File name: | 150899608 |
Full analysis: | https://app.any.run/tasks/924aee24-34f7-47b6-92d9-60049529724b |
Verdict: | Malicious activity |
Threats: | GandCrab is one of the best-known ransomware families. Ransomware is malware that demands payment from the victim to restore access to encrypted files; if the victim does not pay, the files are lost for good. |
Analysis date: | January 18, 2019, 10:35:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 24F030B17DD8152A3CD04253DD648690 |
SHA1: | 456FB8F627C1E28745C9F63FAF2615E1A0CC1D66 |
SHA256: | 57ACEA19D6B84C350A6C9CF2B55794377C7D12491B65AF1D06C7F857316F1D7B |
SSDEEP: | 12288:QasyKZffHK7s1cLOhTpOfekiImLZGMn55aYEO:AH+LOF8ek6fn5I7 |
Extension | Detected type |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (41) |
.exe | Win64 Executable (generic) (36.3) |
.dll | Win32 Dynamic Link Library (generic) (8.6) |
.exe | Win32 Executable (generic) (5.9) |
.exe | Clipper DOS Executable (2.6) |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2019:01:17 16:14:17+01:00 |
PEType: | PE32 |
LinkerVersion: | 10 |
CodeSize: | 189952 |
InitializedDataSize: | 290304 |
UninitializedDataSize: | - |
EntryPoint: | 0x16d5a |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 6.9.7.6 |
ProductVersionNumber: | 6.9.7.6 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Windows NT 32-bit |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Unicode |
FileDescription: | Vbprj Feed Folderbrowserdialog Livermre |
LegalCopyright: | Copyright © 1995-Present Domo Technologies |
InternalName: | Protection |
OriginalFileName: | Protection.exe |
CompanyName: | Domo Technologies |
Comments: | Vbprj Feed Folderbrowserdialog Livermre |
ProductName: | Protection |
ProductVersion: | 6.9.7.6 |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 17-Jan-2019 15:14:17 |
Detected languages: | |
Debug artifacts: | |
FileDescription: | Vbprj Feed Folderbrowserdialog Livermre |
LegalCopyright: | Copyright © 1995-Present Domo Technologies |
InternalName: | Protection |
OriginalFilename: | Protection.exe |
CompanyName: | Domo Technologies |
Comments: | Vbprj Feed Folderbrowserdialog Livermre |
ProductName: | Protection |
ProductVersion: | 6.9.7.6 |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F0 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 17-Jan-2019 15:14:17 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0002E536 | 0x0002E600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.73045 |
.rdata | 0x00030000 | 0x0000BAB6 | 0x0000BC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.8855 |
.data | 0x0003C000 | 0x00004A64 | 0x00002C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.91848 |
.rsrc | 0x00041000 | 0x000348AC | 0x00034A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.32468 |
.reloc | 0x00076000 | 0x00003B94 | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.09054 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.11681 | 530 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 4.18613 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 3.37186 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 3.74274 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 1.74461 | 10344 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 3.22704 | 16936 | Latin 1 / Western European | English - United States | RT_ICON |
101 | 2.76051 | 90 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
179 | 7.9558 | 7951 | Latin 1 / Western European | English - United States | PNG |
285 | 7.94932 | 11390 | Latin 1 / Western European | English - United States | TYPELIB |
1229 | 6.50383 | 128 | Latin 1 / Western European | English - United States | RT_RCDATA |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
DWrite.dll |
GDI32.dll |
GLU32.dll |
IMM32.dll |
KERNEL32.dll |
MSIMG32.dll |
MSVFW32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3092 | "C:\Users\admin\AppData\Local\Temp\150899608.exe" | C:\Users\admin\AppData\Local\Temp\150899608.exe | — | explorer.exe |
User: admin Company: Domo Technologies Integrity Level: MEDIUM Description: Vbprj Feed Folderbrowserdialog Livermre | ||||
3880 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | 150899608.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3036 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
(PID) Process: | (3092) 150899608.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data |
Operation: | write | Name: | ext |
Value: 2E007A0071007600760065006700750070000000 | |||
(PID) Process: | (3092) 150899608.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data |
Operation: | write | Name: | public |
Value: (value not present in the source) | |||
(PID) Process: | (3092) 150899608.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data |
Operation: | write | Name: | private |
Value: 94040000E7205BEF66FCEEA12DDDF04E6B4FF5D5A564392130549327D5AF10C3B81DE5B7921A13D662DA061ED45580A2DAB0DF5D071D428364F77BAF4A787A5C274E23BADC64F8BA34CF6AE8BA22306F89CC54EDF37368639C524134A0C3190EFD88050DD103648A4E304CDB70BBD9879CD46115176B3A715C9B5937E73B94F783986544D210E5C996C063AE53369BC56E21A66C96BFFDB0F01FCE6BD8C70640E1AA36AEE498238F4A2BA0ADC3479721769F2206075863AD8FDC3483D45FA0EDAEC32B7820B0C7A89459D33FE1BE2612A7B0521B3E92C935F92F85755D77360BC66662D6E393727CB2E5CFAB212F342D004C9FBDE4A23F5E346A1FB659BEE0D868B979412647C289E08B61C3C3663F6E0AF11998333D24DE0ABFD7A4B6183BD120066D0425005172732F80D6547D2B96630F87E7D6536D7E43999B59EC5D008C795E1421C349B558EA4FCD0E7691B970D1798B97FB31F74F5669B884D05B6EB8CAB0E730F37ADCA8898D254449B06B8E72A433967C2B1D819571035328EE3F962C8E4012CDFF7D3C4AF3C33F63F574070D2B60F69D314F7E218A3E314DD71AFD3E5E089BB079B293C693EE9F10B6A49EFF38782DECCE293473A94C2BF22430CE2A91287FE7A8231B97A14B4F70B2CBB24E853F8FBFE4A3656088AD97D4AAC9B45899127EABF4BB98BE83BE9192E160992C475AB43A5F1ABD02814A84B670ED0AC4504B3F089303BBFA626F757901D41DD1805A592079DB074238AC280CF5D7353662522469E065541B0842C5E09D89A4EA5AE0CEB8D132E6A195FAC63F5C756A43AF1A77C62E6809DF4F117DA4823163313F8C8D0FC0E176D426F106C031D494E244EC76EEF643F0B8AF829443F95ECD7756878ED127E09463ABC280C27E6E811EA754BD064FE51A2A07F87EBE3D315288538767FB30D7745EA39FCC3659654514196CFDC445BAD8C4455C3EA14DCAEB08799B960382200C401161553697E710015D998D0F637CFC4FF54E5139D7E81F11ECA68C8A5B86E7A0283C744DFF78E03B70FD06120ED0ECFD05B6F0706325FE95B67968A3F09EF82AC2A81806543B0FA2288A640226C79F53A19A20B39BE67F26F3F7C77EDD98B483F8D6EBB0AD4B99BC7798FD8E76C3A8FC1FD4E9563B2747F05A7E584BD742E355F2D938D17E8F8B403056D35F5D72002E26E142BF7927499F104224662E2CC7465CF96ECB92BF2922FF5F9379BEBEB5120452ADF6C88C0D6EED3904CA1CFFF47DCC3470DEC873D01DEFB0FDED2760BC082C1502DFCF6D331B824A060DD14B6D658121065057BD3AA14A29EC9DBFAF8E5FF40A5E95EDC9EC436A4128AA60F6B46A8E313D34945D772F12C8BEA5DF5BC00A5E4BB5C16C04F5E2D907383A45410A729180000BCDA4D3B8001398FE2C81F6997530C05E213D3376FF5AF71BF569A7508630EACBAD57FAD1194C575DE7EE76879467B41C9AD61A23DFCD78DACAB68B9224606A6422C1EE947036A3B90B40E7D33A8788DFDB2864A18C54C7B62A61733ECFE01CBDC0D3C75134C8B833073BE6877608C5781784C6F4E42D1027C98B230BE70D7DC6AEAC374520549A200AA1C1FF2180728814C1BCDC211CC9223A19C2B16C18CEB8FF6E9B115940B4A0D7F3FADD1D5BDBCB3DB94463FDDF95AE216E0DC0B60121097C4908B7230016E350907F6A48D57AA812243DD8CA0DF9FC4D518DDC0B8D701D49787E3EFC4844B915500EC190FFFDA14FB6B62D5AE9A9F2C6DE7C96E10A6451CD1309EC2EF383FEF053647C9EE8FB49DBC2229ADBD3DFB5D8C1DDBCFFCFC7D7E63E3DF4F9DAD6F79F136AFF15CA71530DCDC18CDB52B58FAB9D5043DBC397E586908A611C7E5B57BC07A733DC2C7EC3972FE79971E796C7BD0C5540A2D490D08812F1A3D45A3CE572F539D8E8286176ED2187E62FB756C63A80EDCA09A0D4978861E4B4606449CF6951B43581FE872E37ABB9CD62071D2DC39E5E95FC134829D4F6FD9AB27A7994B98FA5512D16E03AFC3727970C564705B614C56D064FD65FB44133BBFC10DF82543A216C3A963155732724277C31BC8E27ABC105D6EDF2E48540E10EAFE0B2A1A02499FF1D84B60A3709736DFC4D937FC6712D980C6643E108A562F1E188178B212E81D26A46229A96B229D6764BD9A6DAA140CED8C4492986A677011581EB33DC19A841A0AC2198F5C8B8832E206535991EFA8EAD8A26B9874DCF1E26299F114709DA43B8B17B7728F54B11487E6F9F2A7F2228346E1BC00B5051666072EA19F185175A83134958EF8B4076975A31ECDF03AC034852E634FD50A359F0D82BEF2E1A87A1161A633929B7114695E4131DAE3D8ECFD7D14988516408C84104458939456BA4B7CCB0738CFF89BF0B12F71CF952E8 | |||
(PID) Process: | (3092) 150899608.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3092) 150899608.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3092) 150899608.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150899608_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3092) 150899608.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150899608_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3092) 150899608.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150899608_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3092) 150899608.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150899608_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3092) 150899608.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150899608_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
PID | Process | Filename | Type | |
---|---|---|---|---|
3092 | 150899608.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | |
MD5:— | SHA256:— | |||
3092 | 150899608.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | |
MD5:— | SHA256:— | |||
3092 | 150899608.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.zqvvegup | — | |
MD5:— | SHA256:— | |||
3092 | 150899608.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{05ed3515-06b3-48f6-8cf2-bf24b1bf0727}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
3092 | 150899608.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{16d74681-6bc3-4c44-97f0-8b8dfefe2355}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
3092 | 150899608.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{38e8535f-27d0-4352-aa3a-ce4178930102}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
3092 | 150899608.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{3cc0f82b-873a-4e59-b89f-689fbdf88af9}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
3092 | 150899608.exe | C:\System Volume Information\SPP\ZQVVEGUP-DECRYPT.txt | text | |
MD5:7EC51A8C27EFA5B6237A5F9F13540C02 | SHA256:519464570DD3CF6AA4484946A49ED5C0E99D7714FEE4CA5632265F7A54EEE25B | |||
3092 | 150899608.exe | C:\Config.Msi\ZQVVEGUP-DECRYPT.txt | text | |
MD5:7EC51A8C27EFA5B6237A5F9F13540C02 | SHA256:519464570DD3CF6AA4484946A49ED5C0E99D7714FEE4CA5632265F7A54EEE25B | |||
3092 | 150899608.exe | C:\PerfLogs\Admin\ZQVVEGUP-DECRYPT.txt | text | |
MD5:7EC51A8C27EFA5B6237A5F9F13540C02 | SHA256:519464570DD3CF6AA4484946A49ED5C0E99D7714FEE4CA5632265F7A54EEE25B | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3092 | 150899608.exe | GET | 301 | 138.201.162.99:80 | http://www.kakaocorp.link/ | DE | html | 162 B | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3092 | 150899608.exe | 138.201.162.99:443 | www.kakaocorp.link | Hetzner Online GmbH | DE | malicious |
3092 | 150899608.exe | 138.201.162.99:80 | www.kakaocorp.link | Hetzner Online GmbH | DE | malicious |
Domain | IP | Reputation |
---|---|---|
www.kakaocorp.link | 138.201.162.99 | malicious |