Field | Value
---|---
File name | Fireflysetup.exe
Full analysis | https://app.any.run/tasks/8ddef5c5-e6b5-4a99-b6e1-5970de9c2279
Verdict | Malicious activity
Analysis date | April 25, 2019, 08:36:40
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators |
MIME | application/x-dosexec
File info | PE32 executable (GUI) Intel 80386, for MS Windows
MD5 | B3E5E0B34C36AD17C2CD628B213A1C69
SHA1 | E033864D487FDB1D1764FEB6AEBB0971074EDBBF
SHA256 | 8F64829B9B2236C2741925A9B90E09298C13038D297D4E225DBF2D72C74915F8
SSDEEP | 98304:ZBOv4nRd2J2arJ6m56Gxmq7o90VRHRhEUX6KPeBpM1abVZLI4Sw+EmG3p/Gs:ZB4cRd2J22MmXmq7VRXTeBki/I9EmOp/
Extension | Type | Score
---|---|---
.exe | Win32 Executable (generic) | 52.9
.exe | Generic Win/DOS Executable | 23.5
.exe | DOS Executable Generic | 23.5
Field | Value
---|---
Comments | -
ProductVersion | 1.3.9.12
ProductName | InstallFireFly
OriginalFileName | -
LegalTrademarks | -
LegalCopyright | -
InternalName | InstallFireFly
FileVersion | 1.3.9.12
FileDescription | BitCrypt Group - Personal DTP Install
CompanyName | BitCrypt Group.
CharacterSet | Unknown (04EA)
LanguageCode | Unknown (042A)
FileSubtype | -
ObjectFileType | Executable application
FileOS | Win32
FileFlags | (none)
FileFlagsMask | 0x003f
ProductVersionNumber | 1.3.9.12
FileVersionNumber | 1.3.9.12
Subsystem | Windows GUI
SubsystemVersion | 5
ImageVersion | -
OSVersion | 5
EntryPoint | 0x12dd001
UninitializedDataSize | -
InitializedDataSize | 18650624
CodeSize | 1077248
LinkerVersion | 2.25
PEType | PE32
TimeStamp | 2017:08:02 10:53:06+02:00
MachineType | Intel 386 or later, and compatibles
Architecture | IMAGE_FILE_MACHINE_I386
Field | Value
---|---
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 02-Aug-2017 08:53:06
Detected languages |
DOS header field | Value
---|---
Magic number | MZ
Bytes on last page of file | 0x0050
Pages in file | 0x0002
Relocations | 0x0000
Size of header | 0x0004
Min extra paragraphs | 0x000F
Max extra paragraphs | 0xFFFF
Initial SS value | 0x0000
Initial SP value | 0x00B8
Checksum | 0x0000
Initial IP value | 0x0000
Initial CS value | 0x0000
Overlay number | 0x001A
OEM identifier | 0x0000
OEM information | 0x0000
Address of NE header | 0x00000100
PE header field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
Number of sections | 12
Time date stamp | 02-Aug-2017 08:53:06
Pointer to Symbol Table | 0x00000000
Number of symbols | 0
Size of Optional Header | 0x00E0
Characteristics |

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
---|---|---|---|---|---
.text | 0x00001000 | 0x00106000 | 0x00058E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99935 |
.itext | 0x00107000 | 0x00001000 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.31138 |
.data | 0x00108000 | 0x00011000 | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.97506 |
.bss | 0x00119000 | 0x00007000 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00120000 | 0x00005000 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.9438 |
.didata | 0x00125000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.24243 |
.tls | 0x00126000 | 0x00001000 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00127000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.737414 |
.reloc | 0x00128000 | 0x00016000 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x0013E000 | 0x0119F000 | 0x004F0600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99973 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.32263 | 792 | UNKNOWN | Russian - Russia | RT_VERSION |
2 | 2.75039 | 67624 | UNKNOWN | English - Australia | RT_ICON |
3 | 3.22421 | 16936 | UNKNOWN | English - Australia | RT_ICON |
4 | 3.47275 | 9640 | UNKNOWN | English - Australia | RT_ICON |
5 | 3.95426 | 4264 | UNKNOWN | English - Australia | RT_ICON |
6 | 4.72225 | 1128 | UNKNOWN | English - Australia | RT_ICON |
7 | 0 | 308 | UNKNOWN | English - United States | RT_CURSOR |
4076 | 0 | 532 | UNKNOWN | UNKNOWN | RT_STRING |
4077 | 0 | 860 | UNKNOWN | UNKNOWN | RT_STRING |
4078 | 0 | 908 | UNKNOWN | UNKNOWN | RT_STRING |
Imported DLL
---
advapi32.dll
comctl32.dll
gdi32.dll
kernel32.dll
msimg32.dll
netapi32.dll
ole32.dll
oleaut32.dll
setupapi.dll
shell32.dll
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2148 | "C:\Users\admin\Desktop\Fireflysetup.exe" | C:\Users\admin\Desktop\Fireflysetup.exe | — | explorer.exe | User: admin; Company: BitCrypt Group.; Integrity Level: MEDIUM; Description: BitCrypt Group - Personal DTP Install; Exit code: 3221226540; Version: 1.3.9.12
1692 | "C:\Users\admin\Desktop\Fireflysetup.exe" | C:\Users\admin\Desktop\Fireflysetup.exe | — | explorer.exe | User: admin; Company: BitCrypt Group.; Integrity Level: HIGH; Description: BitCrypt Group - Personal DTP Install; Exit code: 0; Version: 1.3.9.12
2804 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{731e7bf0-300e-7188-dcc0-326b48161869}\cbdisk.inf" "0" "64ed60303" "00000544" "WinSta0\Default" "000005A0" "208" "c:\users\admin\appdata\local\temp\{4793b220-2873-417d-a16e-dfadb15a0b66}" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Driver Installation Module; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3200 | rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{1567cfb1-8d3a-7ace-8253-476f9db54556} Global\{5a85bcc6-895f-0b55-2a05-12092b65ff0c} C:\Windows\System32\DriverStore\Temp\{3571d862-6914-58b8-9638-0d63bc7cf64b}\cbdisk.inf C:\Windows\System32\DriverStore\Temp\{3571d862-6914-58b8-9638-0d63bc7cf64b}\cbdisk.cat | C:\Windows\system32\rundll32.exe | — | DrvInst.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3560 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3984 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005D0" "000005CC" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Driver Installation Module; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1440 | DrvInst.exe "2" "211" "ROOT\STORLIB\0000" "C:\Windows\INF\oem4.inf" "cbdisk.inf:ELDOS.NTx86:StorLibBus_Device:2.1.86.0:root\cbdisk_storlib_bus2" "64ed60303" "00000544" "000004AC" "000005D0" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Driver Installation Module; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2508 | "C:\Windows\system32\regsvr32.exe" /n /s /i:"{4793B220-2873-417d-A16E-DFADB15A0B66}" "C:\Users\admin\AppData\Local\Temp\{4793B220-2873-417d-A16E-DFADB15A0B66}\i386\CbDiskNetRdr2.dll" | C:\Windows\system32\regsvr32.exe | — | Fireflysetup.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft(C) Register Server; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
4016 | "C:\Windows\system32\regsvr32.exe" /n /s /i:"{4793B220-2873-417d-A16E-DFADB15A0B66}" "C:\Users\admin\AppData\Local\Temp\{4793B220-2873-417d-A16E-DFADB15A0B66}\i386\CbDiskMntNtf2.dll" | C:\Windows\system32\regsvr32.exe | — | Fireflysetup.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft(C) Register Server; Exit code: 5; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3916 | "C:\Program Files\firefly\RSystems.exe" /install /silent | C:\Program Files\firefly\RSystems.exe | — | Fireflysetup.exe | User: admin; Company: BitCrypt Jsc; Integrity Level: HIGH; Description: BitCrypt Jsc - Personal DTP; Exit code: 0; Version: 1.0.0.0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1692 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\Cab8028.tmp | — | — | —
1692 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\Tar8039.tmp | — | — | —
1692 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\Cab8049.tmp | — | — | —
1692 | Fireflysetup.exe | C:\Windows\vdisk.cab | compressed | 2C5D55BB6D0D8E7700DD92CB9D4B04DC | 3A1D42CE0DB50B7D304F078032428D3C31894E88A2594FE5D4280D6275D3E365
1692 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\Tar804A.tmp | — | — | —
1692 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\Cab805B.tmp | — | — | —
1692 | Fireflysetup.exe | C:\Windows\INF\setupapi.dev.log | ini | 5F1F00F66264111CC6E36935A07431D8 | 78610C09CA4B001B03EAE7955D06949B9612A60131069E029FCC95CF33FE2CFC
1692 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\{4793B220-2873-417d-A16E-DFADB15A0B66}\ia64\cbdiskNetRdr2.dll | executable | 0CC39441AE89293F2E5E2FEB45D34DB4 | EF68AA67C96760E903DC73FAEA13D62428611A4F30FF292FB579A909F61DDD79
1692 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\{4793B220-2873-417d-A16E-DFADB15A0B66}\ia64\cbdisk2.sys | executable | 2FD00B054454006FF3FF669FC07C6DB2 | 462097D33C2D01ACA5BFFE2DDBB87ED446FB756D74CA72D9A2CB2661BACECF3E
1692 | Fireflysetup.exe | C:\Users\admin\AppData\Local\Temp\{4793B220-2873-417d-A16E-DFADB15A0B66}\cbdisk.cat | cat | 72157DAF2112DDB528E9BB51F3DC4362 | D07302905722CE839535065E09EFBC60F12C309987C9BC291B45A0F57A8B84B5