File name: | dUzv3Q.exe |
Full analysis: | https://app.any.run/tasks/8d144dd4-009f-44aa-b61e-fd7712f3d977 |
Verdict: | Malicious activity |
Analysis date: | August 08, 2020, 13:19:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 87354AE63A158C9BB9BC29CA8D7E391B |
SHA1: | 23A0A09639F8EE274569DD95E6F9E8E46B8961B9 |
SHA256: | 7649B6ED9D33F4A08FA129CFF00BF4AD2320D09B013081C52E0DA766B5D839AB |
SSDEEP: | 384:1gH5hHyWSLOUBhPWkbU4puuIaLMxyxQCSfK:1gH5hHyPLhP1b1Yxn6 |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (7.4) |
.exe | | | Win32 Executable (generic) (5.1) |
.exe | | | Generic Win/DOS Executable (2.2) |
.exe | | | DOS Executable Generic (2.2) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2045:03:17 23:10:21+01:00 |
PEType: | PE32 |
LinkerVersion: | 48 |
CodeSize: | 14336 |
InitializedDataSize: | 2048 |
UninitializedDataSize: | - |
EntryPoint: | 0x5652 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 6 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.0.0.0 |
ProductVersionNumber: | 1.0.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
Comments: | - |
CompanyName: | - |
FileDescription: | dUzv3Q |
FileVersion: | 1.0.0.0 |
InternalName: | dUzv3Q.exe |
LegalCopyright: | Copyright © 2020 |
LegalTrademarks: | - |
OriginalFileName: | dUzv3Q.exe |
ProductName: | dUzv3Q |
ProductVersion: | 1.0.0.0 |
AssemblyVersion: | 1.0.0.0 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 09-Feb-1909 15:42:05 |
Debug artifacts: |
|
Comments: | - |
CompanyName: | - |
FileDescription: | dUzv3Q |
FileVersion: | 1.0.0.0 |
InternalName: | dUzv3Q.exe |
LegalCopyright: | Copyright © 2020 |
LegalTrademarks: | - |
OriginalFilename: | dUzv3Q.exe |
ProductName: | dUzv3Q |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 09-Feb-1909 15:42:05 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x00003658 | 0x00003800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.53796 |
.rsrc | 0x00006000 | 0x0000059C | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.06627 |
.reloc | 0x00008000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0815394 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2772 | "C:\Users\admin\AppData\Local\Temp\dUzv3Q.exe" | C:\Users\admin\AppData\Local\Temp\dUzv3Q.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: dUzv3Q Version: 1.0.0.0 | ||||
952 | "netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any | C:\Windows\system32\netsh.exe | — | dUzv3Q.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2504 | "netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any | C:\Windows\system32\netsh.exe | — | dUzv3Q.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3852 | "netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any | C:\Windows\system32\netsh.exe | — | dUzv3Q.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2924 | "netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=any | C:\Windows\system32\netsh.exe | — | dUzv3Q.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
308 | "cmd.exe" reg add "HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security" /f /v "PromptOOMSend" /t REG_DWORD /d 2 | C:\Windows\system32\cmd.exe | — | dUzv3Q.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2288 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRD0CD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:3330B7E4A4362FBE568A3E8BFBAE9759 | SHA256:2CDAFAF9249FE1636677C16724835986A22D345450557D83AD607107786E4531 | |||
2288 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmp | binary | |
MD5:03E897C1677686803F9C276CFFE33B1C | SHA256:F2FEC18C3B63C2388AC82B47233ABD4A168A332C4EDB66EB5B67AC0FDCB42D29 | |||
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{21F3A1FA-B9C3-4CDC-B324-52DB3D455CA3}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:4C61C12EDBC453D7AE184976E95258E1 | SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F | |||
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_529F2BF0DE2C0C4AA2E731CB5BB5A792.dat | xml | |
MD5:57F30B1BCA811C2FCB81F4C13F6A927B | SHA256:612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3 | |||
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_21F63E6308B7D94E94A500BD39426726.dat | xml | |
MD5:807EF0FC900FEB3DA82927990083D6E7 | SHA256:4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913 | |||
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_4A7AFB3C272D8A488E5DB4BBAEFCA48F.dat | xml | |
MD5:B21ED3BD946332FF6EBC41A87776C6BB | SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4 | |||
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:48DD6CAE43CE26B992C35799FCD76898 | SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A | |||
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_7C75AB69D8CB0C489A3642A0FBAE3B44.dat | xml | |
MD5:F194B1FA12F9B6F46A47391FAE8BEEC2 | SHA256:FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74 | |||
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_B073578AE30D214293DDC9E442C486D1.dat | xml | |
MD5:D8B37ED0410FB241C283F72B76987F18 | SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2772 | dUzv3Q.exe | GET | 200 | 195.201.245.34:80 | http://unhanorarse.altervista.org/add.php?usernameadmin | RU | — | — | malicious |
2288 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 195.201.245.34:80 | unhanorarse.altervista.org | Awanti Ltd. | RU | malicious |
2288 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2772 | dUzv3Q.exe | 104.23.98.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
unhanorarse.altervista.org |
| unknown |
www.sitoweb.com |
| unknown |
config.messenger.msn.com |
| whitelisted |