File name: | eadc3c11fd66afd716e8e4f20be2b9f6048ddc0b.exe |
Full analysis: | https://app.any.run/tasks/89d8aa2d-430c-4c3b-80d8-df17b69a5fc3 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | January 10, 2019, 17:19:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 3ABB1F4A8F2FDEB302985911BFEFD6BF |
SHA1: | EADC3C11FD66AFD716E8E4F20BE2B9F6048DDC0B |
SHA256: | 5E901677DAD76C0DC21DA659115B4D08E1E27C279C1CD038518AE1518646C306 |
SSDEEP: | 192:piKixqK606vbxjowPrfpfh9A/dWhgUP1oynaUTG8tu8W1:pimAar2/dWhg610UTG8k8 |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x1030 |
UninitializedDataSize: | - |
InitializedDataSize: | 7168 |
CodeSize: | 7168 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2019:01:10 17:08:41+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 10-Jan-2019 16:08:41 |
Detected languages: |
|
Debug artifacts: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000E8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 10-Jan-2019 16:08:41 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00001B2F | 0x00001C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.56902 |
.rdata | 0x00003000 | 0x00001244 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.07414 |
.data | 0x00005000 | 0x00000050 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.rsrc | 0x00006000 | 0x000001B4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.09798 |
.reloc | 0x00007000 | 0x0000025C | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.83187 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.79597 | 346 | Latin 1 / Western European | English - United States | RT_MANIFEST |
ADVAPI32.dll |
KERNEL32.dll |
MSVCRT.dll |
SHELL32.dll |
SHLWAPI.dll |
WININET.dll |
urlmon.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2976 | "C:\Users\admin\AppData\Local\Temp\eadc3c11fd66afd716e8e4f20be2b9f6048ddc0b.exe" | C:\Users\admin\AppData\Local\Temp\eadc3c11fd66afd716e8e4f20be2b9f6048ddc0b.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3952 | C:\Users\admin\495030305060\winsvcs.exe | C:\Users\admin\495030305060\winsvcs.exe | eadc3c11fd66afd716e8e4f20be2b9f6048ddc0b.exe | |
User: admin Integrity Level: MEDIUM | ||||
3760 | C:\Users\admin\AppData\Local\Temp\2281337220.exe | C:\Users\admin\AppData\Local\Temp\2281337220.exe | winsvcs.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
364 | C:\Users\admin\AppData\Local\Temp\4223939108.exe | C:\Users\admin\AppData\Local\Temp\4223939108.exe | winsvcs.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2968 | C:\Users\admin\657607470096780\winsvcs.exe | C:\Users\admin\657607470096780\winsvcs.exe | 2281337220.exe | |
User: admin Integrity Level: MEDIUM | ||||
3744 | C:\Users\admin\4950606094303050\wincfg32svc.exe | C:\Users\admin\4950606094303050\wincfg32svc.exe | 4223939108.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1140 | C:\Users\admin\AppData\Local\Temp\3002915575.exe | C:\Users\admin\AppData\Local\Temp\3002915575.exe | winsvcs.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2144 | C:\Users\admin\AppData\Local\Temp\2288140680.exe | C:\Users\admin\AppData\Local\Temp\2288140680.exe | — | winsvcs.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3704 | C:\Users\admin\AppData\Local\Temp\4230842568.exe | C:\Users\admin\AppData\Local\Temp\4230842568.exe | — | winsvcs.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2192 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | 3002915575.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1140 | 3002915575.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | |
MD5:— | SHA256:— | |||
1140 | 3002915575.exe | C:\Users\admin\IPPCNFVVZU-DECRYPT.txt | text | |
MD5:48F9D18BA67761E7951DE1EC958FA317 | SHA256:74C4331408D38C883608FB173ADFC5D5823C1CCCCC99D628F535EFB028CC86F7 | |||
3952 | winsvcs.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\2[1].exe | executable | |
MD5:9CCE24E78759E70020A4C1C82359F471 | SHA256:9A3064A02F7D45B5D073D5653C53694EBFD37AF6255A0B928703A11EAC4A142D | |||
3952 | winsvcs.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\1[1].exe | executable | |
MD5:B58FE475F58E3070E3F506085108EF76 | SHA256:35DE112DE2021EB54DEA91383112609551240DB7D95AC0171D224CA13FA4E0E5 | |||
3952 | winsvcs.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\1[2].exe | executable | |
MD5:5A31E0AE80102A6B25FA0CA56CF7C15E | SHA256:DC92A406EC40D1356ABBD8DD8EA8CA90AE84516B741D3D898F892DB31D470480 | |||
2976 | eadc3c11fd66afd716e8e4f20be2b9f6048ddc0b.exe | C:\Users\admin\495030305060\winsvcs.exe | executable | |
MD5:3ABB1F4A8F2FDEB302985911BFEFD6BF | SHA256:5E901677DAD76C0DC21DA659115B4D08E1E27C279C1CD038518AE1518646C306 | |||
3760 | 2281337220.exe | C:\Users\admin\657607470096780\winsvcs.exe | executable | |
MD5:B58FE475F58E3070E3F506085108EF76 | SHA256:35DE112DE2021EB54DEA91383112609551240DB7D95AC0171D224CA13FA4E0E5 | |||
1140 | 3002915575.exe | C:\Users\admin\AppData\IPPCNFVVZU-DECRYPT.txt | text | |
MD5:48F9D18BA67761E7951DE1EC958FA317 | SHA256:74C4331408D38C883608FB173ADFC5D5823C1CCCCC99D628F535EFB028CC86F7 | |||
1140 | 3002915575.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\IPPCNFVVZU-DECRYPT.txt | text | |
MD5:48F9D18BA67761E7951DE1EC958FA317 | SHA256:74C4331408D38C883608FB173ADFC5D5823C1CCCCC99D628F535EFB028CC86F7 | |||
1140 | 3002915575.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2968 | winsvcs.exe | GET | 304 | 92.63.197.48:80 | http://slpsrgpsrhojifdij.ru/2.exe | RU | — | — | malicious |
3952 | winsvcs.exe | GET | — | 92.63.197.48:80 | http://slpsrgpsrhojifdij.ru/2.exe | RU | — | — | malicious |
3952 | winsvcs.exe | GET | 200 | 92.63.197.48:80 | http://92.63.197.48/m/1.exe | RU | executable | 247 Kb | malicious |
3952 | winsvcs.exe | GET | — | 92.63.197.48:80 | http://slpsrgpsrhojifdij.ru/1.exe | RU | — | — | malicious |
3952 | winsvcs.exe | GET | 200 | 92.63.197.48:80 | http://slpsrgpsrhojifdij.ru/2.exe | RU | executable | 258 Kb | malicious |
2968 | winsvcs.exe | GET | 304 | 92.63.197.48:80 | http://slpsrgpsrhojifdij.ru/1.exe | RU | — | — | malicious |
3952 | winsvcs.exe | GET | 200 | 92.63.197.48:80 | http://slpsrgpsrhojifdij.ru/1.exe | RU | executable | 261 Kb | malicious |
3952 | winsvcs.exe | GET | 404 | 92.63.197.48:80 | http://slpsrgpsrhojifdij.ru/4.exe | RU | html | 178 b | malicious |
3952 | winsvcs.exe | GET | — | 92.63.197.48:80 | http://92.63.197.48/m/1.exe | RU | — | — | malicious |
2968 | winsvcs.exe | GET | — | 92.63.197.48:80 | http://92.63.197.48/2.exe | RU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3952 | winsvcs.exe | 92.63.197.48:80 | slpsrgpsrhojifdij.ru | — | RU | malicious |
2968 | winsvcs.exe | 92.63.197.48:80 | slpsrgpsrhojifdij.ru | — | RU | malicious |
3744 | wincfg32svc.exe | 98.137.159.25:25 | mta5.am0.yahoodns.net | Yahoo | US | unknown |
1140 | 3002915575.exe | 138.201.162.99:80 | www.fliptray.biz | Hetzner Online GmbH | DE | malicious |
1140 | 3002915575.exe | 78.46.77.98:443 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
1140 | 3002915575.exe | 74.220.215.73:80 | www.bizziniinfissi.com | Unified Layer | US | malicious |
1140 | 3002915575.exe | 136.243.13.215:80 | www.holzbock.biz | Hetzner Online GmbH | DE | suspicious |
1140 | 3002915575.exe | 138.201.162.99:443 | www.fliptray.biz | Hetzner Online GmbH | DE | malicious |
1140 | 3002915575.exe | 217.26.53.161:80 | www.haargenau.biz | Hostpoint AG | CH | malicious |
1140 | 3002915575.exe | 78.46.77.98:80 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
slpsrgpsrhojifdij.ru |
| malicious |
yahoo.com |
| whitelisted |
mta5.am0.yahoodns.net |
| unknown |
osheoufhusheoghuesd.ru |
| malicious |
www.2mmotorsport.biz |
| unknown |
ofheofosugusghuhush.ru |
| unknown |
www.haargenau.biz |
| unknown |
www.bizziniinfissi.com |
| malicious |
www.holzbock.biz |
| unknown |
www.fliptray.biz |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3952 | winsvcs.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
3952 | winsvcs.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
3952 | winsvcs.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3952 | winsvcs.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
3952 | winsvcs.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
3952 | winsvcs.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3952 | winsvcs.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
3952 | winsvcs.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
3952 | winsvcs.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
3952 | winsvcs.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |