File name: | seledka.exe |
Full analysis: | https://app.any.run/tasks/686523cd-9395-458a-b1cd-7207b8e6ab76 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous ransomware families. Ransomware is malware that demands payment from the victim to restore access to encrypted files; if the user does not cooperate, the files are lost forever. |
Analysis date: | February 19, 2019, 12:52:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 10DCF1D147C4197FBA20C86F3D59B777 |
SHA1: | 977753B6457897489F4E32CDF6140323782E6FED |
SHA256: | 39EB2AB1CC9CE7D1D0E89CAD1AC68E18A0177A176F1E9E60349D7CCAE5AF8415 |
SSDEEP: | 6144:8O1gBmlau483ON2t9N4v3+nY5O6VwHVh47vgcmvH0E3EoT0waEI/YTBfKrX7:pcm7PM2t9sLwegl3BT09V/+BoX7 |
Extension | | | Detected format |
---|---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Field | Value |
---|---|
ProductVersion: | 9.9.6.1 |
ProductName: | BasketHydrocarbon |
OriginalFileName: | BasketHydrocarbon.exe |
CompanyName: | CACE Technologies, Inc. |
Comments: | Surprises N Accton 827281 |
PrivateBuild: | 9.9.6.1 |
LegalCopyright: | CACE Technologies, Inc. Copyright (c) |
FileVersion: | 9.9.6.1 |
FileDescription: | Surprises N Accton 827281 |
InternalName: | BasketHydrocarbon |
LegalTrademarks: | CACE Technologies, Inc. Copyright (c) |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 9.9.6.1 |
FileVersionNumber: | 9.9.6.1 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x19b6d |
UninitializedDataSize: | - |
InitializedDataSize: | 360960 |
CodeSize: | 194560 |
LinkerVersion: | 11 |
PEType: | PE32 |
TimeStamp: | 2019:02:12 14:30:27+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 12-Feb-2019 13:30:27 |
Detected languages: | |
LegalTrademarks: | CACE Technologies, Inc. Copyright (c) |
InternalName: | BasketHydrocarbon |
FileDescription: | Surprises N Accton 827281 |
FileVersion: | 9.9.6.1 |
LegalCopyright: | CACE Technologies, Inc. Copyright (c) |
PrivateBuild: | 9.9.6.1 |
Comments: | Surprises N Accton 827281 |
CompanyName: | CACE Technologies, Inc. |
OriginalFilename: | BasketHydrocarbon.exe |
ProductName: | BasketHydrocarbon |
ProductVersion: | 9.9.6.1 |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F8 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 10 |
Time date stamp: | 12-Feb-2019 13:30:27 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0002F4C1 | 0x0002F600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.62075 |
.text1 | 0x00031000 | 0x000001C0 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.1085 |
.rdata | 0x00032000 | 0x0001020E | 0x00010400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.43065 |
.data | 0x00043000 | 0x00007664 | 0x00004E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.21148 |
.data1 | 0x0004B000 | 0x00001590 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.883499 |
.debug_o\xa8\x19 | 0x0004D000 | 0x000019A8 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.09577 |
.trace | 0x0004F000 | 0x000009DC | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.61688 |
_RDATA | 0x00050000 | 0x00000540 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.21289 |
.rsrc | 0x00051000 | 0x00038CF0 | 0x00038E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.55745 |
.reloc | 0x0008A000 | 0x0000604C | 0x00006200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.82784 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.16799 | 859 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.96011 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 3.07216 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 3.39755 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 1.53537 | 10344 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 2.88705 | 16936 | Latin 1 / Western European | English - United States | RT_ICON |
96 | 7.86044 | 1308 | Latin 1 / Western European | English - United States | UNKNOWN |
97 | 7.8948 | 1819 | Latin 1 / Western European | English - United States | UNKNOWN |
98 | 7.80698 | 1193 | Latin 1 / Western European | English - United States | UNKNOWN |
101 | 2.80883 | 90 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
COMCTL32.dll |
DHCPSAPI.DLL |
GDI32.dll |
GLU32.dll |
IMM32.dll |
KERNEL32.dll |
OPENGL32.dll |
SHLWAPI.dll |
USER32.dll |
UxTheme.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3596 | "C:\Users\admin\AppData\Local\Temp\seledka.exe" | C:\Users\admin\AppData\Local\Temp\seledka.exe | | explorer.exe |
User: admin Company: CACE Technologies, Inc. Integrity Level: MEDIUM Description: Surprises N Accton 827281 Version: 9.9.6.1 |
(PID) Process: | (3596) seledka.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data |
Operation: | write | Name: | ext |
Value: 2E006E0063006A0075006B006D00670069006D0067000000 | |||
(PID) Process: | (3596) seledka.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data |
Operation: | write | Name: | public |
Value: 0602000000A400005253413100080000010001005D7D910A52FD8CA751DCC2BFE897AD7C6421F0C01FFADD4427FEA0C6E567CC2E30125A2455DBC806F36B56013B089317476B7A07EBF5D32D40B61E3FBBE96B3A9808D990450B972D2660FF90F15B82EAAAE77E780FF2A24DF9B3B679EFD5F0273E0F5BF134291DE2D2D49108D9F7D6842BD83A21843D24D656359ED0357060CD830DEA4523CD566083F357FD89C31A4FAFEC9BB13496B8F604D4F19F1ED4922DF26BCDA1E2789CE8E26AA646F5B3BBB25434D8E6D1AC4FA98C04445AC9FD91C735C12E5BC97F51FE06C293C4E4E025C5FB0C3A83B4A6ACEFF7AF01002413FB7015AE99806F86F7ADFFD75F4E2A0675A5737050B5F565A958BD9F5164463AE2D3 | |||
(PID) Process: | (3596) seledka.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data |
Operation: | write | Name: | private |
Value: — | |||
PID | Process | Filename | Type | |
---|---|---|---|---|
3596 | seledka.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | |
MD5:— | SHA256:— | |||
3596 | seledka.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | |
MD5:— | SHA256:— | |||
3596 | seledka.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.ncjukmgimg | — | |
MD5:— | SHA256:— | |||
3596 | seledka.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{05ed3515-06b3-48f6-8cf2-bf24b1bf0727}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
3596 | seledka.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{16d74681-6bc3-4c44-97f0-8b8dfefe2355}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
3596 | seledka.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{38e8535f-27d0-4352-aa3a-ce4178930102}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
3596 | seledka.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{3cc0f82b-873a-4e59-b89f-689fbdf88af9}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
3596 | seledka.exe | C:\MSOCache\NCJUKMGIMG-DECRYPT.txt | text | |
MD5:5902F91766F20CB946474C880EAA4398 | SHA256:5FC5C48071FEFA5F4BE54F347745C735139C6B0B5726A0428A35BA465129C981 | |||
3596 | seledka.exe | C:\PerfLogs\Admin\NCJUKMGIMG-DECRYPT.txt | text | |
MD5:5902F91766F20CB946474C880EAA4398 | SHA256:5FC5C48071FEFA5F4BE54F347745C735139C6B0B5726A0428A35BA465129C981 | |||
3596 | seledka.exe | C:\Config.Msi\NCJUKMGIMG-DECRYPT.txt | text | |
MD5:5902F91766F20CB946474C880EAA4398 | SHA256:5FC5C48071FEFA5F4BE54F347745C735139C6B0B5726A0428A35BA465129C981 |