File name: | http://xemhang.vn/Website/iexplore.exe |
Full analysis: | https://app.any.run/tasks/8f65e730-5c6e-42fc-b510-46e7a46652e4 |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 07:07:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | F54C429A5A0B2BA6922417A181C89856 |
SHA1: | 5EB52117D4F01C7CCDE053D780242959686DA355 |
SHA256: | 47C20159BAB515DD809169D8339892BAC10FA8EDE4781FC1CD8B76978DBC3D47 |
SSDEEP: | 1572864:xYmpnWwFRqWuRAqd4iiN+e6eu18GIw5LDwJy59oG7:xYmpnRFcPAqOiiWeu18G7wo59f7 |
.exe | | | InstallShield setup (83.4) |
---|---|---|
.exe | | | Win32 Executable (generic) (8.7) |
.exe | | | Generic Win/DOS Executable (3.8) |
.exe | | | DOS Executable Generic (3.8) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 1992-Jun-19 22:22:17 |
Detected languages: |
|
e_magic: | MZ |
---|---|
e_cblp: | 80 |
e_cp: | 2 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | 15 |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | 26 |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 256 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 8 |
TimeDateStamp: | 1992-Jun-19 22:22:17 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
CODE | 4096 | 77892 | 78336 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.43594 |
DATA | 86016 | 1548 | 2048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.51863 |
BSS | 90112 | 3237 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.idata | 94208 | 2640 | 3072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.26186 |
.tls | 98304 | 12 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rdata | 102400 | 24 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.204488 |
.reloc | 106496 | 6328 | 6656 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.52837 |
.rsrc | 114688 | 52999344 | 52999680 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 7.87114 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.96797 | 1384 | Latin 1 / Western European | English - United States | RT_ICON |
2 | 6.2503 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 7.90976 | 708670 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
4 | 4.9657 | 392704 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
5 | 7.75028 | 45568 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
6 | 6.09357 | 1072593 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
7 | 6.45762 | 5128016 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
8 | 6.17976 | 167936 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
9 | 7.68694 | 181772 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
10 | 7.99858 | 41853697 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
advapi32.dll |
kernel32.dll |
kernel32.dll (#2) |
kernel32.dll (#3) |
kernel32.dll (#4) |
oleaut32.dll |
oleaut32.dll (#2) |
user32.dll |
user32.dll (#2) |
winmm.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2188 | "C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\AppData\Local\Temp\iexplore.exe | C:\Windows\System32\runas.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Run As Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1284 | C:\Users\admin\AppData\Local\Temp\iexplore.exe | C:\Users\admin\AppData\Local\Temp\iexplore.exe | runas.exe | ||||||||||||
User: Administrator Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
2032 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\SetupSV.cmd" " | C:\Windows\system32\cmd.exe | — | iexplore.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2208 | reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1556 | find "0x0" | C:\Windows\system32\find.exe | — | cmd.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (grep) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3500 | C:\Windows\system32\cmd.exe /c findstr -b -n "^_two181019_" "C:\Users\admin\AppData\Local\Temp\SetupSV.cmd" 2>nul | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2552 | findstr -b -n "^_two181019_" "C:\Users\admin\AppData\Local\Temp\SetupSV.cmd" | C:\Windows\system32\findstr.exe | — | cmd.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2724 | C:\Windows\system32\cmd.exe /c type "C:\Users\admin\AppData\Local\Temp\SetupSV.cmd" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2896 | "C:\Users\ADMINI~1\AppData\Local\Temp\screen.exe" elevate "C:\Users\ADMINI~1\AppData\Local\Temp\screen.exe" Exec Hide "C:\ProgramData\run.cmd" | C:\Users\ADMINI~1\AppData\Local\Temp\screen.exe | — | cmd.exe | |||||||||||
User: Administrator Company: NirSoft Integrity Level: HIGH Description: NirCmd Exit code: 0 Version: 2.86 Modules
| |||||||||||||||
1568 | "C:\Users\ADMINI~1\AppData\Local\Temp\screen.exe" Exec Hide "C:\ProgramData\run.cmd" | C:\Users\ADMINI~1\AppData\Local\Temp\screen.exe | — | screen.exe | |||||||||||
User: Administrator Company: NirSoft Integrity Level: HIGH Description: NirCmd Exit code: 0 Version: 2.86 Modules
|
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | delete value | Name: | ProxyByPass |
Value: 0 | |||
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | delete value | Name: | IntranetName |
Value: 0 | |||
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2896) screen.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2896) screen.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3036) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
Operation: | write | Name: | C:\Windows\SysWOW64\RuntimeBroker.exe |
Value: ~ RUNASADMIN | |||
(PID) Process: | (1936) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
Operation: | write | Name: | C:\ProgramData\RuntimeBroker.exe |
Value: ~ RUNASADMIN | |||
(PID) Process: | (3180) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
Operation: | write | Name: | C:\Windows\SysWOW64\screen.exe |
Value: ~ RUNASADMIN | |||
(PID) Process: | (3296) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
Operation: | write | Name: | C:\ProgramData\screen.exe |
Value: ~ RUNASADMIN |
PID | Process | Filename | Type | |
---|---|---|---|---|
1284 | iexplore.exe | C:\Users\ADMINI~1\AppData\Local\Temp\palemoon.zip | — | |
MD5:— | SHA256:— | |||
2832 | cmd.exe | C:\Windows\System32\MicrosoftEdgeTaskMachineWS.xml | xml | |
MD5:E0FA2E19D4FC3C2AB72B3982A09BADB8 | SHA256:DEA511C320B0D5CFCC95C45BEFE3653FA1B458C68F32552CAE3D513F6F936DE8 | |||
2832 | cmd.exe | C:\Program Files\palemoon.zip | — | |
MD5:— | SHA256:— | |||
1284 | iexplore.exe | C:\Users\ADMINI~1\AppData\Local\Temp\Unicod.cmd | text | |
MD5:EB43C214E68D2201FB2A7236E8E0AA71 | SHA256:40162E30C97238AFDD0D7B0178B2EB96DDECE98967B41C393F8232A126B9526A | |||
2832 | cmd.exe | C:\ProgramData\MicrosoftEdgeTaskMachineWS.xml | xml | |
MD5:E0FA2E19D4FC3C2AB72B3982A09BADB8 | SHA256:DEA511C320B0D5CFCC95C45BEFE3653FA1B458C68F32552CAE3D513F6F936DE8 | |||
2032 | cmd.exe | C:\Users\Public\Documents\pathcd.txt | text | |
MD5:91D838F2C457428DC003B90CFE2061E2 | SHA256:C3AC5952FE0D7061DE7DD8FC4DEF6386725C07FE56F24C9FB3414CF5254B933A | |||
1284 | iexplore.exe | C:\Users\ADMINI~1\AppData\Local\Temp\IntelSvc.exe | executable | |
MD5:A7CDE18F991E97037A7899B7669E2548 | SHA256:8B9F1FA5F941C7F46B65BF8929CA80D132435151E1DCB3A5DE7693B70B254467 | |||
1284 | iexplore.exe | C:\Users\ADMINI~1\AppData\Local\Temp\netserver.exe | executable | |
MD5:483421FB3DA24E88AE3B3337967CF4A4 | SHA256:FAB3AB7FD5D49194EEAF4D88B487F4FA7E2388B81999031367521457AAD0A65B | |||
2832 | cmd.exe | C:\Windows\System32\Unicod.cmd | text | |
MD5:EB43C214E68D2201FB2A7236E8E0AA71 | SHA256:40162E30C97238AFDD0D7B0178B2EB96DDECE98967B41C393F8232A126B9526A | |||
2032 | cmd.exe | C:\ProgramData\run.cmd | text | |
MD5:9B5299B3005B35D550387B6D3F85278F | SHA256:ED4D54DFA21DBEC24F1BD9906C6028910F55F31FC411C8F17119863E16623696 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
708 | IntelSvc.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
708 | IntelSvc.exe | GET | 200 | 8.248.131.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5fce982482aa552d | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
708 | IntelSvc.exe | 188.114.97.3:443 | ulm.aeroadmin.com | CLOUDFLARENET | NL | malicious |
708 | IntelSvc.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
708 | IntelSvc.exe | 8.248.131.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious |
708 | IntelSvc.exe | 37.48.87.53:5665 | auth11.aeroadmin.com | LeaseWeb Netherlands B.V. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
auth11.aeroadmin.com |
| malicious |
ulm.aeroadmin.com |
| malicious |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
708 | IntelSvc.exe | Generic Protocol Command Decode | SURICATA Applayer Wrong direction first Data |
Process | Message |
---|---|
IntelSvc.exe | Info: % 1106] mode: 0
|
IntelSvc.exe | Info: % 1123] Start
|
IntelSvc.exe | Info: % 1135] Environment language: "en"
|
IntelSvc.exe | Info: % 1138] Launch parameters: admin: 1, boot_mode: 0, mode: 0, restart: ""C:\Windows\Temp\IntelSvc.exe" a ", selected: 0, service: 0, as sessid: 1, is running updated: 0
|
IntelSvc.exe | Error: % 1274] registering tray window class
|
IntelSvc.exe | Info: % 1306] Running with no UI
|
IntelSvc.exe | Info: % 54] Adapter best: 1, name: "{4040CF00-1B3E-486A-B407-FA14C56B6FC0}", status: 1
|
IntelSvc.exe | Info: % 54] Adapter best: 0, name: "{E29AC6C2-7037-11DE-816D-806E6F6E6963}", status: 1
|
IntelSvc.exe | Info: % 274] Connecting to ip: "37.48.87.53", port: "5665"
|
IntelSvc.exe | Info: % 262] TCP connection established with socket: 632
|