Field | Value |
---|---|
File name: | cupk8.fgs |
Full analysis: | https://app.any.run/tasks/62c991af-a883-41b0-b9dc-94997e04829a |
Verdict: | Malicious activity |
Analysis date: | April 15, 2019, 12:09:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 81C53D624E9F01D8CA6BA58903422A68 |
SHA1: | 3A3A95C55EB9680F230099B4139384380B3B5296 |
SHA256: | A0FB07DD63013DC3DA559B0077B2DDFB8848FBD3F3ABB10DB930E652D3F61D77 |
SSDEEP: | 6144:gjvD2FdF+08hZq45q2CCu7dYReiJNHYxhu50a:grD0F+/0AqoJSTu50a |
Extension | Type |
---|---|
.exe | Win64 Executable (generic) (76.4) |
.exe | Win32 Executable (generic) (12.4) |
.exe | Generic Win/DOS Executable (5.5) |
.exe | DOS Executable Generic (5.5) |
Field | Value |
---|---|
ProductVersion: | 9.3.35.84 |
ProductName: | Nothingcat |
LegalTrademarks: | Nothingcat |
FileVersion: | 9.3.35.84 |
FileDescription: | Nothingcat |
CompanyName: | Above make |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 9.3.35.84 |
FileVersionNumber: | 9.3.35.84 |
Subsystem: | Windows GUI |
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 6 |
EntryPoint: | 0x1ed9 |
UninitializedDataSize: | - |
InitializedDataSize: | 245760 |
CodeSize: | 152576 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2017:04:15 11:41:21+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 15-Apr-2017 09:41:21 |
Detected languages: | |
Debug artifacts: | |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000108 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 15-Apr-2017 09:41:21 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0002523D | 0x00025400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.98385 |
.rdata | 0x00027000 | 0x0000CB28 | 0x0000CC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.97991 |
.data | 0x00034000 | 0x0000465C | 0x00003E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.4816 |
.gfids | 0x00039000 | 0x00000124 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.09151 |
.rsrc | 0x0003A000 | 0x00029298 | 0x00029400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.13051 |
.reloc | 0x00064000 | 0x000015DC | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.64588 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.79597 | 346 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 0.960854 | 38056 | UNKNOWN | English - United States | RT_ICON |
3 | 1.05506 | 21640 | UNKNOWN | English - United States | RT_ICON |
4 | 0.93023 | 16936 | UNKNOWN | English - United States | RT_ICON |
5 | 1.16429 | 9640 | UNKNOWN | English - United States | RT_ICON |
6 | 1.24457 | 4264 | UNKNOWN | English - United States | RT_ICON |
7 | 1.4554 | 2440 | UNKNOWN | English - United States | RT_ICON |
8 | 1.54827 | 1128 | UNKNOWN | English - United States | RT_ICON |
31 | 2.83362 | 230 | UNKNOWN | English - United States | RT_DIALOG |
36 | 2.9154 | 256 | UNKNOWN | English - United States | RT_DIALOG |
Imported library |
---|
ADVAPI32.dll |
COMDLG32.dll |
GDI32.dll |
KERNEL32.dll |
OLEACC.dll |
SETUPAPI.dll |
USER32.dll |
WINMM.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3848 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\cupk8.fgs | C:\Windows\system32\rundll32.exe | — | explorer.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
272 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | rundll32.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | |
2112 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:272 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
272 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | — | — |
272 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
2112 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bing[2].txt | — | — | — |
2112 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5WCXEHHL\search[1].txt | — | — | — |
2112 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | 24C93E3A685EE586E2A9EF1F24A790CC | C724A580FA5533E201957A8B0157898D2616C341CECF4DA3F4ECDCAC32339D8B |
2112 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | FAF2720A517CB58B8E8F2AAD82266D9D | 5E0E435BACBE34882BD927616C6C83237A734A274F00558A5113D3948EC0B7A0 |
2112 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt | text | 8720A4C5453F58E407D564532016FED8 | 7AAB4C1730D54F3EE373E71CF07AE301DADAD0E7A3D7BF08ED6B9C7B2BEC6B27 |
2112 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bing[1].txt | text | EC57B3C5AE6AE7E734011F27D1C3853C | 1A2D1F5C82A5576DFCBEB3E3259493C835388E55191AC2E3E1564EA50F475250 |
2112 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5WCXEHHL\search[1].htm | html | A6895D1E266DDA838D158F57A6EE9066 | CE21A2F06D7942B67E1B0EF02393FA6DBF647FC2D33AB8E3D1A933A725987691 |
2112 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 2B6762C90B4C0B9F6CEF977B30EE456A | 310183346C48DA0B12587BAFDEF517FC997F27FBB42C60FE6015FDD81BD71FC8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2112 | iexplore.exe | GET | 301 | 2.16.186.16:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=fgs | unknown | — | — | whitelisted |
2112 | iexplore.exe | GET | 302 | 66.39.64.146:80 | http://file.org/extension/fgs | US | html | 214 b | whitelisted |
2112 | iexplore.exe | GET | 302 | 23.51.118.23:80 | http://go.microsoft.com/fwlink/?LinkId=57426&Ext=fgs | NL | — | — | whitelisted |
272 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
2112 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.6 Kb | whitelisted |
2112 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt | US | der | 969 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
272 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2112 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2112 | iexplore.exe | 2.16.186.16:80 | shell.windows.com | Akamai International B.V. | — | whitelisted |
272 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
— | — | 23.51.118.23:80 | go.microsoft.com | Akamai Technologies, Inc. | NL | whitelisted |
2112 | iexplore.exe | 66.39.64.146:80 | file.org | pair Networks | US | malicious |
2112 | iexplore.exe | 185.172.148.132:443 | kcdn.file.org | proinity GmbH | DE | malicious |
2112 | iexplore.exe | 52.164.210.24:443 | consent.cookiebot.com | Microsoft Corporation | IE | whitelisted |
2112 | iexplore.exe | 66.39.64.146:443 | file.org | pair Networks | US | malicious |
2112 | iexplore.exe | 172.217.18.10:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.bing.com | | whitelisted |
go.microsoft.com | | whitelisted |
shell.windows.com | | whitelisted |
login.live.com | | whitelisted |
file.org | | whitelisted |
kcdn.file.org | | whitelisted |
consent.cookiebot.com | | whitelisted |
code.jquery.com | | whitelisted |
pagead2.googlesyndication.com | | whitelisted |
fonts.googleapis.com | | whitelisted |