| File name: | finish.exe |
| Full analysis: | https://app.any.run/tasks/7d15f915-0b02-4466-b6c5-302c83d00565 |
| Verdict: | Malicious activity |
| Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
| Analysis date: | February 11, 2019, 12:21:33 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | F3785C36761BA6583A5F36D60C9D13E5 |
| SHA1: | 7CCD94137ED403656D711437187E8C085FF345B9 |
| SHA256: | 35DE0CE1AE8A131E40590823ABC8D597DF5620AC0C63BB3AA4FABEC50CA31932 |
| SSDEEP: | 49152:4h+ZkldoPK8Ya0Dh0H/9QiozzEXY75ka8R0gh2yNm7DM+DMdk9hC7KKALOonCvf:52cPK8UCQiel8R2HXMsMqy7KKALMX |
MALICIOUS
Application was dropped or rewritten from another process
- build__Protected.exe (PID: 3564)
- build_startup_Protected.exe (PID: 2712)
- PCHunter32.exe (PID: 960)
- PCHunter32.exe (PID: 3252)
DARKVNC was detected
- svchost.exe (PID: 2384)
- svchost.exe (PID: 2208)
Connects to CnC server
- svchost.exe (PID: 2208)
- svchost.exe (PID: 2384)
Changes the autorun value in the registry
- dllhost.exe (PID: 4020)
Uses SVCHOST.EXE for hidden code execution
- dllhost.exe (PID: 4020)
- dllhost.exe (PID: 1668)
SUSPICIOUS
Creates files in the user directory
- finish.exe (PID: 3736)
Executable content was dropped or overwritten
- finish.exe (PID: 3736)
- WinRAR.exe (PID: 2168)
Creates or modifies windows services
- PCHunter32.exe (PID: 3252)
Low-level read access rights to disk partition
- PCHunter32.exe (PID: 3252)
INFO
Reads settings of System Certificates
- chrome.exe (PID: 3652)
Application launched itself
- chrome.exe (PID: 3652)
Reads Internet Cache Settings
- chrome.exe (PID: 3652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2019:01:22 13:20:33+01:00 |
| PEType: | PE32 |
| LinkerVersion: | 12 |
| CodeSize: | 581632 |
| InitializedDataSize: | 2825216 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2800a |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (British) |
| CharacterSet: | Unicode |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 22-Jan-2019 12:20:33 |
| Detected languages: |
|
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000110 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 5 |
| Time date stamp: | 22-Jan-2019 12:20:33 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x0008DFDD | 0x0008E000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.67525 |
.rdata | 0x0008F000 | 0x0002FD8E | 0x0002FE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.76324 |
.data | 0x000BF000 | 0x00008F74 | 0x00005200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.19638 |
.rsrc | 0x000C8000 | 0x002758E4 | 0x00275A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.96696 |
.reloc | 0x0033E000 | 0x00007134 | 0x00007200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.78396 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 5.40026 | 1007 | Latin 1 / Western European | English - United Kingdom | RT_MANIFEST |
2 | 7.92501 | 10215 | Latin 1 / Western European | English - United Kingdom | RT_ICON |
3 | 4.31783 | 67624 | Latin 1 / Western European | English - United Kingdom | RT_ICON |
4 | 4.47076 | 16936 | Latin 1 / Western European | English - United Kingdom | RT_ICON |
5 | 4.77183 | 9640 | Latin 1 / Western European | English - United Kingdom | RT_ICON |
6 | 4.74697 | 4264 | Latin 1 / Western European | English - United Kingdom | RT_ICON |
7 | 3.34702 | 1428 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
8 | 3.2817 | 1674 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
9 | 3.28849 | 1168 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
10 | 3.28373 | 1532 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
Imports
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
MPR.dll |
OLEAUT32.dll |
PSAPI.DLL |
SHELL32.dll |
Total processes
59
Monitored processes
23
Malicious processes
8
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 772 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,7676872586667883134,10516610751214269549,131072 --enable-features=PasswordImport --service-pipe-token=17278515C0455B4DCC9D9BE577B05DC1 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17278515C0455B4DCC9D9BE577B05DC1 --renderer-client-id=3 --mojo-platform-channel-handle=1540 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 Modules
| |||||||||||||||
| 960 | "C:\Users\admin\Desktop\PCHunter32.exe" | C:\Users\admin\Desktop\PCHunter32.exe | — | explorer.exe | |||||||||||
User: admin Company: 一普明为(北京)信息技术有限公司 Integrity Level: MEDIUM Description: Epoolsoft Windows Information View Tools Exit code: 3221226540 Version: 1.0.0.5 Modules
| |||||||||||||||
| 1668 | "C:\Windows\System32\dllhost.exe" | C:\Windows\System32\dllhost.exe | — | build__Protected.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1944 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=996,7676872586667883134,10516610751214269549,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=43086312DDFA108D8B95513B2F14206F --mojo-platform-channel-handle=1028 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 Modules
| |||||||||||||||
| 2168 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\PCHunter_free.zip" | C:\Program Files\WinRAR\WinRAR.exe | chrome.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 2208 | C:\Windows\system32\svchost.exe -k | C:\Windows\system32\svchost.exe | dllhost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2384 | C:\Windows\system32\svchost.exe -k | C:\Windows\system32\svchost.exe | dllhost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2456 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6f4600b0,0x6f4600c0,0x6f4600cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 Modules
| |||||||||||||||
| 2712 | "C:\Users\admin\AppData\Roaming\Z33775803\build_startup_Protected.exe" | C:\Users\admin\AppData\Roaming\Z33775803\build_startup_Protected.exe | — | finish.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2984 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,7676872586667883134,10516610751214269549,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=3776367CC8AF053185B8833E625DD229 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3776367CC8AF053185B8833E625DD229 --renderer-client-id=6 --mojo-platform-channel-handle=3548 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 Modules
| |||||||||||||||
Total events
1 786
Read events
1 669
Write events
112
Delete events
5
Modification events
| (PID) Process: | (3736) finish.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3736) finish.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (4020) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows |
| Operation: | write | Name: | Load |
Value: C:\Windows\System32\dllhost.exe | |||
| (PID) Process: | (3652) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (3652) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (3652) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (3776) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | write | Name: | 3652-13194361319985125 |
Value: 259 | |||
| (PID) Process: | (3652) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | dr |
Value: 1 | |||
| (PID) Process: | (3652) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome |
| Operation: | write | Name: | UsageStatsInSample |
Value: 0 | |||
| (PID) Process: | (3652) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | delete value | Name: | 3516-13180984670829101 |
Value: 0 | |||
Executable files
3
Suspicious files
76
Text files
71
Unknown types
10
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3736 | finish.exe | C:\Users\admin\AppData\Local\Temp\aut62C3.tmp | — | |
MD5:— | SHA256:— | |||
| 3652 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\46ee2bb4-0432-4b20-abe0-e339a6435e92.tmp | — | |
MD5:— | SHA256:— | |||
| 3652 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp | — | |
MD5:— | SHA256:— | |||
| 3652 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp | — | |
MD5:— | SHA256:— | |||
| 3652 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old | — | |
MD5:— | SHA256:— | |||
| 3652 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\dc823827-bcd9-4ea5-80cd-dd631ce006ac.tmp | — | |
MD5:— | SHA256:— | |||
| 3652 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF24973f.TMP | text | |
MD5:— | SHA256:— | |||
| 3736 | finish.exe | C:\Users\admin\AppData\Roaming\Z33775803\build_startup_Protected.exe | executable | |
MD5:— | SHA256:— | |||
| 3736 | finish.exe | C:\Users\admin\AppData\Roaming\Z33775803\build__Protected.exe | executable | |
MD5:— | SHA256:— | |||
| 3652 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\temp-index | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
32
DNS requests
14
Threats
60
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3252 | PCHunter32.exe | GET | 404 | 120.133.5.200:80 | http://www.epoolsoft.com/pchunter/pchunter_free | CN | html | 187 b | malicious |
3252 | PCHunter32.exe | GET | 404 | 120.133.5.200:80 | http://www.epoolsoft.com/PCHunter_StandardV1.56=F3EB3CFF9B0EA3C6968CBC366078345D9FBD918D447169B141FB79AE219533EA5EC0F2ED65DD36F9F934577FBABBD566 | CN | html | 317 b | malicious |
3652 | chrome.exe | GET | 200 | 69.163.162.37:80 | http://www.xuetr.com/download/PCHunter_free.zip | US | compressed | 6.89 Mb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3652 | chrome.exe | 216.58.206.4:443 | www.google.com | Google Inc. | US | whitelisted |
3652 | chrome.exe | 172.217.16.138:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3652 | chrome.exe | 216.58.208.35:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
3652 | chrome.exe | 172.217.23.142:443 | sb-ssl.google.com | Google Inc. | US | whitelisted |
3252 | PCHunter32.exe | 120.133.5.200:80 | www.epoolsoft.com | CHINA UNICOM China169 Backbone | CN | malicious |
2208 | svchost.exe | 216.170.126.109:443 | — | ColoCrossing | US | malicious |
2384 | svchost.exe | 216.170.126.109:443 | — | ColoCrossing | US | malicious |
3652 | chrome.exe | 172.217.16.195:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
3652 | chrome.exe | 216.58.205.227:443 | www.gstatic.com | Google Inc. | US | whitelisted |
3652 | chrome.exe | 172.217.23.163:443 | www.google.de | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
clientservices.googleapis.com |
| whitelisted |
www.google.de |
| whitelisted |
www.gstatic.com |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
ssl.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
www.xuetr.com |
| unknown |
www.google.com |
| malicious |
www.google.at |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2208 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] BackDoor.DarkVNC.6 |
2384 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] BackDoor.DarkVNC.6 |
2208 | svchost.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] VNC connection |
2384 | svchost.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] VNC connection |
2384 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] BackDoor.DarkVNC.6 |
2384 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] BackDoor.DarkVNC.6 |
2384 | svchost.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] VNC connection |
2384 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] BackDoor.DarkVNC.6 |
2384 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] BackDoor.DarkVNC.6 |
2384 | svchost.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] VNC connection |
23 ETPRO signatures available at the full report