| Field | Value |
|---|---|
| File name | wsetup.exe |
| Full analysis | https://app.any.run/tasks/13906f3d-b362-4486-a6d4-ce697b18478a |
| Verdict | Malicious activity |
| Analysis date | July 18, 2019, 11:43:28 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | D621F450D24942018C1C25C267DCD9AC |
| SHA1 | 788E529B512FDF729F3B75941DDCEBA8B626CD3C |
| SHA256 | A4E5DB28A8508DF1CA9CC8839B0D409D450B07DE8FD253A9CCDD2C0914B70A0D |
| SSDEEP | 98304:GfK3k0cYf1T/xNWgkB42q6Te+MTXjTqmUrqfGoPp8PMWRa3LF/eEoUwoD:t3k0l7wgkO2q6TzMTzcrqeoPeP147FGc |
| Extension | Identified type (match %) |
|---|---|
| .exe | InstallShield setup (36.8) |
| .exe | Win32 Executable MS Visual C++ (generic) (26.6) |
| .exe | Win64 Executable (generic) (23.6) |
| .dll | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | Win32 Executable (generic) (3.8) |
| Property | Value |
|---|---|
| ProductVersion | 5, 8, 0, 0 |
| LegalCopyright | 青岛锐普信息科技有限公司 |
| FileVersion | 5.8.0.0 |
| FileDescription | 统计网上直报 |
| CompanyName | 青岛锐普信息科技有限公司 |
| CharacterSet | Unicode |
| LanguageCode | Neutral |
| FileSubtype | - |
| ObjectFileType | Executable application |
| FileOS | Win32 |
| FileFlags | (none) |
| FileFlagsMask | 0x003f |
| ProductVersionNumber | 5.8.0.0 |
| FileVersionNumber | 1.0.0.0 |
| Subsystem | Windows GUI |
| SubsystemVersion | 5 |
| ImageVersion | - |
| OSVersion | 5 |
| EntryPoint | 0x4ebbf |
| UninitializedDataSize | - |
| InitializedDataSize | 159232 |
| CodeSize | 442368 |
| LinkerVersion | 9 |
| PEType | PE32 |
| TimeStamp | 2009:02:14 03:23:32+01:00 |
| MachineType | Intel 386 or later, and compatibles |
| Architecture | IMAGE_FILE_MACHINE_I386 |

| Property | Value |
|---|---|
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 14-Feb-2009 02:23:32 |
| Detected languages | |
| CompanyName | 青岛锐普信息科技有限公司 |
| FileDescription | 统计网上直报 |
| FileVersion | 5.8.0.0 |
| LegalCopyright | 青岛锐普信息科技有限公司 |
| ProductVersion | 5, 8, 0, 0 |

| DOS header field | Value |
|---|---|
| Magic number | MZ |
| Bytes on last page of file | 0x0090 |
| Pages in file | 0x0003 |
| Relocations | 0x0000 |
| Size of header | 0x0004 |
| Min extra paragraphs | 0x0000 |
| Max extra paragraphs | 0xFFFF |
| Initial SS value | 0x0000 |
| Initial SP value | 0x00B8 |
| Checksum | 0x0000 |
| Initial IP value | 0x0000 |
| Initial CS value | 0x0000 |
| Overlay number | 0x0000 |
| OEM identifier | 0x0000 |
| OEM information | 0x0000 |
| Address of NE header | 0x000000F8 |

| PE header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| Number of sections | 4 |
| Time date stamp | 14-Feb-2009 02:23:32 |
| Pointer to Symbol Table | 0x00000000 |
| Number of symbols | 0 |
| Size of Optional Header | 0x00E0 |
| Characteristics | |

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0006BEB9 | 0x0006C000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.56344 |
.rdata | 0x0006D000 | 0x0001C328 | 0x0001C400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.30347 |
.data | 0x0008A000 | 0x000084FC | 0x00003400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.43697 |
.rsrc | 0x00093000 | 0x00007450 | 0x00007600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.35658 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.79597 | 346 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.02695 | 308 | Latin 1 / Western European | Chinese - PRC | RT_CURSOR |
3 | 2.74274 | 180 | Latin 1 / Western European | Chinese - PRC | RT_CURSOR |
4 | 2.34038 | 308 | Latin 1 / Western European | Chinese - PRC | RT_CURSOR |
5 | 2.34004 | 308 | Latin 1 / Western European | Chinese - PRC | RT_CURSOR |
6 | 2.51649 | 308 | Latin 1 / Western European | Chinese - PRC | RT_CURSOR |
7 | 2.45401 | 308 | Latin 1 / Western European | Chinese - PRC | RT_CURSOR |
8 | 2.34864 | 308 | Latin 1 / Western European | Chinese - PRC | RT_CURSOR |
9 | 2.82349 | 352 | Latin 1 / Western European | UNKNOWN | RT_DIALOG |
10 | 2.34864 | 308 | Latin 1 / Western European | Chinese - PRC | RT_CURSOR |

| Imported library |
|---|
| ADVAPI32.dll |
| COMCTL32.dll |
| COMDLG32.dll |
| GDI32.dll |
| KERNEL32.dll |
| OLEACC.dll (delay-loaded) |
| OLEAUT32.dll |
| SHELL32.dll |
| SHLWAPI.dll |
| USER32.dll |

| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3096 | "C:\wsetup.exe" | C:\wsetup.exe | — | explorer.exe |
| | User: admin; Company: 青岛锐普信息科技有限公司; Integrity Level: MEDIUM; Description: 统计网上直报; Exit code: 3221226540; Version: 5.8.0.0 | | | |
| 3436 | "C:\wsetup.exe" | C:\wsetup.exe | | explorer.exe |
| | User: admin; Company: 青岛锐普信息科技有限公司; Integrity Level: HIGH; Description: 统计网上直报; Exit code: 0; Version: 5.8.0.0 | | | |
| 2848 | C:\Windows\system32\Regsvr32.exe "C:\Windows\msscript.ocx" /s | C:\Windows\system32\Regsvr32.exe | — | wsetup.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft(C) Register Server; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 3648 | C:\Windows\system32\Regsvr32.exe "C:\Windows\SdcaTsa.ocx" /s | C:\Windows\system32\Regsvr32.exe | — | wsetup.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft(C) Register Server; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 3288 | C:\Windows\system32\Regsvr32.exe "C:\Windows\JITSecurityTool.ocx" /s | C:\Windows\system32\Regsvr32.exe | — | wsetup.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft(C) Register Server; Exit code: 3; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 3948 | "C:\Program Files\统计网上直报\P_Sips_Client_CA.exe" | C:\Program Files\统计网上直报\P_Sips_Client_CA.exe | | wsetup.exe |
| | User: admin; Company: 青岛锐普信息科技; Integrity Level: HIGH; Version: 5.0.0.10 | | | |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3436 | wsetup.exe | C:\Users\admin\AppData\Local\Temp\YingInstall20190718124404647.xml | xml | BE18776E567ACE4A7E6C54C60F29D0EF | 1D1386473CA18A0556A54D182D202072C54D98401F63861955E16A2647F0C258 |
| 3436 | wsetup.exe | C:\Windows\Ying-UnInstall.exe | executable | 044DA05D21FF441E83F5CAE3C3F4244F | 8644CD32212D443C49755D2BF9A00D33876FB64D9D3AA67DDF6294744B48E962 |
| 3436 | wsetup.exe | C:\Windows\watermark.dll | executable | EBF58FA810A8DDFCB345EF3429736AF6 | EB9C2A332568CA397E47F9BA932F22ECFB6401FFF9E2BF40E815B5CD016F9E03 |
| 3436 | wsetup.exe | C:\Users\admin\Desktop\运行统计网上直报.Lnk | lnk | D731A78D9C8BD54BB609C05B4D95D234 | F68D01DEF8D3248C9E53236EC58BF99FCA9E1561ECF206A290CC16688E6F85ED |
| 3436 | wsetup.exe | C:\Program Files\统计网上直报\Update.exe | executable | 9CE2808DB93BA8B5B0A5BDEAF5F10FBB | C92312C482A9909D781E33C70124E341AE34B288875F6FC8D4D3FAA940AEC331 |
| 3436 | wsetup.exe | C:\Windows\sdcatsaclient.dll | executable | B9EC876D8566A71CC674C2792F8B0013 | E036DF490EE9426FCA4F4E9DCC60C5F7F2C59BAAA050B1E9C9ECCCD8C21E11D9 |
| 3436 | wsetup.exe | C:\Windows\jca30api.dll | executable | 8DBCF392B87FF14BFCB7641189ACD34E | 51ACD28F344F38030A9BEEFE843320884983EC0898323C86644D280C9B172110 |
| 3436 | wsetup.exe | C:\Program Files\统计网上直报\统计网上直报 5.0.UCIP | xml | BE18776E567ACE4A7E6C54C60F29D0EF | 1D1386473CA18A0556A54D182D202072C54D98401F63861955E16A2647F0C258 |
| 3436 | wsetup.exe | C:\Windows\system32\YingInstall\409.ini | text | 536132C69DEC86E76C12397F5E407DE1 | 3996CA0C3D3260A838CDD3D52BE565B77DC103261FB28464B9C186ED8A7A40DE |
| 3436 | wsetup.exe | C:\Windows\JITSecurityTool.ocx | executable | F4A084D1B0490682E630416B0A8727BF | 88EC6610B00E606627F59053A71D443B8A1A42140C91765211A33F0F76D60BE7 |