Field | Value |
---|---|
File name: | Fireflysetup.exe |
Full analysis: | https://app.any.run/tasks/5b558d5e-39fe-4e83-ab03-e843b0b16c92 |
Verdict: | Malicious activity |
Analysis date: | April 25, 2019, 08:33:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | B3E5E0B34C36AD17C2CD628B213A1C69 |
SHA1: | E033864D487FDB1D1764FEB6AEBB0971074EDBBF |
SHA256: | 8F64829B9B2236C2741925A9B90E09298C13038D297D4E225DBF2D72C74915F8 |
SSDEEP: | 98304:ZBOv4nRd2J2arJ6m56Gxmq7o90VRHRhEUX6KPeBpM1abVZLI4Sw+EmG3p/Gs:ZB4cRd2J22MmXmq7VRXTeBki/I9EmOp/ |
Extension | Type |
---|---|
.exe | Win32 Executable (generic) (52.9) |
.exe | Generic Win/DOS Executable (23.5) |
.exe | DOS Executable Generic (23.5) |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2017:08:02 10:53:06+02:00 |
PEType: | PE32 |
LinkerVersion: | 2.25 |
CodeSize: | 1077248 |
InitializedDataSize: | 18650624 |
UninitializedDataSize: | - |
EntryPoint: | 0x12dd001 |
OSVersion: | 5 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.3.9.12 |
ProductVersionNumber: | 1.3.9.12 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Unknown (042A) |
CharacterSet: | Unknown (04EA) |
CompanyName: | BitCrypt Group. |
FileDescription: | BitCrypt Group - Personal DTP Install |
FileVersion: | 1.3.9.12 |
InternalName: | InstallFireFly |
LegalCopyright: | - |
LegalTrademarks: | - |
OriginalFileName: | - |
ProductName: | InstallFireFly |
ProductVersion: | 1.3.9.12 |
Comments: | - |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 02-Aug-2017 08:53:06 |
Detected languages: | |
CompanyName: | BitCrypt Group. |
FileDescription: | BitCrypt Group - Personal DTP Install |
FileVersion: | 1.3.9.12 |
InternalName: | InstallFireFly |
LegalCopyright: | - |
LegalTrademarks: | - |
OriginalFilename: | - |
ProductName: | InstallFireFly |
ProductVersion: | 1.3.9.12 |
Comments: | - |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 12 |
Time date stamp: | 02-Aug-2017 08:53:06 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00106000 | 0x00058E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99935 |
.itext | 0x00107000 | 0x00001000 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.31138 |
.data | 0x00108000 | 0x00011000 | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.97506 |
.bss | 0x00119000 | 0x00007000 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00120000 | 0x00005000 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.9438 |
.didata | 0x00125000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.24243 |
.tls | 0x00126000 | 0x00001000 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00127000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.737414 |
.reloc | 0x00128000 | 0x00016000 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x0013E000 | 0x0119F000 | 0x004F0600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99973 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.32263 | 792 | UNKNOWN | Russian - Russia | RT_VERSION |
2 | 2.75039 | 67624 | UNKNOWN | English - Australia | RT_ICON |
3 | 3.22421 | 16936 | UNKNOWN | English - Australia | RT_ICON |
4 | 3.47275 | 9640 | UNKNOWN | English - Australia | RT_ICON |
5 | 3.95426 | 4264 | UNKNOWN | English - Australia | RT_ICON |
6 | 4.72225 | 1128 | UNKNOWN | English - Australia | RT_ICON |
7 | 0 | 308 | UNKNOWN | English - United States | RT_CURSOR |
4076 | 0 | 532 | UNKNOWN | UNKNOWN | RT_STRING |
4077 | 0 | 860 | UNKNOWN | UNKNOWN | RT_STRING |
4078 | 0 | 908 | UNKNOWN | UNKNOWN | RT_STRING |
Imports |
---|
advapi32.dll |
comctl32.dll |
gdi32.dll |
kernel32.dll |
msimg32.dll |
netapi32.dll |
ole32.dll |
oleaut32.dll |
setupapi.dll |
shell32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3832 | "C:\Users\admin\Desktop\Fireflysetup.exe" | C:\Users\admin\Desktop\Fireflysetup.exe | — | explorer.exe |
User: admin Company: BitCrypt Group. Integrity Level: MEDIUM Description: BitCrypt Group - Personal DTP Install Exit code: 3221226540 Version: 1.3.9.12 | ||||
2376 | "C:\Users\admin\Desktop\Fireflysetup.exe" | C:\Users\admin\Desktop\Fireflysetup.exe | | explorer.exe |
User: admin Company: BitCrypt Group. Integrity Level: HIGH Description: BitCrypt Group - Personal DTP Install Exit code: 0 Version: 1.3.9.12 | ||||
3572 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{60013775-2535-3229-d022-713e589f1d6f}\cbdisk.inf" "0" "64ed60303" "00000548" "WinSta0\Default" "00000544" "208" "c:\users\admin\appdata\local\temp\{4793b220-2873-417d-a16e-dfadb15a0b66}" | C:\Windows\system32\DrvInst.exe | | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3128 | rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3f6a6f93-aa26-3fde-f9d5-a6342f42775e} Global\{7a506922-93f3-4406-c472-d9173af4444c} C:\Windows\System32\DriverStore\Temp\{2f354448-4a86-269e-dc04-164b5e5ecf1c}\cbdisk.inf C:\Windows\System32\DriverStore\Temp\{2f354448-4a86-269e-dc04-164b5e5ecf1c}\cbdisk.cat | C:\Windows\system32\rundll32.exe | — | DrvInst.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3040 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2164 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005D8" "000005D4" | C:\Windows\system32\DrvInst.exe | — | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2668 | DrvInst.exe "2" "211" "ROOT\STORLIB\0000" "C:\Windows\INF\oem4.inf" "cbdisk.inf:ELDOS.NTx86:StorLibBus_Device:2.1.86.0:root\cbdisk_storlib_bus2" "64ed60303" "00000548" "000005BC" "000005D8" | C:\Windows\system32\DrvInst.exe | | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3412 | "C:\Windows\system32\regsvr32.exe" /n /s /i:"{4793B220-2873-417d-A16E-DFADB15A0B66}" "C:\Users\admin\AppData\Local\Temp\{4793B220-2873-417d-A16E-DFADB15A0B66}\i386\CbDiskNetRdr2.dll" | C:\Windows\system32\regsvr32.exe | | Fireflysetup.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
992 | "C:\Windows\system32\regsvr32.exe" /n /s /i:"{4793B220-2873-417d-A16E-DFADB15A0B66}" "C:\Users\admin\AppData\Local\Temp\{4793B220-2873-417d-A16E-DFADB15A0B66}\i386\CbDiskMntNtf2.dll" | C:\Windows\system32\regsvr32.exe | | Fireflysetup.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 5 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2568 | "C:\Program Files\firefly\RSystems.exe" /install /silent | C:\Program Files\firefly\RSystems.exe | — | Fireflysetup.exe |
User: admin Company: BitCrypt Jsc Integrity Level: HIGH Description: BitCrypt Jsc - Personal DTP Exit code: 0 Version: 1.0.0.0 | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2376 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\CabF84.tmp | — | |
MD5:— | SHA256:— | |||
2376 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\TarF85.tmp | — | |
MD5:— | SHA256:— | |||
2376 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\CabF95.tmp | — | |
MD5:— | SHA256:— | |||
2376 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\TarF96.tmp | — | |
MD5:— | SHA256:— | |||
2376 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\CabFA7.tmp | — | |
MD5:— | SHA256:— | |||
2376 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\TarFA8.tmp | — | |
MD5:— | SHA256:— | |||
2376 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\CabFB9.tmp | — | |
MD5:— | SHA256:— | |||
2376 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\TarFC9.tmp | — | |
MD5:— | SHA256:— | |||
2376 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\{4793B220-2873-417d-A16E-DFADB15A0B66}\i386\cbdisk2.sys | executable | |
MD5:3E6210658BF995C27F95477813B8739A | SHA256:FA2B6F0B351A3CA53FF29214DCF8E101DC67A4342CFE90A7E4B79CEB0C2B2673 | |||
2376 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\CabFEA.tmp | — | |
MD5:— | SHA256:— | |||