Field | Value
---|---
File name: | ACF712SP00_60-20006190.EXE
Full analysis: | https://app.any.run/tasks/b4a7f929-b134-4027-a36d-b54405e7e893
Verdict: | Malicious activity
Analysis date: | August 13, 2019, 15:50:17
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators: | 
MIME: | application/x-dosexec
File info: | PE32 executable (GUI) Intel 80386, for MS Windows
MD5: | 3DA53DF8F5D9BC94885FC2C9647C3EDA
SHA1: | 27D4A114DB27FEA33226F246D0F5EB0037344DF4
SHA256: | 24B8BF40A93C8A29D36815EA93669BE5229FA9A5446FD4E09DB4B4B20DB13F15
SSDEEP: | 196608:ax0rzfhZFDkWO5UF7/+zq/A3xmpdZovu0KZqCfd6Pnc7eY6PgIVkNYs/QS0:aafhZFy2biqogLvZH2n9PgIVkNYo0
Extension | Description | Probability (%)
---|---|---
.exe | Win64 Executable (generic) | 64.6
.dll | Win32 Dynamic Link Library (generic) | 15.4
.exe | Win32 Executable (generic) | 10.5
.exe | Generic Win/DOS Executable | 4.6
.exe | DOS Executable Generic | 4.6
Field | Value
---|---
SpecialBuild: | Unicode Build
ProductVersion: | 9, 0, 95, 0
ProductName: | SAP Front-End Setup for the Windows(R) Environment
PrivateBuild: | -
OriginalFileName: | SapSx.exe
LegalTrademarks: | -
Copyright: | Copyright (C)2001-2017 SAP SE
LegalCopyright: | Copyright (C)2001-2017 SAP SE
InternalName: | SAP Self-Extractor
FileVersion: | 9, 0, 95, 0
FileDescription: | SAP Self-Extractor
CompanyName: | SAP SE
Comments: | -
CharacterSet: | Unicode
LanguageCode: | English (U.S.)
FileSubtype: | -
ObjectFileType: | Executable application
FileOS: | Win32
FileFlags: | (none)
FileFlagsMask: | 0x003f
ProductVersionNumber: | 9.0.95.0
FileVersionNumber: | 9.0.95.0
Subsystem: | Windows GUI
SubsystemVersion: | 6
ImageVersion: | -
OSVersion: | 6
EntryPoint: | 0x4bdb8
UninitializedDataSize: | -
InitializedDataSize: | 232960
CodeSize: | 534016
LinkerVersion: | 12
PEType: | PE32
TimeStamp: | 2018:05:22 19:11:49+02:00
MachineType: | Intel 386 or later, and compatibles
Architecture: | IMAGE_FILE_MACHINE_I386
Field | Value
---|---
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: | 22-May-2018 17:11:49
Detected languages: | 
Debug artifacts: | 
Field | Value
---|---
Magic number: | MZ
Bytes on last page of file: | 0x0090
Pages in file: | 0x0003
Relocations: | 0x0000
Size of header: | 0x0004
Min extra paragraphs: | 0x0000
Max extra paragraphs: | 0xFFFF
Initial SS value: | 0x0000
Initial SP value: | 0x00B8
Checksum: | 0x0000
Initial IP value: | 0x0000
Initial CS value: | 0x0000
Overlay number: | 0x0000
OEM identifier: | 0x0000
OEM information: | 0x0000
Address of NE header: | 0x00000108
Field | Value
---|---
Signature: | PE
Machine: | IMAGE_FILE_MACHINE_I386
Number of sections: | 6
Time date stamp: | 22-May-2018 17:11:49
Pointer to Symbol Table: | 0x00000000
Number of symbols: | 0
Size of Optional Header: | 0x00E0
Characteristics: | 
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00082558 | 0x00082600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.5234 |
.rdata | 0x00084000 | 0x0002004C | 0x00020200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.35275 |
.data | 0x000A5000 | 0x00008DC8 | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.73472 |
.tls | 0x000AE000 | 0x00000009 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x000AF000 | 0x0000CA08 | 0x0000CC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.59202 |
.reloc | 0x000BC000 | 0x00007C70 | 0x00007E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.56481 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.24837 | 948 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 4.29282 | 744 | Latin 1 / Western European | German - Germany | RT_ICON |
3 | 3.5546 | 296 | Latin 1 / Western European | German - Germany | RT_ICON |
4 | 5.98053 | 3752 | Latin 1 / Western European | German - Germany | RT_ICON |
5 | 6.1098 | 2216 | Latin 1 / Western European | German - Germany | RT_ICON |
6 | 4.08587 | 1384 | Latin 1 / Western European | German - Germany | RT_ICON |
7 | 2.12805 | 78 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 6.27499 | 3240 | Latin 1 / Western European | German - Germany | RT_ICON |
9 | 5.44703 | 1128 | Latin 1 / Western European | German - Germany | RT_ICON |
100 | 3.28591 | 376 | Latin 1 / Western European | English - United States | RT_DIALOG |
Imported library |
---|
ADVAPI32.dll |
COMCTL32.dll |
Cabinet.dll |
KERNEL32.dll |
NETAPI32.dll |
OLEAUT32.dll |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
VERSION.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3392 | "C:\Users\admin\Desktop\ACF712SP00_60-20006190.EXE" | C:\Users\admin\Desktop\ACF712SP00_60-20006190.EXE | — | explorer.exe | User: admin Company: SAP SE Integrity Level: MEDIUM Description: SAP Self-Extractor Exit code: 3221225477 Version: 9, 0, 95, 0 |
3748 | "C:\Users\admin\Desktop\ACF712SP00_60-20006190.EXE" | C:\Users\admin\Desktop\ACF712SP00_60-20006190.EXE | — | explorer.exe | User: admin Company: SAP SE Integrity Level: HIGH Description: SAP Self-Extractor Exit code: 3221225477 Version: 9, 0, 95, 0 |
3804 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\ACF712SP00_60-20006190.EXE" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 |
1876 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe13_ Global\UsGthrCtrlFltPipeMssGthrPipe13 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) |
2588 | "C:\Users\admin\Desktop\ACF712SP00_60-20006190\SetupAll.exe" | C:\Users\admin\Desktop\ACF712SP00_60-20006190\SetupAll.exe | — | explorer.exe | User: admin Company: SAP SE Integrity Level: MEDIUM Description: Proxy Application Exit code: 3221226540 Version: 2018, 0, 95, 0 |
1480 | "C:\Users\admin\Desktop\ACF712SP00_60-20006190\SetupAll.exe" | C:\Users\admin\Desktop\ACF712SP00_60-20006190\SetupAll.exe | — | explorer.exe | User: admin Company: SAP SE Integrity Level: HIGH Description: Proxy Application Exit code: 3221225477 Version: 2018, 0, 95, 0 |
128 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
400 | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | C:\Windows\System32\csrss.exe | — | — | User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Client Server Runtime Process Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
852 | C:\Windows\system32\svchost.exe -k netsvcs | C:\Windows\System32\svchost.exe | — | services.exe | User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2488 | "C:\Users\admin\Desktop\ACF712SP00_60-20006190\Setup\NwSapSetup.exe" | C:\Users\admin\Desktop\ACF712SP00_60-20006190\Setup\NwSapSetup.exe | — | explorer.exe | User: admin Company: SAP SE Integrity Level: MEDIUM Exit code: 3221226540 Version: 9, 0, 95, 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3804 | WinRAR.exe | C:\Users\admin\Desktop\ACF712SP00_60-20006190\SAP Setup Guide.pdf | | EBF3B8F6429CDADF71D3E2BD21440082 | 3FC714E6E2AE9DC6A014A8DD06E595AE9D2A0D2C57B4F5F3D2B2BC5176B06728 |
3804 | WinRAR.exe | C:\Users\admin\Desktop\ACF712SP00_60-20006190\Setup\NwSapSetupAdmin.exe | executable | 8A5A51FCA816A8138A8D7009B3E2DC5F | 73AD0CED5088A570EB3EF0CA337837B38BEADF895F69DC17202A302454049CDB |
3804 | WinRAR.exe | C:\Users\admin\Desktop\ACF712SP00_60-20006190\SetupAll.exe | executable | 078D2A97D5366EAED1A4CC1E094FF270 | 239CB89E07C4D767E09908CDF2760EED7E448AA8F856379E402609E8DF878F0A |
3804 | WinRAR.exe | C:\Users\admin\Desktop\ACF712SP00_60-20006190\Setup\NwSapSetup.exe | executable | 14E6FE62E195DF5651BABC0DC0F839E9 | 762E81CE50221766F656E444178B9F5B2DD830C58AAD5C47DE9C6C62C6C89A54 |
3804 | WinRAR.exe | C:\Users\admin\Desktop\ACF712SP00_60-20006190\Setup\DotNetUtils40.exe | executable | 06BB578BACDCC2FFF354432228DF1775 | 3BB9F6C31B715B2B719265E0911228D412D9814B07BF462BAB16BE41F5ED769B |
3804 | WinRAR.exe | C:\Users\admin\Desktop\ACF712SP00_60-20006190\Setup\NwSapFeiLg.dll | executable | 4BF67316028CFE9082389C90189BD2D3 | 14B58C141D71303F85419928472076F286F0273D4505C111C228B87E98330591 |
852 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | 12B7DAAEAC62822D64B1DC9CF00A1959 | D0B7F56E9304F87E9F14ABF6C9D4349A9778C2FA788DA8B62B5D31C286CA87A1 |
3804 | WinRAR.exe | C:\Users\admin\Desktop\ACF712SP00_60-20006190\Setup\NwCreateInstServer.exe | executable | BAC0378C74611D91F04DBC57CF40DCEE | D58ED942AAE13D5DAEACB432CC1AA2651BF1DC2646C04FFDAC6D84B37BE5C02E |
3804 | WinRAR.exe | C:\Users\admin\Desktop\ACF712SP00_60-20006190\Setup\Interop.NwSapAdminEngineLib.dll | executable | 7ABACB8E62489AFFBA4BFDD7163E5A23 | FD468DAA416E71AEEDEC9FA4A8A4E6B7E3BCD44BA137F4183A35AAED937BD0BB |
3804 | WinRAR.exe | C:\Users\admin\Desktop\ACF712SP00_60-20006190\Setup\NwSapFeiUt.dll | executable | D9887AE35AAEC9DEF912722AC3D329D2 | 15E973DF1A559BA513ECFCFC27E32F73D0035AFC0D1A5891A6EF46BD5DC0577C |
Process | Message |
---|---|
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |