Field | Value |
---|---|
File name | HSE-GG-64.exe |
Full analysis | https://app.any.run/tasks/e136d369-dc07-4a8a-8bbd-16a9f8497622 |
Verdict | Malicious activity |
Analysis date | October 05, 2022, 07:49:28 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 7B7946F2AB59350E1021C114F3B1E0DC |
SHA1 | B9662B9E4F11361FACFCDF53607063C95FFF7941 |
SHA256 | B0503818B24F88522173F6576E3C68EA2147EFC8FF2D614CC2E2F5DF82929562 |
SSDEEP | 196608:Fy6IWsBhl09sjS71SB76K38zJ45cz5L1zZkjn6JUjbOEmZcNGAenyRjvrm7:FGW8hxjiUt8GczymJCqSNGAenyRvrm |
Extension | Detected type (score) |
---|---|
.exe | Win64 Executable (generic) (64.6) |
.dll | Win32 Dynamic Link Library (generic) (15.4) |
.exe | Win32 Executable (generic) (10.5) |
.exe | Generic Win/DOS Executable (4.6) |
.exe | DOS Executable Generic (4.6) |
Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2020-Oct-14 19:55:06 |
Detected languages | |
Debug artifacts | |
DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 144 |
e_cp | 3 |
e_crlc | - |
e_cparhdr | 4 |
e_minalloc | - |
e_maxalloc | 65535 |
e_ss | - |
e_sp | 184 |
e_csum | - |
e_ip | - |
e_cs | - |
e_ovno | - |
e_oemid | - |
e_oeminfo | - |
e_lfanew | 272 |
PE file header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberOfSections | 5 |
TimeDateStamp | 2020-Oct-14 19:55:06 |
PointerToSymbolTable | - |
NumberOfSymbols | - |
SizeOfOptionalHeader | 224 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 923134 | 923136 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.57534 |
.rdata | 929792 | 172020 | 172032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.9976 |
.data | 1101824 | 18276 | 7680 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.92966 |
.rsrc | 1122304 | 12577986 | 12578304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.95951 |
.reloc | 13701120 | 35472 | 35840 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.66711 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.90449 | 270376 | Latin 1 / Western European | English - United States | RT_ICON |
2 | 5.89491 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 4.99484 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 5.33342 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 4.09873 | 67624 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 4.73917 | 16936 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 4.50481 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
8 | 3.63961 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 4.10295 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
10 | 3.30785 | 16936 | Latin 1 / Western European | English - United States | RT_ICON |
Imported DLL |
---|
ADVAPI32.dll |
GDI32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
WININET.dll |
WS2_32.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3128 | "C:\Users\admin\AppData\Local\Temp\HSE-GG-64.exe" | C:\Users\admin\AppData\Local\Temp\HSE-GG-64.exe | | Explorer.EXE | User: admin; Integrity Level: MEDIUM |
3552 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
1288 | cmd /c mkdir "C:\HSE Reports\Environment\January" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1524 | cmd /c mkdir "C:\HSE Reports\Environment\February" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2476 | cmd /c mkdir "C:\HSE Reports\Environment\March" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2392 | cmd /c mkdir "C:\HSE Reports\Environment\April" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3080 | cmd /c mkdir "C:\HSE Reports\Environment\May" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1036 | cmd /c mkdir "C:\HSE Reports\Environment\June" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3428 | cmd /c mkdir "C:\HSE Reports\Environment\July" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1568 | cmd /c mkdir "C:\HSE Reports\Environment\August" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRC6BB.tmp.cvr | — | — | — |
3128 | HSE-GG-64.exe | C:\Users\admin\AppData\Local\Temp\30755792.dat | compressed | 65AA14C21DBEC820E40D931B89EAFD14 | 2A9D6ED8CC28F897AC675CE5B60080CF47DF9D3F27E00AAC459EDC76C0A587FD |
3128 | HSE-GG-64.exe | C:\Users\admin\AppData\Local\Temp\30755791.dat | compressed | BDE59F78213751F69D606ED159630C68 | E07A4159E23EC374D0A528CB2D8BEA31FA43FF8F93F3E2C00139B8F23ABE6072 |
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\SpreadsheetTools\Runtime.dll | binary | 5593C48F492F084CCA2A5ECB487E907B | D0442E4DD01BCC913522352B7328450A590763548E8FB5F7DA9A2CC463DBC0D8 |
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7A1B166A.emf | emf | 7E439F6441A46AED43E8B95C9F72A271 | 362920A6CB23411A9EB975930AEC1BD080928E5F09618C77FF84EFCFCD31CA90 |
3128 | HSE-GG-64.exe | C:\Users\admin\AppData\Local\Temp\30758951.dat | image | E9E96B44BCBC9551C378033A3B11B84F | 0E16D3A5FEA56E02CD778DFAC8857FDA51319F94EC4F8CE9887701E59DDDC786 |
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BB4EAFC.emf | emf | 1BCAC4829303DFBDD3AB71DA06E05D72 | 6455AC3B457C8DD83A01E1172B8FD9B730E56D535F932EF475D4600A78081228 |
3128 | HSE-GG-64.exe | C:\Users\admin\AppData\Local\Temp\30758952.dat | compressed | 988EE9067E400933C8C059A9B51DB722 | 4A81461C5BBB444B9B3F20064E0E3387B666A5C71CD71E302C9FD26D247D93E7 |
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5F2B4AB0.emf | emf | F51A200E293E0CCA4E1CB3CFEBB57FF1 | 389BD57FB3343DDF50F1785AC68EDFA1856286A687852679F2E4ED2C82FC3FCE |
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8904F43E.emf | emf | 3AF4F2F90E59E71494790811A38E9220 | 0C2D62ED49B02C50B39D33574B4EE6CA234B280558EF2258950EE3DEAD8A0BE8 |