File name: | 117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022 |
Full analysis: | https://app.any.run/tasks/6f5475f4-83a8-464f-878b-b6d89c1f78e4 |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 09:57:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 54D16D1D025D34891E996F7397369C82 |
SHA1: | 39757DED9D50151BF41CECF33E1AB59957CF429B |
SHA256: | 117713C6956ECD18A52768C76452254DF2C5E907F804593EB881C4D756823022 |
SSDEEP: | 3072:qjz9HLSWE4KDvHEc0VRD4pTlgwpW0BNbyq5pkLLxajW4:qjz9HLe4KDvHx0VRDGywpWMkPsjW |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
ProgramVersion: | 1.4.7 |
---|---|
Copyright: | Copyright (C) 2020, softtail |
InternalServiceName: | speedy.exe |
FileVersionNew: | 2.3.4 |
CharacterSet: | Unicode |
LanguageCode: | Unknown (0867) |
FileSubtype: | 82 |
ObjectFileType: | Unknown (8) |
FileOS: | Unknown (0x40204) |
FileFlags: | Pre-release, Special build, [6] |
FileFlagsMask: | 0x005f |
ProductVersionNumber: | 23.4.13.0 |
FileVersionNumber: | 2.4.1.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x2cec |
UninitializedDataSize: | - |
InitializedDataSize: | 773120 |
CodeSize: | 107008 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2018:10:03 20:24:38+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 03-Oct-2018 18:24:38 |
Detected languages: |
|
FileVersionNew: | 2.3.4 |
InternalServiceName: | speedy.exe |
Copyright: | Copyright (C) 2020, softtail |
ProgramVersion: | 1.4.7 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000E8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 03-Oct-2018 18:24:38 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0001A040 | 0x0001A200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.4047 |
.rdata | 0x0001C000 | 0x00004324 | 0x00004400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.57752 |
.data | 0x00021000 | 0x000AEE54 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.22037 |
.rsrc | 0x000D0000 | 0x000088B8 | 0x00008A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.00629 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.39991 | 468 | UNKNOWN | UNKNOWN | RT_VERSION |
2 | 5.44238 | 2216 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON |
3 | 5.74839 | 1736 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON |
4 | 5.92041 | 1384 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON |
5 | 4.08205 | 9640 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON |
6 | 4.54173 | 4264 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON |
7 | 4.78566 | 2440 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON |
8 | 4.8292 | 1128 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON |
11 | 2.6118 | 148 | UNKNOWN | UNKNOWN | RT_STRING |
12 | 3.26571 | 1336 | UNKNOWN | UNKNOWN | RT_STRING |
ADVAPI32.dll |
KERNEL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
944 | "C:\117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022.exe" | C:\117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 3221225477 | ||||
3564 | "windanr.exe" | C:\Windows\system32\windanr.exe | — | qemu-ga.exe |
User: admin Integrity Level: MEDIUM | ||||
3624 | C:\Windows\System32\svchost.exe -k WerSvcGroup | C:\Windows\System32\svchost.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3728 | C:\Windows\system32\WerFault.exe -u -p 944 -s 92 | C:\Windows\system32\WerFault.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3564) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | APPSTARTING |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (3564) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | ARROW |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (3564) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | CROSS |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (3564) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | HAND |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (3564) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | HELP |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (3564) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | IBEAM |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (3564) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | NO |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (3564) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | SIZEALL |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (3564) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | SIZENESW |
Value: %SystemRoot%\cursors\clearcur.cur | |||
(PID) Process: | (3564) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
Operation: | write | Name: | SIZENS |
Value: %SystemRoot%\cursors\clearcur.cur |
PID | Process | Filename | Type | |
---|---|---|---|---|
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERDF1.tmp.mdmp | — | |
MD5:— | SHA256:— | |||
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_117713c6956ecd18_52964b6a98d6f2363c4fe3a3414952329b2691_cab_0e370e4b\WERD82.tmp.hdmp | dmp | |
MD5:8A436F578752134E8589526D78863AB3 | SHA256:9F3AB268BF2EB89AC0B69B119346651CA80D9957517447DCCC492F4543C55E27 | |||
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_117713c6956ecd18_52964b6a98d6f2363c4fe3a3414952329b2691_cab_0e370e4b\Report.wer | binary | |
MD5:B5E82899C7E0828B0D5323F868C94854 | SHA256:EAE360381304B94172B8810EFBD98363D033E3B6F829A1A08F1718139675706D | |||
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_117713c6956ecd18_52964b6a98d6f2363c4fe3a3414952329b2691_cab_0e370e4b\WER8872.tmp.WERInternalMetadata.xml | xml | |
MD5:A97190E0EB6985C41934C9CFDD85E684 | SHA256:0946635D92AE53C47D1FFDD98708CAF25ED1C57FC1747713DBEB36D6C5433072 | |||
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERD43.tmp.appcompat.txt | xml | |
MD5:0D86488B0A109BA45DD83BBF3B11E28D | SHA256:89BF952B9895CBB6D3BC048043C55F67B783A128990002B3C163DA5BC8D90590 | |||
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERD82.tmp.hdmp | dmp | |
MD5:8A436F578752134E8589526D78863AB3 | SHA256:9F3AB268BF2EB89AC0B69B119346651CA80D9957517447DCCC492F4543C55E27 | |||
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER8872.tmp.WERInternalMetadata.xml | xml | |
MD5:A97190E0EB6985C41934C9CFDD85E684 | SHA256:0946635D92AE53C47D1FFDD98708CAF25ED1C57FC1747713DBEB36D6C5433072 | |||
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_117713c6956ecd18_52964b6a98d6f2363c4fe3a3414952329b2691_cab_0e370e4b\WERDF1.tmp.mdmp | dmp | |
MD5:4B53D4AE12ECE3D62AEA61EA8EE5F796 | SHA256:7F5557BBFE574A02F6865533F8902048A6D57A572EB7FD464831ACA86F55A90C | |||
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_117713c6956ecd18_52964b6a98d6f2363c4fe3a3414952329b2691_cab_0e370e4b\WERD43.tmp.appcompat.txt | xml | |
MD5:0D86488B0A109BA45DD83BBF3B11E28D | SHA256:89BF952B9895CBB6D3BC048043C55F67B783A128990002B3C163DA5BC8D90590 | |||
3728 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022.exe.944.dmp | dmp | |
MD5:616512378247DB8DBE6D75703B8C8C88 | SHA256:F8D5D2A72C8281C032C18DE590E56B712181F7E3336B163CD8454A6A7329B0FF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3728 | WerFault.exe | GET | — | 51.143.111.81:80 | http://watson.microsoft.com/StageOne/117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022/2_4_1_0/5e6f3cde/117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022/2_4_1_0/5e6f3cde/c0000005/00005a95.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063 | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3728 | WerFault.exe | 51.143.111.81:80 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
Domain | IP | Reputation |
---|---|---|
watson.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3728 | WerFault.exe | Potential Corporate Privacy Violation | ET POLICY Application Crash Report Sent to Microsoft |
3728 | WerFault.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |