Field | Value
---|---
File name: | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986
Full analysis: | https://app.any.run/tasks/74c360af-4ca9-463c-8d85-bf73bf70f191
Verdict: | Malicious activity
Analysis date: | May 15, 2019, 05:38:20
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators: |
MIME: | application/x-dosexec
File info: | PE32 executable (GUI) Intel 80386, for MS Windows
MD5: | 145BA213336BBB05C09D2BCF198AA3BD
SHA1: | 517DC0D3D853C09FD7CB69AA85FC8F37B9BF3A87
SHA256: | 6329693E5C61A2F0FA1A53BD177F5A332EF729050B3F109630B759C792F0B986
SSDEEP: | 6144:RQNOV3wQRokxB8n7zPUmmTg2OJH80FjTz/XmlH9n7a:qCFRoI8zP38OJ80Fjff49u
Extension | Type (match %)
---|---
.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)
Field | Value
---|---
Subsystem: | Windows GUI
SubsystemVersion: | 4
ImageVersion: | -
OSVersion: | 4
EntryPoint: | 0x94ef
UninitializedDataSize: | -
InitializedDataSize: | 122880
CodeSize: | 126976
LinkerVersion: | 6
PEType: | PE32
TimeStamp: | 2017:10:16 06:21:38+02:00
MachineType: | Intel 386 or later, and compatibles

Field | Value
---|---
Architecture: | IMAGE_FILE_MACHINE_I386
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: | 16-Oct-2017 04:21:38
Detected languages: |
Field | Value
---|---
Magic number: | MZ
Bytes on last page of file: | 0x0090
Pages in file: | 0x0003
Relocations: | 0x0000
Size of header: | 0x0004
Min extra paragraphs: | 0x0000
Max extra paragraphs: | 0xFFFF
Initial SS value: | 0x0000
Initial SP value: | 0x00B8
Checksum: | 0x0000
Initial IP value: | 0x0000
Initial CS value: | 0x0000
Overlay number: | 0x0000
OEM identifier: | 0x0000
OEM information: | 0x0000
Address of NE header: | 0x000000E0
Field | Value
---|---
Signature: | PE
Machine: | IMAGE_FILE_MACHINE_I386
Number of sections: | 5
Time date stamp: | 16-Oct-2017 04:21:38
Pointer to Symbol Table: | 0x00000000
Number of symbols: | 0
Size of Optional Header: | 0x00E0
Characteristics: |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0001F000 | 0x0001F000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.67526 |
.rdata | 0x00020000 | 0x00007000 | 0x00007000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.21626 |
.data | 0x00027000 | 0x00017000 | 0x00008000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.20325 |
.linus | 0x0003E000 | 0x00034B18 | 0x00035000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.4861 |
.rsrc | 0x00073000 | 0x00004000 | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.22653 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.76616 | 756 | UNKNOWN | English - United States | RT_VERSION |
2 | 5.2901 | 296 | UNKNOWN | English - United Kingdom | RT_ICON |
3 | 5.25747 | 308 | UNKNOWN | English - United States | RT_CURSOR |
4 | 5.49692 | 180 | UNKNOWN | English - United States | RT_CURSOR |
7 | 5.07368 | 64 | UNKNOWN | English - United States | RT_STRING |
100 | 5.46433 | 266 | UNKNOWN | English - United States | RT_DIALOG |
102 | 5.58148 | 242 | UNKNOWN | English - United States | RT_DIALOG |
128 | 4.21953 | 34 | UNKNOWN | English - United Kingdom | RT_GROUP_ICON |
3841 | 5.44621 | 130 | UNKNOWN | English - United States | RT_STRING |
3842 | 4.55376 | 42 | UNKNOWN | English - United States | RT_STRING |
Imports |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
WINSPOOL.DRV |
comdlg32.dll |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3372 | "C:\Users\admin\AppData\Local\Temp\6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986.exe" | C:\Users\admin\AppData\Local\Temp\6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986.exe | — | explorer.exe
3820 | "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\System32\cmd.exe | | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986.exe
596 | vssadmin.exe Delete Shadows /All /Quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe
3552 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe
2556 | bcdedit /set {default} recoveryenabled No | C:\Windows\system32\bcdedit.exe | — | cmd.exe
3708 | bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\system32\bcdedit.exe | — | cmd.exe

PID | User | Integrity Level | Company | Description | Exit code | Version
---|---|---|---|---|---|---
3372 | admin | MEDIUM | - | - | - | -
3820 | SYSTEM | SYSTEM | Microsoft Corporation | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
596 | SYSTEM | SYSTEM | Microsoft Corporation | Command Line Interface for Microsoft® Volume Shadow Copy Service | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3552 | SYSTEM | SYSTEM | Microsoft Corporation | Microsoft® Volume Shadow Copy Service | - | 6.1.7600.16385 (win7_rtm.090713-1255)
2556 | SYSTEM | SYSTEM | Microsoft Corporation | Boot Configuration Data Editor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3708 | SYSTEM | SYSTEM | Microsoft Corporation | Boot Configuration Data Editor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
3372 | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986.exe | write | HKEY_CURRENT_USER\Software\recfg | pk_key | BDE4241DF392B2FA4858F3210B35917AC567648C11FBECA69F3141DF15BB1D6E
3372 | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986.exe | write | HKEY_CURRENT_USER\Software\recfg | sk_key | 2AE8423DE6E694D15437B0872B7D581A63893C0216902D7657286CA4C5DA5A422C0B3B69122F09A40F0EDF2FD20151F9ABBB750F6B9FF25E32AB4B32443510CBAC758C6BA0D285D693B39150DB5A2E22606D63D3526454BB
3372 | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986.exe | write | HKEY_CURRENT_USER\Software\recfg | 0_key | 120B5ABADB90292BF2B0C8288EF1C764053D2CB39DBCD34898336370DB0B8B768137F0A08EBC2CC775085D061E371D88771B45AFF795D9959B7879E778E0350E2DF4FE53F6AA63B71BCA654667927AF4F0D4D0C293C3A20B
3372 | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986.exe | write | HKEY_CURRENT_USER\Software\recfg | rnd_ext | .16us53
3372 | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986.exe | write | HKEY_CURRENT_USER\Software\recfg | stat |
3372 | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3372 | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
— | — | write | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\16000009 | Element | 00
— | — | write | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\250000e0 | Element | 0100000000000000