| Field | Value |
|---|---|
| File name | fuck_spheres.exe |
| Full analysis | https://app.any.run/tasks/e5ab6600-6459-487a-9b56-a582f5fd045b |
| Verdict | Malicious activity |
| Analysis date | October 09, 2019, 18:18:02 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | EB08CF518184DEB024CADC8097B80026 |
| SHA1 | E28524C60A4D17CEE7A95759F01E768F414DB8EE |
| SHA256 | 978FCAEF114B868A1FD879E1B0135ABF7CB5CF6AC203BCA205F798256E536EC6 |
| SSDEEP | 98304:wSmAvJGSqp7Ju1G64ESktXr/ZLeL7X70hz+iCD9mPpMG+B4N4kK4dRnF5rQZFJwe:wVAxGllUBFXr/kn7gz+txmbukF5rOFOe |
| Extension | File type | Match (%) |
|---|---|---|
| .exe | Generic CIL Executable (.NET, Mono, etc.) | 63.1 |
| .exe | Win64 Executable (generic) | 23.8 |
| .dll | Win32 Dynamic Link Library (generic) | 5.6 |
| .exe | Win32 Executable (generic) | 3.8 |
| .exe | Generic Win/DOS Executable | 1.7 |
| Field | Value |
|---|---|
| AssemblyVersion | 10.1.18362.1 |
| ProductVersion | 10.1.18362.1 |
| ProductName | Windows Software Development Kit - Windows 10.0.18362.1 |
| OriginalFileName | winsdksetupEVIL.exe |
| LegalCopyright | Copyright (c) Microsoft Corporation. All rights reserved. |
| InternalName | winsdksetupEVIL.exe |
| FileVersion | 10.1.18362.1 |
| FileDescription | Windows Software Development Kit - Windows 10.0.18362.1 |
| CharacterSet | Unicode |
| LanguageCode | Neutral |
| FileSubtype | - |
| ObjectFileType | Executable application |
| FileOS | Win32 |
| FileFlags | (none) |
| FileFlagsMask | 0x003f |
| ProductVersionNumber | 10.1.18362.1 |
| FileVersionNumber | 10.1.18362.1 |
| Subsystem | Windows GUI |
| SubsystemVersion | 4 |
| ImageVersion | - |
| OSVersion | 4 |
| EntryPoint | 0x56154e |
| UninitializedDataSize | - |
| InitializedDataSize | 2560 |
| CodeSize | 5633536 |
| LinkerVersion | 11 |
| PEType | PE32 |
| TimeStamp | 2019:10:09 15:50:58+02:00 |
| MachineType | Intel 386 or later, and compatibles |
| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 09-Oct-2019 13:50:58 |
| FileDescription | Windows Software Development Kit - Windows 10.0.18362.1 |
| FileVersion | 10.1.18362.1 |
| InternalName | winsdksetupEVIL.exe |
| LegalCopyright | Copyright (c) Microsoft Corporation. All rights reserved. |
| OriginalFilename | winsdksetupEVIL.exe |
| ProductName | Windows Software Development Kit - Windows 10.0.18362.1 |
| ProductVersion | 10.1.18362.1 |
| Assembly Version | 10.1.18362.1 |
| DOS header field | Value |
|---|---|
| Magic number | MZ |
| Bytes on last page of file | 0x0090 |
| Pages in file | 0x0003 |
| Relocations | 0x0000 |
| Size of header | 0x0004 |
| Min extra paragraphs | 0x0000 |
| Max extra paragraphs | 0xFFFF |
| Initial SS value | 0x0000 |
| Initial SP value | 0x00B8 |
| Checksum | 0x0000 |
| Initial IP value | 0x0000 |
| Initial CS value | 0x0000 |
| Overlay number | 0x0000 |
| OEM identifier | 0x0000 |
| OEM information | 0x0000 |
| Address of NE header | 0x00000080 |
| PE file header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| Number of sections | 3 |
| Time date stamp | 09-Oct-2019 13:50:58 |
| Pointer to Symbol Table | 0x00000000 |
| Number of symbols | 0 |
| Size of Optional Header | 0x00E0 |
| Characteristics | |
| Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
|---|---|---|---|---|---|
| .text | 0x00002000 | 0x0055F554 | 0x0055F600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.99901 |
| .rsrc | 0x00562000 | 0x00000790 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.33019 |
| .reloc | 0x00564000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
| Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
| 1 | 5.0831 | 756 | UNKNOWN | UNKNOWN | RT_MANIFEST |

| Imports |
|---|
| mscoree.dll |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3200 | "C:\Users\admin\AppData\Local\Temp\fuck_spheres.exe" | C:\Users\admin\AppData\Local\Temp\fuck_spheres.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Description: Windows Software Development Kit - Windows 10.0.18362.1; Exit code: 3221226540; Version: 10.1.18362.1 |
| 3364 | "C:\Users\admin\AppData\Local\Temp\fuck_spheres.exe" | C:\Users\admin\AppData\Local\Temp\fuck_spheres.exe | — | explorer.exe | User: admin; Integrity Level: HIGH; Description: Windows Software Development Kit - Windows 10.0.18362.1; Exit code: 0; Version: 10.1.18362.1 |
| 2972 | "C:\Users\admin\AppData\Local\Temp\winsdksetup.exe" | C:\Users\admin\AppData\Local\Temp\winsdksetup.exe | — | fuck_spheres.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Software Development Kit - Windows 10.0.18362.1; Version: 10.1.18362.1 |
| 552 | "C:\Windows\Temp\{EF33738E-EB02-4BF4-93AD-A68CDA5BB433}\.cr\winsdksetup.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\winsdksetup.exe" -burn.filehandle.attached=148 -burn.filehandle.self=156 | C:\Windows\Temp\{EF33738E-EB02-4BF4-93AD-A68CDA5BB433}\.cr\winsdksetup.exe | — | winsdksetup.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Software Development Kit - Windows 10.0.18362.1; Version: 10.1.18362.1 |
| 2844 | "C:\Users\admin\Documents\crypto.exe" | C:\Users\admin\Documents\crypto.exe | — | fuck_spheres.exe | User: admin; Integrity Level: HIGH |
| 1696 | "C:\Users\admin\AppData\Local\Temp\hdd.exe" | C:\Users\admin\AppData\Local\Temp\hdd.exe | — | fuck_spheres.exe | User: admin; Company: Apache Software Foundation; Integrity Level: HIGH; Description: ApacheBench command line utility; Exit code: 0; Version: 2.2.14 |
| 2520 | "C:\Users\admin\Documents\crypto.exe" | C:\Users\admin\Documents\crypto.exe | — | crypto.exe | User: admin; Integrity Level: HIGH |
| 3052 | "C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.be\winsdksetup.exe" -q -burn.elevated BurnPipe.{5235E579-47C3-4ED5-B253-A8084F156FC4} {C867AF44-D30A-448E-BB91-59371DC06513} 552 | C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.be\winsdksetup.exe | — | winsdksetup.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Software Development Kit - Windows 10.0.18362.1; Version: 10.1.18362.1 |
| 2124 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2128 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "00000534" "00000394" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Driver Installation Module; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3364 | fuck_spheres.exe | C:\Users\admin\AppData\Local\Temp\hdd.exe | executable | D0511453B926C19EA41ABD77540AD47E | 63240BA3F70D0CD48612E5C5DFB1AA9F6ECB49B9BE98F24A0070EF60C20C7AF4 |
| 2844 | crypto.exe | C:\Users\admin\AppData\Local\Temp\_MEI28442\Crypto.Cipher._AES.pyd | executable | 587D83FB55A1EFC29200EC4B832D4FCE | B8506860D4B68ED2DC99EFAD8562163744DD91EF35CCC1E48464E92B714F6B39 |
| 3364 | fuck_spheres.exe | C:\Users\admin\Documents\crypto.exe | executable | 00994D2447C8056673B5FFDA86288AC4 | A5F4C11F256121E56576978E42693BDBD2C722619EE06A4565DE0825E7A967B4 |
| 552 | winsdksetup.exe | C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\Microsoft.Diagnostics.Tracing.EventSource.dll | executable | AD9250C9725E55E11729256336ACCD56 | F9836C19B55583433141CBC1AE4542E65919ABB0753E806B29740A732526B685 |
| 3364 | fuck_spheres.exe | C:\Users\admin\AppData\Local\Temp\winsdksetup.exe | executable | 31BBF735442CC6BDBE416274256B0210 | 2E28117E82B4D02FE30D564B835ACE9976612609271265872F20F2256A9C506B |
| 552 | winsdksetup.exe | C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\BootstrapperCore.dll | executable | 789476090439024462CF3694B8090B7D | 9C900B865AAAB23622C23E6F2EB22DFC881109351FE06F07CD7CC69C80CB55D2 |
| 552 | winsdksetup.exe | C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\mbahost.dll | executable | 2BA10D77A0DD711803D905EA64444369 | 36547E04B852794C0DB49EC3C64D7DEE428E3AC933B965A85D52785481E01A07 |
| 552 | winsdksetup.exe | C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\UserExperienceManifest.xml | text | 98E3CA0FF7B6DADEA3C65299086A3D3F | F23BAD2532BBA72318CBFD1FB78A35E0D6B4AB9EBA65010233A5D781D0EA89E3 |
| 552 | winsdksetup.exe | C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\Microsoft.Bootstrapper.Presentation.dll | executable | 28A709345DC0BD3E55C0C7A0B4C68BEE | 10DD4F2220903EBD9D4842126FA457835EAC0E0495F129B6CD36905F3DC6B779 |
| 552 | winsdksetup.exe | C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\license.rtf | text | 1C2304FD72C13D32E690924A5CB0F150 | 863A7B97EBD8FC2BA102FD7F12183CC75E281C5637F9A6CCB341CD0A2CFED297 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 552 | winsdksetup.exe | GET | 302 | 2.19.38.59:80 | http://go.microsoft.com/fwlink/?prd=11966&pver=1.0&plcid=0x409&clcid=0x409&ar=Windows10&sar=SDK&o1=10.0.18362.1 | unknown | — | — | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 552 | winsdksetup.exe | 2.19.38.59:80 | go.microsoft.com | Akamai International B.V. | — | whitelisted |
| 552 | winsdksetup.exe | 2.18.233.19:443 | download.microsoft.com | Akamai International B.V. | — | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| go.microsoft.com | — | whitelisted |
| download.microsoft.com | — | whitelisted |