File name: | ec768bb5afb0ed028c354b3ed10ca3ce.exe |
Full analysis: | https://app.any.run/tasks/aba4a51c-7d02-435e-b508-57fec823369d |
Verdict: | Malicious activity |
Analysis date: | February 19, 2019, 02:55:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 5BAB370514BA09B001CC4B9F877797FB |
SHA1: | FC642621E4CEF1B4B0EDCBD7771AB9BF4683E40A |
SHA256: | 8CAC639FCB35422402FD16C12C401B4831007DCDDE0A133CD9E9175B6BDCA6FE |
SSDEEP: | 12288:uSgOVWy9kmqyB+ZI9i/ACMRh+S6uR6RvFt/eFXwMiw8oEf:tklyB19ES6uR+r/rwEf |
.exe | | | Win32 EXE PECompact compressed (generic) (79.7) |
---|---|---|
.exe | | | Win32 Executable (generic) (8.6) |
.exe | | | Win16/32 Executable Delphi generic (3.9) |
.exe | | | Generic Win/DOS Executable (3.8) |
.exe | | | DOS Executable Generic (3.8) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:02:14 00:02:48+01:00 |
PEType: | PE32 |
LinkerVersion: | 2.25 |
CodeSize: | 138752 |
InitializedDataSize: | 465920 |
UninitializedDataSize: | - |
EntryPoint: | 0x22528 |
OSVersion: | 5 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 13-Feb-2019 23:02:48 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 11 |
Time date stamp: | 13-Feb-2019 23:02:48 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0002094C | 0x00020A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.43568 |
.itext | 0x00022000 | 0x00001274 | 0x00001400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.44888 |
.data | 0x00024000 | 0x00001888 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.69432 |
.bss | 0x00026000 | 0x00005960 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x0002C000 | 0x00000AEC | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.65761 |
.didata | 0x0002D000 | 0x000001C8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.05764 |
.edata | 0x0002E000 | 0x0000006E | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.26052 |
.tls | 0x0002F000 | 0x00000014 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00030000 | 0x0000005C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.35256 |
.reloc | 0x00031000 | 0x00002BD8 | 0x00002C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.54323 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
4090 | 3.18737 | 464 | UNKNOWN | UNKNOWN | RT_STRING |
4091 | 3.50315 | 508 | UNKNOWN | UNKNOWN | RT_STRING |
4092 | 3.36848 | 196 | UNKNOWN | UNKNOWN | RT_STRING |
4093 | 3.38569 | 304 | UNKNOWN | UNKNOWN | RT_STRING |
4094 | 3.25466 | 796 | UNKNOWN | UNKNOWN | RT_STRING |
4095 | 3.35521 | 852 | UNKNOWN | UNKNOWN | RT_STRING |
4096 | 3.31066 | 696 | UNKNOWN | UNKNOWN | RT_STRING |
OKNT | 7.99961 | 438480 | UNKNOWN | English - United States | CQYS |
DVCLAL | 4 | 16 | UNKNOWN | UNKNOWN | RT_RCDATA |
PACKAGEINFO | 5.08347 | 396 | UNKNOWN | UNKNOWN | RT_RCDATA |
advapi32.dll |
kernel32.dll |
kernel32.dll (delay-loaded) |
netapi32.dll |
oleaut32.dll |
user32.dll |
version.dll |
Title | Ordinal | Address |
---|---|---|
dbkFCallWrapperAddr | 1 | 0x00029628 |
__dbk_fcall_wrapper | 2 | 0x0000B5E4 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3100 | "C:\Users\admin\AppData\Local\Temp\ec768bb5afb0ed028c354b3ed10ca3ce.exe" | C:\Users\admin\AppData\Local\Temp\ec768bb5afb0ed028c354b3ed10ca3ce.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3820 | C:\Windows\system32\regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\EC768B~1.DLL f1 C:\Users\admin\AppData\Local\Temp\EC768B~1.EXE@3100 | C:\Windows\system32\regsvr32.exe | — | ec768bb5afb0ed028c354b3ed10ca3ce.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3676 | C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\EC768B~1.DLL,f0 | C:\Windows\system32\rundll32.exe | regsvr32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3100 | ec768bb5afb0ed028c354b3ed10ca3ce.exe | C:\Users\admin\AppData\Local\Temp\ec768bb5afb0ed028c354b3ed10ca3ce.dll | executable | |
MD5:772935A18948183668ACD6A3A89A3258 | SHA256:973F1A4C6F34D0BFE0AAB4248BCF53C23D82A4A72DCD6120167123DEE858BDD0 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3676 | rundll32.exe | 74.142.24.152:443 | — | Time Warner Cable Internet LLC | US | malicious |
3676 | rundll32.exe | 115.123.116.123:443 | — | — | CN | malicious |
3676 | rundll32.exe | 4.86.161.167:443 | — | Level 3 Communications, Inc. | US | unknown |
PID | Process | Class | Message |
---|---|---|---|
3676 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
3676 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
3676 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |