File name: | DriveMgr.exe_ |
Full analysis: | https://app.any.run/tasks/9ab3ce51-906f-4396-b160-bebda9a44212 |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 08:28:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 3E192565C63C8106F2B97696556E39D0 |
SHA1: | 270F87AD68F9C2FF6F21E613051DC93B8D673C75 |
SHA256: | A5D73594E10402ADFF9180BD4D85818D4E5FBE363193C6A26BBD468A52368F96 |
SSDEEP: | 384:VFl9ooXxU7s/uG67epLs1szUQxErIay2vWpQ6e21BV7ISlDqzhr3:7l9G7s/uGhpLH5EoXBV7VWzF |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x471a |
UninitializedDataSize: | - |
InitializedDataSize: | 17408 |
CodeSize: | 14848 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2020:09:12 21:35:21+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 12-Sep-2020 19:35:21 |
Detected languages: |
|
Debug artifacts: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000E8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 12-Sep-2020 19:35:21 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000038B2 | 0x00003A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.7829 |
.rdata | 0x00005000 | 0x0000363F | 0x00003800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.32249 |
.data | 0x00009000 | 0x000003D4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.04474 |
.rsrc | 0x0000A000 | 0x000001B4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.09798 |
.reloc | 0x0000B000 | 0x0000071C | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.86957 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.79597 | 346 | Latin 1 / Western European | English - United States | RT_MANIFEST |
ADVAPI32.dll |
KERNEL32.dll |
MSVCRT.dll |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
WININET.dll |
ole32.dll |
urlmon.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1500 | "C:\Users\admin\AppData\Local\Temp\DriveMgr.exe_.exe" | C:\Users\admin\AppData\Local\Temp\DriveMgr.exe_.exe | Explorer.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1260 | C:\15144161123675\svchost.exe | C:\15144161123675\svchost.exe | DriveMgr.exe_.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
1500 | DriveMgr.exe_.exe | C:\15144161123675\svchost.exe | executable | |
MD5:3E192565C63C8106F2B97696556E39D0 | SHA256:A5D73594E10402ADFF9180BD4D85818D4E5FBE363193C6A26BBD468A52368F96 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1260 | svchost.exe | GET | — | 64.70.19.203:80 | http://seuufhehfueugheh.ws/1 | US | — | — | malicious |
1260 | svchost.exe | GET | — | 64.70.19.203:80 | http://seuufhehfueugheh.ws/2 | US | — | — | malicious |
1260 | svchost.exe | GET | — | 64.70.19.203:80 | http://seuufhehfueugheh.ws/3 | US | — | — | malicious |
1260 | svchost.exe | GET | — | 64.70.19.203:80 | http://seuufhehfueugheh.ws/5 | US | — | — | malicious |
1260 | svchost.exe | GET | — | 64.70.19.203:80 | http://seuufhehfueugheh.ws/4 | US | — | — | malicious |
1260 | svchost.exe | GET | — | 64.70.19.203:80 | http://feuhdeuhduhuehdh.ws/2 | US | — | — | malicious |
1260 | svchost.exe | GET | — | 64.70.19.203:80 | http://feuhdeuhduhuehdh.ws/1 | US | — | — | malicious |
1260 | svchost.exe | GET | — | 64.70.19.203:80 | http://feuhdeuhduhuehdh.ws/3 | US | — | — | malicious |
1500 | DriveMgr.exe_.exe | GET | 404 | 185.215.113.84:80 | http://tsrv1.ws/tldr.php?inf=1 | PT | html | 564 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1260 | svchost.exe | 64.70.19.203:80 | seuufhehfueugheh.ws | Savvis | US | malicious |
1500 | DriveMgr.exe_.exe | 185.215.113.84:80 | tsrv1.ws | Ebonyhorizon Telecomunicacoes S.A. | PT | malicious |
Domain | IP | Reputation |
---|---|---|
tsrv1.ws |
| malicious |
worm.ws |
| malicious |
worm.top |
| malicious |
seuufhehfueugheh.ws |
| malicious |
feuhdeuhduhuehdh.ws |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1500 | DriveMgr.exe_.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 21 |
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |