File name: | sample.exe |
Full analysis: | https://app.any.run/tasks/f15b633d-3117-4d28-bb7d-f7f25407d941 |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 10:42:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | A29C9F523B47027FB97190B908C18979 |
SHA1: | 203CA880EFA5E1C883F37AD56A4B0E832B813A15 |
SHA256: | 25CEEAED228C2D7C08BAD41362AD6619C243324AD8A0E05C75D3672E96373BED |
SSDEEP: | 49152:QS3LOzY7exX2IFqucmyChAgZmY+jsCt8cv1XuYyU7rhTqr6iZVQA:QS3qvxXvgucmTegr+bcO |
Extension | Detection (match score)
---|---
.exe | Win32 EXE PECompact compressed (generic) (53.4)
.exe | Win64 Executable (generic) (35.5)
.exe | Win32 Executable (generic) (5.8)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

ProductVersion: | 5.1.0.194 |
ProductName: | sputnik |
OriginalFileName: | sputnik.exe |
LegalCopyright: | Copyright c 2005 - 2015 |
InternalName: | sputnik |
FileVersion: | 5.1.0.194 |
FileDescription: | sputnik |
CharacterSet: | Windows, Cyrillic |
LanguageCode: | Russian |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 5.1.0.194 |
FileVersionNumber: | 5.1.0.194 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x118241 |
UninitializedDataSize: | - |
InitializedDataSize: | 452096 |
CodeSize: | 1660416 |
LinkerVersion: | 14.12 |
PEType: | PE32 |
TimeStamp: | 2019:02:22 09:36:08+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |

Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 22-Feb-2019 08:36:08 |
Detected languages: | |
TLS Callbacks: | 1 callback(s) detected. |
Debug artifacts: | |
FileDescription: | sputnik |
FileVersion: | 5.1.0.194 |
InternalName: | sputnik |
LegalCopyright: | Copyright c 2005 - 2015 |
OriginalFilename: | sputnik.exe |
ProductName: | sputnik |
ProductVersion: | 5.1.0.194 |

Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000120 |

Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 22-Feb-2019 08:36:08 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x001955B3 | 0x00195600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.65676 |
.rdata | 0x00197000 | 0x0004B8FC | 0x0004BA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04915 |
.data | 0x001E3000 | 0x0000A888 | 0x00008E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.97286 |
.rsrc | 0x001EE000 | 0x000055E0 | 0x00005600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.86905 |
.reloc | 0x001F4000 | 0x00012AE4 | 0x00012C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.588 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.12107 | 796 | UNKNOWN | English - United States | RT_MANIFEST |
GO_MAIL_RU_ICO | 7.98034 | 10132 | UNKNOWN | Russian - Russia | BIN |
GO_MAIL_RU_PNG | 7.53676 | 815 | UNKNOWN | Russian - Russia | BIN |
MAIL_RU_ICO | 7.97151 | 8319 | UNKNOWN | Russian - Russia | BIN |
MAIL_RU_PNG | 7.52939 | 783 | UNKNOWN | Russian - Russia | BIN |
ADVAPI32.dll |
CRYPT32.dll |
KERNEL32.dll |
OLEAUT32.dll |
PSAPI.DLL |
SHELL32.dll |
USER32.dll |
VERSION.dll |
WINHTTP.dll |
WTSAPI32.dll |
PID | CMD | Path | Indicators | Parent process | User | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---
2448 | "C:\Users\admin\AppData\Local\Temp\sample.exe" | C:\Users\admin\AppData\Local\Temp\sample.exe | — | explorer.exe | admin | MEDIUM | sputnik | 0 | 5.1.0.194
2688 | "C:\Users\admin\AppData\Local\Temp\sample.exe" --elevation | C:\Users\admin\AppData\Local\Temp\sample.exe | — | sample.exe | admin | HIGH | sputnik | — | 5.1.0.194
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2688 | sample.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | — | —
2688 | sample.exe | C:\Users\admin\AppData\Local\Temp\4175-7e29-6bb1-4219\MailRu.ico | — | — | —
2688 | sample.exe | C:\Users\admin\AppData\Local\Temp\117c-8a97-0caa-d222\GoMailRu.ico | — | — | —
2688 | sample.exe | C:\ProgramData\Mail.Ru\Id | text | 2A5F5EE021D8C5E82849BA1A76A6DD15 | 706E95DC473F3EFD4567E66794DCAB0D3428C5B9B2297A2609A65B0B0A541F9F
2688 | sample.exe | C:\Users\admin\AppData\Local\Mail.Ru\Tmp\DeferredTasks\metadata | binary | 123728C745374CA4516EE424E61C74C6 | 0D19176A0DCCF5018F7B3170E5BD2387E47FBF326246260161B0E6205BCC1A2B
2688 | sample.exe | C:\Users\admin\Favorites\Искать в Интернете.url | text | EB08378217B4A9D27F46FA00527D778B | B0C3586271724BE93C4BA4AF3D9A7DF05462F76B603DD7EF7E5BA4448BB7C244
2688 | sample.exe | C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mail.Ru.lnk | lnk | 85B59880C49352B02E6FD0B15A2E272C | 653B7C200485DBBCAEA23D2D3A62335E374A679C7C8D9DC2B0251C896B74EFD5
2688 | sample.exe | C:\Users\admin\AppData\Local\Mail.Ru\Sputnik\MailRu.ico | image | 1B8FB79AAA423BE16049803FD901B79D | 7F9C40702936F23F24828FB0B49EDD70534F617BFADAC2854061620D6DD435D2
2688 | sample.exe | C:\Users\admin\Desktop\Искать в Интернете.url | text | EAA4AE3F04FD33F17CA945431D639099 | 8C1F09710F5AA6E6A82433F12FE1854C2E64A9A07ED9D5F32E1DB8AE43ACC202
2688 | sample.exe | C:\Users\admin\AppData\Local\Mail.Ru\Tmp\DeferredTasks\{ED89690A-8CF7-47DA-9384-7A89BC7967C1}_c | binary | B5232444AC326CF3F81FF61B62F087CB | B98322A0D14AA176D33FA8CDD214A873625BAF076CF989A2E5083B83CE960012
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | — | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_gomailru&event=done&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules= | RU | — | — | suspicious |
— | — | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=fav_gomailru&event=done&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules= | RU | — | — | suspicious |
2688 | sample.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=spparams&raw=--elevation&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules= | RU | — | — | suspicious |
2688 | sample.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=install&bgn=1&standalone=1&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules= | RU | — | — | suspicious |
2688 | sample.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=taskbar_mailru&event=done&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules= | RU | — | — | suspicious |
— | — | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_mailru&event=done&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules= | RU | — | — | suspicious |
— | — | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=desktop_mailru&event=done&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules= | RU | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 94.100.180.110:443 | mailruupdater.cdnmail.ru | Limited liability company Mail.Ru | RU | suspicious |
— | — | 217.69.139.245:443 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious |
2688 | sample.exe | 217.69.139.247:443 | xmlbinupdate.mail.ru | Limited liability company Mail.Ru | RU | malicious |
2688 | sample.exe | 217.69.139.122:443 | conserv.go.mail.ru | Limited liability company Mail.Ru | RU | unknown |
— | — | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious |
2688 | sample.exe | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious |
2688 | sample.exe | 94.100.180.110:443 | mailruupdater.cdnmail.ru | Limited liability company Mail.Ru | RU | suspicious |
Domain | IP | Reputation
---|---|---
xmlbinupdate.mail.ru | — | shared
dns.msftncsi.com | — | shared
conserv.go.mail.ru | — | unknown
mrds.mail.ru | — | suspicious
mailruupdater.cdnmail.ru | — | unknown
xtnmailru.cdnmail.ru | — | unknown