Property | Value |
---|---|
File name: | st.exe |
Full analysis: | https://app.any.run/tasks/db34464c-2272-4fff-9032-330e36e16440 |
Verdict: | Malicious activity |
Analysis date: | April 15, 2019, 08:51:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | MS-DOS executable, MZ for MS-DOS |
MD5: | ECF5CABC81047B46977A4DF9D8D68797 |
SHA1: | 9E0C79A494C450D684E17B0CB4BADEC73171B8DA |
SHA256: | 750BAA808221DD28920451DF0BDEBF7C1456C5B4B71E32917668E2E19677B666 |
SSDEEP: | 49152:EHfXZ/v+zgAWDaCkJFDgGOiBIHf8WK0GvsbDCcMszvlt:EHB/G8mH4H0QG8DCcpzz |
Extension | Detected type (score) |
---|---|
.exe | Win32 Executable (generic) (52.9) |
.exe | Generic Win/DOS Executable (23.5) |
.exe | DOS Executable Generic (23.5) |
Property | Value |
---|---|
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x7491c5 |
UninitializedDataSize: | - |
InitializedDataSize: | 6202880 |
CodeSize: | 1418240 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2018:06:24 09:07:00+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Property | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 24-Jun-2018 07:07:00 |
Detected languages: | |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0040 |
Pages in file: | 0x0001 |
Relocations: | 0x0000 |
Size of header: | 0x0002 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0xB400 |
OEM information: | 0xCD09 |
Address of NE header: | 0x00000040 |
PE header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 24-Jun-2018 07:07:00 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.MPRESS1 | 0x00001000 | 0x00748000 | 0x00282400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99993 |
.MPRESS2P\x0d | 0x00749000 | 0x00000D50 | 0x00000E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.83198 |
.rsrc | 0x0074A000 | 0x00000A64 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.06563 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST |
101 | 7.99878 | 129024 | UNKNOWN | Chinese - PRC | ECC |
102 | 7.57265 | 503 | UNKNOWN | Chinese - PRC | ECC1 |
103 | 7.97503 | 7782 | UNKNOWN | Chinese - PRC | ECC2 |
104 | 7.99822 | 100864 | UNKNOWN | Chinese - PRC | ECC3 |
105 | 7.98532 | 15360 | UNKNOWN | Chinese - PRC | ECC4 |
106 | 7.99016 | 17408 | UNKNOWN | Chinese - PRC | ECC5 |
107 | 7.9906 | 479744 | UNKNOWN | Chinese - PRC | ECC6 |
108 | 0 | 5120 | UNKNOWN | Chinese - PRC | ECC7 |
109 | 0 | 10240 | UNKNOWN | Chinese - PRC | ECC8 |
Imported DLL |
---|
ADVAPI32.dll |
KERNEL32.DLL |
OLEAUT32.dll |
SHELL32.dll |
USER32.dll |
WLDAP32.dll |
WS2_32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2672 | "C:\Users\admin\AppData\Local\Temp\st.exe" | C:\Users\admin\AppData\Local\Temp\st.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM |
300 | "C:\Users\All Users\mmkt.exe" | C:\Users\All Users\mmkt.exe | — | st.exe | User: admin; Company: gentilkiwi (Benjamin DELPY); Description: mimikatz for Windows; Version: 2.1.1.0; Integrity Level: MEDIUM; Exit code: 0 |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
2672 | st.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
2672 | st.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2672 | st.exe | C:\ProgramData\blue.xml | xml | F56025565DE4F53F5771D4966C2B5555 | EA7CAA08E115DBB438E29DA46B47F54C62C29697617BAE44464A9B63D9BDDF18 |
2672 | st.exe | C:\ProgramData\down64.dll | executable | 562DF8E4EABE900AEF8A6F6642316CDE | 8D579D65B4C0E208AABEB79683E7F9F00CBEAC3A3965CE85D4CB08D06897A6C0 |
2672 | st.exe | C:\ProgramData\crli-0.dll | executable | F82FA69BFE0522163EB0CF8365497DA2 | B556B5C077E38DCB65D21A707C19618D02E0A65FF3F9887323728EC078660CC3 |
2672 | st.exe | C:\ProgramData\trfo-2.dll | executable | 3E89C56056E5525BF4D9E52B28FBBCA7 | B2A3172A1D676F00A62DF376D8DA805714553BB3221A8426F9823A8A5887DAAA |
2672 | st.exe | C:\ProgramData\exma-1.dll | executable | BA629216DB6CF7C0C720054B0C9A13F3 | 15292172A83F2E7F07114693AB92753ED32311DFBA7D54FE36CC7229136874D9 |
2672 | st.exe | C:\ProgramData\posh-0.dll | executable | 2F0A52CE4F445C6E656ECEBBCACEADE5 | CDE45F7FF05F52B7215E4B0EA1F2F42AD9B42031E16A3BE9772AA09E014BACDB |
2672 | st.exe | C:\ProgramData\dmgd-4.dll | executable | A05C7011AB464E6C353A057973F5A06E | 50F329E034DB96BA254328CD1E0F588AF6126C341ED92DDF4AEB96BC76835937 |
2672 | st.exe | C:\ProgramData\cnli-1.dll | executable | A539D27F33EF16E52430D3D2E92E9D5C | DB0831E19A4E3A736EA7498DADC2D6702342F75FD8F7FBAE1894EE2E9738C2B4 |
2672 | st.exe | C:\ProgramData\libeay32.dll | executable | F01F09FE90D0F810C44DCE4E94785227 | 5F30AA2FE338191B972705412B8043B0A134CDB287D754771FC225F2309E82EE |
2672 | st.exe | C:\ProgramData\coli-0.dll | executable | 3C2FE2DBDF09CFA869344FDB53307CB2 | 0439628816CABE113315751E7113A9E9F720D7E499FFDD78ACBAC1ED8BA35887 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2672 | st.exe | GET | — | 103.17.104.4:80 | http://103.17.104.4/ | IN | — | — | unknown |
2672 | st.exe | GET | — | 103.17.104.3:80 | http://103.17.104.3/ | IN | — | — | unknown |
2672 | st.exe | GET | — | 103.17.104.1:80 | http://103.17.104.1/ | IN | — | — | unknown |
2672 | st.exe | GET | — | 103.17.104.0:80 | http://103.17.104.0/ | IN | — | — | unknown |
2672 | st.exe | GET | — | 103.17.104.2:80 | http://103.17.104.2/ | IN | — | — | unknown |
2672 | st.exe | GET | — | 103.17.104.2:8080 | http://103.17.104.2:8080/ | IN | — | — | unknown |
2672 | st.exe | GET | — | 103.17.104.3:8080 | http://103.17.104.3:8080/ | IN | — | — | unknown |
2672 | st.exe | GET | — | 103.17.104.1:8080 | http://103.17.104.1:8080/ | IN | — | — | unknown |
2672 | st.exe | GET | — | 103.17.104.4:8080 | http://103.17.104.4:8080/ | IN | — | — | unknown |
2672 | st.exe | GET | — | 103.17.104.0:8080 | http://103.17.104.0:8080/ | IN | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2672 | st.exe | 103.17.104.0:88 | — | Vasai Cable Pvt. Ltd. | IN | unknown |
2672 | st.exe | 103.17.104.0:83 | — | Vasai Cable Pvt. Ltd. | IN | unknown |
2672 | st.exe | 103.17.104.0:81 | — | Vasai Cable Pvt. Ltd. | IN | unknown |
2672 | st.exe | 103.17.104.0:82 | — | Vasai Cable Pvt. Ltd. | IN | unknown |
2672 | st.exe | 103.17.104.0:80 | — | Vasai Cable Pvt. Ltd. | IN | unknown |
2672 | st.exe | 103.17.104.0:84 | — | Vasai Cable Pvt. Ltd. | IN | unknown |
2672 | st.exe | 103.17.104.0:89 | — | Vasai Cable Pvt. Ltd. | IN | unknown |
2672 | st.exe | 103.17.104.0:99 | — | Vasai Cable Pvt. Ltd. | IN | unknown |
2672 | st.exe | 103.17.104.0:113 | — | Vasai Cable Pvt. Ltd. | IN | unknown |
2672 | st.exe | 103.17.104.0:102 | — | Vasai Cable Pvt. Ltd. | IN | unknown |
PID | Process | Class | Message |
---|---|---|---|
2672 | st.exe | Misc activity | ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection |