File name: | Autodesk_Domain Script.exe |
Full analysis: | https://app.any.run/tasks/3c2a599a-b2dc-4623-9a41-4ca3c5e0fb57 |
Verdict: | Malicious activity |
Analysis date: | January 17, 2019, 16:23:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5: | 19C6A604B6955DB4984B5E16E2222AE1 |
SHA1: | D2200ED292E5D0FDB69FADB626B61C05E29B36AA |
SHA256: | 18C89E9368EEAAAA5F2D2F20740C81E3839E9359E3783D0391170A45E9D5B244 |
SSDEEP: | 384:DCIiV728hUQ7Y2P/cVEccDdye7kjlWLe7grPiA8jyrMPhTjanbBoZlV8x6aNJawA:DCRGuY2P0Vo6r7SiAwyrMRjbryxLnbca |
Extension | File type match (score) |
---|---|
.exe | UPX compressed Win32 Executable (39.3) |
.exe | Win32 EXE Yoda's Crypter (38.6) |
.dll | Win32 Dynamic Link Library (generic) (9.5) |
.exe | Win32 Executable (generic) (6.5) |
.exe | Generic Win/DOS Executable (2.9) |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2009:02:07 07:33:08+01:00 |
PEType: | PE32 |
LinkerVersion: | 2.5 |
CodeSize: | 24576 |
InitializedDataSize: | 4096 |
UninitializedDataSize: | 49152 |
EntryPoint: | 0x11620 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |

Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 07-Feb-2009 06:33:08 |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header (paragraphs): | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of new EXE header (e_lfanew): | 0x00000080 |
PE header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 07-Feb-2009 06:33:08 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x0000C000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x0000D000 | 0x00006000 | 0x00005200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.91554 |
.rsrc | 0x00013000 | 0x00001000 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.5209 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.92322 | 611 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
B | 0 | 13572 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
N | 4.62352 | 26 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
O | 2.58496 | 6 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
Imported library |
---|
COMCTL32.dll |
GDI32.dll |
KERNEL32.DLL |
MSVCRT.dll |
OLE32.dll |
SHELL32.dll |
USER32.dll |
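The static tables above (DOS header, PE header, section table) can be re-derived and turned into packer indicators without any external tooling. The block below is an added example, not part of the ANY.RUN report and not code from the sample: it hand-parses a PE32 image with `struct` (no `pefile` dependency), computes per-section entropy, and applies the heuristics that match this file, namely UPX section names, an executable UPX0 section with 0xC000 bytes in memory but no bytes on disk, a near-8.0-entropy UPX1 section, and an entry point (0x11620) that lands in UPX1 rather than a conventional code section. Since the sample's bytes cannot ship with the page, the image it runs on is a minimal PE constructed inline to carry the same header values (e_lfanew 0x80, three sections with the listed addresses and sizes, entry point 0x11620, GUI subsystem, linker 2.5); the section contents are pseudo-random filler, and ImageBase, stack/heap sizes and the COFF Characteristics value 0x0102 are assumptions, since the report leaves Characteristics blank.

```python
"""Hand-parse a PE32 image and apply UPX-style packer heuristics (added example)."""
import hashlib
import math
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for compressed data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(data: bytes) -> dict:
    """Return the header fields a triage needs plus one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # DOS header: offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:        # optional-header Magic: PE32 only
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint (RVA)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]    # 2 = IMAGE_SUBSYSTEM_WINDOWS_GUI
    sections = []
    for i in range(nsect):                                     # section headers follow the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8s6I2HI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
                         "characteristics": chars, "entropy": shannon_entropy(raw)})
    return {"e_lfanew": e_lfanew, "machine": machine, "entry_point": entry,
            "subsystem": subsystem, "sections": sections}


def entry_section(pe: dict):
    """Section whose in-memory range contains AddressOfEntryPoint, or None."""
    ep = pe["entry_point"]
    for s in pe["sections"]:
        if s["virtual_address"] <= ep < s["virtual_address"] + s["virtual_size"]:
            return s
    return None


def packer_indicators(pe: dict) -> list:
    """Packer heuristics; each hit names the section it came from."""
    hits = []
    for s in pe["sections"]:
        executable = bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
        if s["name"].startswith("UPX"):
            hits.append(f"{s['name']}: UPX section name")
        if executable and s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            hits.append(f"{s['name']}: executable, 0x{s['virtual_size']:X} bytes in memory, none on disk")
        if executable and s["entropy"] > 7.5:
            hits.append(f"{s['name']}: executable with entropy {s['entropy']:.2f}")
    es = entry_section(pe)
    if es is not None and es["name"] not in (".text", "CODE"):
        hits.append(f"entry point 0x{pe['entry_point']:X} lies in {es['name']}")
    return hits


def _filler(n: int, seed: str) -> bytes:
    """Deterministic pseudo-random bytes standing in for compressed code (constructed)."""
    out = bytearray()
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{len(out)}".encode()).digest()
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE32 carrying this report's header values; NOT the sample's bytes.
    ImageBase, stack/heap sizes and COFF Characteristics (0x0102) are assumed."""
    dos = struct.pack("<2s13H4H2H10HI", b"MZ", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0,
                      *([0] * 4), 0, 0, *([0] * 10), 0x80).ljust(0x80, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 1233988388, 0, 0, 0xE0, 0x0102)  # 07-Feb-2009 06:33:08 UTC
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 2, 5,      # PE32, linker 2.5
                      0x6000, 0x1000, 0xC000,               # code / initialized / uninitialized sizes
                      0x11620, 0xD000, 0x13000,             # entry point, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,              # ImageBase, section / file alignment (assumed)
                      4, 0, 0, 0, 4, 0,                     # OS, image, subsystem versions
                      0, 0x14000, 0x200, 0,                 # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                                 # IMAGE_SUBSYSTEM_WINDOWS_GUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # stack/heap, 16 data dirs

    def section_header(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8s6I2HI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    headers = (dos + coff + opt
               + section_header(b"UPX0", 0xC000, 0x1000, 0, 0x200, IMAGE_SCN_CNT_UNINITIALIZED_DATA | RWX)
               + section_header(b"UPX1", 0x6000, 0xD000, 0x5200, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX)
               + section_header(b".rsrc", 0x1000, 0x13000, 0x600, 0x5400,
                                IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    upx1 = _filler(0x5200, "UPX1")                        # high entropy, like the real UPX1
    rsrc = (b"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'/>" * 8).ljust(0x600, b"\0")
    return headers.ljust(0x200, b"\0") + upx1 + rsrc


if __name__ == "__main__":
    image = parse_pe32(build_sample_pe())
    for hit in packer_indicators(image):
        print("indicator:", hit)
```

Run against the real file, `parse_pe32(open(path, "rb").read())` reproduces the section table above and `packer_indicators` should return the UPX0, UPX1 and entry-point hits; the one heuristic that does not transfer to every packer is the section-name check, which is why the empty-on-disk and entropy checks are kept independent of it.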
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2692 | "C:\Users\admin\AppData\Local\Temp\Autodesk_Domain Script.exe" | C:\Users\admin\AppData\Local\Temp\Autodesk_Domain Script.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1736 | cmd /c ""C:\Users\admin\AppData\Local\Temp\906F.tmp\Autodesk_Domain Script.bat" " | C:\Windows\system32\cmd.exe | — | Autodesk_Domain Script.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 16 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2828 | C:\Windows\system32\cmd.exe /c echo:|date | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3060 | C:\Windows\system32\cmd.exe /S /D /c" echo:" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3112 | C:\Windows\system32\cmd.exe /S /D /c" date" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3720 | C:\Windows\system32\cmd.exe /c date/t | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3988 | C:\Windows\system32\cmd.exe /c echo 20190117 | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2196 | SYSTEMINFO | C:\Windows\system32\systeminfo.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Displays system information Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2408 | FIND /i "Install Date" C:\USER-PC_1\system_details.txt | C:\Windows\system32\find.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2948 | regedit /e c:\USER-PC_1\deployed_products.txt hkey_local_machine\software\microsoft\windows\currentversion\uninstall | C:\Windows\regedit.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Editor Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: regedit.exe requires elevation and was started at MEDIUM integrity, so this instance never ran; the exports in the file list below come from other regedit.exe instances, PIDs 2164 and 2748) Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
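The process tree above is the detection-relevant part of the report: a GUI executable sitting in %TEMP% writes a same-named .bat into a %TEMP%\906F.tmp\ directory (a four-hex-digit .tmp name is what GetTempFileName produces) and runs it through cmd.exe, and the batch then inventories the host with systeminfo, find on the systeminfo output, and a regedit /e export of the HKLM Uninstall key into C:\USER-PC_1\. The block below is an added example, not code from the report or from the sample: it runs that detection logic over process-creation events constructed from the rows above (the image/cmdline/parent_image/exit_code field names, and the full path of explorer.exe, are this example's assumptions rather than any particular EDR schema) and decodes the regedit exit code as an NTSTATUS value.

```python
"""Detection logic for the process tree in this report (added example)."""
import re
from pathlib import PureWindowsPath

# Process-creation events constructed from the report's rows; field names are assumed.
EVENTS = [
    {"pid": 2692, "image": r"C:\Users\admin\AppData\Local\Temp\Autodesk_Domain Script.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\Autodesk_Domain Script.exe"',
     "parent_image": r"C:\Windows\explorer.exe", "exit_code": 0},          # explorer path assumed
    {"pid": 1736, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\admin\AppData\Local\Temp\906F.tmp\Autodesk_Domain Script.bat" "',
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\Autodesk_Domain Script.exe", "exit_code": 16},
    {"pid": 2196, "image": r"C:\Windows\system32\systeminfo.exe", "cmdline": "SYSTEMINFO",
     "parent_image": r"C:\Windows\system32\cmd.exe", "exit_code": 0},
    {"pid": 2408, "image": r"C:\Windows\system32\find.exe",
     "cmdline": r'FIND /i "Install Date" C:\USER-PC_1\system_details.txt',
     "parent_image": r"C:\Windows\system32\cmd.exe", "exit_code": 0},
    {"pid": 2948, "image": r"C:\Windows\regedit.exe",
     "cmdline": r"regedit /e c:\USER-PC_1\deployed_products.txt "
                r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall",
     "parent_image": r"C:\Windows\system32\cmd.exe", "exit_code": 3221226540},
]

# A .bat inside <user>\...\Temp\<4 hex digits>.tmp\ : the GetTempFileName-style drop directory.
TEMP_BAT = re.compile(r'([A-Za-z]:\\[^"]*?\\Temp\\([0-9A-Fa-f]{4})\.tmp\\([^\\"]+)\.bat)', re.IGNORECASE)
# regedit /e <output file> <key ending in CurrentVersion\Uninstall>
UNINSTALL_EXPORT = re.compile(r'regedit(?:\.exe)?\s+/e\s+(\S+)\s+(\S*currentversion\\uninstall)', re.IGNORECASE)
KNOWN_NTSTATUS = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}   # the one exit status seen in this report


def find_wrapper_drops(events: list) -> list:
    """cmd.exe running a Temp\\XXXX.tmp\\*.bat whose stem equals the stem of its parent
    executable, while that parent itself lives under Temp: the batch-to-exe drop-and-run shape."""
    hits = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "cmd.exe":
            continue
        m = TEMP_BAT.search(e["cmdline"])
        if not m:
            continue
        bat, parent = PureWindowsPath(m.group(1)), PureWindowsPath(e["parent_image"])
        if bat.stem.lower() == parent.stem.lower() and "temp" in [p.lower() for p in parent.parts]:
            hits.append({"pid": e["pid"], "bat": str(bat), "wrapper": str(parent)})
    return hits


def find_inventory(events: list) -> list:
    """Host-discovery commands: systeminfo, a find over its output, and a registry
    export of the installed-software (Uninstall) key. Returns (pid, description) pairs."""
    findings = []
    for e in events:
        name = PureWindowsPath(e["image"]).name.lower()
        cmd = e["cmdline"]
        if name == "systeminfo.exe":
            findings.append((e["pid"], "discovery: host configuration via systeminfo"))
        elif name == "regedit.exe":
            m = UNINSTALL_EXPORT.search(cmd)
            if m:
                findings.append((e["pid"], f"discovery: installed-software export of {m.group(2)} to {m.group(1)}"))
        elif name == "find.exe" and "install date" in cmd.lower():
            findings.append((e["pid"], "discovery: OS install date parsed from systeminfo output"))
    return findings


def decode_exit_code(code: int) -> dict:
    """Exit codes with the NTSTATUS severity bits set (bits 31-30: 10 warning, 11 error)
    are a status the system ended the process with, not a value the program returned."""
    kind = {0: "application", 1: "ntstatus-informational",
            2: "ntstatus-warning", 3: "ntstatus-error"}[code >> 30]
    return {"hex": f"0x{code:08X}", "kind": kind, "name": KNOWN_NTSTATUS.get(code)}


def analyze(events: list) -> dict:
    return {
        "wrapper_drops": find_wrapper_drops(events),
        "inventory": find_inventory(events),
        "abnormal_exits": [(e["pid"], decode_exit_code(e["exit_code"]))
                           for e in events if e["exit_code"] >= 0x80000000],
    }


if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(key, value)
```

The wrapper rule deliberately requires the conjunction of three observations (cmd.exe as the image, a .bat under a four-hex-digit .tmp directory in the user's Temp, and a batch stem equal to the parent executable's stem); installers also drop .bat files into Temp, so any one of them alone is noisy. The inventory findings are what the sandbox verdict is reacting to: nothing in the tree touches the network or persistence, it enumerates the host and writes the results under C:\USER-PC_1\. The exit-code decoder explains the regedit row: 0xC000042C is STATUS_ELEVATION_REQUIRED, the process object was created at MEDIUM integrity and torn down before regedit's entry point ran, which is why the registry exports in the file list are attributed to other regedit.exe PIDs.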
PID | Process | Filename | Type | |
---|---|---|---|---|
1736 | cmd.exe | C:\USER-PC_1\local_4.csv | — | |
MD5:— | SHA256:— | |||
1736 | cmd.exe | C:\USER-PC_1\review.csv | — | |
MD5:— | SHA256:— | |||
1736 | cmd.exe | C:\USER-PC_1\local.txt | text | |
MD5:0C7627D9AAC19C86BF8F7415DD8FB814 | SHA256:F41C222D6FB3B7691F6AAEBE3CDF4993562A34B2F7CA6F640F5DEEE6F93C5756 | |||
1736 | cmd.exe | C:\USER-PC_1\system_details.txt | text | |
MD5:5308E713ADBB2B76FACA2E8CA95A1BAF | SHA256:A5A06BF33C3AE858CDC422169EAE996C94469A36D16EDC37823C596B5472E66F | |||
2692 | Autodesk_Domain Script.exe | C:\Users\admin\AppData\Local\Temp\906F.tmp\Autodesk_Domain Script.bat | text | |
MD5:1EAA6C8BC3EF3316091197E0EE785BCC | SHA256:0F7EC4E67583D1473F9F306D829967971B8E99B4AC1FC6AC8E8B23912D091ECF | |||
2164 | regedit.exe | C:\USER-PC_1\deployed_products.txt | text | |
MD5:C43F16C6191F79FA4BD20DC01CFDF50F | SHA256:F81AA0066152DE563CA05E669A6F2072669B2B9334D54C059CFCF809E9CC4E9F | |||
1736 | cmd.exe | C:\USER-PC_1\USER-PC_1.txt | text | |
MD5:9E76BDBCE70E7840E4A999B19834CFF3 | SHA256:0B14837B019D860A970DA6117233338A4AC579DBA80A8EB94B5614BD626DF4E3 | |||
1736 | cmd.exe | C:\USER-PC_1\local_4.txt | text | |
MD5:550759D1425C47B38CBF896585449EF4 | SHA256:0443A35583D3E1EC9FF99DCADC767CEC14B9671AA89416D76218FB8DC7265BD4 | |||
1736 | cmd.exe | C:\USER-PC_1\review.txt | text | |
MD5:FB07BCE2C8E2E6F30AFE078C9D52F087 | SHA256:400306D838D79F08A3523AD9EE170AFFF0D6A3FF239A9057EE2FEB82466C807E | |||
2748 | regedit.exe | C:\USER-PC_1\local_2.txt | text | |
MD5:FEE955AC41D26E7CB346808B1970B83C | SHA256:EE99C93FE48922BC59509489F2991642EF2B8BB740F2A9CA3643CC55A168F587 |