analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | sohui.exe |
| Full analysis: | https://app.any.run/tasks/b251c4bd-1001-4094-ab72-e7ae2040bb7a |
| Verdict: | Malicious activity |
| Analysis date: | July 13, 2020, 06:57:52 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, Nullsoft Installer self-extracting archive |
| MD5: | 633FE2FC2FBB1A7366F19D6E11469653 |
| SHA1: | D569A35E14CD3B3D256E6DC21B80FCAED9F39CDC |
| SHA256: | 151EC0CB10F6B8CD9278A06ACE390ADACDBD6CEE828FE681B6E4ED105BACD133 |
| SSDEEP: | 196608:4RFznWxQ58jpbT4SNKezvl8gjPKstVOjGhAXZndz3YVIWtnuPiZ3:Ddwe7egmsfOjWAX5JoeWtuPa |
MALICIOUS
Application was dropped or rewritten from another process
- ScdReg.exe (PID: 996)
- install.exe (PID: 2236)
- SkinReg.exe (PID: 2804)
- Wizard.exe (PID: 2376)
- ConfigIE.exe (PID: 3832)
- ScdReg.exe (PID: 2800)
- ScdReg.exe (PID: 2788)
- WbConfig.exe (PID: 3004)
Loads dropped or rewritten executable
- regsvr32.exe (PID: 3296)
- ScdReg.exe (PID: 996)
- sohui.exe (PID: 3324)
- WbConfig.exe (PID: 3004)
- ScdReg.exe (PID: 2800)
- ScdReg.exe (PID: 2788)
Registers / Runs the DLL via REGSVR32.EXE
- sohui.exe (PID: 3324)
SUSPICIOUS
Low-level read access rights to disk partition
- sohui.exe (PID: 3324)
Modifies the open verb of a shell class
- ScdReg.exe (PID: 996)
- SkinReg.exe (PID: 2804)
- ConfigIE.exe (PID: 3832)
Creates files in the Windows directory
- sohui.exe (PID: 3324)
Creates COM task schedule object
- regsvr32.exe (PID: 3296)
Executable content was dropped or overwritten
- sohui.exe (PID: 3324)
Reads Internet Cache Settings
- sohui.exe (PID: 3324)
Creates files in the program directory
- sohui.exe (PID: 3324)
Creates a software uninstall entry
- sohui.exe (PID: 3324)
INFO
Manual execution by user
- WbConfig.exe (PID: 3004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (39.3) |
|---|---|---|
| .exe | | | Win32 EXE Yoda's Crypter (38.6) |
| .dll | | | Win32 Dynamic Link Library (generic) (9.5) |
| .exe | | | Win32 Executable (generic) (6.5) |
| .exe | | | Generic Win/DOS Executable (2.9) |
EXIF
EXE
| ProductVersion: | 2.0.1.1189 |
|---|---|
| ProductName: | Sogou Wubi Input Method |
| LegalCopyright: | (C) 2011 Sogou.com Inc. All rights reserved. |
| FileVersion: | 2.0.1.1189 |
| FileDescription: | Sogou Input Installer |
| CompanyName: | Sogou.com Inc. |
| Comments: | - |
| CharacterSet: | Unicode |
| LanguageCode: | Neutral |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x0000 |
| ProductVersionNumber: | 2.0.1.1189 |
| FileVersionNumber: | 2.0.1.1189 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 5 |
| ImageVersion: | 6.1 |
| OSVersion: | 5 |
| EntryPoint: | 0x15ed30 |
| UninitializedDataSize: | 1413120 |
| InitializedDataSize: | 139264 |
| CodeSize: | 20480 |
| LinkerVersion: | 9 |
| PEType: | PE32 |
| TimeStamp: | 2009:09:09 15:23:23+02:00 |
| MachineType: | Intel 386 or later, and compatibles |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 09-Sep-2009 13:23:23 |
| Detected languages: |
|
| Comments: | - |
| CompanyName: | Sogou.com Inc. |
| FileDescription: | Sogou Input Installer |
| FileVersion: | 2.0.1.1189 |
| LegalCopyright: | (C) 2011 Sogou.com Inc. All rights reserved. |
| ProductName: | Sogou Wubi Input Method |
| ProductVersion: | 2.0.1.1189 |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x000000E0 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 3 |
| Time date stamp: | 09-Sep-2009 13:23:23 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x00159000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x0015A000 | 0x00005000 | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.83238 |
.rsrc | 0x0015F000 | 0x00022000 | 0x00021200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.4366 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 5.21649 | 968 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 7.97924 | 50363 | UNKNOWN | English - United States | RT_ICON |
3 | 5.1116 | 9640 | UNKNOWN | English - United States | RT_ICON |
4 | 5.57695 | 4264 | UNKNOWN | English - United States | RT_ICON |
102 | 6.73406 | 180 | UNKNOWN | English - United States | RT_DIALOG |
103 | 2.57313 | 62 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 7.44208 | 512 | UNKNOWN | English - United States | RT_DIALOG |
106 | 7.14241 | 248 | UNKNOWN | English - United States | RT_DIALOG |
111 | 6.98093 | 238 | UNKNOWN | English - United States | RT_DIALOG |
202 | 6.81862 | 160 | UNKNOWN | English - United States | RT_DIALOG |
Imports
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.DLL |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
Total processes
47
Monitored processes
11
Malicious processes
3
Suspicious processes
5
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1048 | "C:\Users\admin\Desktop\sohui.exe" | C:\Users\admin\Desktop\sohui.exe | — | explorer.exe |
User: admin Company: Sogou.com Inc. Integrity Level: MEDIUM Description: Sogou Input Installer Exit code: 3221226540 Version: 2.0.1.1189 | ||||
| 3324 | "C:\Users\admin\Desktop\sohui.exe" | C:\Users\admin\Desktop\sohui.exe | explorer.exe | |
User: admin Company: Sogou.com Inc. Integrity Level: HIGH Description: Sogou Input Installer Exit code: 0 Version: 2.0.1.1189 | ||||
| 2236 | "C:\Users\admin\AppData\Local\Temp\install.exe" -i -w | C:\Users\admin\AppData\Local\Temp\install.exe | — | sohui.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
| 2804 | "C:\Program Files\SogouWBInput\2.0.1.1189\SkinReg.exe" -register "C:\Program Files\SogouWBInput\2.0.1.1189" | C:\Program Files\SogouWBInput\2.0.1.1189\SkinReg.exe | — | sohui.exe |
User: admin Company: Sogou.com Inc. Integrity Level: HIGH Description: 搜狗五笔输入法 皮肤安装程序 Exit code: 0 Version: 2.0.1.1189 | ||||
| 3296 | regsvr32 /s /i "C:\Program Files\SogouWBInput\2.0.1.1189\SogouTSF.dll" | C:\Windows\system32\regsvr32.exe | — | sohui.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 996 | "C:\Program Files\SogouWBInput\2.0.1.1189\ScdReg.exe" -register "C:\Program Files\SogouWBInput\2.0.1.1189" | C:\Program Files\SogouWBInput\2.0.1.1189\ScdReg.exe | — | sohui.exe |
User: admin Company: Sogou.com Inc. Integrity Level: HIGH Description: 搜狗五笔输入法 细胞词库安装程序 Exit code: 0 Version: 2.0.1.1189 | ||||
| 2800 | "C:\Program Files\SogouWBInput\2.0.1.1189\ScdReg.exe" -cdefault | C:\Program Files\SogouWBInput\2.0.1.1189\ScdReg.exe | — | sohui.exe |
User: admin Company: Sogou.com Inc. Integrity Level: HIGH Description: 搜狗五笔输入法 细胞词库安装程序 Exit code: 0 Version: 2.0.1.1189 | ||||
| 3832 | "C:\Program Files\SogouWBInput\2.0.1.1189\ConfigIE.exe" 2 "C:\Program Files\SogouWBInput\2.0.1.1189" | C:\Program Files\SogouWBInput\2.0.1.1189\ConfigIE.exe | — | sohui.exe |
User: admin Company: Sogou.com Inc. Integrity Level: HIGH Description: 搜狗五笔输入法 导入导出配置向导 Exit code: 0 Version: 2.0.1.1189 | ||||
| 2376 | "C:\Program Files\SogouWBInput\2.0.1.1189\Wizard.exe" | C:\Program Files\SogouWBInput\2.0.1.1189\Wizard.exe | — | sohui.exe |
User: admin Company: Sogou.com Inc. Integrity Level: HIGH Description: 搜狗五笔输入法 设置向导 Exit code: 1 Version: 2.0.1.1189 | ||||
| 3004 | "C:\Program Files\SogouWBInput\2.0.1.1189\WbConfig.exe" | C:\Program Files\SogouWBInput\2.0.1.1189\WbConfig.exe | — | explorer.exe |
User: admin Company: Sogou.com Inc. Integrity Level: MEDIUM Description: 搜狗五笔输入法 设置程序 Exit code: 1 Version: 2.0.1.1189 | ||||
Total events
355
Read events
241
Write events
0
Delete events
0
Modification events
Executable files
34
Suspicious files
29
Text files
43
Unknown types
12
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3324 | sohui.exe | C:\Users\admin\AppData\Local\Temp\nsnDAD3.tmp\modern-wizard.bmp | image | |
MD5:93C97FC221CAAF744A8BDB3C946A2E86 | SHA256:770F6FD67F4F3DA7B90A73B724ED6DBC726416F8E5318FBCA50FD6E34B859C49 | |||
| 3324 | sohui.exe | C:\Users\admin\AppData\Local\Temp\nsnDAD3.tmp\modern-header.bmp | image | |
MD5:BC6A811F6A6DDD8C1862E66AEC582CDA | SHA256:F33344A296DBF1068D5351F5708A1561EE819A73AEF80A303AF50FD1D6AF274F | |||
| 3324 | sohui.exe | C:\Users\admin\AppData\Local\Temp\nsnDAD3.tmp\SetupLib.dll | executable | |
MD5:7914E13F28535ED2B04C285AA887F161 | SHA256:CBA2CEFE830420AAC74E08ECFDE07ABACD5370B169248A95D252F31554EB80BC | |||
| 3324 | sohui.exe | C:\Users\admin\AppData\Local\Temp\nsnDAD3.tmp\ioSpecial.ini | text | |
MD5:13EF935A70FEE0BFD6D605605D79DB0E | SHA256:CB69CE7D3424E22B3684E53A9BC2E1D999189B2F0238FAF0489359F48F2BD269 | |||
| 3324 | sohui.exe | C:\Users\admin\AppData\Local\Temp\Install64.exe | executable | |
MD5:CB05F57EA1B1A3259FD4DF5DE8F416FB | SHA256:AD11030ED6047688871343EDC83720F071263C49272362DC51E67AB160DC9F32 | |||
| 3324 | sohui.exe | C:\Program Files\SogouWBInput\2.0.1.1189\ScdReg.exe | executable | |
MD5:C383DEC800DB3EC2A57AB3DA5E4D6BC5 | SHA256:A1E2D45A0D819E24B128556ED8A8531AA5ED5F3E404AF10B4985D740059569BB | |||
| 3324 | sohui.exe | C:\Program Files\SogouWBInput\2.0.1.1189\Wizard.exe | executable | |
MD5:12C72A11F4E14A364E0CAEF2428DB8D8 | SHA256:00CE1D1339C3776D14E5838FC0C32303F6B852C6F80EFAB7F7B46124C9AAFF88 | |||
| 3324 | sohui.exe | C:\Program Files\SogouWBInput\2.0.1.1189\WbConfig.exe | executable | |
MD5:9A1F24488A5593F33A17CDD0A919E120 | SHA256:1B0750980B7F0AEC996AF20D879CB471CC13D4EAB828D54762B8C56FB8F090B2 | |||
| 3324 | sohui.exe | C:\Program Files\SogouWBInput\2.0.1.1189\HWSignature.dll | executable | |
MD5:0B731658CCC76D34D82B1116B8CA9425 | SHA256:AEFFC7A279CBD549583FB2DF7F6A3C5C6BD3C523118FB08C626286DBBDC7E7AD | |||
| 3324 | sohui.exe | C:\Program Files\SogouWBInput\2.0.1.1189\ImeUtil.exe | executable | |
MD5:5A649923D2A3A6969612F804AB41A2FE | SHA256:9CF7C7ED1E53631DF760331125ECA217A74F58516F1F44536283E92EBFF35670 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3324 | sohui.exe | 211.159.235.216:80 | ime.sogou.com | Shenzhen Tencent Computer Systems Company Limited | CN | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ime.sogou.com |
| malicious |