| File name: | CW.eXe |
| Full analysis: | https://app.any.run/tasks/8ba02f06-a6b2-4d0d-8ada-2084e1998fde |
| Verdict: | Malicious activity |
| Analysis date: | December 29, 2018, 15:55:15 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 6738D790FC0F3928A8A5F19D829CAE4D |
| SHA1: | DB0A727520178061506C7EC07A99BAC581610329 |
| SHA256: | 60CA507EF4BA7DBBB7EF6EA4B975B9B09A24D7D0C91D38D0876331203F962D98 |
| SSDEEP: | 196608:9O1vl2I4a7SdzRDymXLa4mnb0DtUog3jCUE2nKNfMILF9UBDHLSwxT1aQhS:Wt2O7Sd1ymX+4mnOU9+UCZM6kzWu12 |
MALICIOUS
Application was dropped or rewritten from another process
- autorun.exe (PID: 3764)
- hosts.exe (PID: 2532)
- touch.exe (PID: 2124)
- banish.exe (PID: 3672)
- touch.exe (PID: 2636)
- touch.exe (PID: 3184)
- touch.exe (PID: 2228)
- banish.exe (PID: 3696)
- touch.exe (PID: 3496)
- banish.exe (PID: 3412)
- touch.exe (PID: 3020)
- touch.exe (PID: 2300)
- touch.exe (PID: 4036)
- touch.exe (PID: 3652)
- touch.exe (PID: 3984)
- touch.exe (PID: 1288)
- touch.exe (PID: 2888)
- touch.exe (PID: 2172)
- touch.exe (PID: 2224)
- touch.exe (PID: 4000)
- touch.exe (PID: 3924)
- touch.exe (PID: 2684)
- touch.exe (PID: 3564)
- banish.exe (PID: 2804)
- touch.exe (PID: 2332)
- touch.exe (PID: 3416)
- banish.exe (PID: 3968)
Loads dropped or rewritten executable
- banish.exe (PID: 3412)
- conhost.exe (PID: 3968)
- conhost.exe (PID: 3488)
- touch.exe (PID: 4000)
- cmd.exe (PID: 3008)
- cmd.exe (PID: 4004)
- conhost.exe (PID: 2548)
- banish.exe (PID: 2804)
- cmd.exe (PID: 2208)
- touch.exe (PID: 3564)
- cmd.exe (PID: 3956)
- cmd.exe (PID: 2652)
- touch.exe (PID: 3984)
- cmd.exe (PID: 2752)
- conhost.exe (PID: 2816)
- CW.eXe (PID: 2584)
- touch.exe (PID: 2172)
- conhost.exe (PID: 2572)
- autorun.exe (PID: 3764)
- cmd.exe (PID: 3928)
- cmd.exe (PID: 3904)
- cmd.exe (PID: 4060)
- conhost.exe (PID: 3296)
- cmd.exe (PID: 3004)
- cmd.exe (PID: 2996)
- conhost.exe (PID: 1576)
- cmd.exe (PID: 2976)
- conhost.exe (PID: 3768)
- find.exe (PID: 2440)
- banish.exe (PID: 3968)
- hosts.exe (PID: 2532)
- cmd.exe (PID: 2352)
- cmd.exe (PID: 2620)
- conhost.exe (PID: 3844)
- cmd.exe (PID: 3140)
- cmd.exe (PID: 1328)
- find.exe (PID: 3228)
- touch.exe (PID: 3924)
- find.exe (PID: 3744)
- cmd.exe (PID: 3180)
- cmd.exe (PID: 2772)
- conhost.exe (PID: 3120)
- cmd.exe (PID: 2564)
- conhost.exe (PID: 1420)
- conhost.exe (PID: 3280)
- cmd.exe (PID: 3840)
- cmd.exe (PID: 4056)
- cmd.exe (PID: 3652)
- cmd.exe (PID: 1840)
- conhost.exe (PID: 2908)
- cmd.exe (PID: 3692)
- cmd.exe (PID: 2288)
- cmd.exe (PID: 3120)
- touch.exe (PID: 3020)
- conhost.exe (PID: 3320)
- touch.exe (PID: 3652)
- conhost.exe (PID: 3852)
- conhost.exe (PID: 3344)
- banish.exe (PID: 3672)
- conhost.exe (PID: 3112)
- cmd.exe (PID: 2340)
- conhost.exe (PID: 2788)
- touch.exe (PID: 4036)
- takeown.exe (PID: 3196)
- takeown.exe (PID: 2392)
- touch.exe (PID: 3416)
- cmd.exe (PID: 1268)
- touch.exe (PID: 2124)
- cmd.exe (PID: 2828)
- touch.exe (PID: 1288)
- conhost.exe (PID: 2712)
- conhost.exe (PID: 3068)
- conhost.exe (PID: 1268)
- conhost.exe (PID: 3248)
- cmd.exe (PID: 1840)
- conhost.exe (PID: 2796)
- takeown.exe (PID: 2512)
- cmd.exe (PID: 3928)
- cmd.exe (PID: 3680)
- touch.exe (PID: 2636)
- conhost.exe (PID: 2160)
- conhost.exe (PID: 2744)
- cmd.exe (PID: 2912)
- touch.exe (PID: 2224)
- cmd.exe (PID: 2780)
- touch.exe (PID: 2332)
- cmd.exe (PID: 3992)
- conhost.exe (PID: 2552)
- touch.exe (PID: 3184)
- cmd.exe (PID: 1792)
- cmd.exe (PID: 4000)
- conhost.exe (PID: 2920)
- takeown.exe (PID: 4040)
- takeown.exe (PID: 2184)
- cmd.exe (PID: 2340)
- conhost.exe (PID: 2452)
- conhost.exe (PID: 3148)
- cmd.exe (PID: 3728)
- conhost.exe (PID: 1456)
- conhost.exe (PID: 3688)
- cmd.exe (PID: 2944)
- conhost.exe (PID: 3888)
- cmd.exe (PID: 2272)
- cmd.exe (PID: 3836)
- cmd.exe (PID: 3108)
- touch.exe (PID: 2684)
- cmd.exe (PID: 2672)
- conhost.exe (PID: 2944)
- conhost.exe (PID: 4064)
- cmd.exe (PID: 2900)
- conhost.exe (PID: 1744)
- conhost.exe (PID: 2360)
- conhost.exe (PID: 3492)
- conhost.exe (PID: 3848)
- conhost.exe (PID: 2936)
- takeown.exe (PID: 2872)
- cmd.exe (PID: 2844)
- conhost.exe (PID: 2252)
- touch.exe (PID: 2228)
- cmd.exe (PID: 3892)
- conhost.exe (PID: 2384)
- conhost.exe (PID: 2256)
- conhost.exe (PID: 2472)
- cmd.exe (PID: 3704)
- banish.exe (PID: 3696)
- conhost.exe (PID: 684)
- conhost.exe (PID: 3060)
- cmd.exe (PID: 3732)
- takeown.exe (PID: 2144)
- cmd.exe (PID: 2756)
- cmd.exe (PID: 3644)
- cmd.exe (PID: 3080)
- conhost.exe (PID: 3244)
- conhost.exe (PID: 2772)
- takeown.exe (PID: 3940)
- cmd.exe (PID: 3176)
- touch.exe (PID: 2888)
- cmd.exe (PID: 3984)
- conhost.exe (PID: 2160)
- conhost.exe (PID: 3876)
- cmd.exe (PID: 3384)
- takeown.exe (PID: 3136)
- takeown.exe (PID: 2288)
- cmd.exe (PID: 3704)
- cmd.exe (PID: 2344)
- conhost.exe (PID: 2940)
- touch.exe (PID: 3496)
- conhost.exe (PID: 3136)
- cmd.exe (PID: 2252)
- cmd.exe (PID: 2232)
- touch.exe (PID: 2300)
- cmd.exe (PID: 3252)
- cmd.exe (PID: 2240)
- conhost.exe (PID: 3924)
- DllHost.exe (PID: 2984)
SUSPICIOUS
Executable content was dropped or overwritten
- autorun.exe (PID: 3764)
- CW.eXe (PID: 2584)
- cmd.exe (PID: 3008)
- cmd.exe (PID: 3108)
- cmd.exe (PID: 3704)
- cmd.exe (PID: 2620)
- cmd.exe (PID: 3904)
- cmd.exe (PID: 2564)
Starts CMD.EXE for commands execution
- autorun.exe (PID: 3764)
- cmd.exe (PID: 3004)
- hosts.exe (PID: 2532)
- banish.exe (PID: 3672)
- banish.exe (PID: 3696)
- banish.exe (PID: 3412)
- banish.exe (PID: 2804)
- banish.exe (PID: 3968)
Uses ICACLS.EXE to modify access control list
- cmd.exe (PID: 1268)
- cmd.exe (PID: 2340)
- cmd.exe (PID: 3892)
- cmd.exe (PID: 1328)
- cmd.exe (PID: 1840)
- cmd.exe (PID: 3992)
- cmd.exe (PID: 3840)
- cmd.exe (PID: 2976)
- cmd.exe (PID: 2232)
- cmd.exe (PID: 3180)
- cmd.exe (PID: 3836)
- cmd.exe (PID: 2288)
- cmd.exe (PID: 2240)
- cmd.exe (PID: 2652)
- cmd.exe (PID: 3704)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (35.8) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (31.7) |
| .scr | | | Windows screen saver (15) |
| .dll | | | Win32 Dynamic Link Library (generic) (7.5) |
| .exe | | | Win32 Executable (generic) (5.1) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2009:06:23 19:57:07+02:00 |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 192512 |
| InitializedDataSize: | 458752 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x173a6 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.9.0.0 |
| ProductVersionNumber: | 0.9.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | ASCII |
| Comments: | Created with AutoPlay Media Studio (www.indigorose.com) |
| CompanyName: | Anemeros Software |
| FileDescription: | The Perpetuation Endeavor |
| FileVersion: | 0.9.0.0 |
| InternalName: | ams60_launch |
| LegalCopyright: | Copyright (c) 2009 - Anemeros Software |
| LegalTrademarks: | Chew-WGA |
| OriginalFileName: | cw.exe |
| ProductName: | Chew-WGA v0.9 |
| ProductVersion: | 0.9.0.0 |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 23-Jun-2009 17:57:07 |
| Detected languages: |
|
| Comments: | Created with AutoPlay Media Studio (www.indigorose.com) |
| CompanyName: | Anemeros Software |
| FileDescription: | The Perpetuation Endeavor |
| FileVersion: | 0.9.0.0 |
| InternalName: | ams60_launch |
| LegalCopyright: | Copyright (c) 2009 - Anemeros Software |
| LegalTrademarks: | Chew-WGA |
| OriginalFilename: | cw.exe |
| ProductName: | Chew-WGA v0.9 |
| ProductVersion: | 0.9.0.0 |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x000000F0 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 4 |
| Time date stamp: | 23-Jun-2009 17:57:07 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x0002E906 | 0x0002F000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60114 |
.rdata | 0x00030000 | 0x0000842E | 0x00009000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.57824 |
.data | 0x00039000 | 0x00009D08 | 0x00006000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.67512 |
.rsrc | 0x00043000 | 0x000609FC | 0x00061000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.60247 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 5.02016 | 901 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 5.77242 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 5.67191 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 5.61132 | 16936 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 5.54801 | 67624 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 5.5135 | 270376 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 5.44696 | 3752 | Latin 1 / Western European | English - United States | RT_ICON |
8 | 4.26041 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 3.02695 | 308 | Latin 1 / Western European | English - United States | RT_CURSOR |
10 | 2.74274 | 180 | Latin 1 / Western European | English - United States | RT_CURSOR |
Imports
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
WINSPOOL.DRV |
comdlg32.dll |
Total processes
204
Monitored processes
171
Malicious processes
11
Suspicious processes
12
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 316 | icacls "C:\Windows\System32\winver.exe" /deny "SYSTEM":F | C:\Windows\system32\icacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 684 | \??\C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe | — | csrss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1268 | cmd /c ""C:\Users\admin\AppData\Local\Temp\banish.cmd" "C:\Windows\System32\slmgr.vbs"" | C:\Windows\system32\cmd.exe | — | banish.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1268 | \??\C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe | — | csrss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1288 | touch.exe /h /q /c /m /a /r t1.txt C:\Windows\System32\systemcpl.dll | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1288 | ICACLS "C:\Windows\System32\user32.dll" /grant "admin":F | C:\Windows\system32\icacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1328 | "C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\sppcomapi.dll" /deny "SYSTEM":F | C:\Windows\system32\cmd.exe | — | autorun.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1420 | \??\C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe | — | csrss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1456 | \??\C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe | — | csrss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1576 | \??\C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe | — | csrss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
423
Read events
417
Write events
6
Delete events
0
Modification events
| (PID) Process: | (3764) autorun.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration |
| Operation: | write | Name: | Speaker Configuration |
Value: 4 | |||
| (PID) Process: | (3764) autorun.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3764) autorun.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
Executable files
33
Suspicious files
16
Text files
206
Unknown types
6
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2584 | CW.eXe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\Shekere.ogg | ogg | |
MD5:2B1395C376D645D076CE7E2171EF9C7F | SHA256:F8D1022DEE83BF00C33AD160F4085464CA5818CA186C909030FDA3F6D9C71A79 | |||
| 2584 | CW.eXe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Sol-4.Btn | compressed | |
MD5:AAD23F06616570B7DCD713B320217179 | SHA256:4C7218EE657EA5301FB87A0F9AB282E9002B0C2B2EAED4AF3DD9E7CCA2E72613 | |||
| 2584 | CW.eXe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Home2.Btn | compressed | |
MD5:1C85362B0780DFB2F580E567AD57643A | SHA256:70919D158D55BA3A9C38BBE91C79BC69452E67FE7862AA00FE77DF56A7DDE4E7 | |||
| 2584 | CW.eXe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\button.btn | compressed | |
MD5:9ECB9FCFDCB46A87EC244CFE23659E0E | SHA256:3FF2C5E7C1B7471D41D64BD39B2D8E2DF3761408C0B235CE8CCBB3D39417466F | |||
| 2584 | CW.eXe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\done-install.jpg | image | |
MD5:B6479C2EC0E8353D8BA175D6D783612B | SHA256:457B13621CC0B8C07B048CAD8761DF175C3FEBC8B8E457789FDD88FEEDE20A83 | |||
| 2584 | CW.eXe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\install-error.jpg | image | |
MD5:68EC09592F71A542470246C5522D4636 | SHA256:D15A87CB382DDF6EFEA8CAD0AC82FD3EE72DB4F775BA4D22CA7BEA9CDBA20960 | |||
| 2584 | CW.eXe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Cik-2.Btn | compressed | |
MD5:2553A95A1D503C6C445DF761BF668E00 | SHA256:8311159D24F50560BAB4491918D0684E66AB80ECABC158118B9AE4063B2473AA | |||
| 2584 | CW.eXe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd | compressed | |
MD5:1C42C49A03F8416736F243907B1C8C0A | SHA256:6F9A4A22186AFB4EFD48689FE9DAD4A1CF1CFD6F2706D3411C8F5D83607E0BA9 | |||
| 2584 | CW.eXe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Baslat.Btn | compressed | |
MD5:DB33064E86D7E634CB842DD2918A3E05 | SHA256:05FFCFCA2AAD8509C6A16FFBCC727F290449956E9884495D86045A129331B0A4 | |||
| 2584 | CW.eXe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg | ogg | |
MD5:FC2A595F574B1EAD82A6DCF06492C985 | SHA256:EE9A4903A8DF90EFF4C5B65A8073E564A3581CF73772A72EB82396E69932E769 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report