File name: | 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe |
Full analysis: | https://app.any.run/tasks/a8e04b84-4e51-459e-963e-904541037985 |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 13:18:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 6209D516E4CA3BB294C8EB296D265B2C |
SHA1: | 7D23625B69E9D0498538C3317053F6EDD97FB8F2 |
SHA256: | 9B0CB066877576F405C688D2D06A076897104968D42958DC4309B69C04F435A3 |
SSDEEP: | 3072:ftgACFxBaj+nL4IkcRDNiHGG6C57Q+hjXy5GXxLwOyR/2+KTRK7iwj+MfG+:ft9YxMj+L4hmHsXyYXOOSgNdwXG |
.dll | | | Win32 Dynamic Link Library (generic) (43.5) |
---|---|---|
.exe | | | Win32 Executable (generic) (29.8) |
.exe | | | Generic Win/DOS Executable (13.2) |
.exe | | | DOS Executable Generic (13.2) |
LegalTrademarks: | Pexacev Hukip Ygapo Pusys Badep Rox |
---|---|
FileDescription: | Comile Esuq Wuhitac |
CompanyName: | PalmSource, Inc. |
ProductVersion: | 10, 3 |
OriginalFileName: | Rajqjr63ugg.exe |
FileVersion: | 10, 3, 3 |
InternalName: | Sox |
ProductName: | Ypitih |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 10.3.0.0 |
FileVersionNumber: | 10.3.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x12e79 |
UninitializedDataSize: | - |
InitializedDataSize: | 46080 |
CodeSize: | 78336 |
LinkerVersion: | 4 |
PEType: | PE32 |
TimeStamp: | 2000:11:18 16:20:42+01:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1568 | "C:\Users\admin\AppData\Local\Temp\9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe" | C:\Users\admin\AppData\Local\Temp\9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | Explorer.EXE | ||||||||||||
User: admin Company: PalmSource, Inc. Integrity Level: MEDIUM Description: Comile Esuq Wuhitac Exit code: 0 Version: 10, 3, 3 Modules
| |||||||||||||||
3944 | "C:\Windows\system32\svchost.exe" | C:\Windows\system32\svchost.exe | — | 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3988 | "C:\Users\admin\AppData\Local\Temp\9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe" | C:\Users\admin\AppData\Local\Temp\9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | — | 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
1276 | "C:\Windows\system32\mspaint.exe" | C:\Windows\system32\mspaint.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Paint Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
284 | taskeng.exe {676F38EF-2AEC-4A4B-BA70-4C8C7218D1B1} | C:\Windows\system32\taskeng.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Engine Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
552 | "C:\Windows\system32\Dwm.exe" | C:\Windows\system32\Dwm.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Desktop Window Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1172 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1372 | C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CTF Loader Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2724 | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | C:\Windows\system32\DllHost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (1568) 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | Screen Saver Pro 3.1 |
Value: C:\Users\admin\AppData\Roaming\ScreenSaverPro.scr | |||
(PID) Process: | (1568) 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1568) 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (1568) 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (1568) 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (1568) 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (1568) 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1568) 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (1568) 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (1568) 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: |
PID | Process | Filename | Type | |
---|---|---|---|---|
1568 | 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NTDETECT.COM | executable | |
MD5:6209D516E4CA3BB294C8EB296D265B2C | SHA256:9B0CB066877576F405C688D2D06A076897104968D42958DC4309B69C04F435A3 | |||
1568 | 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | C:\Users\admin\AppData\Roaming\temp.bin | executable | |
MD5:6209D516E4CA3BB294C8EB296D265B2C | SHA256:9B0CB066877576F405C688D2D06A076897104968D42958DC4309B69C04F435A3 | |||
1568 | 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | C:\Users\admin\AppData\Roaming\ScreenSaverPro.scr | executable | |
MD5:6209D516E4CA3BB294C8EB296D265B2C | SHA256:9B0CB066877576F405C688D2D06A076897104968D42958DC4309B69C04F435A3 | |||
1568 | 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | C:\Users\admin\AppData\Local\Temp\9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe.gonewiththewings | executable | |
MD5:6209D516E4CA3BB294C8EB296D265B2C | SHA256:9B0CB066877576F405C688D2D06A076897104968D42958DC4309B69C04F435A3 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1276 | mspaint.exe | 199.2.137.29:7380 | j.joyyv03.com | Microsoft Corporation | US | whitelisted |
1568 | 9b0cb066877576f405c688d2d06a076897104968d42958dc4309b69c04f435a3.exe | 51.15.12.156:80 | apt.wipmania.net | Online S.a.s. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
apt.wipmania.net |
| suspicious |
api.wipmania.com |
| unknown |
j.joyyv03.com |
| malicious |
dns.msftncsi.com |
| shared |
j.balkr03.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1276 | mspaint.exe | Generic Protocol Command Decode | SURICATA STREAM TIMEWAIT ACK with wrong seq |