File name: | 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe |
Full analysis: | https://app.any.run/tasks/00e61a6c-7546-4277-a5b3-b837f8f22809 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | May 21, 2022, 04:24:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 88687C7DC456C49C92E1C108D2E9C742 |
SHA1: | 07441F02634480B05714CE7A4D8194681C76EBCC |
SHA256: | 5E4990AF033733F53D7B03D5F63184239A7C7D000763B53DA20147750144598D |
SSDEEP: | 3072:7BdoKA9aCWuUHslgAsUXk5yOi8fExgwOULiQHtZIaH/hiPbkaR2EF7o:7Bd2aCgHUgQXzORygw/icZB/naBo |
.dll | | | Win32 Dynamic Link Library (generic) (43.5) |
---|---|---|
.exe | | | Win32 Executable (generic) (29.8) |
.exe | | | Generic Win/DOS Executable (13.2) |
.exe | | | DOS Executable Generic (13.2) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x4de7 |
UninitializedDataSize: | - |
InitializedDataSize: | 6154240 |
CodeSize: | 83456 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2018:04:22 20:26:27+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 22-Apr-2018 18:26:27 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 22-Apr-2018 18:26:27 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0001446C | 0x00014600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60922 |
.rdata | 0x00016000 | 0x000045E8 | 0x00004600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.34328 |
.data | 0x0001B000 | 0x005B0A68 | 0x00001C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.49829 |
.rsrc | 0x005CC000 | 0x00024DF6 | 0x00024E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.56893 |
.reloc | 0x005F1000 | 0x0000550E | 0x00005600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 2.015 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 6.77887 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
2 | 6.67163 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 2.72308 | 192 | UNKNOWN | UNKNOWN | RT_STRING |
8 | 2.1371 | 76 | UNKNOWN | UNKNOWN | RT_STRING |
9 | 2.39676 | 114 | UNKNOWN | UNKNOWN | RT_STRING |
10 | 3.01564 | 272 | UNKNOWN | UNKNOWN | RT_STRING |
11 | 3.05985 | 382 | UNKNOWN | UNKNOWN | RT_STRING |
13 | 2.8616 | 256 | UNKNOWN | UNKNOWN | RT_STRING |
14 | 2.98259 | 336 | UNKNOWN | UNKNOWN | RT_STRING |
15 | 2.98468 | 346 | UNKNOWN | UNKNOWN | RT_STRING |
ADVAPI32.dll |
KERNEL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2916 | "C:\Users\admin\AppData\Local\Temp\5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe" | C:\Users\admin\AppData\Local\Temp\5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
3260 | nslookup zonealarm.bit ns1.corp-servers.ru | C:\Windows\system32\nslookup.exe | — | 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3780 | nslookup ransomware.bit ns2.corp-servers.ru | C:\Windows\system32\nslookup.exe | — | 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3232 | nslookup zonealarm.bit ns2.corp-servers.ru | C:\Windows\system32\nslookup.exe | — | 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2668 | nslookup ransomware.bit ns1.corp-servers.ru | C:\Windows\system32\nslookup.exe | — | 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1604 | nslookup zonealarm.bit ns1.corp-servers.ru | C:\Windows\system32\nslookup.exe | — | 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3144 | nslookup ransomware.bit ns2.corp-servers.ru | C:\Windows\system32\nslookup.exe | — | 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3516 | nslookup zonealarm.bit ns2.corp-servers.ru | C:\Windows\system32\nslookup.exe | — | 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1796 | nslookup ransomware.bit ns1.corp-servers.ru | C:\Windows\system32\nslookup.exe | — | 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
940 | nslookup zonealarm.bit ns1.corp-servers.ru | C:\Windows\system32\nslookup.exe | — | 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2916) 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce |
Operation: | write | Name: | nafndjfayxb |
Value: "C:\Users\admin\AppData\Roaming\Microsoft\eekiqy.exe" | |||
(PID) Process: | (2916) 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2916) 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2916) 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2916) 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2916) 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2916) 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2916) 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2916) 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2916) 5e4990af033733f53d7b03d5f63184239a7c7d000763b53da20147750144598d.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: |
PID | Process | Filename | Type | |
---|---|---|---|---|
732 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFDCF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4020 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7273.tmp.cvr | — | |
MD5:— | SHA256:— | |||
732 | WINWORD.EXE | C:\Users\admin\Desktop\~$ryincest.rtf | pgc | |
MD5:3B4033780004B55773108584E6E43897 | SHA256:C038650E723FECCC0B5C1C65D316789B356A092C8D01E04BAE0CBC5416FFCD8D | |||
732 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C7276F09-7E19-4D4F-9E5A-A7158311F996}.tmp | dbf | |
MD5:ABACA56C9B4B6BFBA00EC244D1D526E3 | SHA256:64B5C9CAF878AF5055817188BED927DE5AF191B4EB439743A21BF450B445255A | |||
732 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1A635D46-2698-44E7-BB27-A5583F808B63}.tmp | binary | |
MD5:2B09C18526AED16B061AC051F45C9B05 | SHA256:DDB64629840762A8262FF5665A723D9C6FD6353F8BFC30E896306401E5368692 | |||
732 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:AF9F93BE870FCDDB71D1D8C395926741 | SHA256:4697F6196A3BA34B57A6B4AB7F32FC2C6AD10E5EA83DE984DD6EB515BA7BEF16 | |||
732 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\veryincest.rtf.LNK | lnk | |
MD5:A00D6831B08F7112582D4A5F50A56BA9 | SHA256:E59E043CFE8C957AA6280046C669A550DE61ABBAF29CB98CA1489B9BC4EDB743 | |||
4020 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\qualityboard.rtf.LNK | lnk | |
MD5:DF9E0BCDDF9782771CC2556E0F80A7A5 | SHA256:6C28C5D8B3C4B464C2574C6AAC7A69AC68805D33884BF90CB2F4FA0132FF1448 | |||
4020 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C08481E6-151F-4744-A7C9-BA3F830EFFD9}.tmp | binary | |
MD5:222D2AF015E7D0024F7DF1C752305496 | SHA256:1FA1E0719D8F2CDD57C6C5773BEBD4BCF54938C106795CAF4B2EDF33E5B2F385 | |||
732 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:EA1BD1E85B2BA5B0E879125BE4CA0005 | SHA256:677E8143B8D1F122201D77198155002E36FF627CFACB5BA3CA07A5FF1AFDB2E0 |
Domain | IP | Reputation |
---|---|---|
ipv4bot.whatismyipaddress.com |
| shared |
ns1.corp-servers.ru |
| unknown |
2.100.168.192.in-addr.arpa |
| whitelisted |
zonealarm.bit |
| malicious |
ns2.corp-servers.ru |
| unknown |
ransomware.bit |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET TROJAN Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup) |
— | — | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
— | — | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
— | — | A Network Trojan was detected | ET TROJAN Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup) |
— | — | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
— | — | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
— | — | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
— | — | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
— | — | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
— | — | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |