File name: | KRSWL0cker.exe |
Full analysis: | https://app.any.run/tasks/617f2e58-00af-4ca9-a21a-8519fef061b7 |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 02:00:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | - |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 585A07714CB3DA8E53CD37054B5ED8F3 |
SHA1: | 444CDCDDFFBD5DE68EF7791E579A9E806E167977 |
SHA256: | 5F6EE623CB033295A0E4C2A701F006C067DAA0DADF09CBFADCD4431B551C80FB |
SSDEEP: | 1536:rYRe8Fpln4vnaKR0JeDjEX8TDduVbMyjELc50w+XI+tut++8LJFaW/Cxlb5JwKbW:rYRe8Fpln4vnaKR0JeDwX8TDduVbMyjE |
Extension | File type match | Probability (%)
---|---|---
.exe | Generic CIL Executable (.NET, Mono, etc.) | 72.2
.scr | Windows screen saver | 12.9
.dll | Win32 Dynamic Link Library (generic) | 6.4
.exe | Win32 Executable (generic) | 4.4
.exe | Generic Win/DOS Executable | 1.9
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2022-Oct-05 01:58:03 |
Debug artifacts: | - |
Comments: | - |
CompanyName: | - |
FileDescription: | KRSWL0cker |
FileVersion: | 1.0.0.0 |
InternalName: | KRSWL0cker.exe |
LegalCopyright: | Copyright © 2783 |
LegalTrademarks: | - |
OriginalFilename: | KRSWL0cker.exe |
ProductName: | KRSWL0cker |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
e_magic: | MZ |
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2022-Oct-05 01:58:03 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: | - |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
---|---|---|---|---|---
.text | 8192 | 91076 | 91136 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.45942
.reloc | 106496 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191
.rsrc | 114688 | 1464 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.12924
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.30248 | 812 | UNKNOWN | UNKNOWN | RT_VERSION |
1 (#2) | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
Imports: | mscoree.dll |
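Two static observations in the tables above deserve a check rather than a glance. The .text entropy of 7.46 (out of a maximum of 8.0) is high for an unobfuscated .NET assembly and usually means compressed or encrypted data is embedded in the code section; and the COFF timestamp (01:58:03) sits two and a half minutes before the analysis time (02:00:39), so the sample was linked just before submission (for .NET builds made with a deterministic compiler the field is a hash rather than a time, so the check is only meaningful when, as here, it lands right next to the analysis date). The following script is an added example, not ANY.RUN's code and not the sample's: it parses the DOS/COFF headers and section table with `struct` alone, computes per-section Shannon entropy, decodes the timestamp and emits those two findings. The PE bytes are constructed inline to mirror the report's section layout (same names, RVAs, raw sizes and flags); random bytes stand in for the real .text content, the COFF Characteristics value 0x0102 is assumed because the report leaves it blank, and both report times are assumed to be UTC.

```python
"""Static triage of a PE section table (added example, not ANY.RUN's code)."""
import math
import random
import struct
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
HIGH_ENTROPY = 7.0           # assumed threshold; plain .NET IL usually sits well below it
FRESH_BUILD_SECONDS = 86400  # assumed: a link time within a day of analysis is "fresh"

# Times taken from the report, assumed to be UTC.
REPORT_LINK_TIME = int(datetime(2022, 10, 5, 1, 58, 3, tzinfo=timezone.utc).timestamp())
ANALYSIS_TIME = datetime(2022, 10, 5, 2, 0, 39, tzinfo=timezone.utc)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, coff)
    sec_off = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        (name, vsize, vaddr, rawsize, rawptr,
         _relocs, _lines, _nrelocs, _nlines, flags) = struct.unpack_from("<8sIIIIIIHHI", pe, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "flags": flags,
            "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize]),
        })
    return {"machine": machine, "characteristics": chars, "timestamp": timestamp, "sections": sections}


def triage(pe: bytes, analysis_time: datetime) -> list:
    """Findings a triager wants: fresh link time, high-entropy executable sections."""
    info = parse_sections(pe)
    findings = []
    linked = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    age = (analysis_time - linked).total_seconds()
    if 0 <= age < FRESH_BUILD_SECONDS:
        findings.append(f"fresh build: linked {age / 60:.1f} min before analysis")
    for s in info["sections"]:
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"{s['name']}: executable section with entropy {s['entropy']:.2f}")
    return findings


def build_sample_pe(sections, timestamp: int) -> bytes:
    """Construct a minimal PE32 (constructed test input) whose headers mirror the report."""
    e_lfanew, opt_size, align = 128, 224, 512
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine I386; Characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE (assumed, blank in the report).
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    rawptr = -(-headers_end // align) * align  # first section starts at the next file alignment
    sec_hdrs, body = b"", b""
    for name, vaddr, data, flags in sections:
        rawsize = -(-len(data) // align) * align
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sec_hdrs
    return image.ljust(-(-headers_end // align) * align, b"\0") + body


_rng = random.Random(0x4B5253)  # deterministic stand-in for compressed/encrypted code bytes
SAMPLE_PE = build_sample_pe([
    (b".text", 0x2000, _rng.randbytes(91076), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".reloc", 0x1A000, bytes.fromhex("002000000c00000000000000"),
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
    (b".rsrc", 0x1C000, bytes(1464), IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
], REPORT_LINK_TIME)

if __name__ == "__main__":
    for line in triage(SAMPLE_PE, ANALYSIS_TIME):
        print(line)
```

Against the real sample the same `triage()` call would report the 7.46 value from the table instead of the near-8.0 of the random stand-in; the threshold is the point, not the exact number.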
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2968 | "C:\Users\admin\AppData\Local\Temp\KRSWL0cker.exe" | C:\Users\admin\AppData\Local\Temp\KRSWL0cker.exe | - | Explorer.EXE
User: admin | Integrity Level: MEDIUM | Description: KRSWL0cker | Version: 1.0.0.0 |
(PID) Process | Key | Name | Operation | Value
---|---|---|---|---
(2968) KRSWL0cker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | KR | write | "C:\Users\admin\AppData\Local\Temp\KRSWL0cker.exe"
(2968) KRSWL0cker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1
(2968) KRSWL0cker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1
(2968) KRSWL0cker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1
(2968) KRSWL0cker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0

Note: the persistence indicator here is the Run-key value KR, which points back at the sample's own path under %TEMP%. The four ZoneMap writes (ProxyBypass, IntranetName, UNCAsIntranet, AutoDetect) are the values WinINet/urlmon populate the first time a process initialises Internet Explorer security-zone settings, a routine side effect of the .NET networking stack, and are not by themselves evidence of tampering.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2968 | KRSWL0cker.exe | C:\Users\admin\Desktop\clientsnc.rtf.krsw | binary | BD8987D19BF3A08F01692458212BAE72 | 603A3076ABB55F1781162BC6B05E7F2EC9C94E32AE92C13D22C2B59D540813CD
2968 | KRSWL0cker.exe | C:\Users\admin\Pictures\desktop.ini.krsw | binary | 3319C6F67845E27A3F58E0A643471251 | 7B81A6EBCD2E5D652AFFCFFBC231B9BFB16EA5C7514F9CF0ABFB635DE8B80566
2968 | KRSWL0cker.exe | C:\Users\admin\AppData\Local\Temp\krswtkhrkrs.txt | text | C8370F662F6266629D38EE7460E8F77A | 958197DB2E1BBD7CA03D3249A6DBE6F221AE96F228B42BF5774F29DFE8B86C32
2968 | KRSWL0cker.exe | C:\Users\admin\Desktop\desktop.ini.krsw | binary | 7D47B0BE084A16B372A8528E251BAB48 | FBE91FA1F67B17AB351327B581E19DB5922BEBA4C69E7773CEDAA239B526CD7E
2968 | KRSWL0cker.exe | C:\Users\admin\Documents\sizewine.rtf.krsw | binary | 85BF9043BCF785CC3A3333869AD16929 | E8055E51DEA5781F27CB0D320E244B49D90D0CC7890CF3FE043CF48A760AC8D0
2968 | KRSWL0cker.exe | C:\Users\admin\Documents\desktop.ini.krsw | binary | B203161D9043BECB07E672CDD1E94F55 | 2A4818483C43B3D0B8B0E9BD13975F924A1155DAE622D986B4A90B41B5338C4F
2968 | KRSWL0cker.exe | C:\Users\admin\Desktop\locationaz.rtf.krsw | binary | 0474F2DC9FC5C18A7ADF034FBA0E40F6 | 6F0299C5A527D82B364BA5D6573E1DFF97517E84AB5DA094FAD696A053C745D0
2968 | KRSWL0cker.exe | C:\Users\admin\Desktop\beforenorthern.png.krsw | binary | 38F851EFE72CE18A1C2F6BE1D11F85C7 | 4D87D0A2F1B8351056E324AFDA57DB764C8A356D01C9032114D84BAF883F1F5C
2968 | KRSWL0cker.exe | C:\Users\admin\Desktop\developedoverview.jpg.krsw | binary | DED20913811FF5796B9FA73E57AEDCF2 | A7F70C21EE9FFD85879C91F293416A87F3134C182BD9EEAF93758E963BB6CF87
2968 | KRSWL0cker.exe | C:\Users\admin\Pictures\respectivemsn.png.krsw | binary | 2E580CA8A58CD3453CBEEE1AB747560D | 4B83158EFBF341770B0E1B23A57DB323868521B0D3E025375EA9D330B5682296

Note: all nine binary outputs keep the original file name and extension and gain a .krsw suffix; this excerpt lists no deletions or renames, so whether the originals were overwritten in place or left behind cannot be confirmed from it. The single text file, krswtkhrkrs.txt in %TEMP%, is the obvious ransom-note candidate, but its contents are not reproduced in the report.
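The registry and file tables above are exactly the telemetry an EDR or sandbox would hand a detection engineer, and two rules cover what this sample does: an autostart value whose target lives in a user-writable directory (the KR Run-key entry), and a single process writing many files that keep their original name and extension and gain one novel suffix (.krsw), with any plain-text file it drops alongside flagged as a note candidate. The script below is an added example, not ANY.RUN's tooling: the event records are re-typed by hand from the two tables (a constructed in-memory log, with the ZoneMap writes included so the rules can be seen to ignore them), and the event schema, the user-writable path markers, the "known extension" list and the five-file threshold are all assumptions for the example.

```python
"""Behavioural triage over the report's registry and file events (added example)."""
import re
from collections import Counter, defaultdict

# Assumed rule parameters: autostart keys (suffix match, any hive, lower-cased),
# user-writable path markers, extensions treated as ordinary documents, and how
# many same-suffix files make a "bulk encryption" call.
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")
KNOWN_EXT = {"rtf", "png", "jpg", "jpeg", "txt", "ini", "doc", "docx", "xls", "xlsx", "pdf", "exe", "dll"}
MIN_ENCRYPTED = 5

# Constructed event log: the registry and file rows from the report, re-typed.
EVENTS = [
    {"type": "reg", "pid": 2968, "image": "KRSWL0cker.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "KR", "data": r'"C:\Users\admin\AppData\Local\Temp\KRSWL0cker.exe"'},
] + [
    {"type": "reg", "pid": 2968, "image": "KRSWL0cker.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
     "name": name, "data": value}
    for name, value in (("ProxyBypass", "1"), ("IntranetName", "1"), ("UNCAsIntranet", "1"), ("AutoDetect", "0"))
] + [
    {"type": "file", "pid": 2968, "image": "KRSWL0cker.exe", "path": path, "kind": kind}
    for path, kind in (
        (r"C:\Users\admin\Desktop\clientsnc.rtf.krsw", "binary"),
        (r"C:\Users\admin\Pictures\desktop.ini.krsw", "binary"),
        (r"C:\Users\admin\AppData\Local\Temp\krswtkhrkrs.txt", "text"),
        (r"C:\Users\admin\Desktop\desktop.ini.krsw", "binary"),
        (r"C:\Users\admin\Documents\sizewine.rtf.krsw", "binary"),
        (r"C:\Users\admin\Documents\desktop.ini.krsw", "binary"),
        (r"C:\Users\admin\Desktop\locationaz.rtf.krsw", "binary"),
        (r"C:\Users\admin\Desktop\beforenorthern.png.krsw", "binary"),
        (r"C:\Users\admin\Desktop\developedoverview.jpg.krsw", "binary"),
        (r"C:\Users\admin\Pictures\respectivemsn.png.krsw", "binary"),
    )
]


def run_key_persistence(events):
    """Autostart values whose target lives in a user-writable directory."""
    hits = []
    for e in events:
        if e["type"] != "reg" or not e["key"].lower().endswith(RUN_KEY_SUFFIXES):
            continue  # ZoneMap and other non-autostart writes are skipped here
        target = e["data"].strip('"')
        if any(marker in target.lower() for marker in USER_WRITABLE):
            hits.append({"pid": e["pid"], "value": e["name"], "target": target,
                         # the value points back at the writing process itself
                         "self": target.lower().endswith("\\" + e["image"].lower())})
    return hits


def bulk_encryption(events, min_files=MIN_ENCRYPTED):
    """One process writing >= min_files files named <name>.<known ext>.<novel ext>."""
    per_proc = defaultdict(Counter)
    for e in events:
        if e["type"] != "file":
            continue
        # last path component must carry two extensions; the first ordinary, the second not
        m = re.search(r"\.([^.\\]+)\.([^.\\]+)$", e["path"])
        if m and m.group(1).lower() in KNOWN_EXT and m.group(2).lower() not in KNOWN_EXT:
            per_proc[(e["pid"], e["image"])][m.group(2).lower()] += 1
    return [{"pid": pid, "image": image, "extension": ext, "count": n}
            for (pid, image), counts in per_proc.items()
            for ext, n in counts.items() if n >= min_files]


def note_candidates(events, flagged_pids):
    """Plain-text files dropped by a process already flagged for bulk encryption."""
    return [e["path"] for e in events
            if e["type"] == "file" and e["kind"] == "text" and e["pid"] in flagged_pids]


def triage(events):
    """Run all three rules and return their findings keyed by rule."""
    encryption = bulk_encryption(events)
    return {
        "persistence": run_key_persistence(events),
        "encryption": encryption,
        "notes": note_candidates(events, {f["pid"] for f in encryption}),
    }


if __name__ == "__main__":
    for rule, findings in triage(EVENTS).items():
        print(rule, findings)
```

The suffix rule deliberately requires the original extension to survive underneath the new one, which is what the file table shows (clientsnc.rtf.krsw, desktop.ini.krsw); a family that strips the original extension would need the rule loosened to count any novel trailing suffix.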