download: | test_1.exe |
Full analysis: | https://app.any.run/tasks/fc746cc2-d498-4fbb-8cf7-c651ca57a913 |
Verdict: | Malicious activity |
Analysis date: | April 14, 2019, 17:12:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | E8384F60317577023D433889A9ADC8D0 |
SHA1: | 386D4C16180EC1AD2B44961ECA39583D7470446A |
SHA256: | 25C8FA1B83F4E25A7BCDB5C038CE2E937AE24FF46EAE52AC47AAD094FE9E580E |
SSDEEP: | 12288:gj5VhCLTfKQwDvD5Q9kS+40fyESCp+gvOyWsg14WwZBA/q7fwAyn:M50KQoekU06dCp+g2yWsq1OIq7fTyn |
Extension | Identified type (confidence %) |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (67.4) |
.dll | Win32 Dynamic Link Library (generic) (14.2) |
.exe | Win32 Executable (generic) (9.7) |
.exe | Generic Win/DOS Executable (4.3) |
.exe | DOS Executable Generic (4.3) |
SquirrelAwareVersion: | 1 |
---|---|
OriginalFileName: | electron.exe |
LegalCopyright: | Copyright (c) 2015-2019 Exodus Movement, Inc. |
InternalName: | electron.exe |
FileVersion: | 19.3.31.0 |
FileDescription: | Exodus |
CompanyName: | Exodus Movement Inc |
CharacterSet: | Windows, Latin1 |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 19.3.31.0 |
FileVersionNumber: | 19.3.31.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x320c |
UninitializedDataSize: | 1024 |
InitializedDataSize: | 162816 |
CodeSize: | 25600 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2018:12:15 23:24:41+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 15-Dec-2018 22:24:41 |
Detected languages: | |
CompanyName: | Exodus Movement Inc |
FileDescription: | Exodus |
FileVersion: | 19.3.31.0 |
InternalName: | electron.exe |
LegalCopyright: | Copyright (c) 2015-2019 Exodus Movement, Inc. |
OriginalFilename: | electron.exe |
SquirrelAwareVersion: | 1 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 15-Dec-2018 22:24:41 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0000628F | 0x00006400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44221 |
.rdata | 0x00008000 | 0x0000135C | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.24004 |
.data | 0x0000A000 | 0x00025518 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.04938 |
.ndata | 0x00030000 | 0x00008000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00038000 | 0x00000EC8 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.03098 |
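The section table above is the kind of thing a triager reads by hand; the following is an added example (not ANY.RUN's code) of walking it programmatically and applying two common sanity checks: a section with no bytes on disk but a large in-memory reservation (the NSIS `.ndata` pattern) and a section whose virtual size dwarfs its raw size. Because it has to run offline, `build_sample()` constructs a synthetic header in memory from the values on this page (e_lfanew 0xD8, 5 sections, optional header 0xE0 bytes, the 15-Dec-2018 22:24:41 UTC timestamp and the five section rows); the COFF characteristics are left zero and raw-data pointers are laid out sequentially from 0x400 because the report does not list them. `parse_sections()` works the same way on real file bytes.

```python
"""Minimal PE section-table walker (added example, not ANY.RUN's code)."""
import struct
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes):
    """Return (utc timestamp string, [section dicts]) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # DOS header e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _machine, nsect, tstamp, _symtab, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 4 + 20 + opt_size                      # section headers follow the optional header
    sections = []
    for i in range(nsect):
        # IMAGE_SECTION_HEADER is 40 bytes: Name(8), VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations(2),
        # NumberOfLinenumbers(2), Characteristics
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sect_off + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
                         "rptr": rptr, "flags": flags})
    ts = datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return ts, sections


def flag_sections(sections):
    """Triage heuristics over a section table; returns [(name, reason)]."""
    findings = []
    for s in sections:
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append((s["name"], "writable and executable"))
        if s["rsize"] == 0 and s["vsize"] > 0:
            # nothing on disk, memory reserved at load: NSIS stubs use .ndata this way
            findings.append((s["name"], "no raw bytes, %#x bytes reserved at load" % s["vsize"]))
        elif s["vsize"] > 4 * s["rsize"]:
            findings.append((s["name"], "virtual size %#x far exceeds raw size %#x"
                             % (s["vsize"], s["rsize"])))
    return findings


def build_sample() -> bytes:
    """Synthetic image constructed from the report: DOS header, PE header, five section headers."""
    e_lfanew, opt_size = 0xD8, 0xE0
    hdr = bytearray(e_lfanew)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    # Machine 0x14C (i386), 5 sections, 2018-12-15 22:24:41 UTC; characteristics left 0 (not in report)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 5, 1544912681, 0, 0, opt_size, 0)
    hdr += bytes(opt_size)                                        # optional header body not needed here
    R, W, X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
    rows = [  # name, VirtualAddress, VirtualSize, RawSize, flags: the section table above
        (b".text",  0x1000,  0x628F,  0x6400, IMAGE_SCN_CNT_CODE | X | R),
        (b".rdata", 0x8000,  0x135C,  0x1400, IMAGE_SCN_CNT_INITIALIZED_DATA | R),
        (b".data",  0xA000,  0x25518, 0x600,  IMAGE_SCN_CNT_INITIALIZED_DATA | R | W),
        (b".ndata", 0x30000, 0x8000,  0x0,    IMAGE_SCN_CNT_UNINITIALIZED_DATA | R | W),
        (b".rsrc",  0x38000, 0xEC8,   0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | R),
    ]
    rptr = 0x400                                                  # assumed raw layout, sequential
    for name, vaddr, vsize, rsize, flags in rows:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize,
                           rptr if rsize else 0, 0, 0, 0, 0, flags)
        rptr += rsize
    return bytes(hdr)


if __name__ == "__main__":
    stamp, secs = parse_sections(build_sample())
    print("compiled:", stamp)
    for s in secs:
        print("%-7s va=%#07x vsize=%#07x raw=%#06x flags=%#010x" % (
            s["name"], s["vaddr"], s["vsize"], s["rsize"], s["flags"]))
    for name, why in flag_sections(secs):
        print("flag:", name, why)
```

On the values from this page the walker reproduces the compile time in the PE header block and flags `.data` (0x25518 virtual against 0x600 raw) and `.ndata` (0x8000 reserved, nothing on disk), which together with the "Nullsoft Installer self-extracting archive" file type is consistent with an NSIS stub carrying its payload as an overlay rather than in a section.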
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.2992 | 830 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 2.32506 | 296 | UNKNOWN | English - United States | RT_ICON |
103 | 2.37086 | 34 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.88094 | 284 | UNKNOWN | English - United States | RT_DIALOG |
111 | 2.48825 | 96 | UNKNOWN | English - United States | RT_DIALOG |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3072 | "C:\Users\admin\AppData\Local\Temp\test_1.exe" | C:\Users\admin\AppData\Local\Temp\test_1.exe | — | explorer.exe | User: admin; Company: Exodus Movement Inc; Integrity Level: MEDIUM; Description: Exodus; Exit code: 0; Version: 19.3.31.0 |
2328 | "C:\Users\admin\AppData\Roaming\Uigoigoiugoi.exe" -s -p3d34fd23rf3q4rfv | C:\Users\admin\AppData\Roaming\Uigoigoiugoi.exe | — | test_1.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
4052 | "C:\Users\admin\AppData\Roaming\File2.exe" | C:\Users\admin\AppData\Roaming\File2.exe | — | Uigoigoiugoi.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2184 | "C:\Users\admin\AppData\Roaming\Flle2.exe" | C:\Users\admin\AppData\Roaming\Flle2.exe | — | Uigoigoiugoi.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
252 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2408 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3108 | auto_proc32 | C:\Windows\system32\svchost.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Host Process for Windows Services; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
252 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\topinstallation.png (2).lnk | lnk | 6E5C4805CD95E8F4B9573FE3D2D5B5A6 | DE911547A33455D3BEE1A717E27FB33BA281DF9B07F59E847B23CF17F6E586C2 |
2328 | Uigoigoiugoi.exe | C:\Users\admin\AppData\Roaming\File2.exe | executable | 3640DFE5D63BC76C2B723CA6C2CC64F2 | EF4725731521A20400DB937314D683D9342F4F13522E6A65B2619C4B9413BFBF |
3072 | test_1.exe | C:\Users\admin\AppData\Roaming\Uigoigoiugoi.exe | executable | A41826CCA93EA37AABE58DEAC6A87B77 | E1D03D4B8B1DB695F485334F64EC3A7D8BA8757D53D2B2F6EB762C87AD8A101A |
2328 | Uigoigoiugoi.exe | C:\Users\admin\AppData\Roaming\Flle2.exe | executable | 2BB1A6245E3E6D953C06B814CD463582 | 81D63855B1A2659BFC9EDB772C22BD8DDE6BEBC4D55EEBE6E142EED252A54C27 |
252 | explorer.exe | C:\ProgramData\Time Manager\auto_proc32 | binary | 0781CB08A10AD7AEA61CD12CE79A7CD3 | 5C1CD2032A19779EF1DAE422658DC1FA1A8F979369DEC12D9E018D2F846A1DA9 |
252 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | 8911A62C4D5EE7308B77E9DF6C16C94F | 3D6F0A6320C1ACCAF162F6AF8E8A67B5CDB7035BEE120D331F63D29192F0C257 |
252 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019041420190415\index.dat | dat | 03956EC725121885B4F5551418A93766 | 51EA79F3875A9FE65E1300605AA2347357457CFA449A058367DF51A9FE440236 |
252 | explorer.exe | C:\ProgramData\TimeManager.exe | executable | 16FDB6D44F16D0FD51BD06CB070C16DD | F673F77C89029CBC994B094A49BBD0B60D34D3BE03DE27081F5BA932576ED557 |
4052 | File2.exe | C:\Users\admin\AppData\Local\Temp\system.exe | executable | 806779989C6EA355A1ABF4F6C7CB646C | 126395638DE030E60D4A3A5CF7A8F8B664AAC9CA37DC9A766182F8DFD5228FE4 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
252 | explorer.exe | 178.21.11.90:25998 | — | Domain names registrar REG.RU, Ltd | RU | malicious |
3108 | svchost.exe | 89.108.99.143:60323 | — | Domain names registrar REG.RU, Ltd | RU | suspicious |
252 | explorer.exe | 178.21.11.90:31258 | — | Domain names registrar REG.RU, Ltd | RU | malicious |
Domain | IP | Reputation |
---|---|---|
google-public-dns-b.google.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan:Win32/Azden.A!cl |
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan:Win32/Azden.A!cl |
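Read together, the process, file and network tables above describe a chain that a detection engineer would want as rules rather than as a one-off read: an `svchost.exe` instance whose command line is `auto_proc32` and whose parent is `explorer.exe`; `explorer.exe` itself writing `TimeManager.exe` and `auto_proc32` into `C:\ProgramData` and then talking to 178.21.11.90 on high ports; and two near-identical dropper names, `File2.exe` and `Flle2.exe`, in the same Roaming directory. The following is an added example (not ANY.RUN's code) that encodes those checks and runs them over records transcribed from this page; the rule thresholds (edit distance 1, the port allow-list, which directories count as user-writable) are this example's own assumptions.

```python
"""Behavioural triage rules over the tables in the report above (added example, not ANY.RUN's code)."""
import ntpath
from collections import namedtuple

Proc = namedtuple("Proc", "pid cmd path parent")          # parent: image name, "" if not shown
FileEvent = namedtuple("FileEvent", "pid process path kind")
NetEvent = namedtuple("NetEvent", "pid process ip port reputation")

# Records transcribed from the process, file and network tables on this page.
PROCS = [
    Proc(3072, r'"C:\Users\admin\AppData\Local\Temp\test_1.exe"', r"C:\Users\admin\AppData\Local\Temp\test_1.exe", "explorer.exe"),
    Proc(2328, r'"C:\Users\admin\AppData\Roaming\Uigoigoiugoi.exe" -s -p3d34fd23rf3q4rfv', r"C:\Users\admin\AppData\Roaming\Uigoigoiugoi.exe", "test_1.exe"),
    Proc(4052, r'"C:\Users\admin\AppData\Roaming\File2.exe"', r"C:\Users\admin\AppData\Roaming\File2.exe", "Uigoigoiugoi.exe"),
    Proc(2184, r'"C:\Users\admin\AppData\Roaming\Flle2.exe"', r"C:\Users\admin\AppData\Roaming\Flle2.exe", "Uigoigoiugoi.exe"),
    Proc(252, r"C:\Windows\Explorer.EXE", r"C:\Windows\explorer.exe", ""),
    Proc(2408, r"C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}", r"C:\Windows\system32\DllHost.exe", "svchost.exe"),
    Proc(3108, "auto_proc32", r"C:\Windows\system32\svchost.exe", "explorer.exe"),
]
FILES = [
    FileEvent(2328, "Uigoigoiugoi.exe", r"C:\Users\admin\AppData\Roaming\File2.exe", "executable"),
    FileEvent(3072, "test_1.exe", r"C:\Users\admin\AppData\Roaming\Uigoigoiugoi.exe", "executable"),
    FileEvent(2328, "Uigoigoiugoi.exe", r"C:\Users\admin\AppData\Roaming\Flle2.exe", "executable"),
    FileEvent(252, "explorer.exe", r"C:\ProgramData\Time Manager\auto_proc32", "binary"),
    FileEvent(252, "explorer.exe", r"C:\ProgramData\TimeManager.exe", "executable"),
    FileEvent(4052, "File2.exe", r"C:\Users\admin\AppData\Local\Temp\system.exe", "executable"),
]
NET = [
    NetEvent(252, "explorer.exe", "178.21.11.90", 25998, "malicious"),
    NetEvent(3108, "svchost.exe", "89.108.99.143", 60323, "suspicious"),
    NetEvent(252, "explorer.exe", "178.21.11.90", 31258, "malicious"),
]


def rogue_svchost(procs):
    """svchost.exe is normally started by services.exe with a command line naming its own image.
    A svchost whose command line is something else, or whose parent is not services.exe,
    points at injection or hollowing. Returns the offending PIDs."""
    return [p.pid for p in procs
            if ntpath.basename(p.path).lower() == "svchost.exe"
            and (p.parent.lower() != "services.exe" or "svchost" not in p.cmd.lower())]


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_drops(files, max_dist=1):
    """Executables dropped into the same directory with names one edit apart (File2.exe / Flle2.exe)."""
    paths = [f.path for f in files if f.kind == "executable"]
    pairs = []
    for i, a in enumerate(paths):
        for b in paths[i + 1:]:
            (da, na), (db, nb) = ntpath.split(a), ntpath.split(b)
            if da.lower() == db.lower() and 0 < edit_distance(na.lower(), nb.lower()) <= max_dist:
                pairs.append((na, nb))
    return pairs


USER_WRITABLE = (r"c:\programdata", r"\appdata\roaming", r"\appdata\local\temp")  # assumed list


def shell_drops_binaries(files):
    """explorer.exe writing executables into ProgramData/AppData is not shell behaviour on its own;
    here it matches an injected explorer. Returns the dropped paths, sorted."""
    return sorted({f.path for f in files
                   if f.process.lower() == "explorer.exe" and f.kind in ("executable", "binary")
                   and any(k in f.path.lower() for k in USER_WRITABLE)})


def shell_or_service_egress(net, ports_ok=(53, 80, 443)):
    """explorer.exe or svchost.exe reaching raw IPs on ports outside the allow-list; no DNS
    resolution for these addresses appears in the report. Returns (process, ip, port)."""
    return [(n.process, n.ip, n.port) for n in net
            if n.process.lower() in ("explorer.exe", "svchost.exe") and n.port not in ports_ok]


def triage(procs=PROCS, files=FILES, net=NET):
    """All rules at once; each value is empty when the rule does not fire."""
    return {"rogue_svchost": rogue_svchost(procs), "lookalike_drops": lookalike_drops(files),
            "shell_drops": shell_drops_binaries(files), "egress": shell_or_service_egress(net)}


if __name__ == "__main__":
    for rule, hits in triage().items():
        print(rule, hits)
```

The `rogue_svchost` rule is the one most worth carrying into production telemetry (Sysmon event 1 or equivalent), since a legitimate `svchost.exe` always carries `-k <group>` on its command line and descends from `services.exe`; the lookalike-name and shell-drop rules are noisier and better suited to hunting queries than to alerting.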