File name: | мое.exe |
---|---|
Full analysis: | https://app.any.run/tasks/92e74fe0-54c9-495e-a378-b0878d22f22a |
Verdict: | Malicious activity |
Analysis date: | May 20, 2022, 21:30:24 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 5646341AC9A7EA52C4D4E9F764A01DCC |
SHA1: | 0E1D9C93F80C50FC8595601F39CD076D5590E4D1 |
SHA256: | 568FD5DC32BFDCBCE9ED5368516B5BBAE39C02D8B33C81E47170A0928A79EFC3 |
SSDEEP: | 1536:uF+0HVKN5ZLyqXfn5hPHjdbDRCmPm8GPqGI:w+06PWgD/jdbDRCk+qh |
Extension | File type (score) |
---|---|
.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
.exe | Win64 Executable (generic) (21.3) |
.scr | Windows screen saver (10.1) |
.dll | Win32 Dynamic Link Library (generic) (5) |
.exe | Win32 Executable (generic) (3.4) |
AssemblyVersion: | 0.0.0.0 |
---|---|
ProductVersion: | 0.0.0.0 |
ProductName: | - |
OriginalFileName: | lc.exe |
LegalTrademarks: | - |
LegalCopyright: | - |
InternalName: | lc.exe |
FileVersion: | 0.0.0.0 |
FileDescription: | - |
CompanyName: | - |
Comments: | - |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 0.0.0.0 |
FileVersionNumber: | 0.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x16bde |
UninitializedDataSize: | - |
InitializedDataSize: | 2048 |
CodeSize: | 84992 |
LinkerVersion: | 80 |
PEType: | PE32 |
TimeStamp: | 2022:05:17 19:52:44+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 17-May-2022 17:52:44 |
Debug artifacts: | |
Comments: | - |
CompanyName: | - |
FileDescription: | - |
FileVersion: | 0.0.0.0 |
InternalName: | lc.exe |
LegalCopyright: | - |
LegalTrademarks: | - |
OriginalFilename: | lc.exe |
ProductName: | - |
ProductVersion: | 0.0.0.0 |
Assembly Version: | 0.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 17-May-2022 17:52:44 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x00014BE4 | 0x00014C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.9394 |
.rsrc | 0x00018000 | 0x00000550 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.86503 |
.reloc | 0x0001A000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2852 | "C:\Users\admin\AppData\Local\Temp\мое.exe" | C:\Users\admin\AppData\Local\Temp\мое.exe | | Explorer.EXE |
2052 | reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v WIN32_1 /f /d AWindowsService.exe | C:\Windows\system32\reg.exe | | мое.exe |
3584 | reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v WIN32_2 /f /d taskhost.exe | C:\Windows\system32\reg.exe | | мое.exe |
3556 | reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v WIN32_3 /f /d windowsx-c.exe | C:\Windows\system32\reg.exe | | мое.exe |
584 | reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v WIN32_4 /f /d System.exe | C:\Windows\system32\reg.exe | | мое.exe |
3232 | reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v WIN32_5 /f /d _default64.exe | C:\Windows\system32\reg.exe | | мое.exe |
1340 | reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v WIN32_6 /f /d native.exe | C:\Windows\system32\reg.exe | | мое.exe |
2904 | reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v WIN32_7 /f /d ux-cryptor.exe | C:\Windows\system32\reg.exe | | мое.exe |
3048 | reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v WIN32_8 /f /d crypt0rsx.exe | C:\Windows\system32\reg.exe | | мое.exe |
4044 | cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r /D /S * & echo [%random%] Your files are encrypted by the BitBytes hacker group! Telegram for contact: @bit_bytes 1>info-0v92.txt & attrib -h +s +r info-0v92.txt | C:\Windows\system32\cmd.exe | — | мое.exe |

PID | User | Integrity Level | Company | Description | Exit code | Version |
---|---|---|---|---|---|---|
2852 | admin | MEDIUM | | | | 0.0.0.0 |
2052 | admin | MEDIUM | Microsoft Corporation | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3584 | admin | MEDIUM | Microsoft Corporation | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3556 | admin | MEDIUM | Microsoft Corporation | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
584 | admin | MEDIUM | Microsoft Corporation | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3232 | admin | MEDIUM | Microsoft Corporation | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
1340 | admin | MEDIUM | Microsoft Corporation | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
2904 | admin | MEDIUM | Microsoft Corporation | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3048 | admin | MEDIUM | Microsoft Corporation | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
4044 | admin | MEDIUM | Microsoft Corporation | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(3584) reg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | WIN32_2 | taskhost.exe |
(2052) reg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | WIN32_1 | AWindowsService.exe |
(2852) мое.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | мое.exe | C:\Users\admin\AppData\Local\Temp\мое.exe |
(3556) reg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | WIN32_3 | windowsx-c.exe |
(584) reg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | WIN32_4 | System.exe |
(1340) reg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | WIN32_6 | native.exe |
(3232) reg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | WIN32_5 | _default64.exe |
(2904) reg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | WIN32_7 | ux-cryptor.exe |
(3048) reg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | WIN32_8 | crypt0rsx.exe |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2860 | cmd.exe | C:\Users\admin\info-0v92.txt | text | 4915ACB37CFF2ADB40BBE791B4D5B41B | C7A746779D31F8FE5413608D981CAC6B9F153140A963B06D575DAF9389E4B901 |
2612 | cmd.exe | C:\Users\admin\Downloads\info-0v92.txt | text | 4915ACB37CFF2ADB40BBE791B4D5B41B | C7A746779D31F8FE5413608D981CAC6B9F153140A963B06D575DAF9389E4B901 |
2852 | мое.exe | C:\Users\admin\AppData\Local\Temp\$unlocker_id.ux-cryptobytes | text | 0428842C6A6A4F695AC6DFC67C74AAEF | 2E621A7764239A940B7F95EBE49DC5A74E91BAF79BF111A1DDD09D2CAA0F038A |
2532 | cmd.exe | C:\Users\admin\Documents\info-0v92.txt | text | 4915ACB37CFF2ADB40BBE791B4D5B41B | C7A746779D31F8FE5413608D981CAC6B9F153140A963B06D575DAF9389E4B901 |
4044 | cmd.exe | C:\Users\admin\Desktop\info-0v92.txt | text | 4915ACB37CFF2ADB40BBE791B4D5B41B | C7A746779D31F8FE5413608D981CAC6B9F153140A963B06D575DAF9389E4B901 |