File name: | 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware |
Full analysis: | https://app.any.run/tasks/8a0cd7f1-f0ae-4203-af1a-c99f408e1ef7 |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 06:58:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5: | 56AC9E72644A8DAE8C1968D63A26E58A |
SHA1: | D0349D04F33400541898426438D9E036D21DECC5 |
SHA256: | 3DB0E385EB53A32D61A5A35908A99317868B571E4CF7079DB67FD68604DA662C |
SSDEEP: | 24576:mq5TfcdHj4fmbi2q+0MmV0VMXeyrtoT1GokHTQoCwsC+Y:mUTsamOx9RoBVoCwT |
.exe | | | Win64 Executable (generic) (30.7) |
---|---|---|
.exe | | | UPX compressed Win32 Executable (30.1) |
.exe | | | Win32 EXE Yoda's Crypter (29.5) |
.exe | | | Win32 Executable (generic) (5) |
.exe | | | Generic Win/DOS Executable (2.2) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2015-Jul-22 13:51:55 |
Detected languages: |
|
FileVersion: | 1.0.7.4 |
Comments: | CHIP Secured Installer |
FileDescription: | CHIP Secured Installer |
ProductVersion: | 1.0.7.4 |
LegalCopyright: | Copyright © 2015 Chip Digital GmbH |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 264 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2015-Jul-22 13:51:55 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
UPX0 | 4096 | 1380352 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
UPX1 | 1384448 | 344064 | 343040 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.93591 |
.rsrc | 1728512 | 851968 | 850944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.34589 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.34174 | 588 | Latin 1 / Western European | German - Germany | RT_VERSION |
4 | 3.75291 | 9640 | Latin 1 / Western European | English - United Kingdom | RT_ICON |
7 | 3.34702 | 1428 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
8 | 3.2817 | 1674 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
9 | 3.28849 | 1168 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
10 | 3.28373 | 1532 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
11 | 3.26322 | 1628 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
12 | 3.25812 | 1126 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
99 | 2.0815 | 20 | Latin 1 / Western European | English - United Kingdom | RT_GROUP_ICON |
166 | 2.68292 | 80 | Latin 1 / Western European | English - United Kingdom | RT_MENU |
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
IPHLPAPI.DLL |
KERNEL32.DLL |
MPR.dll |
OLEAUT32.dll |
PSAPI.DLL |
SHELL32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2972 | "C:\Users\admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe" | C:\Users\admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | — | Explorer.EXE |
User: admin Integrity Level: MEDIUM Description: CHIP Secured Installer Exit code: 3221226540 Version: 1.0.7.4 | ||||
3532 | "C:\Users\admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe" | C:\Users\admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | Explorer.EXE | |
User: admin Integrity Level: HIGH Description: CHIP Secured Installer Exit code: 0 Version: 1.0.7.4 | ||||
2064 | "C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -72189998 -chipde -e37278fe332e42d1af33e4480ad52248 - -BLUB2 -vqkfnfnirlrzkfsp -3532 | C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe | 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | |
User: admin Company: Chip Digital GmbH Integrity Level: HIGH Description: DMR Version: 1.0.7.4 |
(PID) Process: | (3532) 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3532) 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3532) 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (3532) 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2064) dmr_72.exe | Key: | HKEY_CURRENT_USER\Software\OCS |
Operation: | write | Name: | CID |
Value: eb5a3dd3-27c7-4bad-927d-6b6d8bbc4d74 | |||
(PID) Process: | (2064) dmr_72.exe | Key: | HKEY_CURRENT_USER\Software\OCS |
Operation: | write | Name: | PID |
Value: chipde | |||
(PID) Process: | (2064) dmr_72.exe | Key: | HKEY_CURRENT_USER\Software\OCS |
Operation: | write | Name: | lastPID |
Value: chipde | |||
(PID) Process: | (2064) dmr_72.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2064) dmr_72.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (2064) dmr_72.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
3532 | 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | C:\Users\admin\AppData\Local\Temp\DMR\vqkfnfnirlrzkfsp.dat | text | |
MD5:8C934B48A05955C6CC934925F4C01E7D | SHA256:51BE55DD44A7D2C782EF432971878A64040AEC99C5EC0B53AC92D72BB2645992 | |||
3532 | 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe | executable | |
MD5:1B81FA48134378F2B8D54A41FCFCF0CA | SHA256:5E2931D27098E63B67126EC2E036D8E2F4E46814D8C777C0307E3EEC3B947707 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2064 | dmr_72.exe | GET | 404 | 116.203.169.158:80 | http://api.chip-secured-download.de/geoip/geoip.php?ip=322e3234342e3130302e323535 | IN | xml | 341 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2064 | dmr_72.exe | 116.203.169.158:80 | api.chip-secured-download.de | Hetzner Online GmbH | DE | unknown |
Domain | IP | Reputation |
---|---|---|
api.chip-secured-download.de |
| unknown |