File name: | 931f52e339a904e8a5d345978c317f78f4a8784d |
Full analysis: | https://app.any.run/tasks/d1373570-8be5-4753-a330-7344d161eef9 |
Verdict: | Malicious activity |
Analysis date: | May 24, 2019, 10:53:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5: | 4738D7B0EC77C83685A382063C4239C3 |
SHA1: | 98BDED14E96AC06179894DD79C276BAA387D4483 |
SHA256: | 80F333D4779BC74CA08E70BA290D7811F68453D7E134AC262BA74D604FDE81BD |
SSDEEP: | 98304:o5ljwiMH1Xx8NtN4d8dW8zc10S+W5U/mfXnAp8:of8J4NGQWJ0dIeRp |
.exe | | | UPX compressed Win32 Executable (64.2) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.6) |
.exe | | | Win32 Executable (generic) (10.6) |
.exe | | | Generic Win/DOS Executable (4.7) |
.exe | | | DOS Executable Generic (4.7) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2018:06:28 07:16:03+02:00 |
PEType: | PE32 |
LinkerVersion: | 10 |
CodeSize: | 4485120 |
InitializedDataSize: | 45056 |
UninitializedDataSize: | 2129920 |
EntryPoint: | 0x64f4e0 |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.0.0.0 |
ProductVersionNumber: | 1.0.0.0 |
FileFlagsMask: | 0x004f |
FileFlags: | (none) |
FileOS: | Unknown (0x40534) |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Unknown (457D) |
CharacterSet: | Unknown (F56B) |
InternalName: | dopinocora.exe |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 28-Jun-2018 05:16:03 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 28-Jun-2018 05:16:03 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x00208000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x00209000 | 0x00447000 | 0x00446800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.61889 |
.rsrc | 0x00650000 | 0x0000B000 | 0x0000A800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49271 |
ADVAPI32.dll |
GDI32.dll |
KERNEL32.DLL |
MSIMG32.dll |
SHELL32.dll |
USER32.dll |
WINHTTP.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3184 | "C:\Users\admin\AppData\Local\Temp\931f52e339a904e8a5d345978c317f78f4a8784d.exe" | C:\Users\admin\AppData\Local\Temp\931f52e339a904e8a5d345978c317f78f4a8784d.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3208 | cmd.exe /C CompMgmtLauncher | C:\Windows\system32\cmd.exe | — | 931f52e339a904e8a5d345978c317f78f4a8784d.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3688 | CompMgmtLauncher | C:\Windows\system32\CompMgmtLauncher.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Computer Management Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
776 | "C:\Windows\system32\CompMgmtLauncher.exe" | C:\Windows\system32\CompMgmtLauncher.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Computer Management Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2744 | "C:\Windows\system32\CompMgmtLauncher.exe" | C:\Windows\system32\CompMgmtLauncher.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Computer Management Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2544 | "C:\Users\admin\AppData\Local\Temp\931f52e339a904e8a5d345978c317f78f4a8784d.exe" | C:\Users\admin\AppData\Local\Temp\931f52e339a904e8a5d345978c317f78f4a8784d.exe | — | CompMgmtLauncher.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2412 | "C:\Users\admin\AppData\Local\Temp\931f52e339a904e8a5d345978c317f78f4a8784d.exe" | C:\Users\admin\AppData\Local\Temp\931f52e339a904e8a5d345978c317f78f4a8784d.exe | 931f52e339a904e8a5d345978c317f78f4a8784d.exe | |
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 | ||||
2532 | cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" | C:\Windows\system32\cmd.exe | — | 931f52e339a904e8a5d345978c317f78f4a8784d.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2976 | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes | C:\Windows\system32\netsh.exe | — | cmd.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
308 | cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes" | C:\Windows\system32\cmd.exe | — | 931f52e339a904e8a5d345978c317f78f4a8784d.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2412 | 931f52e339a904e8a5d345978c317f78f4a8784d.exe | C:\Windows\rss\csrss.exe | executable | |
MD5:4738D7B0EC77C83685A382063C4239C3 | SHA256:80F333D4779BC74CA08E70BA290D7811F68453D7E134AC262BA74D604FDE81BD | |||
3108 | csrss.exe | C:\Windows\System32\drivers\WinmonProcessMonitor.sys | executable | |
MD5:622FD523A87CB55BE0B676A70C64E8F8 | SHA256:F609C6656A0C451DAFA5173DF0CD848F7CB7F22C4F150F8D16716C12593DE66C | |||
3108 | csrss.exe | C:\Windows\System32\drivers\Winmon.sys | executable | |
MD5:4EF0C39E632279D7B3672D2EFC071E5B | SHA256:889FB266C4C01BB4EF67635249C8DAEB641FC86CE62FC280B34BEEC415FB6129 | |||
3108 | csrss.exe | C:\Windows\System32\drivers\WinmonFS.sys | executable | |
MD5:0D3A8D67CD969C6E096B4D29E910DD9E | SHA256:EB0BE2AC3833C843214A55B14C31125A7B600D5272BDF322C4871F42627576E4 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3108 | csrss.exe | 104.18.36.59:443 | weekdanys.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
weekdanys.com |
| malicious |
headbuild.info |
| suspicious |