Field | Value |
---|---|
Download | WindowsUpdateAgent30-x86.exe |
Full analysis | https://app.any.run/tasks/62303f3f-9181-47af-8237-61c40fa1f71a |
Verdict | Malicious activity |
Analysis date | September 11, 2019, 07:01:34 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | F723820B8656E82958FA7ED854A7EEFE |
SHA1 | 50186EC913A4896A92D72E5E5384693BF3A71182 |
SHA256 | B2512E0C2786F72ED41559580261C782A13FB5EA7FE23878873F83ECAEEEC25F |
SSDEEP | 196608:JCYrZoYags7mTwGklC0ZLeTWrDccd4sieKCfO7:JCgZJdHkl7ZJd4sVKJ7 |
Extension | Detected format (score) |
---|---|
.exe | MS generic-sfx Cabinet File Unpacker (32/64bit MSCFU) (82.5) |
.exe | Win32 Executable MS Visual C++ (generic) (7.3) |
.exe | Win64 Executable (generic) (6.5) |
.dll | Win32 Dynamic Link Library (generic) (1.5) |
.exe | Win32 Executable (generic) (1) |
Field | Value |
---|---|
ProductVersion | 6.2.0029.0 |
ProductName | Microsoft® Windows® Operating System |
OriginalFileName | SFXCAB.EXE |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
InternalName | SFXCAB.EXE |
FileVersion | 6.2.0029.0 (SRV03_QFE.031113-0918) |
FileDescription | Self-Extracting Cabinet |
CompanyName | Microsoft Corporation |
CharacterSet | Unicode |
LanguageCode | English (U.S.) |
FileSubtype | - |
ObjectFileType | Executable application |
FileOS | Windows NT 32-bit |
FileFlags | (none) |
FileFlagsMask | 0x003f |
ProductVersionNumber | 6.2.29.0 |
FileVersionNumber | 6.2.29.0 |
Subsystem | Windows GUI |
SubsystemVersion | 4 |
ImageVersion | 5.2 |
OSVersion | 5.2 |
EntryPoint | 0x5a45 |
UninitializedDataSize | - |
InitializedDataSize | 72704 |
CodeSize | 31232 |
LinkerVersion | 7.1 |
PEType | PE32 |
TimeStamp | 2005:06:28 18:55:01+02:00 |
MachineType | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 28-Jun-2005 16:55:01 |
Detected languages | |
Debug artifacts | |
CompanyName | Microsoft Corporation |
FileDescription | Self-Extracting Cabinet |
FileVersion | 6.2.0029.0 (SRV03_QFE.031113-0918) |
InternalName | SFXCAB.EXE |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | SFXCAB.EXE |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 6.2.0029.0 |
DOS header field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x000000D0 |
PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 3 |
Time date stamp | 28-Jun-2005 16:55:01 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x00007982 | 0x00007A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.61008 |
.data | 0x0000A000 | 0x000110D4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.513491 |
.rsrc | 0x0001C000 | 0x00000988 | 0x0066CE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.99967 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.5279 | 904 | UNKNOWN | English - United States | RT_VERSION |
100 | 3.0946 | 282 | UNKNOWN | English - United States | RT_DIALOG |
107 | 2.9591 | 224 | UNKNOWN | English - United States | RT_DIALOG |
Imported library |
---|
ADVAPI32.dll |
COMCTL32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
msvcrt.dll |
ntdll.dll |
PID | CMD | Path | Indicators | Parent process | User | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|
3700 | "C:\Users\admin\AppData\Local\Temp\WindowsUpdateAgent30-x86.exe" | C:\Users\admin\AppData\Local\Temp\WindowsUpdateAgent30-x86.exe | — | explorer.exe | admin | MEDIUM | Self-Extracting Cabinet | 3221226540 | 6.2.0029.0 (SRV03_QFE.031113-0918) |
2200 | "C:\Users\admin\AppData\Local\Temp\WindowsUpdateAgent30-x86.exe" | C:\Users\admin\AppData\Local\Temp\WindowsUpdateAgent30-x86.exe | | explorer.exe | admin | HIGH | Self-Extracting Cabinet | 0 | 6.2.0029.0 (SRV03_QFE.031113-0918) |
3596 | c:\95f2a22b31ec5089dcb17509054f\wusetup.exe | c:\95f2a22b31ec5089dcb17509054f\wusetup.exe | — | WindowsUpdateAgent30-x86.exe | admin | HIGH | Windows Update Setup | 0 | 7.4.7600.226 (winmain_wtr_wsus3sp2(wmbla).090806-1834) |
4016 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | SYSTEM | SYSTEM | Microsoft® Volume Shadow Copy Service | | 6.1.7600.16385 (win7_rtm.090713-1255) |
2816 | C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801} | C:\Windows\system32\DllHost.exe | — | svchost.exe | admin | HIGH | COM Surrogate | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3860 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005B8" "000002D4" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | SYSTEM | SYSTEM | Driver Installation Module | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |

The Company field reported for every process above is Microsoft Corporation.
(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(3596) wusetup.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore | write | SrCreateRp (Enter) | 400000000000000084BBD8D46E68D5010C0E0000E00D0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 |
(3596) wusetup.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | write | SppCreate (Enter) | 400000000000000084BBD8D46E68D5010C0E0000E00D0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000 |
(3596) wusetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP | write | LastIndex | 24 |
(3596) wusetup.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | write | SppGatherWriterMetadata (Enter) | 4000000000000000D22D2CD56E68D5010C0E0000E00D0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000 |
(3596) wusetup.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | write | IDENTIFY (Enter) | 4000000000000000D22D2CD56E68D5010C0E0000840C0000E80300000100000000000000000000003883AA308A84294EBE2CCBF77A853ED70000000000000000 |
(4016) vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer | write | IDENTIFY (Enter) | 4000000000000000941938D56E68D501B00F0000380D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
(4016) vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | write | IDENTIFY (Enter) | 4000000000000000941938D56E68D501B00F000020080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
(4016) vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | write | IDENTIFY (Enter) | 4000000000000000941938D56E68D501B00F000010090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
(4016) vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | write | IDENTIFY (Enter) | 4000000000000000941938D56E68D501B00F000018090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
(4016) vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | write | IDENTIFY (Leave) | 4000000000000000A2403FD56E68D501B00F000010090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2200 | WindowsUpdateAgent30-x86.exe | C:\95f2a22b31ec5089dcb17509054f\wsus3setup.cat | cat | 7B76EFA4678DEB12A8AC1FC587C66A50 | 663EED13B50646164114FEE3F5598BCCE4B26BD752113D30073DD01BD643BE99 |
2200 | WindowsUpdateAgent30-x86.exe | C:\95f2a22b31ec5089dcb17509054f\WUClient-SelfUpdate-Core-TopLevel.cab | compressed | FB59D11E7CE0880CD564CFE1E60933C0 | 92514168119F26A7149FEB0C01C5DF39EC75700DDE193EFCBF5644DD992A0942 |
2200 | WindowsUpdateAgent30-x86.exe | C:\95f2a22b31ec5089dcb17509054f\WUClient-SelfUpdate-ActiveX.cab | compressed | 232CCCBB86D2AFAE9B60C42D23D885B9 | F2D9F27A725B6AEC105B42D434EFA683D3B8A85F87B87A47A846703C5166163A |
2200 | WindowsUpdateAgent30-x86.exe | C:\95f2a22b31ec5089dcb17509054f\winhttp.dll | executable | D9CCCBCA7DBFB45D91FCB6FAF3B9AC08 | 4E0C219B0A0C7399FBD3C0728340BECF159B97035D4DA17BE1E5829A093B027C |
2200 | WindowsUpdateAgent30-x86.exe | C:\95f2a22b31ec5089dcb17509054f\WUClient-SelfUpdate-Aux-TopLevel.cab | compressed | 0A0FE198EFE05D6FA8F4DC48DD8CAAD3 | 12F355D099956D93817AC4F249242FDA428F9FED7B03B03438D019384D3F2101 |
2200 | WindowsUpdateAgent30-x86.exe | C:\95f2a22b31ec5089dcb17509054f\wuapi.dll.mui_cs | executable | 5BF1513CBBC13BEC47AAC5DDF4A69FDC | 5F39E907FC7B29DB086CF5B33DF23CED1410F1104E904B1D98635A875E826DB6 |
2200 | WindowsUpdateAgent30-x86.exe | C:\95f2a22b31ec5089dcb17509054f\wuapi.dll.mui_fi | executable | 7566307C21A344FDDBB52B407A5D410F | D428743C5E7258B60903A1AC27962D8FCA4F3E8D2391F5A36BF49664B6848670 |
2200 | WindowsUpdateAgent30-x86.exe | C:\95f2a22b31ec5089dcb17509054f\wuapi.dll.mui_en | executable | 52CF3B23095C47043FC060D9F1A74D2E | D33206182504C9AFC64B7A7F3CD0574E3C1F79361D0E459527FA4F788F666401 |
2200 | WindowsUpdateAgent30-x86.exe | C:\95f2a22b31ec5089dcb17509054f\wuapi.dll | executable | 009758CC06B7F55B4A4D16A66E243C24 | B3993D09584736B0FA80839450B1A4F46C6C8FE393CE25ECB0B51EE9545B5E55 |
2200 | WindowsUpdateAgent30-x86.exe | C:\95f2a22b31ec5089dcb17509054f\msxml3.dll | executable | E7A3FCB568797785750308DD6DB2BDC0 | E56FAAC4EA3C7C392FDE178851599EE4DF244B0AF743F8D2239EB093704AFA71 |