Field | Value |
---|---|
Download | Cundo_Checker_v2.2.exe |
Full analysis | https://app.any.run/tasks/cea9e45f-1730-48bc-ba1c-b62e26b708ae |
Verdict | Malicious activity |
Analysis date | August 13, 2019, 14:53:09 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | C3C4A5089C481F983512E48F22B2E005 |
SHA1 | 53150D38B824998378E9D864606110C828161D19 |
SHA256 | 3EBD52C4E1E3377791831F480A02F380A78A57546D32738E61203AC53530F721 |
SSDEEP | 98304:DGG8rVQ5+Y6hl7frcRItLuUeTBrHJWGs2NyqeoNE/7SRYYFilert2KIsWVymGu/b:TTVHJack+eArjIsWlGlSRRbCI |
Extension | Detected file type (score) |
---|---|
.exe | InstallShield setup (53.2) |
.exe | Win32 Executable Delphi generic (17.5) |
.scr | Windows screen saver (16.1) |
.exe | Win32 Executable (generic) (5.5) |
.exe | Win16/32 Executable Delphi generic (2.5) |
Field | Value |
---|---|
Subsystem | Windows GUI |
SubsystemVersion | 4 |
ImageVersion | — |
OSVersion | 4 |
EntryPoint | 0x20cc |
UninitializedDataSize | — |
InitializedDataSize | 7793664 |
CodeSize | 5120 |
LinkerVersion | 2.25 |
PEType | PE32 |
TimeStamp | 1992:06:20 00:22:17+02:00 |
MachineType | Intel 386 or later, and compatibles |

Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 19-Jun-1992 22:22:17 |
DOS header field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0050 |
Pages in file | 0x0002 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x000F |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x001A |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x00000100 |
PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 8 |
Time date stamp | 19-Jun-1992 22:22:17 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | — |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
CODE | 0x00001000 | 0x000013B8 | 0x00001400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.34099 |
DATA | 0x00003000 | 0x0000007C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.11763 |
BSS | 0x00004000 | 0x00000695 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00005000 | 0x00000302 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.47732 |
.tls | 0x00006000 | 0x00000004 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00007000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.199108 |
.reloc | 0x00008000 | 0x000001C8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 5.7833 |
.rsrc | 0x00009000 | 0x0076E018 | 0x0076E200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 7.94154 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
50 | 7.92554 | 9248 | Latin 1 / Western European | UNKNOWN | RT_ICON |
51 | 2.45606 | 67624 | Latin 1 / Western European | UNKNOWN | RT_ICON |
52 | 2.64323 | 16936 | Latin 1 / Western European | UNKNOWN | RT_ICON |
53 | 2.819 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
54 | 3.02099 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON |
55 | 3.42526 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON |
A1 | 5.85121 | 44544 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
A2 | 5.59088 | 40448 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
A3 | 7.95584 | 7595259 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
B1 | 3.32782 | 16 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
Imported DLL |
---|
kernel32.dll |
shell32.dll |
shfolder.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3340 | "C:\Users\admin\AppData\Local\Temp\Cundo_Checker_v2.2.exe" | C:\Users\admin\AppData\Local\Temp\Cundo_Checker_v2.2.exe | — | explorer.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
4092 | "C:\Users\admin\AppData\Local\Temp\auto_updater.exe" | C:\Users\admin\AppData\Local\Temp\auto_updater.exe | — | Cundo_Checker_v2.2.exe |
User: admin; Integrity Level: MEDIUM; Description: Build 1.6 pro; Exit code: 0; Version: 1.0.0.0 | | | | |
2216 | "C:\Users\admin\AppData\Local\Temp\Test_Pyhton.exe" | C:\Users\admin\AppData\Local\Temp\Test_Pyhton.exe | — | Cundo_Checker_v2.2.exe |
User: admin; Integrity Level: MEDIUM; Description: Build_clipper; Exit code: 0; Version: 1.0.0.0 | | | | |
2916 | "C:\Users\admin\AppData\Local\Temp\CLEAN AntiCheat.exe" | C:\Users\admin\AppData\Local\Temp\CLEAN AntiCheat.exe | — | Cundo_Checker_v2.2.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
2572 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\admin\AppData\Local\Temp\CLEAN AntiCheat.exe" org.develnext.jphp.ext.javafx.FXLauncher | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | CLEAN AntiCheat.exe |
User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14 | | | | |
2720 | "C:\ProgramData\WMI Services\WmiPrvSvc.exe" | C:\ProgramData\WMI Services\WmiPrvSvc.exe | — | Test_Pyhton.exe |
User: admin; Integrity Level: MEDIUM; Description: Clipper 1.1; Version: 1.0.0.0 | | | | |
2116 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "WMI Services" /tr "C:\ProgramData\WMI Services\\WmiPrvSvc.exe" /f | C:\Windows\System32\schtasks.exe | — | Test_Pyhton.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
3064 | "C:\ProgramData\WMI Provider Host\Wmi64Update.exe" | C:\ProgramData\WMI Provider Host\Wmi64Update.exe | — | auto_updater.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: WMI Provider Host; Version: 10.0.17134.1 | | | | |
2484 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "WMI Host Updater" /tr "C:\ProgramData\WMI Provider Host\\Wmi64Update.exe" /f | C:\Windows\System32\schtasks.exe | — | auto_updater.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
3452 | "C:\ProgramData\taskshell.exe" | C:\ProgramData\taskshell.exe | — | Wmi64Update.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Perflib Event Messages; Version: 10.0.17134.1 (WinBuild.160101.0800) | | | | |
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
3340 | Cundo_Checker_v2.2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
3340 | Cundo_Checker_v2.2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
2216 | Test_Pyhton.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
2216 | Test_Pyhton.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
2216 | Test_Pyhton.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WMI Update Service | C:\ProgramData\WMI Services\WmiPrvSvc.exe |
2572 | javaw.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name | javaw.exe |
4092 | auto_updater.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\auto_updater_RASAPI32 | EnableFileTracing | 0 |
4092 | auto_updater.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\auto_updater_RASAPI32 | EnableConsoleTracing | 0 |
4092 | auto_updater.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\auto_updater_RASAPI32 | FileTracingMask | 4294901760 |
4092 | auto_updater.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\auto_updater_RASAPI32 | ConsoleTracingMask | 4294901760 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
4088 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | — | — |
4088 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
4092 | auto_updater.exe | C:\ProgramData\config.json | text | C0D03B9329A16FD25BDA2108CE8CCCC9 | 3819598BD5C73FA6EC4D68EBDEB312B9D07E6BAAE402F08384B3FACC50C8D82A |
2216 | Test_Pyhton.exe | C:\ProgramData\WMI Services\WmiPrvSvc.exe | executable | 6C9F801B3A9333E1CC630BF05578DBC5 | 1FAB7DCE20C8D51608E287F2925826863BC7D21D226BCD910A5A01875EFD43FE |
2572 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | F4E3E42C5BA211F96755781DC7F3C085 | 6B2D5B37858BF74389FE59C3AAA24BCA224F678CC79764DDECB1815C3E34F1BA |
4092 | auto_updater.exe | C:\ProgramData\WMI Provider Host\Wmi64Update.exe | executable | E330A5B3049D8794257452900A3F9CE4 | 7CEC46E29D8CBBD93A9CFFA4C30DECE69E3B69B0A889A487C4B0635596BE08A7 |
1496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | CDAFFAF04569B3B0C6CD5A6D1A17FCB0 | 1DBAA876162261CC2554FFC105F3CE4A73719F8660E84E15B6F497E7ECB665F2 |
3340 | Cundo_Checker_v2.2.exe | C:\Users\admin\AppData\Local\Temp\CLEAN AntiCheat.exe | executable | DF43D3E9827FEA6613E755EFAA2BFE04 | 17AF71F4F6A858553AE41D76AB3731A4525A1F3EB1A7D4D6F69098BF3795EA5C |
1496 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@citizenhack[1].txt | text | B66758F39B76E28CFCE457CD02A241E7 | 3CFBE823CC3676171A8A51A850E49E52A02C18CC47C3060D42D6515D2FD8DD08 |
4092 | auto_updater.exe | C:\ProgramData\taskshell.exe | executable | 245B363E4CCD16ECD8442B60DFB44AFF | D37C6FB632120B2DAE53CCAA4BEF644D19C608500EA96027247E329662A64A2A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4088 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4088 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
4092 | auto_updater.exe | 145.14.144.240:443 | cwnyfyxugire.000webhostapp.com | Hostinger International Limited | US | shared |
1496 | iexplore.exe | 104.27.132.174:443 | citizenhack.me | Cloudflare Inc | US | shared |
4092 | auto_updater.exe | 88.99.66.31:443 | iplogger.org | Hetzner Online GmbH | DE | malicious |
3452 | taskshell.exe | 136.243.102.154:45700 | xmr.pool.minergate.com | Hetzner Online GmbH | DE | malicious |
1496 | iexplore.exe | 205.185.208.52:443 | code.jquery.com | Highwinds Network Group, Inc. | US | unknown |
1496 | iexplore.exe | 209.197.3.15:443 | maxcdn.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted |
1496 | iexplore.exe | 104.19.198.151:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | shared |
1496 | iexplore.exe | 172.217.18.99:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
1496 | iexplore.exe | 172.217.16.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
cwnyfyxugire.000webhostapp.com | — | shared |
iplogger.org | — | shared |
xmr.pool.minergate.com | — | suspicious |
www.bing.com | — | whitelisted |
phizzofficial.wixsite.com | — | malicious |
www.securehosts.us | — | unknown |
citizenhack.me | — | suspicious |
fonts.googleapis.com | — | whitelisted |
code.jquery.com | — | whitelisted |
maxcdn.bootstrapcdn.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
4092 | auto_updater.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |
4092 | auto_updater.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
4092 | auto_updater.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
— | — | A Network Trojan was detected | ET POLICY Monero Mining Pool DNS Lookup |
3452 | taskshell.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
3452 | taskshell.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login |
3452 | taskshell.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response |
3452 | taskshell.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c |
3452 | taskshell.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response |