Field | Value
---|---
File name | 1.exe
Full analysis | https://app.any.run/tasks/bc9bc451-6110-43ea-b45d-fa9e6ecccccc
Verdict | Malicious activity
Threats | GandCrab, one of the best-known ransomware families. Ransomware is malware that encrypts the victim's files and demands payment for the key that restores access; without that key or an independent backup, the files cannot be recovered.
Analysis date | February 11, 2019, 08:01:11
OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit)
Tags | —
Indicators | —
MIME | application/x-dosexec
File info | PE32 executable (GUI) Intel 80386, for MS Windows
MD5 | D6FA60094F8C7417722016E0D1E4C474
SHA1 | FBDB54ED582BA35FDFA38EAEA0031DB0DC31C91B
SHA256 | 812F5627BBFA5311FC96D5894CEA16788C4F81D644729EBAEA432A45D65AB8FA
SSDEEP | 3072:3KtH7Fxw0GQi8SHa0jNwriVcJLLmgM3U:aB3wq70pwrimxLi
Extension | File type (TrID) | Match (%)
---|---|---
.exe | Win32 Executable MS Visual C++ (generic) | 67.4
.dll | Win32 Dynamic Link Library (generic) | 14.2
.exe | Win32 Executable (generic) | 9.7
.exe | Generic Win/DOS Executable | 4.3
.exe | DOS Executable Generic | 4.3
Field | Value
---|---
Subsystem | Windows GUI
SubsystemVersion | 5.1
ImageVersion | -
OSVersion | 5.1
EntryPoint | 0x58ef
UninitializedDataSize | -
InitializedDataSize | 30720
CodeSize | 70144
LinkerVersion | 14
PEType | PE32
TimeStamp | 2019:01:29 20:05:06+01:00
MachineType | Intel 386 or later, and compatibles
Field | Value
---|---
Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 29-Jan-2019 19:05:06 (UTC; the same instant as the +01:00 TimeStamp above)
DOS header field | Value
---|---
Magic number | MZ
Bytes on last page of file | 0x0090
Pages in file | 0x0003
Relocations | 0x0000
Size of header (in 16-byte paragraphs) | 0x0004
Min extra paragraphs | 0x0000
Max extra paragraphs | 0xFFFF
Initial SS value | 0x0000
Initial SP value | 0x00B8
Checksum | 0x0000
Initial IP value | 0x0000
Initial CS value | 0x0000
Overlay number | 0x0000
OEM identifier | 0x0000
OEM information | 0x0000
Address of new (PE) header, e_lfanew | 0x000000D8
PE file header field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
Number of sections | 4
Time date stamp | 29-Jan-2019 19:05:06
Pointer to Symbol Table | 0x00000000
Number of symbols | 0
Size of Optional Header | 0x00E0
Characteristics | —
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
---|---|---|---|---|---
.text | 0x00001000 | 0x00011112 | 0x00011200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.61303
.rdata | 0x00013000 | 0x00001648 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.94434
.data | 0x00015000 | 0x000056BC | 0x00005600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.67031
.reloc | 0x0001B000 | 0x00000628 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.59251
Imported DLLs |
---|
ADVAPI32.dll |
GDI32.dll |
KERNEL32.dll |
RPCRT4.dll |
USER32.dll |
WININET.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3080 | "C:\Users\admin\Desktop\1.exe" | C:\Users\admin\Desktop\1.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM
3668 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | 1.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: WMI Commandline Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2828 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
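The `wmic.exe shadowcopy delete` child is the sample destroying Volume Shadow Copies before it encrypts, so that Previous Versions and VSS-based backups cannot restore the files (MITRE ATT&CK T1490, Inhibit System Recovery); the Volume Shadow Copy Service (vssvc.exe) starting under services.exe at the same time is consistent with that request being serviced. The Python below is an added example, not ANY.RUN's code or anything from the sample: it runs a small set of command-line rules over process-creation records modelled on the three rows above plus one constructed benign row. The record layout (`pid`, `image`, `cmdline`, `parent_image`, `user`, `integrity`) is this example's own assumption, and the vssadmin, wbadmin and bcdedit rules go beyond this report to cover the other commands commonly used for the same purpose.

```python
"""Flag shadow-copy / recovery-inhibition commands in process-creation telemetry.

Added example for this report. The records below are constructed from the
process-tree table (field names are this example's own, not ANY.RUN's), plus
one benign row to show the rules do not fire on 'vssadmin list shadows'.
"""
import re

# Each pattern is matched against the lower-cased, whitespace-collapsed command line.
# Only the wmic form appears in this report; the others are the usual companions
# (MITRE ATT&CK T1490) and are included as a generalisation beyond this run.
RECOVERY_INHIBITION_RULES = {
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b"),
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    "vssadmin_resize_shadowstorage": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b"),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b"),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
}

# Constructed records mirroring the report's process tree (parents by name, as in the table).
PROCESS_EVENTS = [
    {"pid": 3080, "image": r"C:\Users\admin\Desktop\1.exe",
     "cmdline": r'"C:\Users\admin\Desktop\1.exe"',
     "parent_image": "explorer.exe", "user": "admin", "integrity": "MEDIUM"},
    {"pid": 3668, "image": r"C:\Windows\system32\wbem\wmic.exe",
     "cmdline": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete',
     "parent_image": "1.exe", "user": "SYSTEM", "integrity": "SYSTEM"},
    {"pid": 2828, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe",
     "parent_image": "services.exe", "user": "SYSTEM", "integrity": "SYSTEM"},
    # Constructed benign row: an administrator listing shadow copies from a shell.
    {"pid": 4100, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",
     "parent_image": "cmd.exe", "user": "admin", "integrity": "HIGH"},
]

# Parents from which a shadow-copy deletion is at least plausibly an admin action.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def normalize_cmdline(cmdline: str) -> str:
    """Lower-case and collapse whitespace so rules are robust to quoting and spacing."""
    return " ".join(cmdline.lower().split())


def scan_events(events):
    """Return one hit per (event, rule) match. Severity is 'high' when the parent is not
    an interactive shell, i.e. a user-land binary issued the command itself, as 1.exe does."""
    hits = []
    for ev in events:
        cmd = normalize_cmdline(ev["cmdline"])
        for rule, pattern in RECOVERY_INHIBITION_RULES.items():
            if pattern.search(cmd):
                parent = (ev.get("parent_image") or "").lower()
                hits.append({
                    "pid": ev["pid"],
                    "rule": rule,
                    "parent": ev.get("parent_image"),
                    "user": ev.get("user"),
                    "severity": "medium" if parent in INTERACTIVE_SHELLS else "high",
                })
    return hits


if __name__ == "__main__":
    for hit in scan_events(PROCESS_EVENTS):
        print(hit)
```

Run against the constructed records, only PID 3668 is flagged, with parent 1.exe and severity high; the `vssadmin list shadows` row does not match because no rule treats listing as hostile. Real telemetry (Sysmon event 1, Windows Security 4688 with command-line auditing on) carries the same fields under different names, so the mapping into `PROCESS_EVENTS` is the only part that changes.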
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
3080 | 1.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data | ext | 2E00740072006A0064006B0079006A00780076000000
3080 | 1.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data | public | 0602000000A40000525341310008000001000100511C06B9F09A06A33C3EC4786C8A515DC3BA7A95FB0AE7118AD4C0178DF7DE93AE83097D9B559EAA7AFBA507A2FECF86A93F15D221BF5630E2402FA52A7BC9D1A85BF697A084B01C9A33C1B8C7611FF4F7321D36424DC7D7263293308EB2010FF72D7444B848E1C571FFB27A35D4D032768871E58E45437E49D9DAF5A48B4278B6BB9DF9C5D3BFBBCFD74309EBEDA8A5AA9A27DD5578D52DB92D69C5A95714195B01C83692085C2DEF39D0EA2FF921A795CCDD02E5291CF59DD09C48AE05C8141A0DC9966DBA6E6C4D06EBDD9E5AB1FA0D039B9A15918B6E10DD9D8A968605927047E870CB7C8E7B07A5FBC50A2370584361ADEC3B94A2F5D008D092B001B2BB
3080 | 1.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data | private | (value not shown)
3080 | 1.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3080 | 1.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3080 | 1.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 | EnableFileTracing | 0
3080 | 1.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 | EnableConsoleTracing | 0
3080 | 1.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 | FileTracingMask | 4294901760
3080 | 1.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 | ConsoleTracingMask | 4294901760
3080 | 1.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 | MaxFileSize | 1048576
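Two of these values are the forensically useful ones. `ext` under HKLM\SOFTWARE\ex_data\data is the per-infection file extension stored as a NUL-terminated UTF-16LE string, and `public` under HKLM\SOFTWARE\keys_data\data is a CryptoAPI PUBLICKEYBLOB (BLOBHEADER, then RSAPUBKEY, then the modulus little-endian). Decoding them ties the registry to the file activity listed further down: the extension is the suffix on Winre.wim.trjdkyjxv, and the upper-cased extension is the prefix of the TRJDKYJXV-DECRYPT.txt note. The ZoneMap and Tracing\1_RASAPI32 entries are housekeeping written when a process initialises WinINet/RAS (the sample imports WININET.dll and makes the HTTP request listed below), not attacker-chosen configuration. The Python below is an added example, not ANY.RUN's or the sample's code; it parses the two values exactly as copied from the table. The `private` value written alongside is not reproduced in this report, so it is not decoded here.

```python
r"""Decode the registry artifacts this GandCrab sample wrote (added example, not ANY.RUN's code).

HKLM\SOFTWARE\ex_data\data\ext      : NUL-terminated UTF-16LE string (the per-victim extension)
HKLM\SOFTWARE\keys_data\data\public : CryptoAPI PUBLICKEYBLOB = BLOBHEADER + RSAPUBKEY + modulus (LE)
"""
import struct

# Hex strings copied verbatim from the registry table in this report.
EXT_VALUE_HEX = "2E00740072006A0064006B0079006A00780076000000"
PUBLIC_KEY_HEX = (
    "0602000000A40000525341310008000001000100"
    "511C06B9F09A06A33C3EC4786C8A515DC3BA7A95FB0AE7118AD4C0178DF7DE93"
    "AE83097D9B559EAA7AFBA507A2FECF86A93F15D221BF5630E2402FA52A7BC9D1"
    "A85BF697A084B01C9A33C1B8C7611FF4F7321D36424DC7D7263293308EB2010F"
    "F72D7444B848E1C571FFB27A35D4D032768871E58E45437E49D9DAF5A48B4278"
    "B6BB9DF9C5D3BFBBCFD74309EBEDA8A5AA9A27DD5578D52DB92D69C5A9571419"
    "5B01C83692085C2DEF39D0EA2FF921A795CCDD02E5291CF59DD09C48AE05C814"
    "1A0DC9966DBA6E6C4D06EBDD9E5AB1FA0D039B9A15918B6E10DD9D8A96860592"
    "7047E870CB7C8E7B07A5FBC50A2370584361ADEC3B94A2F5D008D092B001B2BB"
)

PUBLICKEYBLOB = 0x06          # BLOBHEADER.bType for a public key
CALG_RSA_KEYX = 0x0000A400    # BLOBHEADER.aiKeyAlg: RSA key exchange
RSA1_MAGIC = b"RSA1"          # RSAPUBKEY.magic for a public key


def decode_ext(hex_value: str) -> str:
    """The 'ext' value is UTF-16LE with a trailing NUL; returns e.g. '.trjdkyjxv'."""
    return bytes.fromhex(hex_value).decode("utf-16-le").rstrip("\x00")


def parse_publickeyblob(hex_value: str) -> dict:
    """Parse BLOBHEADER (bType, bVersion, reserved, aiKeyAlg) + RSAPUBKEY (magic, bitlen,
    pubexp) + a bitlen/8-byte little-endian modulus, validating fixed fields and length."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", raw, 0)
    magic, bit_len, pub_exp = struct.unpack_from("<4sII", raw, 8)
    if b_type != PUBLICKEYBLOB:
        raise ValueError(f"bType 0x{b_type:02x} is not PUBLICKEYBLOB")
    if magic != RSA1_MAGIC:
        raise ValueError(f"unexpected RSAPUBKEY magic {magic!r}")
    mod_len = bit_len // 8
    if len(raw) != 20 + mod_len:
        raise ValueError(f"expected {20 + mod_len} bytes for a {bit_len}-bit key, got {len(raw)}")
    modulus = int.from_bytes(raw[20:], "little")
    return {
        "version": b_version,
        "alg_id": alg_id,
        "alg_is_rsa_keyx": alg_id == CALG_RSA_KEYX,
        "bit_length": bit_len,
        "public_exponent": pub_exp,
        "modulus": modulus,
        # Big-endian hex is what openssl and ASN.1 dumps show, so expose that form too.
        "modulus_hex_be": modulus.to_bytes(mod_len, "big").hex().upper(),
    }


def ransom_note_name(ext: str) -> str:
    """Note name as this report's file list shows it: extension without the dot, upper-cased,
    plus '-DECRYPT.txt'. Observed in this run; not asserted as a rule for every sample."""
    return ext.lstrip(".").upper() + "-DECRYPT.txt"


def summarize() -> dict:
    """Everything an analyst would pull from the two values, in one place."""
    ext = decode_ext(EXT_VALUE_HEX)
    key = parse_publickeyblob(PUBLIC_KEY_HEX)
    return {
        "extension": ext,
        "ransom_note": ransom_note_name(ext),
        "rsa_bits": key["bit_length"],
        "rsa_e": key["public_exponent"],
        "modulus_top_bytes": key["modulus_hex_be"][:16],
    }


if __name__ == "__main__":
    for k, v in summarize().items():
        print(f"{k}: {v}")
```

On this report's values the extension decodes to `.trjdkyjxv`, the blob is a 2048-bit RSA public key with exponent 65537, and the derived note name matches `TRJDKYJXV-DECRYPT.txt` in the file list. The length check matters in practice: a registry export that truncates the binary value would otherwise yield a wrong modulus rather than an error.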
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3080 | 1.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | — | —
3080 | 1.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | — | —
3080 | 1.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.trjdkyjxv | — | — | —
3080 | 1.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{05ed3515-06b3-48f6-8cf2-bf24b1bf0727}_OnDiskSnapshotProp | — | — | —
3080 | 1.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{16d74681-6bc3-4c44-97f0-8b8dfefe2355}_OnDiskSnapshotProp | — | — | —
3080 | 1.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{38e8535f-27d0-4352-aa3a-ce4178930102}_OnDiskSnapshotProp | — | — | —
3080 | 1.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{3cc0f82b-873a-4e59-b89f-689fbdf88af9}_OnDiskSnapshotProp | — | — | —
3080 | 1.exe | C:\MSOCache\TRJDKYJXV-DECRYPT.txt | text | 96D721E6F1DA307B4A272FD5503E404D | 495201C4A5A77F275E5CF9B867BDFF267EC76BA15C3E42D6E826B781502B6E62
3080 | 1.exe | C:\PerfLogs\Admin\TRJDKYJXV-DECRYPT.txt | text | 96D721E6F1DA307B4A272FD5503E404D | 495201C4A5A77F275E5CF9B867BDFF267EC76BA15C3E42D6E826B781502B6E62
3080 | 1.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{5c4beaff-a038-4df7-9b35-072a18f8e3d6}_OnDiskSnapshotProp | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3080 | 1.exe | GET | 301 | 185.52.2.154:80 | http://www.kakaocorp.link/ | NL | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3080 | 1.exe | 185.52.2.154:443 | www.kakaocorp.link | RouteLabel V.O.F. | NL | suspicious |
3080 | 1.exe | 185.52.2.154:80 | www.kakaocorp.link | RouteLabel V.O.F. | NL | suspicious |
Domain | IP | Reputation
---|---|---
www.kakaocorp.link | — | malicious