| File name: | C:\Users\admin\Desktop\Preview.exe |
|---|---|
| Full analysis: | https://app.any.run/tasks/c5e79956-bd0c-436b-9380-f4c3bcd5468f |
| Verdict: | Malicious activity |
| Analysis date: | February 04, 2020, 22:22:46 |
| OS: | Windows 8.1 Professional (build: 9600, 32 bit) |
| Indicators: | — |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 7F48367462B57C4DDC809279FAC60C55 |
| SHA1: | 73BB3C6296A7E458E05B746A060463CFDC265080 |
| SHA256: | A87F07BD569A7268C5A5D2C1AD0F89A288D66852A75033B9137A8483C47E41DA |
| SSDEEP: | 3072:jhze7UWhJw3Q8Zc6nVnCCdUbG4aW45g11vW16m4IMIwWr1xE/IlT6b:WrmnVhUbpaRW11O16m4YdxyQlTe |
| Extension | File type (match, %) |
|---|---|
| .exe | Win64 Executable (generic) (64.6) |
| .dll | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | Win32 Executable (generic) (10.5) |
| .exe | Generic Win/DOS Executable (4.6) |
| .exe | DOS Executable Generic (4.6) |
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:02:04 20:38:44+01:00 |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 61440 |
| InitializedDataSize: | 131072 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xece0 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.1 |
| ProductVersionNumber: | 1.0.0.1 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | - |
| FileDescription: | GridCtrlDemo MFC Application |
| FileVersion: | 1, 0, 0, 1 |
| InternalName: | GridCtrlDemo |
| LegalCopyright: | Copyright (C) 1998 |
| LegalTrademarks: | - |
| OriginalFileName: | GridCtrlDemo.EXE |
| ProductName: | GridCtrlDemo Application |
| ProductVersion: | 1, 0, 0, 1 |
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 04-Feb-2020 19:38:44 |
| Detected languages: | — |
| CompanyName: | - |
| FileDescription: | GridCtrlDemo MFC Application |
| FileVersion: | 1, 0, 0, 1 |
| InternalName: | GridCtrlDemo |
| LegalCopyright: | Copyright (C) 1998 |
| LegalTrademarks: | - |
| OriginalFilename: | GridCtrlDemo.EXE |
| ProductName: | GridCtrlDemo Application |
| ProductVersion: | 1, 0, 0, 1 |
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x000000F0 |
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 4 |
| Time date stamp: | 04-Feb-2020 19:38:44 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: | — |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x0000EA34 | 0x0000F000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.10905 |
.rdata | 0x00010000 | 0x0000390C | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.54776 |
.data | 0x00014000 | 0x000003EC | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.22915 |
.rsrc | 0x00015000 | 0x0001AD28 | 0x0001B000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.89964 |
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 3.3492 | 804 | UNKNOWN | English - United States | RT_VERSION |
7 | 2.11194 | 76 | UNKNOWN | English - United States | RT_STRING |
100 | 3.53669 | 738 | UNKNOWN | English - United States | RT_DIALOG |
102 | 3.55752 | 3018 | UNKNOWN | English - Australia | RT_DIALOG |
128 | 1.91924 | 20 | UNKNOWN | English - Australia | RT_GROUP_ICON |
141 | 4.40478 | 1320 | UNKNOWN | English - Australia | RT_BITMAP |
12184 | 6.88701 | 95556 | UNKNOWN | English - Australia | DZCASSDZGT |
| Imported DLL |
|---|
| ADVAPI32.dll |
| COMCTL32.dll |
| GDI32.dll |
| KERNEL32.dll |
| MFC42.DLL |
| MSVCP60.dll |
| MSVCRT.dll |
| USER32.dll |
| ole32.dll |
| PID | Command line | Image path | Parent process | User | Integrity level | Description (company) | Exit code | Version |
|---|---|---|---|---|---|---|---|---|
| 256 | C:\Windows\system32\WerFault.exe -u -p 2548 -s 504 | C:\Windows\system32\WerFault.exe | plugin.exe | admin | HIGH | Windows Problem Reporting (Microsoft Corporation) | 0 | 6.3.9600.16384 (winblue_rtm.130821-1623) |
| 280 | C:\ProgramData\UBlockPlugin\plugin.exe | C:\Windows\system32\secinit.exe | plugin.exe | admin | MEDIUM | Security Init (Microsoft Corporation) | 3221225477 (0xC0000005) | 6.3.9600.16384 (winblue_rtm.130821-1623) |
| 856 | "C:\ProgramData\UBlockPlugin\plugin.exe" | C:\ProgramData\UBlockPlugin\plugin.exe | userinit.exe | admin | MEDIUM | GridCtrlDemo MFC Application | 3221225477 (0xC0000005) | 1, 0, 0, 1 |
| 1056 | "C:\Users\admin\Desktop\Preview.exe" | C:\Users\admin\Desktop\Preview.exe | explorer.exe | admin | HIGH | GridCtrlDemo MFC Application | 0 | 1, 0, 0, 1 |
| 1068 | C:\Windows\system32\WerFault.exe -u -p 2908 -s 168 | C:\Windows\system32\WerFault.exe | secinit.exe | admin | HIGH | Windows Problem Reporting (Microsoft Corporation) | 0 | 6.3.9600.16384 (winblue_rtm.130821-1623) |
| 1420 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | explorer.exe | admin | HIGH | Task Manager (Microsoft Corporation) | 0 | 6.3.9600.16384 (winblue_rtm.130821-1623) |
| 1464 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | admin | MEDIUM | Windows Explorer (Microsoft Corporation) | 1287 | 6.3.9600.17031 (winblue_gdr.140221-1952) |
| 1544 | C:\Windows\system32\WerFault.exe -u -p 1616 -s 168 | C:\Windows\system32\WerFault.exe | secinit.exe | admin | HIGH | Windows Problem Reporting (Microsoft Corporation) | 0 | 6.3.9600.16384 (winblue_rtm.130821-1623) |
| 1576 | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | svchost.exe | admin | MEDIUM | Windows host process (Rundll32) (Microsoft Corporation) | 0 | 6.3.9600.16384 (winblue_rtm.130821-1623) |
| 1616 | C:\ProgramData\UBlockPlugin\plugin.exe | C:\Windows\system32\secinit.exe | plugin.exe | admin | HIGH | Security Init (Microsoft Corporation) | 3221225477 (0xC0000005) | 6.3.9600.16384 (winblue_rtm.130821-1623) |
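Two rows in the process table deserve a second look: PIDs 280 and 1616 carry the command line `C:\ProgramData\UBlockPlugin\plugin.exe` but their resolved image is `C:\Windows\system32\secinit.exe`, and the file table shows `Preview.exe` writing `plugin.exe` to `C:\ProgramData` before it runs as PID 856. The script below is an added triage check written for this page, not part of the sandbox report or the sample; it runs over a constructed subset of the tables above (copied as printed, PIDs included) and flags both patterns: a command line naming one executable while a different image is mapped, and an executable dropped under a user-writable root that later appears as a process image. The writable roots and the treatment of the sandbox's "executable" type tag are assumptions of the example.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    cmdline: str   # command line as the sandbox reported it
    image: str     # image path the sandbox resolved for the running process
    parent: str    # parent process name


@dataclass(frozen=True)
class FileWrite:
    pid: int
    process: str
    path: str
    kind: str      # sandbox "Type" column; "executable" marks a PE written to disk


# Constructed sample: a subset of the process and file tables in this report,
# copied as the sandbox printed them (PIDs differ between the two tables there).
PROCS = [
    Proc(1056, r'"C:\Users\admin\Desktop\Preview.exe"', r"C:\Users\admin\Desktop\Preview.exe", "explorer.exe"),
    Proc(856, r'"C:\ProgramData\UBlockPlugin\plugin.exe"', r"C:\ProgramData\UBlockPlugin\plugin.exe", "userinit.exe"),
    Proc(280, r"C:\ProgramData\UBlockPlugin\plugin.exe", r"C:\Windows\system32\secinit.exe", "plugin.exe"),
    Proc(1616, r"C:\ProgramData\UBlockPlugin\plugin.exe", r"C:\Windows\system32\secinit.exe", "plugin.exe"),
    Proc(256, r"C:\Windows\system32\WerFault.exe -u -p 2548 -s 504", r"C:\Windows\system32\WerFault.exe", "plugin.exe"),
    Proc(1420, r'"C:\Windows\system32\taskmgr.exe" /4', r"C:\Windows\system32\taskmgr.exe", "explorer.exe"),
    Proc(1464, r"C:\Windows\Explorer.EXE", r"C:\Windows\explorer.exe", "-"),
]

FILES = [
    FileWrite(3160, "Preview.exe", r"C:\ProgramData\UBlockPlugin\plugin.exe", "executable"),
    FileWrite(2876, "WerFault.exe", r"C:\Users\admin\AppData\Local\Temp\WAX9E5C.tmp", "-"),
]


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line: the image the launcher asked for."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def _norm(path: str) -> str:
    # ntpath.normcase lower-cases and normalises separators on any host OS,
    # so Explorer.EXE and explorer.exe compare equal
    return ntpath.normcase(path)


def image_mismatches(procs):
    """PIDs whose resolved image is not the image named on their command line.

    A child created suspended and given different code before it runs looks
    exactly like PIDs 280 and 1616 in the table: the command line says
    plugin.exe, the mapped image is secinit.exe.
    """
    return [
        (p.pid, cmdline_image(p.cmdline), p.image)
        for p in procs
        if _norm(cmdline_image(p.cmdline)) != _norm(p.image)
    ]


def dropped_then_executed(files, procs, roots=(r"C:\ProgramData", r"C:\Users")):
    """Executables written under a user-writable root (assumed list) that later run."""
    written = {_norm(f.path): f for f in files if f.kind == "executable"}
    hits = []
    for p in procs:
        img = _norm(p.image)
        under_root = any(img.startswith(_norm(r) + "\\") for r in roots)
        if under_root and img in written:
            hits.append((written[img].process, p.pid, p.image))
    return hits


if __name__ == "__main__":
    for pid, claimed, actual in image_mismatches(PROCS):
        print(f"[image mismatch] pid={pid} cmdline={claimed} image={actual}")
    for dropper, pid, path in dropped_then_executed(FILES, PROCS):
        print(f"[drop+exec] {dropper} wrote {path}; it ran as pid {pid}")
```

Both checks compare normalised paths rather than file names only, so a drop into a directory that merely shares a name with a system path is not masked, and the command-line parser handles the quoted and unquoted forms that appear in the table.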
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 1464 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\10b\52C64B7E | LanguageList | write | en-US |
| 1464 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\10b\52C64B7E | @sendmail.dll,-21 | write | Desktop (create shortcut) |
| 1464 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\10b\52C64B7E | @zipfldr.dll,-10148 | write | Compressed (zipped) folder |
| 1464 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\10b\52C64B7E | @sendmail.dll,-4 | write | Mail recipient |
| 1464 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\10b\52C64B7E | @C:\Windows\system32\FXSRESM.dll,-120 | write | Fax recipient |
| 1464 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | LangID | write | 0904 |
| 1464 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\system32\WFS.exe.FriendlyAppName | write | Microsoft Windows Fax and Scan |
| 1464 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\system32\WFS.exe.ApplicationCompany | write | Microsoft Corporation |
| 1464 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Skype\Phone\Skype.exe.FriendlyAppName | write | Skype |
| 1464 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Skype\Phone\Skype.exe.ApplicationCompany | write | Skype Technologies S.A. |
| PID | Process | Filename | Type |
|---|---|---|---|
| 2876 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER9E7D.tmp.appcompat.txt | — |
| 2876 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER9E9D.tmp.WERInternalMetadata.xml | — |
| 2876 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_e568c6de1e567386a44ca4a2cfb968619dfea70_d9f2c416_cab_0b299eba\memory.hdmp | — |
| 2876 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_e568c6de1e567386a44ca4a2cfb968619dfea70_d9f2c416_cab_0b299eba\Report.wer.tmp | — |
| 2876 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WAX9E5C.tmp | — |
| 3160 | Preview.exe | C:\ProgramData\UBlockPlugin\plugin.exe | executable |
| 2876 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_e568c6de1e567386a44ca4a2cfb968619dfea70_d9f2c416_cab_0b299eba\WER9E9D.tmp.WERInternalMetadata.xml | xml |
| 1068 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_secinit.exe_2a5d748b165b23af182742457c1e50d6d12f6b_5ad80c12_0439c05c\Report.wer | binary |
| 1068 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\secinit.exe.2908.dmp | dmp |
| 2876 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_e568c6de1e567386a44ca4a2cfb968619dfea70_d9f2c416_cab_0b299eba\WER9E7D.tmp.appcompat.txt | xml |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2824 | plugin.exe | GET | 200 | 108.62.118.46:443 | https://108.62.118.46/api/update/MDM2MzNkYWE3ZTNiZWFiMDUzMGM3OTU5OWRlNzgyNzllZDAyY2MxZWE3YjA3MDVhN2VlZGExMjJhMzFmNjIyYmZkZjJiMmU2NDIyYzQzNTE4MTc5NmIwYzQ2ZTJiMWZiZTczZGI1YWExOGEwZTRiNTYzMzlkODQ5N2I2OGQ1Y2VkMTQ1MTQ5MDY1NDNmZWY4NjdjYTgzYzE5NTIyZDlhYmRlMGEyMTNkNjAzNGVlMDdiZmRmNDM5YTBlOGVjM2E0YTE5NzliYTU1MTBmZGU2MDIwNjIzNjc1ZjNmZDdiNWFmMWY4YTkxNmFjZmJiOGJiY2QwNTBkYjUzMjc2NjgwMWJjOTFkYjY3MjdjNjIyZGRhZDc1YzdhYTc0MjU1MzE4ZWIyNDI1ZmJiNzUyYzI0N2QyYjM2ZQ== | US | text | 1.79 Kb | unknown |
2452 | plugin.exe | GET | 200 | 108.62.118.46:443 | https://108.62.118.46/api/update/MDM2MzNkYWE3ZTNiZWFiMDUzMGM3OTU5OWRlNzgyNzllZDAyY2MxZWE3YjA3MDVhN2VlZGExMjJhMzFmNjIyYmZkZjJiMmU2NDIyYzQzNTE4MTc5NmIwYzQ2ZTJiMWZiZTczZGI1YWExOGEwZTRiNTYzMzlkODQ5N2I2OGQ1Y2VkMTQ1MTQ5MDY1NDNmZWY4NjdjYTgzYzE5NTIyZDlhYmRlMGEyMTNkNjAzNGVlMDdiZmRmNDM5YTBlOGVjM2E0YTE5NzliYTU1MTBmZGU2MDIwNjIzNjc1ZjNmZDdiNWFmMWY4YTkxNmFjZmJiOGJiY2QwNTBkYjUzMjc2NjgwMWJjOTFkYjY3MjdjNjIyZGRhZDc1YzdhYTc0MjU1MzE4ZWIyNDI1ZmJhMzQ1Y2E1Y2MwOWY3ZDk3 | US | text | 236 b | unknown |
2824 | plugin.exe | GET | 200 | 108.62.118.46:443 | https://108.62.118.46/api/download/MDM2MzNkYWE3ZTNiZWFiMDUzMGM3OTU5OWRlNzgyNzllZDAyY2MxZWE3YjA3MDVhN2VlZGExMjJhMzFmNjIyYmZkZjJiMmU2NDIyYzQzNTE4MTc5NmIwYzQ2ZTJiMWZiZTczZGI1YWExOGEwZTRiNTYzMzlkODQ5N2I2OGQ1Y2VkMTE3MWU5MTMxNDJhZmFhMzVkMmQ3OWJjNTJjYzZhOWQyNWI3NjcxNmM2MWU4MDdhMzhjMTdjOTUxODZjYmYxZjJjOTk1YTc1MQ== | US | binary | 332 Kb | unknown |
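The last path component of each request to 108.62.118.46 is base64. The script below is an added check written for this page, not part of the sandbox report or the sample: it copies the three URLs verbatim, decodes the path token and reports what comes out. The decoded tokens are strings of lowercase hex digits; the two `/api/update/` tokens share a long common prefix and differ only in their tails, and the `/api/download/` token shares a shorter prefix with them. What the hex encodes (a client identifier, an encrypted blob) cannot be determined from this report, and the script does not try to guess; the `/api/<endpoint>/<token>` path layout it expects is taken from the three URLs and is an assumption for any other input.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# The three request URLs from the HTTP table in this report, copied verbatim.
URLS = [
    "https://108.62.118.46/api/update/MDM2MzNkYWE3ZTNiZWFiMDUzMGM3OTU5OWRlNzgyNzllZDAyY2MxZWE3YjA3MDVhN2VlZGExMjJhMzFmNjIyYmZkZjJiMmU2NDIyYzQzNTE4MTc5NmIwYzQ2ZTJiMWZiZTczZGI1YWExOGEwZTRiNTYzMzlkODQ5N2I2OGQ1Y2VkMTQ1MTQ5MDY1NDNmZWY4NjdjYTgzYzE5NTIyZDlhYmRlMGEyMTNkNjAzNGVlMDdiZmRmNDM5YTBlOGVjM2E0YTE5NzliYTU1MTBmZGU2MDIwNjIzNjc1ZjNmZDdiNWFmMWY4YTkxNmFjZmJiOGJiY2QwNTBkYjUzMjc2NjgwMWJjOTFkYjY3MjdjNjIyZGRhZDc1YzdhYTc0MjU1MzE4ZWIyNDI1ZmJiNzUyYzI0N2QyYjM2ZQ==",
    "https://108.62.118.46/api/update/MDM2MzNkYWE3ZTNiZWFiMDUzMGM3OTU5OWRlNzgyNzllZDAyY2MxZWE3YjA3MDVhN2VlZGExMjJhMzFmNjIyYmZkZjJiMmU2NDIyYzQzNTE4MTc5NmIwYzQ2ZTJiMWZiZTczZGI1YWExOGEwZTRiNTYzMzlkODQ5N2I2OGQ1Y2VkMTQ1MTQ5MDY1NDNmZWY4NjdjYTgzYzE5NTIyZDlhYmRlMGEyMTNkNjAzNGVlMDdiZmRmNDM5YTBlOGVjM2E0YTE5NzliYTU1MTBmZGU2MDIwNjIzNjc1ZjNmZDdiNWFmMWY4YTkxNmFjZmJiOGJiY2QwNTBkYjUzMjc2NjgwMWJjOTFkYjY3MjdjNjIyZGRhZDc1YzdhYTc0MjU1MzE4ZWIyNDI1ZmJhMzQ1Y2E1Y2MwOWY3ZDk3",
    "https://108.62.118.46/api/download/MDM2MzNkYWE3ZTNiZWFiMDUzMGM3OTU5OWRlNzgyNzllZDAyY2MxZWE3YjA3MDVhN2VlZGExMjJhMzFmNjIyYmZkZjJiMmU2NDIyYzQzNTE4MTc5NmIwYzQ2ZTJiMWZiZTczZGI1YWExOGEwZTRiNTYzMzlkODQ5N2I2OGQ1Y2VkMTE3MWU5MTMxNDJhZmFhMzVkMmQ3OWJjNTJjYzZhOWQyNWI3NjcxNmM2MWU4MDdhMzhjMTdjOTUxODZjYmYxZjJjOTk1YTc1MQ==",
]

_HEX = re.compile(r"\A[0-9a-f]+\Z")


def split_api_path(url: str):
    """Return (endpoint, token) for a URL shaped https://host/api/<endpoint>/<token>."""
    parts = urlsplit(url).path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "api":
        raise ValueError(f"unexpected path layout: {parts!r}")
    return parts[1], parts[2]


def decode_token(token: str) -> str:
    """Base64-decode a path token, tolerating stripped '=' padding.

    Bytes outside ASCII are replaced rather than raising, so a token that is
    not text still yields a string the caller can classify as non-hex.
    """
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"token is not base64: {exc}") from exc
    return raw.decode("ascii", errors="replace")


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def analyse(urls):
    """One row per URL: endpoint, decoded token, whether it is pure hex, and its length."""
    rows = []
    for url in urls:
        endpoint, token = split_api_path(url)
        text = decode_token(token)
        rows.append({
            "endpoint": endpoint,
            "decoded": text,
            "is_hex": bool(_HEX.match(text)),
            "length": len(text),
        })
    return rows


if __name__ == "__main__":
    rows = analyse(URLS)
    first = rows[0]["decoded"]
    for r in rows:
        shared = common_prefix_len(first, r["decoded"])
        print(f"{r['endpoint']:<9} hex={r['is_hex']} len={r['length']} shared_prefix_with_first={shared}")
        print("  " + r["decoded"][:64] + "...")
```

Padding is restored before decoding because tokens of this kind are often logged with their trailing `=` stripped; a token whose length is 1 mod 4 is still rejected as malformed base64.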
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2824 | plugin.exe | 108.62.118.46:443 | — | Nobis Technology Group, LLC | US | unknown |
2452 | plugin.exe | 108.62.118.46:443 | — | Nobis Technology Group, LLC | US | unknown |
| Process | Message |
|---|---|
| Preview.exe | SHIMVIEW: ShimInfo(Complete) |
| Preview.exe | SHIMVIEW: ShimInfo(Complete) |
| rundll32.exe | SHIMVIEW: ShimInfo(Complete) |
| plugin.exe | SHIMVIEW: ShimInfo(Complete) |
| plugin.exe | SHIMVIEW: ShimInfo(Complete) |
| secinit.exe | SHIMVIEW: ShimInfo(Complete) |
| rundll32.exe | SHIMVIEW: ShimInfo(Complete) |
| plugin.exe | SHIMVIEW: ShimInfo(Complete) |
| secinit.exe | SHIMVIEW: ShimInfo(Complete) |