File name: | 44.exe |
Full analysis: | https://app.any.run/tasks/c9a32fa2-8bda-4c32-be2a-166a1455b9ad |
Verdict: | Malicious activity |
Analysis date: | January 24, 2022, 23:56:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | AB882A80736C7A7F8F70530E9EEB5CCF |
SHA1: | A123B86E4B1D5DB92B3FA7DD74096C746D3F5238 |
SHA256: | AE9225C383CBDB69E7832115DFC7C235824C77B4F0A1BB7E5E51DC733AD47017 |
SSDEEP: | 384:9Zyt4DQolYxOoyi0q1eU+UEJ8cFQPzgIij+ZsNO3PlpJKkkjh/TzF7pWnS/greTn:3IouIli0Uezl86wuXQ/oP/+L |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
---|---|---|
.exe | | | Win64 Executable (generic) (21.3) |
.scr | | | Windows screen saver (10.1) |
.dll | | | Win32 Dynamic Link Library (generic) (5) |
.exe | | | Win32 Executable (generic) (3.4) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0xc37e |
UninitializedDataSize: | - |
InitializedDataSize: | 1536 |
CodeSize: | 41984 |
LinkerVersion: | 8 |
PEType: | PE32 |
TimeStamp: | 2022:01:24 23:09:32+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 24-Jan-2022 22:09:32 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 24-Jan-2022 22:09:32 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x0000A384 | 0x0000A400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.69817 |
.rsrc | 0x0000E000 | 0x00000400 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.51607 |
.reloc | 0x00010000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0815394 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3104 | "C:\Users\admin\AppData\Local\Temp\44.exe" | C:\Users\admin\AppData\Local\Temp\44.exe | Explorer.EXE | |
User: admin Integrity Level: MEDIUM | ||||
2876 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\onemature.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8C5E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2876 | WINWORD.EXE | C:\Users\admin\Desktop\~$emature.rtf | pgc | |
MD5:C5E5236DE5F3F27E97320B153B07200B | SHA256:2EBA6F56888824D0BE0F38BAAB209116DB3B97EB2DEBA713823D612A5A3314DC | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7C820296-7C58-4DF7-B4B7-9591679D3582}.tmp | dbf | |
MD5:55E1C6E4FCFEE08639E79AC4EEE74674 | SHA256:DBF53B643A850DA057A79D4A1296DC2FF9B9B99AC51A067D5181C9BB7CE2D4B1 | |||
3104 | 44.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | executable | |
MD5:AB882A80736C7A7F8F70530E9EEB5CCF | SHA256:AE9225C383CBDB69E7832115DFC7C235824C77B4F0A1BB7E5E51DC733AD47017 | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:FE58BD3263BBE6FA48B7142052FD22E5 | SHA256:A35B2BA4F566C4BA90B4621A0BA927C20D047EBE1466A9572A25D3C8239D55B1 | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:4B6112A33A9C95FAD8E46C4331175B79 | SHA256:1AC9CC1474679841766FE3FDAF22D6B398B3B52A5F4A710BB2242C200B7922F5 | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\onemature.rtf.LNK | lnk | |
MD5:221D77E42827234AF423D2732CF0424B | SHA256:AD870E16000B7B928CE2715E3AF7E9F6A4E63889C503020A6D36D6138359899E | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B3FC6DAD-E4C0-40D2-82D6-E4CB97A2964B}.tmp | binary | |
MD5:FCA7C885B42EC5A935DF26CEB05E336E | SHA256:1FD28FE0A61964DC84DCA7221BBC21932E6157A5F630EC83E92589D218E3920E | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D547F7DE-2033-40BC-BF1E-17FB9986F4F3}.tmp | smt | |
MD5:5D4D94EE7E06BBB0AF9584119797B23A | SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 3.142.129.56:10529 | 8.tcp.ngrok.io | — | US | malicious |
— | — | 3.142.81.166:10529 | 8.tcp.ngrok.io | — | US | malicious |
3104 | 44.exe | 3.142.129.56:10529 | 8.tcp.ngrok.io | — | US | malicious |
— | — | 3.142.167.4:10529 | 8.tcp.ngrok.io | — | US | malicious |
3104 | 44.exe | 3.142.167.4:10529 | 8.tcp.ngrok.io | — | US | malicious |
3104 | 44.exe | 3.142.81.166:10529 | 8.tcp.ngrok.io | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
8.tcp.ngrok.io |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) |
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) |
3104 | 44.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 693 |
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) |