Field | Value |
---|---|
File name: | down2.exe |
Full analysis: | https://app.any.run/tasks/7e768fd9-2583-49e0-aba2-958bad755af4 |
Verdict: | Malicious activity |
Analysis date: | January 10, 2019, 14:45:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 6070309FC85000309E813AFB25584457 |
SHA1: | 010F7A317F1AABC76DF83B4E3AB955EC4A1D9512 |
SHA256: | 1A3CDE3C6FFB2792A922AE3CBFFC700FAFCCD0B7CDCE648860ECFD1F3C89D003 |
SSDEEP: | 49152:DmvTYbAy39JR3HrSdbAy2nwUn59s0hyEygUUDjfR7VBlB8bcXPOdwrBqiGMUk4jI:YTyAOFLUT6T59sTd8R7VBHZKyBqRjzg |
Extension | Detected type |
---|---|
.dll | Win32 Dynamic Link Library (generic) (43.5) |
.exe | Win32 Executable (generic) (29.8) |
.exe | Generic Win/DOS Executable (13.2) |
.exe | DOS Executable Generic (13.2) |
Field | Value |
---|---|
Comments: | Google Update |
LegalCopyright: | Copyright 2007-2010 Google Inc. |
ProductVersion: | 1.3.33.23 |
ProductName: | Google Update |
FileDescription: | Google Update Setup |
FileVersion: | 1.3.33.23 |
CharacterSet: | Unicode |
LanguageCode: | Chinese (Simplified) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 1.3.33.23 |
FileVersionNumber: | 1.3.33.23 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x1000 |
UninitializedDataSize: | - |
InitializedDataSize: | 2129920 |
CodeSize: | 548864 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2019:01:07 10:44:24+01:00 |
MachineType: | Intel 386 or later, and compatibles |

Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 07-Jan-2019 09:44:24 |
Detected languages: | |
FileVersion: | 1.3.33.23 |
FileDescription: | Google Update Setup |
ProductName: | Google Update |
ProductVersion: | 1.3.33.23 |
LegalCopyright: | Copyright 2007-2010 Google Inc. |
Comments: | Google Update |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
PE header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 07-Jan-2019 09:44:24 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
 | 0x00275000 | 0x0002B000 | 0x00005200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.98994 |
.rsrc | 0x002A0000 | 0x00008000 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.60535 |
.data0 | 0x002A8000 | 0x00061000 | 0x00029E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.76254 |
.adata | 0x00309000 | 0x00001000 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.07695 | 461 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
2 | 2.18858 | 296 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
3 | 3.76602 | 296 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 4.13669 | 1384 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 3.91985 | 744 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 4.83772 | 2216 | Latin 1 / Western European | UNKNOWN | RT_ICON |
7 | 3.68656 | 1640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
8 | 4.50268 | 3752 | Latin 1 / Western European | UNKNOWN | RT_ICON |
127 | 1.95915 | 12 | Latin 1 / Western European | Chinese - PRC | RT_MENU |
150 | 2.62987 | 152 | Latin 1 / Western European | Chinese - PRC | RT_DIALOG |
Imported library |
---|
advapi32.dll |
comctl32.dll |
comdlg32.dll |
gdi32.dll |
kernel32.dll |
ole32.dll |
oleaut32.dll |
shell32.dll |
user32.dll |
winmm.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3264 | "C:\Users\admin\Desktop\down2.exe" | C:\Users\admin\Desktop\down2.exe | — | explorer.exe |
 | User: admin; Integrity Level: MEDIUM; Description: Google Update Setup; Exit code: 3221226540; Version: 1.3.33.23 | | | |
2640 | "C:\Users\admin\Desktop\down2.exe" | C:\Users\admin\Desktop\down2.exe | | explorer.exe |
 | User: admin; Integrity Level: HIGH; Description: Google Update Setup; Exit code: 0; Version: 1.3.33.23 | | | |
3908 | C:\Users\admin\AppData\Local\Temp\ChromeSetup.exe | C:\Users\admin\AppData\Local\Temp\ChromeSetup.exe | | down2.exe |
 | User: admin; Company: Google Inc.; Integrity Level: HIGH; Description: Google Update Setup; Version: 1.3.33.23 | | | |
2856 | "C:\Program Files\GUMF503.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={DB56639D-40AB-7912-2F9D-BE4275B60254}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" | C:\Program Files\GUMF503.tmp\GoogleUpdate.exe | | ChromeSetup.exe |
 | User: admin; Company: Google Inc.; Integrity Level: HIGH; Description: Google Installer; Version: 1.3.33.23 | | | |
3988 | "C:\Program Files\Google\Update\GoogleUpdate.exe" /regsvc | C:\Program Files\Google\Update\GoogleUpdate.exe | — | GoogleUpdate.exe |
 | User: admin; Company: Google Inc.; Integrity Level: HIGH; Description: Google Installer; Exit code: 0; Version: 1.3.33.23 | | | |
2236 | "C:\Program Files\Google\Update\GoogleUpdate.exe" /regserver | C:\Program Files\Google\Update\GoogleUpdate.exe | — | GoogleUpdate.exe |
 | User: admin; Company: Google Inc.; Integrity Level: HIGH; Description: Google Installer; Exit code: 0; Version: 1.3.33.23 | | | |
3368 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe | | down2.exe |
 | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Host Process for Windows Services; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2652 | "C:\Program Files\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zMy4yMyIgc2hlbGxfdmVyc2lvbj0iMS4zLjMzLjIzIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezNDQ0JFNDNFLTA2QTEtNEI0RS1COTA2LUU4QzM5RkI0NkJENX0iIHVzZXJpZD0iezA0RTY2QkE2LTkzOUQtNEI4MS04NjY0LUIzRDU4REVERDA2Rn0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9IntDQ0YzQjEzMC04NkQyLTRERjQtQTgyQS1FMDQ5QUREQ0ZBODV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjMiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDg2Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IjEuMy4zMy4xNyIgbmV4dHZlcnNpb249IjEuMy4zMy4yMyIgbGFuZz0iemgtQ04iIGJyYW5kPSIiIGNsaWVudD0iIiBpaWQ9IntEQjU2NjM5RC00MEFCLTc5MTItMkY5RC1CRTQyNzVCNjAyNTR9Ij48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBpbnN0YWxsX3RpbWVfbXM9IjE2MjUiLz48L2FwcD48L3JlcXVlc3Q- | C:\Program Files\Google\Update\GoogleUpdate.exe | | GoogleUpdate.exe |
 | User: admin; Company: Google Inc.; Integrity Level: HIGH; Description: Google Installer; Exit code: 0; Version: 1.3.33.23 | | | |
2860 | "C:\Program Files\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={DB56639D-40AB-7912-2F9D-BE4275B60254}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{3CCBE43E-06A1-4B4E-B906-E8C39FB46BD5}" | C:\Program Files\Google\Update\GoogleUpdate.exe | — | GoogleUpdate.exe |
 | User: admin; Company: Google Inc.; Integrity Level: HIGH; Description: Google Installer; Version: 1.3.33.23 | | | |
3056 | "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc | C:\Program Files\Google\Update\GoogleUpdate.exe | | services.exe |
 | User: SYSTEM; Company: Google Inc.; Integrity Level: SYSTEM; Description: Google Installer; Version: 1.3.33.23 | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3908 | ChromeSetup.exe | C:\Program Files\GUMF503.tmp\goopdateres_am.dll | executable | 27F6BBD61941D43925F88562139C6F65 | 35A6E99723B99ED65D780479FB289BFD31CC1E306350C088062C2462CE578A84 |
3908 | ChromeSetup.exe | C:\Program Files\GUMF503.tmp\goopdateres_bn.dll | executable | CB0ED6FA92CBC86BF87ECCED719A6A24 | F33F1EFD4896D752B2336ACE53AA3D5F359ADFEDE35DE92D440B23130892213C |
3908 | ChromeSetup.exe | C:\Program Files\GUMF503.tmp\goopdateres_bg.dll | executable | 347C9E14ED0465ECEBD697D2CF5AF45D | 1381E6528A6E06386554B5F899F5A4AB422C6A13296E2AE156A2C2A6061CA8BA |
3908 | ChromeSetup.exe | C:\Program Files\GUMF503.tmp\GoogleUpdateOnDemand.exe | executable | BCC7E7FAE565655F28201F027104530B | A01C95BC809B979FD07130500AF34D220E0984DB7616CA480B1CB449FD3BE84C |
3908 | ChromeSetup.exe | C:\Program Files\GUMF503.tmp\GoogleUpdateComRegisterShell64.exe | executable | E093DC3362DBCECB4FA27C9CACE64D0A | 30AE722349C3A700CE31927DE27E50463DB60DD3A9980EE81E0839D5F5F89267 |
3908 | ChromeSetup.exe | C:\Program Files\GUMF503.tmp\goopdateres_ar.dll | executable | C58D00CF808BE896AD5072E1E5F2F526 | EC64A0509AA00B27D678CEDDCE8CE799A9250687C3ADE647E5A8F7D82DAF95A9 |
3908 | ChromeSetup.exe | C:\Program Files\GUMF503.tmp\psuser.dll | executable | E83F92CFB6876FB3DEFB3825E4FA9C87 | 25C850421D0E8A6AE4531AE28857BABE295A719FFF9FE1E0ECC843ED0DEAE219 |
3908 | ChromeSetup.exe | C:\Program Files\GUMF503.tmp\psmachine_64.dll | executable | A5B17D12719EA1FF72B5E46F8D4385D9 | 9BE1477BE27FC3DE1617694F4C5DB1118842275772E3D77A479BCBEFFD9CF328 |
3908 | ChromeSetup.exe | C:\Program Files\GUMF503.tmp\GoogleCrashHandler.exe | executable | E43B5F4FB1B872F4705179B32F5AB23F | CDEC9B206EA1CA4CE755BF9B967A0C5861DE77A80962AF79C4181F42FCE09706 |
3908 | ChromeSetup.exe | C:\Program Files\GUMF503.tmp\goopdate.dll | executable | DFDC0F7FB807FAD35308E83D95EB68A6 | 39E018EBE1FAEB76D2E7E6E67354BEDA587F801D197D32938EE39BD130485CE2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3368 | svchost.exe | GET | — | 222.187.232.56:80 | http://www.taolea.top/tongji.php?os=6.1.7601&userid=hcc888&mac=5254004A04AF&ver=&xiezai=0&wb=&az=2&uid= | CN | — | — | suspicious |
— | — | HEAD | 302 | 172.217.18.110:80 | http://redirector.gvt1.com/edgedl/release2/chrome/Ep6pbjF0xlQ_71.0.3578.98/71.0.3578.98_chrome_installer.exe | US | — | — | whitelisted |
— | — | HEAD | 200 | 173.194.150.219:80 | http://r5---sn-5goeen7r.gvt1.com/edgedl/release2/chrome/Ep6pbjF0xlQ_71.0.3578.98/71.0.3578.98_chrome_installer.exe?cms_redirect=yes&mip=82.102.22.104&mm=28&mn=sn-5goeen7r&ms=nvh&mt=1547131408&mv=m&pl=24&shardbypass=yes | US | — | — | whitelisted |
2640 | down2.exe | POST | 200 | 69.30.242.179:80 | http://69.30.242.179/img/logxz.txt | US | text | 6 B | suspicious |
— | — | GET | 200 | 173.194.150.219:80 | http://r5---sn-5goeen7r.gvt1.com/edgedl/release2/chrome/Ep6pbjF0xlQ_71.0.3578.98/71.0.3578.98_chrome_installer.exe?cms_redirect=yes&mip=82.102.22.104&mm=28&mn=sn-5goeen7r&ms=nvh&mt=1547131408&mv=m&pl=24&shardbypass=yes | US | executable | 50.9 MB | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3056 | GoogleUpdate.exe | 172.217.16.131:443 | update.googleapis.com | Google Inc. | US | whitelisted |
3368 | svchost.exe | 222.187.232.56:80 | www.taolea.top | No.31,Jin-rong Street | CN | suspicious |
2652 | GoogleUpdate.exe | 172.217.16.131:443 | update.googleapis.com | Google Inc. | US | whitelisted |
— | — | 172.217.18.110:80 | redirector.gvt1.com | Google Inc. | US | whitelisted |
2640 | down2.exe | 69.30.242.179:80 | — | WholeSale Internet, Inc. | US | suspicious |
— | — | 173.194.150.219:80 | r5---sn-5goeen7r.gvt1.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.taolea.top | | suspicious |
update.googleapis.com | | whitelisted |
redirector.gvt1.com | | whitelisted |
r5---sn-5goeen7r.gvt1.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |