download: | setup_wnysxz001.exe |
Full analysis: | https://app.any.run/tasks/b2cb55a1-ffa8-4d86-ba4a-f0e2e85cbe36 |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 07:07:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 7457A920304FAA494F748A540B00D2EC |
SHA1: | CAA2F6D97024D8B2FFFEFE9AFF23871C355C9B0B |
SHA256: | 38CEB3D10AD9C92F6FE0BBFB538996B05EE47E4FEBC856AFEB61C03834F325BD |
SSDEEP: | 196608:SIZMZi34TFJNUWov4W+jG1NAMdzbqWDpJV073/CMKhP6uDkm9Hts3y4:jvyHNUTv4zeNAMdzbqWDpP0rCMxmkQi5 |
.exe | | | Win32 Executable (generic) (3.6) |
---|---|---|
.exe | | | Generic Win/DOS Executable (1.6) |
.exe | | | DOS Executable Generic (1.5) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:06:27 09:28:08+02:00 |
PEType: | PE32 |
LinkerVersion: | 14 |
CodeSize: | 1577984 |
InitializedDataSize: | 8332800 |
UninitializedDataSize: | - |
EntryPoint: | 0x40ebd |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.3.9.19627 |
ProductVersionNumber: | 1.3.9.19627 |
FileFlagsMask: | 0x0017 |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Chinese (Simplified) |
CharacterSet: | Unicode |
CompanyName: | 万能压缩 |
FileDescription: | 万能压缩 |
FileVersion: | 1.3.9.19627 |
InternalName: | 万能压缩 |
LegalCopyright: | Copyright (C) 2019 |
OriginalFileName: | Install.exe |
ProductName: | 万能压缩 |
ProductVersion: | 1,3,9,19627 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 27-Jun-2019 07:28:08 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | 万能压缩 |
FileDescription: | 万能压缩 |
FileVersion: | 1.3.9.19627 |
InternalName: | 万能压缩 |
LegalCopyright: | Copyright (C) 2019 |
OriginalFilename: | Install.exe |
ProductName: | 万能压缩 |
ProductVersion: | 1,3,9,19627 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000148 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 7 |
Time date stamp: | 27-Jun-2019 07:28:08 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00181363 | 0x00181400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.64637 |
.rdata | 0x00183000 | 0x0006944C | 0x00069600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.64652 |
.data | 0x001ED000 | 0x0001245C | 0x0000B400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.23462 |
.gfids | 0x00200000 | 0x000001B4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.51026 |
.tls | 0x00201000 | 0x00000009 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.rsrc | 0x00202000 | 0x00768DE4 | 0x00768E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.97354 |
.reloc | 0x0096B000 | 0x000149FC | 0x00014A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.58115 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.41141 | 1260 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 5.53107 | 67624 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
3 | 5.88889 | 38056 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
4 | 5.67784 | 16936 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
5 | 5.94895 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
6 | 5.93778 | 5512 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
7 | 6.16633 | 2440 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
8 | 6.07871 | 1720 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
9 | 6.0888 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
101 | 3.09794 | 132 | Latin 1 / Western European | Chinese - PRC | RT_GROUP_ICON |
ADVAPI32.dll |
COMCTL32.dll |
CRYPT32.dll |
GDI32.dll |
IMM32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
OLEAUT32.dll |
PSAPI.DLL |
SHELL32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2164 | "C:\Users\admin\Downloads\setup_wnysxz001.exe" | C:\Users\admin\Downloads\setup_wnysxz001.exe | — | explorer.exe |
User: admin Company: 万能压缩 Integrity Level: MEDIUM Description: 万能压缩 Exit code: 3221226540 Version: 1.3.9.19627 | ||||
3000 | "C:\Users\admin\Downloads\setup_wnysxz001.exe" | C:\Users\admin\Downloads\setup_wnysxz001.exe | explorer.exe | |
User: admin Company: 万能压缩 Integrity Level: HIGH Description: 万能压缩 Exit code: 0 Version: 1.3.9.19627 | ||||
3476 | taskkill /f /im WnZipConfigd.exe | C:\Windows\system32\taskkill.exe | — | setup_wnysxz001.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3524 | taskkill /f /im WnZipService.exe | C:\Windows\system32\taskkill.exe | — | setup_wnysxz001.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3620 | taskkill /f /im WnZipTool.exe | C:\Windows\system32\taskkill.exe | — | setup_wnysxz001.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3672 | taskkill /f /im WnZipUtility.exe | C:\Windows\system32\taskkill.exe | — | setup_wnysxz001.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3928 | taskkill /f /im WnZipUninst.exe | C:\Windows\system32\taskkill.exe | — | setup_wnysxz001.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2232 | "C:\Program Files\WanNengZip\WnZipUtility.exe" InstallSpreadOperate --NewClientID wnysxz001****** --InstallSilent false | C:\Program Files\WanNengZip\WnZipUtility.exe | setup_wnysxz001.exe | |
User: admin Company: 万能压缩 Integrity Level: HIGH Description: 万能压缩 Version: 1.3.9.19627 | ||||
1456 | "C:\Program Files\WanNengZip\WnZipPower32.exe" RegCM | C:\Program Files\WanNengZip\WnZipPower32.exe | WnZipUtility.exe | |
User: admin Company: 万能压缩 Integrity Level: HIGH Description: 万能压缩 Exit code: 1 Version: 1.3.9.19627 | ||||
1528 | "C:\Program Files\WanNengZip\WnZipVirtualCD.exe" /install | C:\Program Files\WanNengZip\WnZipVirtualCD.exe | WnZipUtility.exe | |
User: admin Company: www.wn51.com Integrity Level: HIGH Description: 虚拟光盘 Exit code: 0 Version: 1.0.0.11031 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3000 | setup_wnysxz001.exe | C:\Users\admin\AppData\Local\Temp\WanNengZip-98075-7zData.7z | — | |
MD5:— | SHA256:— | |||
3000 | setup_wnysxz001.exe | C:\Users\admin\AppData\LocalLow\WanNengZip\Config\UseVestige.ini | text | |
MD5:D54460AE7869E8C1D2174BE5912D1CCD | SHA256:4716F70C27D4625A3DF565B6A339E391F7D97BBF7D1F73AAD4CB60FAD49208BA | |||
3000 | setup_wnysxz001.exe | C:\Program Files\WanNengZip\Setting\AlgorithmConfig.xml | xml | |
MD5:D3517B07CFF8652912B5DBD5B10C22AB | SHA256:2634C31C0AB0717E8A40FA62F9538A57BCB1065F5A65B44BF07F76A2138F7F62 | |||
3000 | setup_wnysxz001.exe | C:\Program Files\WanNengZip\WnZipUninst.exe | executable | |
MD5:6F75FCE6E13B1F3B1EB670644E200824 | SHA256:0A84FA1D5D3DC6497169E88C5B2430EBA4BCED91635AA7750203D45ED5B19976 | |||
3000 | setup_wnysxz001.exe | C:\Program Files\WanNengZip\Setting\FilterConfig.xml | xml | |
MD5:47B7A11DF71A074AE38BC52DA976401F | SHA256:5645B2234B8BF80D6568661D49497E1FE3D6F976580F7C8399DBE04469DCDC6E | |||
3000 | setup_wnysxz001.exe | C:\Program Files\WanNengZip\Lang\zh-cn.txt | text | |
MD5:F651D44C7EDD6A12F09FDFCE81F75516 | SHA256:0A4C2424D9349091E8B97FDDFABBBD6C633CE4B9E12DEE35EB61FF8106B41E37 | |||
3000 | setup_wnysxz001.exe | C:\Program Files\WanNengZip\WnZipPower64.exe | executable | |
MD5:8C5228046178F226B0A39E15A765DC0F | SHA256:4CA7C8AF3BFFB8F17B66691D91F7D0AAA1AB03649FF3F76F572210355266006E | |||
3000 | setup_wnysxz001.exe | C:\Program Files\WanNengZip\WanNengZip.ini | text | |
MD5:6055D30CD9B5E1D28283BB5D3AED7B02 | SHA256:D61BF517DAA0C86D82EF0B6D9C9F06B2F5AA68E400C5CAD61B08996A2D4D9E3E | |||
3000 | setup_wnysxz001.exe | C:\Program Files\Common Files\WanNengZip\WanNengZip.ini | text | |
MD5:FEB5D4D79183A8754DB976370BE2B639 | SHA256:0E2A61040D648D29B102DFAB3A1358D5305DD221BB20E72642816A178EF148F9 | |||
3000 | setup_wnysxz001.exe | C:\Program Files\WanNengZip\TimeHelp.exe | executable | |
MD5:E4B39A550587CFB20607B76C8FD5D335 | SHA256:BBBC57648575768BB3FBB57A5C54D3C1320A91E1AEC4D2577F5E13E1B029D1B1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2232 | WnZipUtility.exe | GET | — | 117.50.93.3:80 | http://tjtv3.wn51.com/fdot.php?data=Nzg1OTQ3NTQ1ODU3MzA3MTIwMDMyNDcxMjQ2OTYxNjQ2NzE5MTk1MjQyMzMxOTAwMTgzMzE5NzEzNTYxMDMxMTAyNTgzNzA4NjczNDYyNDI2MzUyNDE0NjY1NTMwNDQzMDcxMjcxMDIxMTEyNTUzMTE1NjYyNjQ0MDczNTM3NTI2NTIyNzExMDE1NTgxMjE0MzUwMDY4MjIyNjE0MTE0MDIwNjczNTUxMjA2NzM1MDMyMDE2MjI3MDY3NDczOTYzNDMzNzIwNTk1MTMwNDk3MQ%3D%3D | CN | — | — | malicious |
3000 | setup_wnysxz001.exe | GET | — | 120.132.61.186:80 | http://tjv1.wn51.com/statistics/timestamp | CN | — | — | malicious |
3664 | WnZipUtility.exe | GET | — | 117.50.93.3:80 | http://proup.wn51.com/proup.php?data=NTMyMzUxMDQwNDYyMjI1NzA0NDEyNDU3MjE1ODIyNTYyMTM3MjMwMDIxNjIwMjI5MjEzNjAzMzcyMTM2MDQzNjIxMzcyMDY0MDQzNzIyNDgyMTQyMjQxNzYwNDIyOTAzMDYxNzAyNjU0NjM3MDY2NTA3NDgzODM4NzEyNDI5MDA0NDM2MjE2NTIxNTk1NjQ5NjM0NzM0NjUzMTQ3MDQ1NjMxMzYyNDI1MjE0NjIzNDkyMTQyNzEwMDYwMjQ2ODQ3MzM1ODQ5MjkzMjA4MzQ0MTA0MjUyODM3Njg2NzcwMjk2NTA5MzIyODY2Mjc0MzI4MjkyMjMyNjgzNzMzMzU1NA%3D%3D | CN | — | — | malicious |
2848 | WnZipUtility.exe | GET | — | 117.50.93.3:80 | http://proup.wn51.com/proup.php?data=MzUyMTc2NTE2NjYzNjcwODY2NDk1MTA4Njg0ODY3MjQ2ODM0NTk0NTY4NjM2MTQyNjgzOTY5MzQ2ODM5NjYzOTY4MzQ2MDQ3NjYzNDY3MTI2ODU3NTExNjY0NTc0MjY5NTAxNjYxMDI1NDM0NTAwMjA0MTIyMjIyMTE1MTQyNDU3MDM5NjgwMjY4NTYyNDI4NTU0NjE1MDIxOTQ2NjYyNDE5Mzk1MTQzNjg1NDU5Mjg2ODU3MTE0NTY0NTEzODQ2MDM0ODI4NDIwNzIwMTU0OTY2NDMzMDQyMDI3MDAwMzAxODY3MDAzODAyMjY0MDI5 | CN | — | — | malicious |
3752 | WnZipUtility.exe | GET | 200 | 163.171.140.206:80 | http://d.wn51.com/yasuo/yp/yp.dat | US | binary | 481 b | malicious |
3064 | TimeHelp.exe | GET | 404 | 163.171.140.206:80 | http://d.wn51.com/yasuo/cld/po.dat?rand=7011 | US | text | 41 b | malicious |
2928 | WnZipUtility.exe | GET | — | 117.50.93.3:80 | http://tjtv3.wn51.com/ts.php?data=NGI0NzA0MWI4MmExMGFkMjJmMjNjMmQyNmI1MDA2ODkJV2FuTmVuZ1ppcAkxLjMuMS45CXdueXN4ejAwMTE5MDcxOAlMb25nU3ByaXRlCTEJMA%3D%3D | CN | — | — | malicious |
3448 | WnZipUtility.exe | GET | — | 106.75.114.162:80 | http://tjv5.wn51.com/statistics/timestamp | CN | — | — | malicious |
1824 | WnZipTool.exe | GET | 200 | 163.171.140.206:80 | http://d.wn51.com/yasuo/cld/tt.dat?rand=10253 | US | binary | 326 b | malicious |
2928 | WnZipUtility.exe | GET | 200 | 163.171.140.206:80 | http://d.wn51.com/yasuo/cld/st.dat | US | binary | 597 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3000 | setup_wnysxz001.exe | 120.132.61.186:80 | tjv1.wn51.com | China Unicom Beijing Province Network | CN | malicious |
3064 | TimeHelp.exe | 163.171.140.206:80 | d.wn51.com | — | US | malicious |
2848 | WnZipUtility.exe | 117.50.93.3:80 | tjtv3.wn51.com | IDC, China Telecommunications Corporation | CN | malicious |
3752 | WnZipUtility.exe | 163.171.140.206:80 | d.wn51.com | — | US | malicious |
2232 | WnZipUtility.exe | 117.50.93.3:80 | tjtv3.wn51.com | IDC, China Telecommunications Corporation | CN | malicious |
3664 | WnZipUtility.exe | 117.50.93.3:80 | tjtv3.wn51.com | IDC, China Telecommunications Corporation | CN | malicious |
2928 | WnZipUtility.exe | 163.171.140.206:80 | d.wn51.com | — | US | malicious |
2928 | WnZipUtility.exe | 117.50.93.3:80 | tjtv3.wn51.com | IDC, China Telecommunications Corporation | CN | malicious |
1824 | WnZipTool.exe | 163.171.140.206:80 | d.wn51.com | — | US | malicious |
1824 | WnZipTool.exe | 117.50.93.3:80 | tjtv3.wn51.com | IDC, China Telecommunications Corporation | CN | malicious |
Domain | IP | Reputation |
---|---|---|
tjv1.wn51.com |
| malicious |
config.wn51.com |
| suspicious |
tjtv3.wn51.com |
| unknown |
d.wn51.com |
| malicious |
proup.wn51.com |
| malicious |
tjv5.wn51.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3752 | WnZipUtility.exe | Misc activity | ADWARE [PTsecurity] Softcnapp.J PUP |
3752 | WnZipUtility.exe | Misc activity | ADWARE [PTsecurity] PUA.Softcnapp payload |
2928 | WnZipUtility.exe | Misc activity | ADWARE [PTsecurity] PUA.Softcnapp payload |
1824 | WnZipTool.exe | Misc activity | ADWARE [PTsecurity] PUA.Softcnapp payload |
Process | Message |
---|---|
setup_wnysxz001.exe | [zip]CreateRunProcess("C:\Program Files\WanNengZip\WnZipUtility.exe" InstallSpreadOperate --NewClientID wnysxz001****** --InstallSilent false)
|
WnZipUtility.exe | [zip]CreateRunProcess("C:\Program Files\WanNengZip\WnZipPower32.exe" RegCM)
|
WnZipUtility.exe | [zip]CreateRunProcess("C:\Program Files\WanNengZip\WnZipVirtualCD.exe" /install)
|
WnZipPower32.exe | [zip]CreateRunProcess("C:\Program Files\WanNengZip\WnZipPower32.exe" Reg32CM)
|
WnZipUtility.exe | CheckRegSZValue false - |
WnZipUtility.exe | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\UserChoice |
WnZipUtility.exe | |
WnZipUtility.exe | CheckRegSZValue false - |
WnZipUtility.exe | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zipx\UserChoice |
WnZipUtility.exe | |