| Field | Value |
|---|---|
| File name | default_.exe |
| Full analysis | https://app.any.run/tasks/3dc072a0-a837-457c-8f75-613ac2ffc6a9 |
| Verdict | Malicious activity |
| Threats | GandCrab is probably one of the most famous ransomware families. Ransomware is malware that demands payment from the victim to restore access to encrypted files; if the victim does not cooperate, the files are lost for good. |
| Analysis date | January 22, 2019, 22:07:22 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | D424A90E8CCBBA7CECFEF646781CF93C |
| SHA1 | 616F74CA274FDB89B28FB26B2261B02E276FF81B |
| SHA256 | 7CE0835682F4C82B7E044C9D9DBB59DA5C5EAA07D3C60CDE0FFBAC58E85BE47D |
| SSDEEP | 3072:5Ez0Ex4k7eQyX7HAWnY4MVZ0zAwU2GYOuXsnEKUyrAhF4YUWl1:5wx7MVnYRVZ0BU2Ze3MH4YB1 |
| Extension | File type identification |
|---|---|
| .exe | UPX compressed Win32 Executable (64.2) |
| .dll | Win32 Dynamic Link Library (generic) (15.6) |
| .exe | Win32 Executable (generic) (10.6) |
| .exe | Generic Win/DOS Executable (4.7) |
| .exe | DOS Executable Generic (4.7) |
| Field | Value |
|---|---|
| MachineType | Intel 386 or later, and compatibles |
| TimeStamp | 2018:06:25 16:21:47+02:00 |
| PEType | PE32 |
| LinkerVersion | 10 |
| CodeSize | 131072 |
| InitializedDataSize | 8192 |
| UninitializedDataSize | 172032 |
| EntryPoint | 0x4ad20 |
| OSVersion | 5.1 |
| ImageVersion | - |
| SubsystemVersion | 5.1 |
| Subsystem | Windows GUI |
| FileVersionNumber | 1.0.0.0 |
| ProductVersionNumber | 1.0.0.0 |
| FileFlagsMask | 0x004f |
| FileFlags | (none) |
| FileOS | Unknown (0x40534) |
| ObjectFileType | Executable application |
| FileSubtype | - |
| LanguageCode | Unknown (457A) |
| CharacterSet | Unknown (A56B) |
| InternalName | zebeba.exe |
| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 25-Jun-2018 14:21:47 |
| DOS header field | Value |
|---|---|
| Magic number | MZ |
| Bytes on last page of file | 0x0090 |
| Pages in file | 0x0003 |
| Relocations | 0x0000 |
| Size of header | 0x0004 |
| Min extra paragraphs | 0x0000 |
| Max extra paragraphs | 0xFFFF |
| Initial SS value | 0x0000 |
| Initial SP value | 0x00B8 |
| Checksum | 0x0000 |
| Initial IP value | 0x0000 |
| Initial CS value | 0x0000 |
| Overlay number | 0x0000 |
| OEM identifier | 0x0000 |
| OEM information | 0x0000 |
| Address of NE header | 0x000000E8 |
| PE header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| Number of sections | 3 |
| Time date stamp | 25-Jun-2018 14:21:47 |
| Pointer to Symbol Table | 0x00000000 |
| Number of symbols | 0 |
| Size of Optional Header | 0x00E0 |
| Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x0002A000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x0002B000 | 0x00020000 | 0x00020000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.69823 |
.rsrc | 0x0004B000 | 0x00002000 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.50091 |
| Imported DLLs |
|---|
| ADVAPI32.dll |
| GDI32.dll |
| KERNEL32.DLL |
| MSIMG32.dll |
| SHELL32.dll |
| USER32.dll |
| WINHTTP.dll |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2860 | "C:\Users\admin\AppData\Local\Temp\default_.exe" | C:\Users\admin\AppData\Local\Temp\default_.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM |
| 3260 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | | default_.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: WMI Commandline Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2848 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 2860 | default_.exe | HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data | ext | write | 2E0061006C00700061006A00610071000000 (UTF-16LE for ".alpajaq", the extension appended to encrypted files) |
| 2860 | default_.exe | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data | public | write | (value not shown) |
| 2860 | default_.exe | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data | private | write | (value not shown) |
| 2860 | default_.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0 |
| 2860 | default_.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1 |
| 2860 | default_.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\default__RASAPI32 | EnableFileTracing | write | 0 |
| 2860 | default_.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\default__RASAPI32 | EnableConsoleTracing | write | 0 |
| 2860 | default_.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\default__RASAPI32 | FileTracingMask | write | 4294901760 |
| 2860 | default_.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\default__RASAPI32 | ConsoleTracingMask | write | 4294901760 |
| 2860 | default_.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\default__RASAPI32 | MaxFileSize | write | 1048576 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2860 | default_.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | — | — |
| 2860 | default_.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.alpajaq | — | — | — |
| 2860 | default_.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | — | — |
| 2860 | default_.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{05ed3515-06b3-48f6-8cf2-bf24b1bf0727}_OnDiskSnapshotProp | — | — | — |
| 2860 | default_.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{16d74681-6bc3-4c44-97f0-8b8dfefe2355}_OnDiskSnapshotProp | — | — | — |
| 2860 | default_.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{38e8535f-27d0-4352-aa3a-ce4178930102}_OnDiskSnapshotProp | — | — | — |
| 2860 | default_.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{3cc0f82b-873a-4e59-b89f-689fbdf88af9}_OnDiskSnapshotProp | — | — | — |
| 2860 | default_.exe | C:\MSOCache\ALPAJAQ-DECRYPT.txt | text | AAB9717EECC8C7249F73205FFAB1CC11 | 9BC82D5EC85035B63B526BCCB5C879EB6F9C7A81E5AD1FD053B61632A131F659 |
| 2860 | default_.exe | C:\ALPAJAQ-DECRYPT.txt | text | AAB9717EECC8C7249F73205FFAB1CC11 | 9BC82D5EC85035B63B526BCCB5C879EB6F9C7A81E5AD1FD053B61632A131F659 |
| 2860 | default_.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{5c4beaff-a038-4df7-9b35-072a18f8e3d6}_OnDiskSnapshotProp | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2860 | default_.exe | GET | 301 | 138.201.162.99:80 | http://www.kakaocorp.link/ | DE | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2860 | default_.exe | 138.201.162.99:80 | www.kakaocorp.link | Hetzner Online GmbH | DE | malicious |
2860 | default_.exe | 138.201.162.99:443 | www.kakaocorp.link | Hetzner Online GmbH | DE | malicious |
| Domain | IP | Reputation |
|---|---|---|
| www.kakaocorp.link | | malicious |