File name: | Generator.exe |
Full analysis: | https://app.any.run/tasks/c0417482-4032-4aff-a560-3f724b2b0672 |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 22:30:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | DA5F670C35824674C4A6AC6D6A4ABD19 |
SHA1: | C02045E2D34BBF5C25B6962398698E052766FF2D |
SHA256: | 61BE36821A21BAC69E9CD201C37C17027A4C79BC6638CC7CE19EF727E5B802D8 |
SSDEEP: | 196608:NhPyVJhXVFPglHuv+47qUN5lob+IofxQPM+n6U4Bx2/robEaPRWMYGh:7uVFPu25lob+IofxR+cB6obEWWgh |
Extension | Identified type |
---|---|
.exe | Win64 Executable (generic) (76.4) |
.exe | Win32 Executable (generic) (12.4) |
.exe | Generic Win/DOS Executable (5.5) |
.exe | DOS Executable Generic (5.5) |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x1d4f9 |
UninitializedDataSize: | - |
InitializedDataSize: | 263168 |
CodeSize: | 190464 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2018:06:04 19:48:26+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 04-Jun-2018 17:48:26 |
Detected languages: | |
Debug artifacts: | |
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000108 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 04-Jun-2018 17:48:26 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0002E7E4 | 0x0002E800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.70246 |
.rdata | 0x00030000 | 0x00009A8C | 0x00009C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.12942 |
.data | 0x0003A000 | 0x000203A0 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.23928 |
.gfids | 0x0005B000 | 0x000000E8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.0785 |
.rsrc | 0x0005C000 | 0x00033914 | 0x00033A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.63575 |
.reloc | 0x00090000 | 0x00001FD0 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.68222 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.25329 | 1875 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.72627 | 1640 | Latin 1 / Western European | Process Default Language | RT_ICON |
3 | 3.61888 | 744 | Latin 1 / Western European | Process Default Language | RT_ICON |
4 | 3.27331 | 488 | Latin 1 / Western European | Process Default Language | RT_ICON |
5 | 2.9628 | 424 | Latin 1 / Western European | Process Default Language | RT_ICON |
6 | 2.63946 | 296 | Latin 1 / Western European | Process Default Language | RT_ICON |
7 | 3.1586 | 482 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 3.11685 | 460 | Latin 1 / Western European | English - United States | RT_STRING |
9 | 3.15447 | 494 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 2.99727 | 326 | Latin 1 / Western European | English - United States | RT_STRING |
Imports |
---|
KERNEL32.dll |
USER32.dll (delay-loaded) |
gdiplus.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3484 | "C:\Users\admin\AppData\Local\Temp\Generator.exe" | C:\Users\admin\AppData\Local\Temp\Generator.exe | | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3680 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\RarSFX0\install.vbs" | C:\Windows\System32\WScript.exe | — | Generator.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3284 | cmd /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\setup.bat" " | C:\Windows\System32\cmd.exe | | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2336 | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Google Updates" /t REG_SZ /d ""C:\Users\admin\AppData\Roaming"\Google\GoogleUpdates\Updates.vbs" /f | C:\Windows\system32\reg.exe | | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3380 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Google\GoogleUpdates\Updates.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3108 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Google\GoogleUpdates\start.vbs" | C:\Windows\System32\WScript.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3620 | REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f | C:\Windows\system32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2304 | REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f | C:\Windows\system32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3908 | cmd /c ""C:\Users\admin\AppData\Roaming\Google\GoogleUpdates\start.bat" " | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
3484 | Generator.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
3484 | Generator.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
3680 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
3680 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
2336 | reg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | Google Updates | C:\Users\admin\AppData\Roaming\Google\GoogleUpdates\Updates.vbs |
3284 | cmd.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
3284 | cmd.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
3380 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
3380 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
3108 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3484 | Generator.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\setup.bat | text | 6815DB83F8DF65B269B4413BA9D278A8 | CA985D6A6B9FAB402E511A5521FC4EC5A61207EA04DD84A75195B8CFF8CFC0BE |
3484 | Generator.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\start.bat | text | D1242B0F30D223FA175BCFBC25D016BB | C96789FA5CEE0D17EEF8D7383BAACF2CFCD6FA1A75E1E744FE23DBD258984038 |
3484 | Generator.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\nvfatbinaryLoader.dll | executable | 1472B1E4562ADDD252A35AA0940B08CB | F1F005D4C718F23936020E6CE025F87DB43BBC56BE1D85AD4018A180FA552773 |
3484 | Generator.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll | executable | 5578B8106BC09064343C421D9285AD29 | 3761DFB440B0E16A69DD69B325BEEDF4140370A99DF242ACE415A83B86A34F98 |
3284 | cmd.exe | C:\Users\admin\AppData\Roaming\Google\GoogleUpdates\nvrtc-builtins64_92.dll | executable | 79ECDC6585CE79779E4500D4BBCA4AC9 | 33B088A56B28194259D276B19C274A88C939BEC88AB45EF1F3FDBA9717154F53 |
3484 | Generator.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\msvcp140.dll | executable | 89BB632DCBE07CD7AFF17440FFF46526 | 9D770C363F3E20E3FF9BC30AA6C96BAFF3845A23E12854FD28B63916B5A12CCD |
3484 | Generator.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\start.vbs | text | 8099C67A9631789DB03E90D7B7BF0980 | 88A4ED5C8CAAD58C8EDA0D4ED6E36C98CE5B7545529DA0CF41FFEA4015B71206 |
3484 | Generator.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\nvrtc64_92.dll | executable | 75CE028BA3C02783C002D58941901A84 | A4A0E8F95006BAC4FD1408D75387E30CD3E0C16C821D5B3F96EA0FE0C7DE07AB |
3484 | Generator.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\GoogleUpdate.exe | executable | 1682ABF0276A7C0B746199DE6CFA0948 | 545628499E500602CBCAC88D316CDAEDECA89B3EED440518664B669D6B0402B5 |
3484 | Generator.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\nvrtc-builtins64_92.dll | executable | 79ECDC6585CE79779E4500D4BBCA4AC9 | 33B088A56B28194259D276B19C274A88C939BEC88AB45EF1F3FDBA9717154F53 |