File name: | 2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe |
---|---|
Full analysis: | https://app.any.run/tasks/36423ab5-82b5-4a51-999d-93a0f23b6f87 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 13:50:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
MD5: | DABEA808BB91F02E158CDBCBF3E8A790 |
SHA1: | 689671AFC1EBD57F273F1773ED211D58A9793FB1 |
SHA256: | 2B64536B04F8773D80AAEF36FC7943058BDA76372C5EB3516B0107F2937CCB9E |
SSDEEP: | 1536:D+KDd7SAV2aEFwktnrs5cQWPU6MEEgBCWrgi9QPDCRiG1sVdqt:yKDd7pE+ktDqHEEgBCWE7csVs |
.exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.2) |
.exe | | | Win32 Executable (generic) (9.7) |
.exe | | | Generic Win/DOS Executable (4.3) |
.exe | | | DOS Executable Generic (4.3) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2014:05:23 07:23:53+02:00 |
PEType: | PE32 |
LinkerVersion: | 10 |
CodeSize: | 57344 |
InitializedDataSize: | 70656 |
UninitializedDataSize: | - |
EntryPoint: | 0x4e44 |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 11.0.9600.16428 |
ProductVersionNumber: | 11.0.9600.16428 |
FileFlagsMask: | 0x0000 |
FileFlags: | (none) |
FileOS: | Windows NT 32-bit |
ObjectFileType: | Dynamic link library |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Unicode |
CompanyName: | Microsoft Corporation |
FileDescription: | Internet Explorer ImpExp FF exporter |
FileVersion: | 11.00.9600.16428 (winblue_gdr.131013-1700) |
InternalName: | extexport3 |
LegalCopyright: | © Microsoft Corporation. All rights reserved. |
OriginalFileName: | extexport.exe |
ProductName: | Internet Explorer |
ProductVersion: | 11.00.9600.16428 |
OleSelfRegister: | - |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 23-May-2014 05:23:53 |
Detected languages: | |
CompanyName: | Microsoft Corporation |
FileDescription: | Internet Explorer ImpExp FF exporter |
FileVersion: | 11.00.9600.16428 (winblue_gdr.131013-1700) |
InternalName: | extexport3 |
LegalCopyright: | © Microsoft Corporation. All rights reserved. |
OriginalFilename: | extexport.exe |
ProductName: | Internet Explorer |
ProductVersion: | 11.00.9600.16428 |
OleSelfRegister: | - |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 23-May-2014 05:23:53 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0000CDAC | 0x0000CE00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.30798 |
.text2 | 0x0000E000 | 0x000010CC | 0x00001200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.83598 |
.rdata | 0x00010000 | 0x0000144C | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.97375 |
.data | 0x00012000 | 0x0000AF44 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.32017 |
.rsrc | 0x0001D000 | 0x00004398 | 0x00004400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.67288 |
.reloc | 0x00022000 | 0x00000930 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.21829 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.46266 | 964 | UNKNOWN | English - United States | RT_VERSION |
2 | 5.18457 | 4264 | UNKNOWN | English - United States | RT_ICON |
3 | 5.27865 | 1128 | UNKNOWN | English - United States | RT_ICON |
1204 | 2.45849 | 48 | UNKNOWN | English - United States | RT_GROUP_ICON |
1205 | 1.94496 | 856 | UNKNOWN | English - United States | RT_BITMAP |
IPHLPAPI.DLL |
KERNEL32.dll |
USER32.dll |
WTSAPI32.dll |
msvcrt.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3384 | "C:\Users\admin\AppData\Local\Temp\2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe" | C:\Users\admin\AppData\Local\Temp\2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer ImpExp FF exporter Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3160 | "C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe" | C:\Windows\system32\cmd.exe | | 2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3400 | C:\Users\admin\AppData\Local\Temp\2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe | C:\Users\admin\AppData\Local\Temp\2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe | | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer ImpExp FF exporter Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3624 | "C:\Windows\Installer\{EB700053-1084-1170-A3AC-E42A82A955B2}\syshost.exe" /service | C:\Windows\Installer\{EB700053-1084-1170-A3AC-E42A82A955B2}\syshost.exe | | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Internet Explorer ImpExp FF exporter Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2704 | cmd.exe /C del /Q /F "C:\Users\admin\AppData\Local\Temp\1e9e3151.tmp" | C:\Windows\system32\cmd.exe | — | 2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
284 | "C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any | C:\Windows\system32\netsh.exe | — | syshost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
324 | "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any | C:\Windows\system32\netsh.exe | — | syshost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3588 | "C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any | C:\Windows\system32\netsh.exe | — | syshost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
596 | "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=any | C:\Windows\system32\netsh.exe | — | syshost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
(PID) Process: | (3384) 2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3384) 2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3400) 2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager |
Operation: | write | Name: | PendingFileRenameOperations |
Value: \??\C:\Users\admin\AppData\Local\Temp\1e9e3151.tmp | |||
(PID) Process: | (3624) syshost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\syshost32 |
Operation: | write | Name: | ce211ab95004cc21 |
Value: BDD70FFFC063 | |||
(PID) Process: | (3624) syshost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\syshost32 |
Operation: | write | Name: | 446c07f2202edda8 |
Value: (long binary blob, omitted) | |||
(PID) Process: | (3624) syshost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\syshost32 |
Operation: | write | Name: | dd98bf0628848602 |
Value: D0DE4092422EE28ED45CCB1C | |||
(PID) Process: | (3624) syshost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\syshost32 |
Operation: | write | Name: | 3b1c8732756d6ab5 |
Value: EEF9485AEA1D78975CE852A4 | |||
(PID) Process: | (3624) syshost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\syshost32 |
Operation: | write | Name: | 133f2c218f92b391 |
Value: 99A461577AACFB1F | |||
(PID) Process: | (284) netsh.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (324) netsh.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
PID | Process | Filename | Type | |
---|---|---|---|---|
3400 | 2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe | C:\Users\admin\AppData\Local\Temp\1e9e3151.tmp | — | |
MD5:— | SHA256:— | |||
3400 | 2b64536b04f8773d80aaef36fc7943058bda76372c5eb3516b0107f2937ccb9e.exe | C:\Windows\Installer\{EB700053-1084-1170-A3AC-E42A82A955B2}\syshost.exe | executable | |
MD5:DABEA808BB91F02E158CDBCBF3E8A790 | SHA256:2B64536B04F8773D80AAEF36FC7943058BDA76372C5EB3516B0107F2937CCB9E | |||
3624 | syshost.exe | C:\Windows\TEMP\b6205b5f-4d5a-fc60-72aa-989e74800151.tmp | binary | |
MD5:9F88CFE99E5CBEB00C2A65CDBCC24A72 | SHA256:3874195165AD93D5F98D181076EB215727829D548C7AAF9D56BF7D8BA64C350B | |||
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3624 | syshost.exe | 40.112.72.205:80 | microsoft.com | Microsoft Corporation | IE | malicious |
3624 | syshost.exe | 129.70.132.37:123 | 1.pool.ntp.org | Verein zur Foerderung eines Deutschen Forschungsnetzes e.V. | DE | unknown |
3624 | syshost.exe | 129.70.132.36:123 | 0.pool.ntp.org | Verein zur Foerderung eines Deutschen Forschungsnetzes e.V. | DE | unknown |
3624 | syshost.exe | 190.78.41.33:32074 | — | CANTV Servicios, Venezuela | VE | unknown |
— | — | 76.116.128.54:16441 | — | Comcast Cable Communications, LLC | US | unknown |
— | — | 186.118.157.59:19328 | — | COLOMBIA TELECOMUNICACIONES S.A. ESP | CO | unknown |
3624 | syshost.exe | 80.151.151.109:123 | 2.pool.ntp.org | Deutsche Telekom AG | DE | unknown |
— | — | 82.231.133.185:8861 | — | Free SAS | FR | unknown |
3624 | syshost.exe | 95.77.223.105:15781 | — | Liberty Global Operations B.V. | RO | unknown |
— | — | 87.69.49.186:23874 | — | 012 Smile Communications LTD. | IL | unknown |
Domain | IP | Reputation |
---|---|---|
microsoft.com | | whitelisted |
mmlufaqrah.com | | unknown |
jwnlgvwkpfbumil.com | | unknown |
xrljmcjgggddjl.com | | unknown |
myiqpjzliawgsz.com | | unknown |
0.pool.ntp.org | | whitelisted |
1.pool.ntp.org | | whitelisted |
2.pool.ntp.org | | whitelisted |
dns.msftncsi.com | | shared |