File name: | 1C_U25355369126978-2018.scr |
Full analysis: | https://app.any.run/tasks/da0c1c7a-368f-4166-9428-c513802f87d9 |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 08:01:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 15CE37527CD6F8018C221149DC0B31D2 |
SHA1: | 154D9BA302EECC68DFA72B4660BE868E58970432 |
SHA256: | 5292364263C59302A900C05ECB64D68A62D206396EC123466F79A9443AE6F454 |
SSDEEP: | 12288:B1DYrQh2At0T+uCqsWwOUH7Gt7Cg85gY9tISeCdmHQ2egus:BdYMBUHsW+HvZ5LISeCwQ2ehs |
.exe | | | InstallShield setup (49.2) |
---|---|---|
.exe | | | Win32 Executable Delphi generic (16.2) |
.scr | | | Windows screen saver (14.9) |
.dll | | | Win32 Dynamic Link Library (generic) (7.5) |
.exe | | | Win32 Executable (generic) (5.1) |
LegalCopyright: | 07.15.03.15 |
---|---|
FileVersion: | 10.12.03.6346 |
FileDescription: | 11.19.23.6343.324 10.12.03.6346 Installation |
CompanyName: | 07.15.03.15 |
Comments: | - |
CharacterSet: | Windows, Latin1 |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 0.0.0.0 |
FileVersionNumber: | 10.12.3.6346 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x17de0 |
UninitializedDataSize: | - |
InitializedDataSize: | 37888 |
CodeSize: | 94208 |
LinkerVersion: | 2.25 |
PEType: | PE32 |
TimeStamp: | 1992:06:20 00:22:17+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 19-Jun-1992 22:22:17 |
Detected languages: |
|
Comments: | - |
CompanyName: | 07.15.03.15 |
FileDescription: | 11.19.23.6343.324 10.12.03.6346 Installation |
FileVersion: | 10.12.03.6346 |
LegalCopyright: | 07.15.03.15 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 8 |
Time date stamp: | 19-Jun-1992 22:22:17 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
CODE | 0x00001000 | 0x00016E44 | 0x00017000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.45163 |
DATA | 0x00018000 | 0x00000700 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.1907 |
BSS | 0x00019000 | 0x000008AD | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x0001A000 | 0x000014D0 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.78715 |
.tls | 0x0001C000 | 0x00000008 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x0001D000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.204488 |
.reloc | 0x0001E000 | 0x000011C4 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.69814 |
.rsrc | 0x00020000 | 0x000061AC | 0x00006200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 5.73965 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.88266 | 944 | UNKNOWN | Russian - Russia | RT_MANIFEST |
50 | 2.94679 | 744 | UNKNOWN | UNKNOWN | RT_ICON |
51 | 2.97546 | 296 | UNKNOWN | UNKNOWN | RT_ICON |
52 | 6.16612 | 3752 | UNKNOWN | UNKNOWN | RT_ICON |
53 | 6.43409 | 2216 | UNKNOWN | UNKNOWN | RT_ICON |
54 | 5.17975 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
55 | 5.36891 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
56 | 5.31405 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
DVCLAL | 4 | 16 | UNKNOWN | UNKNOWN | RT_RCDATA |
PACKAGEINFO | 5.19786 | 248 | UNKNOWN | UNKNOWN | RT_RCDATA |
advapi32.dll |
cabinet.dll |
comctl32.dll |
gdi32.dll |
kernel32.dll |
ole32.dll |
oleaut32.dll |
shell32.dll |
user32.dll |
winmm.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3092 | "C:\Users\admin\AppData\Local\Temp\1C_U25355369126978-2018.scr" /S | C:\Users\admin\AppData\Local\Temp\1C_U25355369126978-2018.scr | — | explorer.exe |
User: admin Company: 07.15.03.15 Integrity Level: MEDIUM Description: 11.19.23.6343.324 10.12.03.6346 Installation Exit code: 3221226540 Version: 10.12.03.6346 | ||||
3536 | "C:\Users\admin\AppData\Local\Temp\1C_U25355369126978-2018.scr" /S | C:\Users\admin\AppData\Local\Temp\1C_U25355369126978-2018.scr | explorer.exe | |
User: admin Company: 07.15.03.15 Integrity Level: HIGH Description: 11.19.23.6343.324 10.12.03.6346 Installation Exit code: 0 Version: 10.12.03.6346 | ||||
2892 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Intel\1C_N94395369126978-2018.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | 1C_U25355369126978-2018.scr |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3444 | cmd /c ""C:\Intel\enable.cmd" " | C:\Windows\system32\cmd.exe | — | 1C_U25355369126978-2018.scr |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2572 | reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ê¡ΓÑúα¿α«óá¡¡δÑ_ñαá⌐óÑαá" /f | C:\Windows\system32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3112 | powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0 | C:\Windows\system32\powercfg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3972 | powercfg -change -standby-timeout-ac 0 | C:\Windows\system32\powercfg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3440 | "C:\Intel\bmcon.exe" | C:\Intel\bmcon.exe | 1C_U25355369126978-2018.scr | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
4008 | powercfg -change -hibernate-timeout-ac 0 | C:\Windows\system32\powercfg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2208 | powercfg -h off | C:\Windows\system32\powercfg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3536 | 1C_U25355369126978-2018.scr | C:\Users\admin\AppData\Local\Temp\$inst\temp_0.tmp | — | |
MD5:— | SHA256:— | |||
2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRAD1C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3536 | 1C_U25355369126978-2018.scr | C:\Intel\iglhxa32.vp | ini | |
MD5:7FEF5563D091D8A44B96DD4EBE0350AA | SHA256:9A785572225997EDCF3791A7DE3AF98FDAF8D5544F38B9795113B365AC655937 | |||
3536 | 1C_U25355369126978-2018.scr | C:\Intel\bmcon.exe | executable | |
MD5:2731697E36FC09A4D8B4568DFFA42EFD | SHA256:40883E27922D357F0A3F15544ED9623475C9F430435F918D57A212F5BD11DA34 | |||
3536 | 1C_U25355369126978-2018.scr | C:\Intel\IntcDAuC.dll | executable | |
MD5:5059A182143DFA122278A331976BACCB | SHA256:1AB212EE9E6E28B847EEE0080969279C09068FCA3E2F5A34DB60286EA453E878 | |||
3536 | 1C_U25355369126978-2018.scr | C:\Intel\enable.cmd | text | |
MD5:D41FDBC0DF2C5C7338403A2D0B0AEE2B | SHA256:5525E7E98E0492B1EB7295AC24D87B7A28F88CF3770A8B5D6567DF59EEEEF689 | |||
3536 | 1C_U25355369126978-2018.scr | C:\Intel\bmcon\bm-xmrig.json | text | |
MD5:A901ABFEA4D188090EECEC950196B28A | SHA256:C73D333324CF1E95FF0D561F7CC599EF481CF1AEF4D9A3BDBDD242A8927D537A | |||
3440 | bmcon.exe | C:\Intel\bmcon\apps.json | text | |
MD5:27442889B1E97D0ECA51E116D7A288F3 | SHA256:35DC4D2287B8C5E6B85036B4B81924F1568B50D9A78D2EB8033548A9734BC250 | |||
3536 | 1C_U25355369126978-2018.scr | C:\Intel\mup.xml | xml | |
MD5:753B5A3D0663017CE7B9C4A7969D25CA | SHA256:A5BB55567DC02398046F4B6D66830FDB1C4A5A556CB12FCD28A1BA471A047224 | |||
3536 | 1C_U25355369126978-2018.scr | C:\Intel\bmcon.json | text | |
MD5:8514B69D7637C7909F54FD3F11C86205 | SHA256:F9C44EDA210BE2027210A5D15E32B59301C957FA267F8B808C47CA36A2CB45E1 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2976 | sender.exe | 185.182.57.35:587 | smtp.8680541.store | Astralus B.V. | NL | unknown |
2768 | bm-xmrig-x32.exe | 88.198.117.171:4444 | pool.bmnr.pw | Hetzner Online GmbH | DE | malicious |
3440 | bmcon.exe | 88.99.38.225:443 | dl.browsermine.com | Hetzner Online GmbH | DE | unknown |
Domain | IP | Reputation |
---|---|---|
dl.browsermine.com |
| unknown |
smtp.8680541.store |
| unknown |
8680541.store |
| unknown |
pool.bmnr.pw |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3440 | bmcon.exe | unknown | SURICATA TCPv4 invalid checksum |
2976 | sender.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2768 | bm-xmrig-x32.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
2768 | bm-xmrig-x32.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response |
2768 | bm-xmrig-x32.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c |
2768 | bm-xmrig-x32.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response |
2768 | bm-xmrig-x32.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response |
2768 | bm-xmrig-x32.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c |
2768 | bm-xmrig-x32.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response |