Field | Value |
---|---|
File name: | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9 |
Full analysis: | https://app.any.run/tasks/e271abc3-f3de-4440-b87d-c0c5c8f0e4f7 |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 08:40:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | A3C22E2F449F09814C0E24C499D1C9A2 |
SHA1: | 454BEF599195E5C6C82C2A6EE381AACA8899D9F8 |
SHA256: | 9A429B84F416346DE08EBE452FCA6705A00FA5F3D345857BF5CB4ED0546549F9 |
SSDEEP: | 3072:hJaWDaGRTtZumcr6yfTjGcqUE9ZRGwUVOYHfZEXhHLtmDYjRhmek:z7btZuZfTjpqFcwKOYHfiXhrCQR7 |
Extension | File type (match score) |
---|---|
.exe | Generic CIL Executable (.NET, Mono, etc.) (62) |
.exe | Win64 Executable (generic) (23.3) |
.dll | Win32 Dynamic Link Library (generic) (5.5) |
.exe | Win32 Executable (generic) (3.8) |
.exe | Win16/32 Executable Delphi generic (1.7) |
Field | Value |
---|---|
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x2eb5e |
UninitializedDataSize: | - |
InitializedDataSize: | 512 |
CodeSize: | 183296 |
LinkerVersion: | 8 |
PEType: | PE32 |
TimeStamp: | 2019:06:17 11:55:54+02:00 |
MachineType: | Intel 386 or later, and compatibles |

Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 17-Jun-2019 09:55:54 |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 2 |
Time date stamp: | 17-Jun-2019 09:55:54 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x0002CB64 | 0x0002CC00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.39984 |
.reloc | 0x00030000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Imports |
---|
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3608 | "C:\Users\admin\AppData\Local\Temp\9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe" | C:\Users\admin\AppData\Local\Temp\9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3996 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\campusweight.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2804 | "C:\Users\admin\AppData\Local\Temp\9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe" | C:\Users\admin\AppData\Local\Temp\9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe |
User: admin Integrity Level: MEDIUM | ||||
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3996 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1337.tmp.cvr | — | — | — |
3996 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D40ED17F838C08142D2050F63A3156BE | B534221B95F851D7A71BF0842EB138803536EA050CF9D9E5BDD61CBF85129AF9 |
3996 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\campusweight.rtf.LNK | lnk | 6BA0AB5B0DAB68CD15246409E01C95EC | 08204E91D4BA4358C744545A8906C243445670F4EBB9656AA04052E8BC63779E |
3608 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lWHEMsIY.url | text | D6A97210A96CCBC0D3A3CA84C0F056F4 | A375F595CDF206354F08B642F72267C7BE76F342515DF3B05A5569422041F001 |
3996 | WINWORD.EXE | C:\Users\admin\Desktop\~$mpusweight.rtf | pgc | 5241E4C0C647C002D7549A9EDA4EF263 | 52004BB7D3412F98C6676F29A48EE8DCEB543701D4F131A695CCE8F0EA4DB6D9 |
3608 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | C:\Users\admin\AppData\Roaming\PLA\rundll32.exe | executable | A3C22E2F449F09814C0E24C499D1C9A2 | 9A429B84F416346DE08EBE452FCA6705A00FA5F3D345857BF5CB4ED0546549F9 |
3996 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | DCC7CED926D600030726485442F94E64 | 31335C5BE8D137AB762B2EB64029BFAB32A6BD350E1AAD901F5298EAFB6C74AB |
3608 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | C:\Users\admin\AppData\Roaming\PLA\GGUMTFyS.vbs | text | BB45B214AC0AC64FCD1A2A2B6B8D7431 | C37A662978C00318CA20C2135ED5278C9D7AC84F96B68ADDD39C6F810A32BE4C |
3996 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | F3B25701FE362EC84616A93A45CE9998 | B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2804 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | GET | 200 | 216.239.38.21:80 | http://ifconfig.me/ip | US | text | 15 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2804 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | 216.239.38.21:80 | ifconfig.me | Google Inc. | US | whitelisted |
2804 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger LLP | GB | malicious |
2804 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | 77.88.21.38:25 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
2804 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | 93.158.134.38:25 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
2804 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | 213.180.193.38:25 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
2804 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | 213.180.204.38:25 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
2804 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | 87.250.250.38:25 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
Domain | IP | Reputation |
---|---|---|
ifconfig.me | | shared |
smtp.yandex.com | | shared |
dns.msftncsi.com | | shared |
api.telegram.org | | shared |
PID | Process | Class | Message |
---|---|---|---|
2804 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (ifconfig .me) |
2804 | 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ifconfig. me) |
Process | Message |
---|---|
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |