File name: | testuuu.exe |
Full analysis: | https://app.any.run/tasks/2007c87c-f1ad-437d-a758-1196428369b6 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous ransomware families. Ransomware is malware that demands payment from the victim in order to restore access to encrypted files; if the user does not cooperate, the files are lost for good. |
Analysis date: | January 23, 2019, 09:31:16 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | C70CCCC83EDC3F6C757C267CD08D4687 |
SHA1: | 0D747483B316A7125AC8C4EADD365FA6D914C380 |
SHA256: | 5B73019C232ADBD1627B986BFC476DE96C230AD54A9A014932F3F32D814FC744 |
SSDEEP: | 6144:xuBE0jQFX+/tHjxsyg7BoHgKyWpY/gQpImg9R:xufjWXKtH27CTyK4fpIm8 |
Extension | Type |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (42.2) |
.exe | Win64 Executable (generic) (37.3) |
.dll | Win32 Dynamic Link Library (generic) (8.8) |
.exe | Win32 Executable (generic) (6) |
.exe | Generic Win/DOS Executable (2.7) |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2019:01:17 17:31:47+01:00 |
PEType: | PE32 |
LinkerVersion: | 9 |
CodeSize: | 136192 |
InitializedDataSize: | 210432 |
UninitializedDataSize: | - |
EntryPoint: | 0xf6d0 |
OSVersion: | 5 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
FileVersionNumber: | 5.2.5.6 |
ProductVersionNumber: | 5.2.5.6 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Windows NT 32-bit |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Unicode |
CompanyName: | IBE Software |
FileDescription: | Contention One Vs |
OriginalFileName: | Safer.exe |
LegalCopyright: | IBE Software Copyright (c) |
InternalName: | Safer |
ProductName: | Safer |
ProductVersion: | 5.2.5.6 |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 17-Jan-2019 16:31:47 |
Detected languages: | |
CompanyName: | IBE Software |
FileDescription: | Contention One Vs |
OriginalFilename: | Safer.exe |
LegalCopyright: | IBE Software Copyright (c) |
InternalName: | Safer |
ProductName: | Safer |
ProductVersion: | 5.2.5.6 |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000E0 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 17-Jan-2019 16:31:47 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000213E1 | 0x00021400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.6802 |
.rdata | 0x00023000 | 0x000078A4 | 0x00007A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.16623 |
.data | 0x0002B000 | 0x000036A4 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.66505 |
.rsrc | 0x0002F000 | 0x0002A358 | 0x0002A400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.9376 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.01596 | 957 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 2.84011 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 2.04327 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 2.31284 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 2.15052 | 10344 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 2.02131 | 16936 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 1.82697 | 62 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 2.14675 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 2.93257 | 744 | Latin 1 / Western European | English - United States | RT_ICON |
10 | 2.14675 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
Imported DLLs |
---|
ADVAPI32.dll |
AVIFIL32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
KERNEL32.dll |
OPENGL32.dll |
SHLWAPI.dll |
Secur32.dll |
TAPI32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2936 | "C:\Users\admin\AppData\Local\Temp\testuuu.exe" | C:\Users\admin\AppData\Local\Temp\testuuu.exe | — | explorer.exe |
User: admin Company: IBE Software Integrity Level: MEDIUM Description: Contention One Vs | ||||
3648 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | testuuu.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2712 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3364 | "C:\Windows\System32\control.exe" SYSTEM | C:\Windows\System32\control.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Control Panel Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
884 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Key | Name | Operation | Value |
---|---|---|---|---|---|
2936 | testuuu.exe | HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data | ext | write | 2E00630065006B0069007800630077000000 |
2936 | testuuu.exe | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data | public | write | (value elided) |
2936 | testuuu.exe | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data | private | write | (value elided) |
2936 | testuuu.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0 |
2936 | testuuu.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1 |
2936 | testuuu.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testuuu_RASAPI32 | EnableFileTracing | write | 0 |
2936 | testuuu.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testuuu_RASAPI32 | EnableConsoleTracing | write | 0 |
2936 | testuuu.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testuuu_RASAPI32 | FileTracingMask | write | 4294901760 |
2936 | testuuu.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testuuu_RASAPI32 | ConsoleTracingMask | write | 4294901760 |
2936 | testuuu.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testuuu_RASAPI32 | MaxFileSize | write | 1048576 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2936 | testuuu.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | — | — |
2936 | testuuu.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.cekixcw | — | — | — |
2936 | testuuu.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | — | — |
2936 | testuuu.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{05ed3515-06b3-48f6-8cf2-bf24b1bf0727}_OnDiskSnapshotProp | — | — | — |
2936 | testuuu.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{16d74681-6bc3-4c44-97f0-8b8dfefe2355}_OnDiskSnapshotProp | — | — | — |
2936 | testuuu.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{38e8535f-27d0-4352-aa3a-ce4178930102}_OnDiskSnapshotProp | — | — | — |
2936 | testuuu.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{3cc0f82b-873a-4e59-b89f-689fbdf88af9}_OnDiskSnapshotProp | — | — | — |
2936 | testuuu.exe | C:\Config.Msi\CEKIXCW-DECRYPT.txt | text | 5F11783E542E2850539FF1979AFD4E45 | 0C764D167D6449CEC0C24C29B66B78F43149E3356444C63AD104416840A83014 |
2936 | testuuu.exe | C:\MSOCache\CEKIXCW-DECRYPT.txt | text | 5F11783E542E2850539FF1979AFD4E45 | 0C764D167D6449CEC0C24C29B66B78F43149E3356444C63AD104416840A83014 |
2936 | testuuu.exe | C:\CEKIXCW-DECRYPT.txt | text | 5F11783E542E2850539FF1979AFD4E45 | 0C764D167D6449CEC0C24C29B66B78F43149E3356444C63AD104416840A83014 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2936 | testuuu.exe | GET | 301 | 138.201.162.99:80 | http://www.kakaocorp.link/ | DE | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2936 | testuuu.exe | 138.201.162.99:443 | www.kakaocorp.link | Hetzner Online GmbH | DE | malicious |
2936 | testuuu.exe | 138.201.162.99:80 | www.kakaocorp.link | Hetzner Online GmbH | DE | malicious |
Domain | IP | Reputation |
---|---|---|
www.kakaocorp.link | 138.201.162.99 | malicious |