 301 | 83.166.138.7:80 | http://www.whitepod.com/ | CH | — | — | whitelisted |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | GET | — | 217.26.53.161:80 | http://www.haargenau.biz/ | CH | — | — | malicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | GET | 302 | 18.207.88.16:80 | http://www.hardrockhoteldavos.com/ | US | — | — | whitelisted |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | GET | 301 | 104.24.22.22:80 | http://www.belvedere-locarno.com/ | US | — | — | shared |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | GET | 301 | 80.244.187.247:80 | http://www.hotelfarinet.com/ | GB | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | 78.46.77.98:80 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | 74.220.199.8:80 | www.bizziniinfissi.com | Unified Layer | US | malicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | 83.166.138.7:443 | www.whitepod.com | Infomaniak Network SA | CH | malicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | 212.59.186.61:80 | www.hotelweisshorn.com | green.ch AG | CH | malicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | 136.243.13.215:80 | www.holzbock.biz | Hetzner Online GmbH | DE | suspicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | 78.46.77.98:443 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | 217.26.53.161:80 | www.haargenau.biz | Hostpoint AG | CH | malicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | 192.185.159.253:443 | www.pizcam.com | CyrusOne LLC | US | malicious |
— | — | 83.138.82.107:443 | www.swisswellness.com | hostNET Medien GmbH | DE | suspicious |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | 185.52.2.154:443 | www.fliptray.biz | RouteLabel V.O.F. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
www.2mmotorsport.biz | — | unknown |
www.haargenau.biz | — | unknown |
www.bizziniinfissi.com | — | malicious |
www.holzbock.biz | — | unknown |
www.fliptray.biz | — | malicious |
www.pizcam.com | — | unknown |
www.swisswellness.com | — | whitelisted |
www.hotelweisshorn.com | — | unknown |
www.whitepod.com | — | whitelisted |
www.hardrockhoteldavos.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | A Network Trojan was detected | ET POLICY Data POST to an image file (gif) |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | A Network Trojan was detected | ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab Ransomware HTTP |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | A Network Trojan was detected | ET POLICY Data POST to an image file (jpg) |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab Ransomware HTTP |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | A Network Trojan was detected | ET POLICY Data POST to an image file (gif) |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
3092 | 2018-11-02-t.exe-from-92.63.197.48.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab Ransomware HTTP |