Field | Value |
---|---|
Download | APN7IobBS_19.exe |
Full analysis | https://app.any.run/tasks/743cfc1a-500c-429c-89c0-c20176da4944 |
Verdict | Malicious activity |
Analysis date | April 25, 2019, 15:06:50 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 0AEDA6BD816B213C13B065825B8668B2 |
SHA1 | A12D158163BFC2FBC39826C996E5C5BF6E4FF0EC |
SHA256 | 2E28A018E975EF454C92BF024F5460CFC441951510798894EB02C824FAAB5C37 |
SSDEEP | 196608:DAQut9G96xXBsGA31XTHnWuiX5Tr5XYAKd:BuOiXcC5xkd |
Extension | Detected type (score) |
---|---|
.exe | Win64 Executable (generic) (76.4) |
.exe | Win32 Executable (generic) (12.4) |
.exe | Generic Win/DOS Executable (5.5) |
.exe | DOS Executable Generic (5.5) |
Field | Value |
---|---|
MachineType | Intel 386 or later, and compatibles |
TimeStamp | 2017:08:11 15:54:06+02:00 |
PEType | PE32 |
LinkerVersion | 14 |
CodeSize | 188928 |
InitializedDataSize | 632320 |
UninitializedDataSize | - |
EntryPoint | 0x1cec9 |
OSVersion | 5.1 |
ImageVersion | - |
SubsystemVersion | 5.1 |
Subsystem | Windows GUI |
FileVersionNumber | 73.0.3683.86 |
ProductVersionNumber | 73.0.3683.86 |
FileFlagsMask | 0x003f |
FileFlags | (none) |
FileOS | Win32 |
ObjectFileType | Executable application |
FileSubtype | - |
LanguageCode | English (U.S.) |
CharacterSet | Unicode |
CompanyName | Google Inc. |
FileDescription | Google Chrome |
FileVersion | 73.0.3683.86 |
InternalName | chrome_exe |
LegalCopyright | Copyright 2018 Google Inc. All rights reserved. |
OriginalFileName | chrome.exe |
ProductName | Google Chrome |
ProductVersion | 73.0.3683.86 |
CompanyShortName | |
ProductShortName | Chrome |
LastChange | f9b0bec6063ea50ce2b71f5b9abbae7beee319a6-refs/branch-heads/3683@{#858} |
OfficialBuild | 1 |
Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 11-Aug-2017 13:54:06 |
Detected languages | |
Debug artifacts | |
CompanyName | Google Inc. |
FileDescription | Google Chrome |
FileVersion | 73.0.3683.86 |
InternalName | chrome_exe |
LegalCopyright | Copyright 2018 Google Inc. All rights reserved. |
OriginalFilename | chrome.exe |
ProductName | Google Chrome |
ProductVersion | 73.0.3683.86 |
CompanyShortName | |
ProductShortName | Chrome |
LastChange | f9b0bec6063ea50ce2b71f5b9abbae7beee319a6-refs/branch-heads/3683@{#858} |
Official Build | 1 |
Field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x00000108 |
Field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 6 |
Time date stamp | 11-Aug-2017 13:54:06 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0002E1CB | 0x0002E200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.69427 |
.rdata | 0x00030000 | 0x000098A0 | 0x00009A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.12106 |
.data | 0x0003A000 | 0x0001F290 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.23719 |
.gfids | 0x0005A000 | 0x000000E8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.05507 |
.rsrc | 0x0005B000 | 0x0008DCD3 | 0x0008DE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.54649 |
.reloc | 0x000E9000 | 0x00001F58 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.62297 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.25329 | 1875 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
2 | 3.88998 | 1384 | Latin 1 / Western European | UNKNOWN | RT_ICON |
3 | 4.12176 | 744 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 4.68705 | 2216 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 2.74998 | 41064 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 3.31136 | 1640 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 3.66634 | 508 | Latin 1 / Western European | UNKNOWN | RT_STRING |
8 | 3.71728 | 582 | Latin 1 / Western European | UNKNOWN | RT_STRING |
9 | 3.74776 | 476 | Latin 1 / Western European | UNKNOWN | RT_STRING |
10 | 3.55807 | 220 | Latin 1 / Western European | UNKNOWN | RT_STRING |
Import |
---|
KERNEL32.dll |
USER32.dll (delay-loaded) |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3260 | "C:\Users\admin\AppData\Local\Temp\APN7IobBS_19.exe" | C:\Users\admin\AppData\Local\Temp\APN7IobBS_19.exe | | explorer.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 73.0.3683.86 |
3224 | "C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe" -pLfd435fdWe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe | | APN7IobBS_19.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
932 | "C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe" | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe | | WinSupport.exe | User: admin; Company: NetSupport Ltd; Integrity Level: MEDIUM; Description: NetSupport Client Application; Version: V12.10 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3224 | WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\clhook4.dll | executable | 6F787B2A2930EF76C468EE410ADC86A3 | 47E7C7C11B8A8FAB19F4F30C2F023B741E6057190B80A928E48D37AF0E08AD16 |
3224 | WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.ini | text | 182318FA51DB5DAA7008F8ED91F3FDA9 | 00C60D416C139F841E1BE8A1F5469C7747A62A78CCAC4AFF82B4B9EE4B2BEF33 |
3224 | WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\CryptPak.dll | executable | 92FD46BD92D218EE3F1E800C1C5DAEF8 | 7E6616F762AB9F9850090D1C89507D2851222CFA1FF66982F84AC214C6FDE570 |
3224 | WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\gdihook5.sys | executable | 85ED5E4FA9A8B4776FA82B8BEF5F2791 | 044F4A62B98A132DE1F752FB33D654640D09221E74EBE1C062E6A276D22E5B69 |
3224 | WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\DBI.EXE | executable | 5D64121AB6415EC11EFFBD6D6761D46A | 689FACAF0E03034C42BE4A4473E806BCD5272A40D7CF4E8B09083FFF8744F278 |
3224 | WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA1.DLL | executable | 591D271DA2B308CC83F06A3FC3CD0CC5 | 41ED0449F1D00FDCF0ED749437BD273610FFFCAA34D7F51AAB7542677C8E4A6C |
3224 | WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\IPBR32.DLL | executable | 7597D4434EDA66A2D118279CCA71881E | 46AAB21E20C6D2B2BEF9BAF26EA746186F5A5894CAE04A2C0ED56160EF6874EE |
3224 | WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\gdihook5.dll | executable | 367A4E8F632F0F1D05B8AB9922DAB331 | 8423C1BE72387638C0143B8BC0EDC91A9F4AD7262AF8BAEC1C2464EC45BE98A0 |
3260 | APN7IobBS_19.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe | executable | E005B19C48B9EA71303611636BF73738 | AEB2520197D1B899F1F2CAB3081119936D7E3D88B8241F2F96F9B2508FA028C7 |
3224 | WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\IPCTL32.DLL | executable | 67184A4406F5ECB71C21583987038708 | E70CB83658B4FB9F7266CCF528219C835F0EFBE5E06872D4F5FAD8CD496B71F2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
932 | client32.exe | POST | — | 5.45.73.63:4151 | http://5.45.73.63/fakeurl.htm | NL | — | — | suspicious |
932 | client32.exe | POST | — | 5.45.73.63:4151 | http://5.45.73.63/fakeurl.htm | NL | — | — | suspicious |
932 | client32.exe | POST | 200 | 5.45.73.63:4151 | http://5.45.73.63/fakeurl.htm | NL | binary | 152 b | suspicious |
932 | client32.exe | POST | 200 | 5.45.73.63:4151 | http://5.45.73.63/fakeurl.htm | NL | binary | 61 b | suspicious |
932 | client32.exe | GET | 400 | 62.172.138.35:80 | http://geo.netsupportsoftware.com/location/loca.asp | GB | text | 39 b | suspicious |
932 | client32.exe | GET | 400 | 62.172.138.35:80 | http://geo.netsupportsoftware.com/location/loca.asp | GB | text | 39 b | suspicious |
932 | client32.exe | GET | 400 | 62.172.138.35:80 | http://geo.netsupportsoftware.com/location/loca.asp | GB | text | 39 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
932 | client32.exe | 62.172.138.35:80 | geo.netsupportsoftware.com | British Telecommunications PLC | GB | suspicious |
932 | client32.exe | 5.45.73.63:4151 | — | Serverius Holding B.V. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
geo.netsupportsoftware.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
932 | client32.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] NetSupport Remote Admin |
932 | client32.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] NetSupport Remote Admin |
932 | client32.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] NetSupport Remote Admin |