File name: | PhotoViewer_1567336589_chenbin_004.exe |
Full analysis: | https://app.any.run/tasks/d67ae70b-b757-43c1-a90c-4d769e4bfeff |
Verdict: | Malicious activity |
Analysis date: | November 08, 2018, 06:56:26 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 3F56D321FE1C641C8332330048DA9585 |
SHA1: | 269C4C5B8F362EE10D1B07634091E54AE2DFBDE3 |
SHA256: | 94F8DA554BADDE07262DAA78BF2103866EC42202B56B98C2930444177C40BB8E |
SSDEEP: | 196608:ySf1WDFtd844trHSijias2g1FKmVCaQnCVhvHYv/9+:ySf1ktdj4tuJaveKGbQnCVJHYv/M |
.exe | | | Win32 Executable (generic) (3.6) |
---|---|---|
.exe | | | Generic Win/DOS Executable (1.6) |
.exe | | | DOS Executable Generic (1.5) |
ProductVersion: | 1.4.0.6 |
---|---|
ProductName: | ABC看图 |
OriginalFileName: | install.exe |
LegalCopyright: | Copyright © 2016 上海展盟网络科技有限公司 All Rights Reserved |
InternalName: | install.exe |
FileVersion: | 1.4.0.6 |
FileDescription: | ABC看图安装包 |
CompanyName: | 上海展盟网络科技有限公司 |
CharacterSet: | Unicode |
LanguageCode: | Chinese (Simplified) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.4.0.6 |
FileVersionNumber: | 1.4.0.6 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0xa52ee |
UninitializedDataSize: | - |
InitializedDataSize: | 8582144 |
CodeSize: | 1135616 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2018:07:12 11:11:16+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 12-Jul-2018 09:11:16 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | 上海展盟网络科技有限公司 |
FileDescription: | ABC看图安装包 |
FileVersion: | 1.4.0.6 |
InternalName: | install.exe |
LegalCopyright: | Copyright © 2016 上海展盟网络科技有限公司 All Rights Reserved |
OriginalFilename: | install.exe |
ProductName: | ABC看图 |
ProductVersion: | 1.4.0.6 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000130 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 7 |
Time date stamp: | 12-Jul-2018 09:11:16 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00115269 | 0x00115400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.51654 |
.rdata | 0x00117000 | 0x0003A3A0 | 0x0003A400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.25712 |
.data | 0x00152000 | 0x00006764 | 0x00002C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.36545 |
.gfids | 0x00159000 | 0x000001D4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.60591 |
.tls | 0x0015A000 | 0x00000009 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.rsrc | 0x0015B000 | 0x007DFA60 | 0x007DFC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.99632 |
.reloc | 0x0093B000 | 0x0000E794 | 0x0000E800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.58008 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.01722 | 2318 | UNKNOWN | Chinese - PRC | RT_MANIFEST |
2 | 3.18698 | 67624 | UNKNOWN | Chinese - PRC | RT_ICON |
3 | 3.40373 | 16936 | UNKNOWN | Chinese - PRC | RT_ICON |
4 | 4.10391 | 9640 | UNKNOWN | Chinese - PRC | RT_ICON |
5 | 3.80108 | 4264 | UNKNOWN | Chinese - PRC | RT_ICON |
6 | 4.21505 | 1128 | UNKNOWN | Chinese - PRC | RT_ICON |
7 | 1.76997 | 60 | UNKNOWN | Chinese - PRC | RT_STRING |
103 | 3.24033 | 284 | UNKNOWN | Chinese - PRC | RT_DIALOG |
109 | 1.79879 | 16 | UNKNOWN | Chinese - PRC | RT_ACCELERATOR |
128 | 2.79908 | 90 | UNKNOWN | Chinese - PRC | RT_GROUP_ICON |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
IMM32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2312 | "C:\Users\admin\AppData\Local\Temp\PhotoViewer_1567336589_chenbin_004.exe" | C:\Users\admin\AppData\Local\Temp\PhotoViewer_1567336589_chenbin_004.exe | — | explorer.exe |
User: admin Company: 上海展盟网络科技有限公司 Integrity Level: MEDIUM Description: ABC看图安装包 Exit code: 3221226540 Version: 1.4.0.6 | ||||
2852 | "C:\Users\admin\AppData\Local\Temp\PhotoViewer_1567336589_chenbin_004.exe" | C:\Users\admin\AppData\Local\Temp\PhotoViewer_1567336589_chenbin_004.exe | explorer.exe | |
User: admin Company: 上海展盟网络科技有限公司 Integrity Level: HIGH Description: ABC看图安装包 Exit code: 0 Version: 1.4.0.6 | ||||
2092 | "C:\Windows\System32\taskkill.exe" /f /im PhotoViewer.exe | C:\Windows\System32\taskkill.exe | — | PhotoViewer_1567336589_chenbin_004.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2644 | "C:\Windows\System32\taskkill.exe" /f /im Photomanager.exe | C:\Windows\System32\taskkill.exe | — | PhotoViewer_1567336589_chenbin_004.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
548 | "C:\Windows\System32\taskkill.exe" /f /im PdfReader.exe | C:\Windows\System32\taskkill.exe | — | PhotoViewer_1567336589_chenbin_004.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2744 | "C:\Windows\System32\taskkill.exe" /f /im Update.exe | C:\Windows\System32\taskkill.exe | — | PhotoViewer_1567336589_chenbin_004.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2820 | "C:\Windows\System32\taskkill.exe" /f /im Report.exe | C:\Windows\System32\taskkill.exe | — | PhotoViewer_1567336589_chenbin_004.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3000 | "C:\Windows\system32\regsvr32.exe" /s /u C:\Users\admin\AppData\Roaming\PhotoViewer\ShellExt.dll | C:\Windows\system32\regsvr32.exe | — | PhotoViewer_1567336589_chenbin_004.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
128 | "C:\Windows\system32\regsvr32.exe" /s /u C:\Users\admin\AppData\Roaming\PhotoViewer\Checker.dll | C:\Windows\system32\regsvr32.exe | — | PhotoViewer_1567336589_chenbin_004.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2348 | "C:\Windows\system32\regsvr32.exe" /s C:\Users\admin\AppData\Roaming\PhotoViewer\ShellExt.dll | C:\Windows\system32\regsvr32.exe | — | PhotoViewer_1567336589_chenbin_004.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2852 | PhotoViewer_1567336589_chenbin_004.exe | C:\Users\admin\AppData\Local\Temp\ABCPhotoView.7z | — | |
MD5:— | SHA256:— | |||
2852 | PhotoViewer_1567336589_chenbin_004.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\Update.exe | executable | |
MD5:2DEE0EE5C0A7FF338D9E2F086FF2BFE9 | SHA256:824A2A84BC4755C3DB90F718FDB1D2DB90B2CB64DFC1FE35F4466DD5315D6568 | |||
2852 | PhotoViewer_1567336589_chenbin_004.exe | C:\Users\admin\AppData\Local\Temp\CheckABCPhotoView.7z.md5 | text | |
MD5:0D1044734AB2ECE1EF358078F22BCB4F | SHA256:F5C6BCD4DD597BAE2A7FCA045B733A89587D5D3B8376EA9904B1CD75D873A993 | |||
2852 | PhotoViewer_1567336589_chenbin_004.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\ShellExt.dll | executable | |
MD5:A5FA380C2EDC87D16144162556E78F11 | SHA256:117C89423657FE95C13DCB110FE3D4C09355AC9E7E1D6F39E1FA136492074E21 | |||
2852 | PhotoViewer_1567336589_chenbin_004.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\Report.exe | executable | |
MD5:0A90936A39CD85D0C1802FBAB21AC636 | SHA256:4D078E3B3E17D6C775274862C92D29DCCDF5757593F2877DD9E9018E5EDCA0D5 | |||
836 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | |
MD5:9A24B65FCBC1386B75BEF6D800F00467 | SHA256:CA84D551051C7FEEEB2E618C1ED21EF3A5511C3F4937EB969629F58AEADF58E6 | |||
2852 | PhotoViewer_1567336589_chenbin_004.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\pdfium.dll | executable | |
MD5:34DD4F28F701CB4DADDDAA695D55DF34 | SHA256:5AE8EBBFFFCF975CAA73F3BE633D78F8D6880C64E3B5C3DDB10C5677CFA402EE | |||
2852 | PhotoViewer_1567336589_chenbin_004.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\PdfReader.exe | executable | |
MD5:C14884CEA81CC1B9982E70D1258C2F81 | SHA256:616EE40B0FA843442AFB44D9EE62C9CD186003C3FC504A2AEB940C21DD82B715 | |||
2852 | PhotoViewer_1567336589_chenbin_004.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\imgdecoder-gdip.dll | executable | |
MD5:E7792D2B17939D6D80A5794EBA388412 | SHA256:7566429F97D19E0710F9E4FD273B22C39867A9D812C9DC3E8E193AA314090F55 | |||
2852 | PhotoViewer_1567336589_chenbin_004.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\Uninst.exe | executable | |
MD5:1D71B3B59C88CCF19FCEA9214D4866D3 | SHA256:653A7B08CD449407F970BDD8255F0B5AF49128D9AB95E664F9A616006CEE1871 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3240 | Report.exe | GET | — | 117.50.8.146:80 | http://kantu.shzhanmeng.com/2.gif?proj=kantu&food=D5CmfUa6EOoz/uWnaEtDZXgwy658l4b/w/zm2qlL2w9iFbjGTa205QLCT+2L5NHuQcW2ISZX5QI/fCSxuKnH8YkfLJhyb7/8KWBXghSrdscUaoND97CcdjOpxuJrRnCaWP3lZz6bi7NeqMhJtbZUipLbozzBQcILbZtlJwsL/3zQBeUk3TDS/P2SMYaghrImTFrj9DyOh1Pu3Uh7eAm6IJVQxk1k | CN | — | — | malicious |
3260 | PhotoViewer.exe | GET | — | 113.215.232.5:80 | http://down2.abckantu.com/n/kantu/parameter.xml | CN | — | — | suspicious |
3260 | PhotoViewer.exe | GET | — | 119.167.216.173:80 | http://ktnews.7654.com/ | CN | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3260 | PhotoViewer.exe | 119.167.216.173:80 | ktnews.7654.com | CHINA UNICOM China169 Backbone | CN | suspicious |
— | — | 113.215.232.5:80 | down2.abckantu.com | Huashu media&Network Limited | CN | suspicious |
3240 | Report.exe | 117.50.8.146:80 | kantu.shzhanmeng.com | China Unicom Beijing Province Network | CN | malicious |
Domain | IP | Reputation |
---|---|---|
kantu.shzhanmeng.com |
| malicious |
ktnews.7654.com |
| malicious |
down2.abckantu.com |
| unknown |