File name: | dUzv3Q.exe |
Full analysis: | https://app.any.run/tasks/1d501355-e616-4d72-a422-56eff5ef18b1 |
Verdict: | Malicious activity |
Analysis date: | August 08, 2020, 13:22:16 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 46153BEFE26DB1FB2787489066BD5197 |
SHA1: | F1FEE36B396E9BD89CBEBE3B008143C1FB115044 |
SHA256: | 3FA47AB3A08FC45701A37A50EAC63481929F38033925D9EA969A9F7A62743139 |
SSDEEP: | 384:agH5a0Hy7SSLOUBhPWkbU4puuIaLMxyrQCSfD:agH5a0Hy7bLhP1b1YxNz |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (7.4) |
.exe | | | Win32 Executable (generic) (5.1) |
.exe | | | Generic Win/DOS Executable (2.2) |
.exe | | | DOS Executable Generic (2.2) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2098:04:02 01:17:14+02:00 |
PEType: | PE32 |
LinkerVersion: | 48 |
CodeSize: | 14336 |
InitializedDataSize: | 2048 |
UninitializedDataSize: | - |
EntryPoint: | 0x5622 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 6 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.0.0.0 |
ProductVersionNumber: | 1.0.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
Comments: | - |
CompanyName: | - |
FileDescription: | dUzv3Q |
FileVersion: | 1.0.0.0 |
InternalName: | dUzv3Q.exe |
LegalCopyright: | Copyright © 2020 |
LegalTrademarks: | - |
OriginalFileName: | dUzv3Q.exe |
ProductName: | dUzv3Q |
ProductVersion: | 1.0.0.0 |
AssemblyVersion: | 1.0.0.0 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 24-Feb-1962 16:48:58 |
Debug artifacts: |
|
Comments: | - |
CompanyName: | - |
FileDescription: | dUzv3Q |
FileVersion: | 1.0.0.0 |
InternalName: | dUzv3Q.exe |
LegalCopyright: | Copyright © 2020 |
LegalTrademarks: | - |
OriginalFilename: | dUzv3Q.exe |
ProductName: | dUzv3Q |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 24-Feb-1962 16:48:58 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x00003628 | 0x00003800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.53016 |
.rsrc | 0x00006000 | 0x0000059C | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.06627 |
.reloc | 0x00008000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0815394 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2280 | "C:\Users\admin\AppData\Local\Temp\dUzv3Q.exe" | C:\Users\admin\AppData\Local\Temp\dUzv3Q.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: dUzv3Q Version: 1.0.0.0 | ||||
2496 | "netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any | C:\Windows\system32\netsh.exe | — | dUzv3Q.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2160 | "netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any | C:\Windows\system32\netsh.exe | — | dUzv3Q.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3600 | "netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any | C:\Windows\system32\netsh.exe | — | dUzv3Q.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2740 | "netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=any | C:\Windows\system32\netsh.exe | — | dUzv3Q.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1508 | "cmd.exe" reg add "HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security" /f /v "PromptOOMSend" /t REG_DWORD /d 2 | C:\Windows\system32\cmd.exe | — | dUzv3Q.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2436 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRD012.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:48DD6CAE43CE26B992C35799FCD76898 | SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A | |||
2436 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmp | binary | |
MD5:569B182080A11A4A5EA74DEBC7EBA886 | SHA256:F2BEFD5CEF059AA96A41A9A4D38CE61BAD0A2745E27E887CF19EAC37DB3304F0 | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:2651666C2C18EDC32326E50BCEAFE9E6 | SHA256:C3664FEF1601AD585BA16F14980E570F2416241B85E934ED0CEB9A748EE4314F | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_176C11D1E8F879489651834C25E58656.dat | xml | |
MD5:D8B37ED0410FB241C283F72B76987F18 | SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114 | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8C3202D0-53DE-4D80-8B55-2E582BEB5598}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:4C61C12EDBC453D7AE184976E95258E1 | SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_9CFBD24CD6B76A43A657BA185D50558B.dat | xml | |
MD5:F194B1FA12F9B6F46A47391FAE8BEEC2 | SHA256:FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74 | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_DD103498BF88504D9164F0CEFFA46A53.dat | xml | |
MD5:BBCF400BD7AE536EB03054021D6A6398 | SHA256:383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_9E8A11C4FBFD844A9655B52F53976332.dat | xml | |
MD5:B21ED3BD946332FF6EBC41A87776C6BB | SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4 | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_A33A16F9E563D04D83E22F2832EF228D.dat | xml | |
MD5:57F30B1BCA811C2FCB81F4C13F6A927B | SHA256:612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2280 | dUzv3Q.exe | GET | 200 | 195.201.245.34:80 | http://unhanorarse.altervista.org/add.php?username=admin | RU | — | — | malicious |
2436 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
2280 | dUzv3Q.exe | POST | 200 | 195.201.245.34:80 | http://unhanorarse.altervista.org/getdos.php | RU | binary | 1 b | malicious |
2280 | dUzv3Q.exe | POST | 200 | 195.201.245.34:80 | http://unhanorarse.altervista.org/getdos.php | RU | binary | 1 b | malicious |
2280 | dUzv3Q.exe | POST | 200 | 195.201.245.34:80 | http://unhanorarse.altervista.org/getdos.php | RU | binary | 1 b | malicious |
2280 | dUzv3Q.exe | POST | 200 | 195.201.245.34:80 | http://unhanorarse.altervista.org/getdos.php | RU | binary | 1 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2280 | dUzv3Q.exe | 195.201.245.34:80 | unhanorarse.altervista.org | Awanti Ltd. | RU | malicious |
— | — | 195.201.245.34:80 | unhanorarse.altervista.org | Awanti Ltd. | RU | malicious |
2436 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2280 | dUzv3Q.exe | 104.23.98.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
unhanorarse.altervista.org |
| unknown |
config.messenger.msn.com |
| whitelisted |