download: | wordle_windows_0_2.exe |
Full analysis: | https://app.any.run/tasks/30d30256-c1f5-40f1-a552-37d655b29044 |
Verdict: | Malicious activity |
Analysis date: | April 23, 2019, 19:10:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | EFECA44E62236AFFE49B5B66049E385A |
SHA1: | 9CA715B5E3591BC04C582ACA4BD27A1524F42132 |
SHA256: | 97E5770485780B365DB1BF8B3A101C1D1D88154BF62AB6D96A83024EBD845A4B |
SSDEEP: | 196608:kJotydtkPm9FHDG2kOYlB62INLRCa81COSzHeo3WS6:kJaPE02W9IKrsOSbeoM |
.exe | | | InstallShield setup (36.8) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (26.6) |
.exe | | | Win64 Executable (generic) (23.6) |
.dll | | | Win32 Dynamic Link Library (generic) (5.6) |
.exe | | | Win32 Executable (generic) (3.8) |
InternalName: | wordle |
---|---|
OriginalFileName: | wordle_windows_0_2.exe |
ProductVersion: | 0.2 |
ProductName: | Wordle |
LegalCopyright: | - |
FileVersion: | 0.2 |
FileDescription: | Wordle |
CompanyName: | - |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Unknown |
FileOS: | Win32 |
FileFlags: | Debug |
FileFlagsMask: | 0x0017 |
ProductVersionNumber: | 0.2.0.0 |
FileVersionNumber: | 0.2.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x25cc0 |
UninitializedDataSize: | - |
InitializedDataSize: | 216576 |
CodeSize: | 232448 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2018:12:07 11:47:38+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 07-Dec-2018 10:47:38 |
Detected languages: |
|
CompanyName: | - |
FileDescription: | Wordle |
FileVersion: | 0.2 |
LegalCopyright: | - |
ProductName: | Wordle |
ProductVersion: | 0.2 |
OriginalFilename: | wordle_windows_0_2.exe |
InternalName: | wordle |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 07-Dec-2018 10:47:38 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00038A85 | 0x00038C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.67683 |
.rdata | 0x0003A000 | 0x00019386 | 0x00019400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.32397 |
.data | 0x00054000 | 0x00012EE4 | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.10263 |
.rsrc | 0x00067000 | 0x00004E00 | 0x00004E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.56041 |
.reloc | 0x0006C000 | 0x00003BCC | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.6709 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.17909 | 1244 | UNKNOWN | UNKNOWN | RT_MANIFEST |
2 | 5.03916 | 2216 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 4.93195 | 3752 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 7.91261 | 8327 | UNKNOWN | UNKNOWN | RT_ICON |
101 | 3.19761 | 302 | UNKNOWN | English - United States | RT_DIALOG |
103 | 3.05366 | 286 | UNKNOWN | English - United States | RT_DIALOG |
104 | 2.62517 | 226 | UNKNOWN | English - United States | RT_DIALOG |
1001 | 2.52704 | 62 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
ADVAPI32.dll |
KERNEL32.dll |
OLEAUT32.dll |
USER32.dll |
ole32.dll |
Title | Ordinal | Address |
---|---|---|
_Java_com_install4j_runtime_installer_platform_win32_ACLHandling_addACE@40 | 1 | 0x00017583 |
_Java_com_install4j_runtime_installer_platform_win32_FileVersion_compare0@16 | 2 | 0x00017EE0 |
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getDriveType0@12 | 3 | 0x00018319 |
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getPathFromRegistry0@12 | 4 | 0x0001816B |
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getShortPathName0@12 | 5 | 0x00018378 |
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getSpecialFolder0@16 | 6 | 0x00018131 |
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getSystemDirectory0@8 | 7 | 0x000182B7 |
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getUniversalPathName0@12 | 8 | 0x000183FF |
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getWindowsDirectory0@8 | 9 | 0x00018227 |
_Java_com_install4j_runtime_installer_platform_win32_Misc_broadcastSettingChange0@8 | 10 | 0x000192BB |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3280 | "C:\Users\admin\AppData\Local\Temp\wordle_windows_0_2.exe" | C:\Users\admin\AppData\Local\Temp\wordle_windows_0_2.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: Wordle Exit code: 0 Version: 0.2 | ||||
4088 | c:\PROGRA~1\java\JRE18~1.0_9\bin\java.exe -version | c:\PROGRA~1\java\JRE18~1.0_9\bin\java.exe | — | wordle_windows_0_2.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
2596 | "C:\Users\admin\AppData\Local\Temp\wordle_windows_0_2.exe" __i4j_lang_restart -J-Xmx128m -J-Dinstall4j.commIdentifier=\\.\pipe\i4jcomm0 -J-Dinstall4j.helperAppId=installer -J-Duser.language=en -J-Dinstall4j.language=en -J-Dinstall4j.systemLanguage=en -J-Dexe4j.unextractedPositionRestart=2597793 -J-Dinstall4j.commIdentifier=\\.\pipe\i4jcomm0 -J-Dinstall4j.helperLog=false -J-Dinstall4j.dontUninstallServices=false "-J-Dexe4j.semaphoreName=Local\c:_users_admin_appdata_local_temp_wordle_windows_0_2.exe" | C:\Users\admin\AppData\Local\Temp\wordle_windows_0_2.exe | wordle_windows_0_2.exe | |
User: admin Integrity Level: HIGH Description: Wordle Exit code: 0 Version: 0.2 | ||||
4076 | "C:\Users\admin\AppData\Local\Temp\wordle_windows_0_2.exe" __i4j_windel C:\Users\admin\AppData\Local\Temp\i4j7578698201214960744.tmp | C:\Users\admin\AppData\Local\Temp\wordle_windows_0_2.exe | — | wordle_windows_0_2.exe |
User: admin Integrity Level: MEDIUM Description: Wordle Exit code: 0 Version: 0.2 | ||||
2980 | "C:\Program Files\wordle\Wordle.exe" | C:\Program Files\wordle\Wordle.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3984 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3280) wordle_windows_0_2.exe | Key: | HKEY_CURRENT_USER\Software\ej-technologies\exe4j\pids |
Operation: | write | Name: | c:\users\admin\appdata\local\temp\wordle_windows_0_2.exe |
Value: 3280 | |||
(PID) Process: | (3280) wordle_windows_0_2.exe | Key: | HKEY_CURRENT_USER\Software\ej-technologies\exe4j |
Operation: | write | Name: | InstallStarted_3280 |
Value: 1 | |||
(PID) Process: | (3280) wordle_windows_0_2.exe | Key: | HKEY_CURRENT_USER\Software\ej-technologies\exe4j |
Operation: | write | Name: | InstallStarted |
Value: 1 | |||
(PID) Process: | (3280) wordle_windows_0_2.exe | Key: | HKEY_CURRENT_USER\Software\ej-technologies\exe4j\jvms\c:/program files/java/jre1.8.0_92/bin/java.exe |
Operation: | write | Name: | LastWriteTime |
Value: 40942D4BC73ED401 | |||
(PID) Process: | (3280) wordle_windows_0_2.exe | Key: | HKEY_CURRENT_USER\Software\ej-technologies\exe4j\jvms\c:/program files/java/jre1.8.0_92/bin/java.exe |
Operation: | write | Name: | Version |
Value: 1.8.0_92 | |||
(PID) Process: | (3280) wordle_windows_0_2.exe | Key: | HKEY_CURRENT_USER\Software\ej-technologies\exe4j |
Operation: | write | Name: | InstallStarted_3280 |
Value: 0 | |||
(PID) Process: | (3280) wordle_windows_0_2.exe | Key: | HKEY_CURRENT_USER\Software\ej-technologies\exe4j |
Operation: | write | Name: | InstallStarted |
Value: 0 | |||
(PID) Process: | (3280) wordle_windows_0_2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3280) wordle_windows_0_2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3280) wordle_windows_0_2.exe | Key: | HKEY_CURRENT_USER\Software\ej-technologies\exe4j |
Operation: | delete value | Name: | InstallStarted_3280 |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3280 | wordle_windows_0_2.exe | C:\Users\admin\AppData\Local\Temp\i4j_nlog_1.log | text | |
MD5:B063145F4C71862191B2A40FEE7EB879 | SHA256:477D7D20073D70ACA92FA0A72DDDF83BC5AC7D3D27F1693D124B7C9FFB9239B8 | |||
3280 | wordle_windows_0_2.exe | C:\Users\admin\AppData\Local\Temp\e4jDBF.tmp_dir1556046671\i4jparams.conf | xml | |
MD5:2FDB5B176363CAC7C3FDFABC6057AC01 | SHA256:230FB5A544762EAE93B5C328CEF58CC7EADFF7F6D3575B17B9F0584AC645997C | |||
3280 | wordle_windows_0_2.exe | C:\Users\admin\AppData\Local\Temp\e4jDBF.tmp_dir1556046671\MessagesDefault | text | |
MD5:CDB52F89ADE5948798B33719D364A2CD | SHA256:AAD8C2109686ADF1D15C13EC307FFB4A1FDEF6971EC2EC1EC4419A59FEB967C5 | |||
3280 | wordle_windows_0_2.exe | C:\Users\admin\AppData\Local\Temp\e4jDBF.tmp_dir1556046671\i4j_extf_1_1xg8ule.txt | text | |
MD5:0EF864944F65C4306F19B34181537383 | SHA256:B30064C6A59123CB52A3EC5400B5220E17B86208AC6B8F54216F631A9D8093D1 | |||
3280 | wordle_windows_0_2.exe | C:\Users\admin\AppData\Local\Temp\e4jDBF.tmp_dir1556046671\i4jruntime.jar | compressed | |
MD5:BFBC7DD645E3CE681B6DC75C7E75437B | SHA256:3DE34B00BB36B8CD8CBBBC17E065EF8B9215006BC5AEC9888DDB0389BBA77325 | |||
3280 | wordle_windows_0_2.exe | C:\Users\admin\AppData\Local\Temp\e4jDBF.tmp_dir1556046671\stats.properties | text | |
MD5:EFD532407CDBD986509BB9F3447A4493 | SHA256:7079216DB15EE41A10C0F62028272AEA323E2D97F707A9A788B308DBFFAF81BB | |||
3280 | wordle_windows_0_2.exe | C:\Users\admin\AppData\Local\Temp\e4jDBF.tmp_dir1556046671\user.jar | compressed | |
MD5:226D845A757304FA37CA7A3A5B2E9B40 | SHA256:CFAEA39E0AB3A2F0D932EEA9B805B7E37422907B9F797C16C8BD8C3D4B4EBE44 | |||
3280 | wordle_windows_0_2.exe | C:\Users\admin\AppData\Local\Temp\e4jDBF.tmp_dir1556046671\i4j_extf_0_1xg8ule.utf8 | text | |
MD5:CDB52F89ADE5948798B33719D364A2CD | SHA256:AAD8C2109686ADF1D15C13EC307FFB4A1FDEF6971EC2EC1EC4419A59FEB967C5 | |||
3280 | wordle_windows_0_2.exe | C:\Users\admin\AppData\Local\Temp\e4jDBF.tmp_dir1556046671\i4j_extf_2_1xg8ule_x7nby6.png | image | |
MD5:F6DFE7474B27F1D3EADF2E2FBC22C255 | SHA256:AD32F1717727377B4BB48BC8320E8E1BF87FF493FAAC1D17C554299A7D128C08 | |||
3280 | wordle_windows_0_2.exe | C:\Users\admin\AppData\Local\Temp\e4jDBF.tmp_dir1556046671\launchers.xml | xml | |
MD5:9885C8ACCF27DDEB44C4CDE2BC8F4BC8 | SHA256:96C12B5B38EA0B31FE3502CB6DA49CA7B80E6618CDA89CD6F819FA52FBE6911A |