File name: | run_this_if_you_got_balls.exe |
Full analysis: | https://app.any.run/tasks/ea8b861e-816a-434f-ab73-c7cc8f7dd529 |
Verdict: | Malicious activity |
Analysis date: | January 15, 2022, 01:04:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | E63BF69ECCFEBFCF7580F4F770DB555E |
SHA1: | 65DF3E86542A8A6A548C6FACBF302213A9B26DF7 |
SHA256: | 856564ABE8D897B441E4A8E44384E8F895BE65F32C456CF33F01D2EF34FB3A65 |
SSDEEP: | 24576:OpZYvRoNyaooMslvC4AVeJ3H6UaLDd6l0BUL+YDRUSOqgEhTB0m6aoOcn+Ds:UZOWNyovhAVG3Htyd804pXgS0POc+A |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2013:12:25 06:01:44+01:00 |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 25088 |
InitializedDataSize: | 186368 |
UninitializedDataSize: | 2048 |
EntryPoint: | 0x3229 |
OSVersion: | 4 |
ImageVersion: | 6 |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 2.189.0.3 |
ProductVersionNumber: | 2.189.0.3 |
FileFlagsMask: | 0x0000 |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Unicode |
Comments: | - |
CompanyName: | Overwolf Ltd. |
FileDescription: | Overwolf |
FileVersion: | 2.189.0.3 |
LegalCopyright: | Copyright (C) 2021 Overwolf Ltd. All Rights Reserved. |
LegalTrademarks: | - |
ProductName: | Overwolf |
ProductVersion: | 2.189.0.3 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 25-Dec-2013 05:01:44 |
Detected languages: |
|
Comments: | - |
CompanyName: | Overwolf Ltd. |
FileDescription: | Overwolf |
FileVersion: | 2.189.0.3 |
LegalCopyright: | Copyright (C) 2021 Overwolf Ltd. All Rights Reserved. |
LegalTrademarks: | - |
ProductName: | Overwolf |
ProductVersion: | 2.189.0.3 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000C8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 25-Dec-2013 05:01:44 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0000606C | 0x00006200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.45707 |
.rdata | 0x00008000 | 0x00001460 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.94596 |
.data | 0x0000A000 | 0x0002AF98 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.79535 |
.ndata | 0x00035000 | 0x00013000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00048000 | 0x00003540 | 0x00003600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.28573 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.27028 | 773 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 7.57954 | 3714 | UNKNOWN | English - United States | RT_ICON |
3 | 1.10023 | 2216 | UNKNOWN | English - United States | RT_ICON |
4 | 2.26683 | 1128 | UNKNOWN | English - United States | RT_ICON |
103 | 2.50269 | 62 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.88094 | 284 | UNKNOWN | English - United States | RT_DIALOG |
111 | 2.48825 | 96 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3980 | "C:\Users\admin\AppData\Local\Temp\run_this_if_you_got_balls.exe" | C:\Users\admin\AppData\Local\Temp\run_this_if_you_got_balls.exe | Explorer.EXE | ||||||||||||
User: admin Company: Overwolf Ltd. Integrity Level: MEDIUM Description: Overwolf Exit code: 1223 Version: 2.189.0.3 Modules
| |||||||||||||||
2528 | "C:\Users\admin\AppData\Local\Temp\run_this_if_you_got_balls.exe" /UAC:901A8 /NCRC | C:\Users\admin\AppData\Local\Temp\run_this_if_you_got_balls.exe | run_this_if_you_got_balls.exe | ||||||||||||
User: admin Company: Overwolf Ltd. Integrity Level: HIGH Description: Overwolf Exit code: 1223 Version: 2.189.0.3 Modules
| |||||||||||||||
2300 | "C:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\OWinstaller.exe" Sel=1&Channel=web_dl_btn&Partner=4204&Extension=edoaelkdajnifpnkdfillhjpaimimibflhkhjngh&Name=U.GG&Thanks=https%3A%2F%2Fgo.overwolf.com%2Finstall-successful%2F&UtmSource=ugghome /UAC:901A8 /NCRC -partnerCustomizationLevel 0 -exepath C:\Users\admin\AppData\Local\Temp\run_this_if_you_got_balls.exe | C:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\OWinstaller.exe | run_this_if_you_got_balls.exe | ||||||||||||
User: admin Company: Overwolf Integrity Level: HIGH Description: Overwolf Installer Exit code: 0 Version: 2.187.0.5 Modules
| |||||||||||||||
2620 | "C:\Windows\System32\DxDiag.exe" /tC:\Users\admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt | C:\Windows\System32\DxDiag.exe | OWinstaller.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft DirectX Diagnostic Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2528) run_this_if_you_got_balls.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2528) run_this_if_you_got_balls.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2528) run_this_if_you_got_balls.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2528) run_this_if_you_got_balls.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2528) run_this_if_you_got_balls.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2528) run_this_if_you_got_balls.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2528) run_this_if_you_got_balls.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2528) run_this_if_you_got_balls.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2528) run_this_if_you_got_balls.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (2528) run_this_if_you_got_balls.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8} |
Operation: | write | Name: | WpadDecisionReason |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2528 | run_this_if_you_got_balls.exe | C:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\OWInstaller.exe | executable | |
MD5:437BD6F8A674D7F60B9A6C49F3F40EDC | SHA256:409B1D25FAADD555D4EEBEF970378641EAE347E06F36E2B82E33009C49EEB178 | |||
2528 | run_this_if_you_got_balls.exe | C:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\nsis7z.dll | executable | |
MD5:8BC34305598F5FABED471A86A0133642 | SHA256:AE7F725D7D37CA8B6639060C2BB4EA0BACFB59D281523411EBD048AF67393FBD | |||
3980 | run_this_if_you_got_balls.exe | C:\Users\admin\AppData\Local\Temp\nsxEA06.tmp\UserInfo.dll | executable | |
MD5:9301577FF4D229347FE33259B43EF3B2 | SHA256:090C4BC8DC534E97B3877BD5115EB58B3E181495F29F231479F540BAB5C01EDC | |||
2528 | run_this_if_you_got_balls.exe | C:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\app\manifest.json | binary | |
MD5:D13AC7ACBAD20D60DFA1DFEC462AB375 | SHA256:7C351ECFC9D1646253EAED45E8260F67736B048CEF316B00B7240E273EDA4557 | |||
2528 | run_this_if_you_got_balls.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Counter[1] | text | |
MD5:99914B932BD37A50B983C5E7C90AE93B | SHA256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A | |||
3980 | run_this_if_you_got_balls.exe | C:\Users\admin\AppData\Local\Temp\nsxEA06.tmp\uac.dll | executable | |
MD5:ADB29E6B186DAA765DC750128649B63D | SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08 | |||
2528 | run_this_if_you_got_balls.exe | C:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\System.dll | executable | |
MD5:7399323923E3946FE9140132AC388132 | SHA256:5A1C20A3E2E2EB182976977669F2C5D9F3104477E98F74D69D2434E79B92FDC3 | |||
2528 | run_this_if_you_got_balls.exe | C:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\app\_locales\de\messages.json | binary | |
MD5:78EC264BF985B0393F3CF6F6C650EB23 | SHA256:AC9DD27A1F4DB976FB741514E7E4D70047F988B79422B6994E9469E1D9E7714F | |||
2528 | run_this_if_you_got_balls.exe | C:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\OWInstaller.exe.config | xml | |
MD5:4BF2A039CD2CF37CF37C19F2912996E0 | SHA256:EC7C6BC4205712A0A78C68F7F0F762AC7E62276720A61A6877A94F6A573F0AA7 | |||
2528 | run_this_if_you_got_balls.exe | C:\Users\admin\AppData\Local\Overwolf\OWInstall.log | text | |
MD5:07E605D2D7609CF336EA1708E86B5A0C | SHA256:C69AD6C6A1D6D89336E18DB86A6C852AB60C0CEB367C79922807E55DE7BE49DD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2300 | OWinstaller.exe | GET | 200 | 69.16.175.42:80 | http://analyticsnew.overwolf.com/analytics/Counter?CurrentVersion=2.187.0.5&PartnerID=4204&Name=Manual_Installer_Launched&Value=1&UserName=&GameSessionId=&owver=0.187.0.4&MUID=21859394-9b15-41ba-bda6-e12e02f6e7ed | US | text | 2 b | malicious |
2300 | OWinstaller.exe | GET | 200 | 69.16.175.42:80 | http://analyticsnew.overwolf.com/analytics/Counter?CurrentVersion=2.187.0.5&PartnerID=4204&Name=installer_webbrowser_init&Value=1&UserName=&GameSessionId=&Extra=%255b%257b%2522Name%2522%253a%2522ver%2522%252c%2522Value%2522%253a%252211.0.9600.19597%2522%257d%255d&owver=0.187.0.4&MUID=21859394-9b15-41ba-bda6-e12e02f6e7ed | US | text | 2 b | malicious |
2300 | OWinstaller.exe | GET | 200 | 41.63.96.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?52a47d7c98ee5bcf | ZA | compressed | 4.70 Kb | whitelisted |
2300 | OWinstaller.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEG9FXshPqpwWCgAAAAEn3MY%3D | US | der | 471 b | whitelisted |
2300 | OWinstaller.exe | GET | 200 | 99.86.3.143:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
2300 | OWinstaller.exe | GET | 200 | 99.86.3.68:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
2300 | OWinstaller.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
2300 | OWinstaller.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEGmSmALa8169CgAAAAEn3NM%3D | US | der | 471 b | whitelisted |
2300 | OWinstaller.exe | GET | 200 | 65.9.62.120:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
2300 | OWinstaller.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2300 | OWinstaller.exe | 41.63.96.0:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | ZA | suspicious |
2300 | OWinstaller.exe | 143.204.215.24:443 | storeapi.overwolf.com | — | US | malicious |
2300 | OWinstaller.exe | 142.250.185.174:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
2300 | OWinstaller.exe | 65.9.61.40:443 | content.overwolf.com | AT&T Services, Inc. | US | unknown |
2528 | run_this_if_you_got_balls.exe | 69.16.175.42:80 | analyticsnew.overwolf.com | Highwinds Network Group, Inc. | US | malicious |
2300 | OWinstaller.exe | 69.16.175.42:80 | analyticsnew.overwolf.com | Highwinds Network Group, Inc. | US | malicious |
2300 | OWinstaller.exe | 13.35.253.89:443 | www.overwolf.com | — | US | suspicious |
2300 | OWinstaller.exe | 142.250.186.67:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2300 | OWinstaller.exe | 142.250.186.138:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2300 | OWinstaller.exe | 99.86.3.143:80 | ocsp.rootg2.amazontrust.com | AT&T Services, Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
analyticsnew.overwolf.com |
| malicious |
www.google-analytics.com |
| whitelisted |
content.overwolf.com |
| whitelisted |
storeapi.overwolf.com |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
o.ss2.us |
| whitelisted |
ocsp.rootg2.amazontrust.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
ocsp.rootca1.amazontrust.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2528 | run_this_if_you_got_balls.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) |