Field | Value |
---|---|
File name: | 7cdcac94520c25e2cdced89829744109807e809273ef607472fbaa9975cf1c32.exe |
Full analysis: | https://app.any.run/tasks/91ce4ccf-e440-47cd-ad5d-dd2884ca95bd |
Verdict: | Malicious activity |
Analysis date: | September 18, 2019, 16:31:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | MS-DOS executable, MZ for MS-DOS |
MD5: | D7D18BD7AA00EFA982FEAC1A755E7F88 |
SHA1: | 1D9EB555B77ED4FFED44D38AD445E9976637CA97 |
SHA256: | 7CDCAC94520C25E2CDCED89829744109807E809273EF607472FBAA9975CF1C32 |
SSDEEP: | 1536:V99999999QAZKCMfxrZYv+GmyB/CcU/Q6g:SW+GmyBD |
Extension | Detected type (score) |
---|---|
.exe | Win32 Executable (generic) (52.9) |
.exe | Generic Win/DOS Executable (23.5) |
.exe | DOS Executable Generic (23.5) |
PE property | Value |
---|---|
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 1 |
EntryPoint: | 0x107d |
UninitializedDataSize: | - |
InitializedDataSize: | 23552 |
CodeSize: | 3072 |
LinkerVersion: | 1.7 |
PEType: | PE32 |
TimeStamp: | 2013:10:23 15:13:32+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Version info field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 23-Oct-2013 13:13:32 |
Comments: | - |
CompanyName: | MS Corporation |
FileDescription: | note.exe |
FileVersion: | 2.0.0.2 |
InternalName: | note.exe |
LegalCopyright: | Copyright (C) 2005 |
LegalTrademarks: | - |
OriginalFilename: | note.exe |
PrivateBuild: | - |
ProductName: | Note |
ProductVersion: | 3.0.0.3 |
SpecialBuild: | - |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0040 |
Pages in file: | 0x0001 |
Relocations: | 0x0000 |
Size of header: | 0x0002 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0xB400 |
OEM information: | 0xCD09 |
Address of NE header: | 0x00000040 |
PE header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 23-Oct-2013 13:13:32 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
. | 0x0000B000 | 0x00004000 | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.5802 |
.imports | 0x0000F000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.62382 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.89469 | 403 | UNKNOWN | UNKNOWN | RT_MANIFEST |
2 | 3.2818 | 804 | UNKNOWN | UNKNOWN | RT_VERSION |
106 | 2.52691 | 34 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
5000 | 3.00578 | 232 | UNKNOWN | UNKNOWN | RT_DIALOG |
Imported library |
---|
Msacm32.dll |
Winmm.dll |
kernel32.dll |
user32.dll |
PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code |
---|---|---|---|---|---|---|---|
3812 | "C:\Users\admin\AppData\Local\Temp\7cdcac94520c25e2cdced89829744109807e809273ef607472fbaa9975cf1c32.exe" | C:\Users\admin\AppData\Local\Temp\7cdcac94520c25e2cdced89829744109807e809273ef607472fbaa9975cf1c32.exe | | explorer.exe | admin | MEDIUM | 3221225547 |
3172 | "C:\Users\admin\AppData\Local\Temp\hhcbrnaff.exe" | C:\Users\admin\AppData\Local\Temp\hhcbrnaff.exe | | 7cdcac94520c25e2cdced89829744109807e809273ef607472fbaa9975cf1c32.exe | admin | MEDIUM | 3221225547 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3172 | hhcbrnaff.exe | C:\Users\admin\AppData\Local\Temp\Cab96D1.tmp | — | — | — |
3172 | hhcbrnaff.exe | C:\Users\admin\AppData\Local\Temp\Tar96D2.tmp | — | — | — |
3172 | hhcbrnaff.exe | C:\Users\admin\AppData\Local\Temp\Cab96E3.tmp | — | — | — |
3172 | hhcbrnaff.exe | C:\Users\admin\AppData\Local\Temp\Tar96E4.tmp | — | — | — |
3172 | hhcbrnaff.exe | C:\Users\admin\AppData\Local\Temp\Cab9762.tmp | — | — | — |
3172 | hhcbrnaff.exe | C:\Users\admin\AppData\Local\Temp\Tar9763.tmp | — | — | — |
3172 | hhcbrnaff.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@glyphs-design[1].txt | — | — | — |
3172 | hhcbrnaff.exe | C:\Users\admin\AppData\Local\Temp\hhgnrddkjee.exe | — | — | — |
3172 | hhcbrnaff.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | binary | 293FF4D19FF7B36B287CA6E35345831C | B8F654C5F02A43C2A576598CD450412F0B7FBCFCD165DC7ABD4C86DA552D0244 |
3812 | 7cdcac94520c25e2cdced89829744109807e809273ef607472fbaa9975cf1c32.exe | C:\Users\admin\AppData\Local\Temp\hhcbrnaff.exe | executable | 8446515167AC5312D6407163A6E9DD4A | B66A99884BC3E56EBF7EBCB623A5FF4E3010996D29950EC7BE657281740BABA4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3172 | hhcbrnaff.exe | GET | 200 | 13.107.4.50:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.0 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3172 | hhcbrnaff.exe | 173.231.184.62:443 | glyphs-design.com | Voxel Dot Net, Inc. | US | malicious |
3172 | hhcbrnaff.exe | 13.107.4.50:80 | www.download.windowsupdate.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
glyphs-design.com | | malicious |
www.download.windowsupdate.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3172 | hhcbrnaff.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) |
3172 | hhcbrnaff.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) |