File name: | challenge.exe |
Full analysis: | https://app.any.run/tasks/b01c4112-e455-4cb8-9754-4539e13e698b |
Verdict: | Malicious activity |
Analysis date: | May 20, 2022, 16:12:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | A2F33095EF25B4D5B061EB53A7FE6548 |
SHA1: | B38A8CB06507ADB966DFDB809403F8F7F64CA534 |
SHA256: | B0D41E9B8C941D207A0958B92F57083DD9B9246958BD32E2E6E90C4EE0E12419 |
SSDEEP: | 24576:sHMFgBanP6wJlYixpC9gbYstRiNhmREhf4gnlzY1hcP0GeN53U:sHmgq1sUJOLlucev3U |
.exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.2) |
.exe | | | Win32 Executable (generic) (9.7) |
.exe | | | Generic Win/DOS Executable (4.3) |
.exe | | | DOS Executable Generic (4.3) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x9d410 |
UninitializedDataSize: | - |
InitializedDataSize: | 623104 |
CodeSize: | 768000 |
LinkerVersion: | 10 |
PEType: | PE32 |
TimeStamp: | 2020:03:23 02:28:10+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 23-Mar-2020 01:28:10 |
Detected languages: |
|
Debug artifacts: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 23-Mar-2020 01:28:10 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000BB674 | 0x000BB800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.84409 |
.data | 0x000BD000 | 0x0008CB68 | 0x0000DC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.436021 |
.rsrc | 0x0014A000 | 0x00008128 | 0x00008200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.3864 |
.reloc | 0x00153000 | 0x00098000 | 0x00067000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 7.73651 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.59146 | 2216 | UNKNOWN | Spanish - Colombia | RT_ICON |
2 | 5.66171 | 1736 | UNKNOWN | Spanish - Colombia | RT_ICON |
3 | 5.30736 | 1384 | UNKNOWN | Spanish - Colombia | RT_ICON |
4 | 5.29177 | 4264 | UNKNOWN | Spanish - Colombia | RT_ICON |
5 | 5.00679 | 2440 | UNKNOWN | Spanish - Colombia | RT_ICON |
6 | 5.00346 | 1128 | UNKNOWN | Spanish - Colombia | RT_ICON |
7 | 6.38956 | 9640 | UNKNOWN | Spanish - Colombia | RT_ICON |
8 | 6.81585 | 4264 | UNKNOWN | Spanish - Colombia | RT_ICON |
25 | 3.13413 | 564 | UNKNOWN | Divehi - Maldives | RT_STRING |
26 | 3.24387 | 1278 | UNKNOWN | Divehi - Maldives | RT_STRING |
GDI32.dll |
KERNEL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2956 | "C:\Users\admin\AppData\Local\Temp\challenge.exe" | C:\Users\admin\AppData\Local\Temp\challenge.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3544 | "C:\Users\admin\AppData\Local\Temp\challenge.exe" | C:\Users\admin\AppData\Local\Temp\challenge.exe | challenge.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
124 | icacls "C:\Users\admin\AppData\Local\c58b7cbd-61ee-46e0-875b-d3b840b32a7a" /deny *S-1-1-0:(OI)(CI)(DE,DC) | C:\Windows\system32\icacls.exe | — | challenge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3488 | "C:\Users\admin\AppData\Local\Temp\challenge.exe" --Admin IsNotAutoStart IsNotTask | C:\Users\admin\AppData\Local\Temp\challenge.exe | challenge.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
2104 | "C:\Users\admin\AppData\Local\Temp\challenge.exe" --Admin IsNotAutoStart IsNotTask | C:\Users\admin\AppData\Local\Temp\challenge.exe | challenge.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
2804 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2104 | challenge.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\geo[1].json | binary | |
MD5:2BCBF0CD4C0832115E45930E51DA84C3 | SHA256:5BA486280373A92E787E21045804D0F21221733331630064790993AD8491E5B5 | |||
3544 | challenge.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | der | |
MD5:93995AD095112907CFC088998C161574 | SHA256:FD16D238BCAC3441688E7CA940C27BB02DF8F0BF43B26D8E551414A18748C1CC | |||
3544 | challenge.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:459CBCB375424ECE984BE4EA83BD0BFB | SHA256:0411C4D57B484C7F7631996A06FE66CD527BAA80B30F8B02B2CB92716F8E6828 | |||
3544 | challenge.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary | |
MD5:2FB358D1323E0228D9A514C291DC8043 | SHA256:D5C5C6EB8434373A9D9682647E812108AD2AB4F8B2AFBFB6AA515E6E09590AA0 | |||
3544 | challenge.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | |
MD5:F7DCB24540769805E5BB30D193944DCE | SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA | |||
3544 | challenge.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary | |
MD5:B025C2AF9438BFBE5FA1FF070C6B91E5 | SHA256:D0F02F4EB9786A67F665AC5465BB24300EE3C5DF92C9E91871B3C62A499513C1 | |||
3544 | challenge.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der | |
MD5:C04F441D0220712231531A90823834DB | SHA256:055641D3987AE98E2DD627D3214EA8084AE773A3DF9592191B86977C752A29E7 | |||
3544 | challenge.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\geo[1].json | binary | |
MD5:2BCBF0CD4C0832115E45930E51DA84C3 | SHA256:5BA486280373A92E787E21045804D0F21221733331630064790993AD8491E5B5 | |||
3544 | challenge.exe | C:\Users\admin\AppData\Local\c58b7cbd-61ee-46e0-875b-d3b840b32a7a\challenge.exe | executable | |
MD5:A2F33095EF25B4D5B061EB53A7FE6548 | SHA256:B0D41E9B8C941D207A0958B92F57083DD9B9246958BD32E2E6E90C4EE0E12419 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3544 | challenge.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted |
3544 | challenge.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted |
3544 | challenge.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ae62cb3ff0f7f47b | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3544 | challenge.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious |
3544 | challenge.exe | 162.0.217.254:443 | api.2ip.ua | AirComPlus Inc. | CA | suspicious |
3544 | challenge.exe | 172.64.155.188:80 | ocsp.comodoca.com | — | US | suspicious |
2104 | challenge.exe | 162.0.217.254:443 | api.2ip.ua | AirComPlus Inc. | CA | suspicious |
Domain | IP | Reputation |
---|---|---|
api.2ip.ua |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
kotob.top |
| malicious |
tzgl.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET POLICY External IP Address Lookup DNS Query (2ip .ua) |
3544 | challenge.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) |
2104 | challenge.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) |
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |