File name: | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5 |
Full analysis: | https://app.any.run/tasks/8c13f19e-473b-42dc-bfee-ffe50f27d3bc |
Verdict: | Malicious activity |
Analysis date: | March 14, 2019, 10:13:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | A00D232D18B5E18ECEC1DE4FA452E910 |
SHA1: | 08A979CD93583A44BB813BBAC3E73346B6110D14 |
SHA256: | B564C3FBA8F32D45ED5161AD6080BD3AD2665E4CDED2F45E78E33DF2943436B5 |
SSDEEP: | 98304:m7sFSNYIYbE9WlSIViIpLlingPpjvB8s54HrR+OE3B7p7jnDH+lc/K1tahgIdQKQ:m7RY/hEIVp7+wGs54M39pn7gHaL5+hp |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5 |
ImageVersion: | 6 |
OSVersion: | 5 |
EntryPoint: | 0x3899 |
UninitializedDataSize: | 16896 |
InitializedDataSize: | 4119040 |
CodeSize: | 28672 |
LinkerVersion: | 10 |
PEType: | PE32 |
TimeStamp: | 2010:12:07 14:21:18+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 07-Dec-2010 13:21:18 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 07-Dec-2010 13:21:18 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00006F1C | 0x00007000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.52395 |
.rdata | 0x00008000 | 0x00002A62 | 0x00002C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.39054 |
.data | 0x0000B000 | 0x003E66DC | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.43086 |
.ndata | 0x003F2000 | 0x00145000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00537000 | 0x00009168 | 0x00009200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.39929 |
.reloc | 0x00541000 | 0x01C7620E | 0x00003400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.46399 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.21712 | 968 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 4.24008 | 9640 | UNKNOWN | English - United States | RT_ICON |
3 | 4.37389 | 4264 | UNKNOWN | English - United States | RT_ICON |
4 | 4.63373 | 1128 | UNKNOWN | English - United States | RT_ICON |
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG |
103 | 2.62308 | 62 | UNKNOWN | English - United States | RT_GROUP_ICON |
104 | 2.70992 | 344 | UNKNOWN | English - United States | RT_DIALOG |
105 | 2.73893 | 514 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG |
110 | 2.82633 | 1638 | UNKNOWN | English - United States | RT_BITMAP |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3736 | "C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe" | C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | ||||
2156 | "C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe" | C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | explorer.exe | |
User: admin Integrity Level: HIGH | ||||
3212 | "C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsEDED.tmp" cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe\"" | C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsEDED.tmp | — | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe |
User: admin Integrity Level: HIGH Exit code: 1 | ||||
3776 | cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe\"" | C:\Windows\system32\cmd.exe | — | nsEDED.tmp |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3972 | powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe\" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3284 | "C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsF169.tmp" cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\"" | C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsF169.tmp | — | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe |
User: admin Integrity Level: HIGH Exit code: 1 | ||||
3740 | cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\"" | C:\Windows\system32\cmd.exe | — | nsF169.tmp |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1324 | powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3340 | "C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsFAA4.tmp" sc create -- binPath= ""C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe" /wl 1" | C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsFAA4.tmp | — | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2836 | sc create -- binPath= ""C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe" /wl 1" | C:\Windows\system32\sc.exe | — | nsFAA4.tmp |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3972) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (1324) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2964) b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths |
Operation: | write | Name: | C:\Windows\uninstaller.dat |
Value: 0 | |||
(PID) Process: | (2964) b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths |
Operation: | write | Name: | C:\Windows\ZWY3N2NlMDA2ZGIyMzc.exe |
Value: 0 | |||
(PID) Process: | (2964) b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths |
Operation: | write | Name: | C:\Windows\system32\drivers\ODkwMjIxMTZkZ |
Value: 0 | |||
(PID) Process: | (2964) b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths |
Operation: | write | Name: | C:\Program Files\MDEyO |
Value: 0 | |||
(PID) Process: | — | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT |
Operation: | write | Name: | DontReportInfectionInformation |
Value: 1 | |||
(PID) Process: | — | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT |
Operation: | write | Name: | DontOfferThroughWUAU |
Value: 1 | |||
(PID) Process: | (2156) b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2156) b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3972 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TWZEUDH4XR642HXGGWCV.temp | — | |
MD5:— | SHA256:— | |||
1324 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NEG0RD93SI2JMK4SQISP.temp | — | |
MD5:— | SHA256:— | |||
2156 | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\JoNaet | — | |
MD5:— | SHA256:— | |||
2156 | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsF169.tmp | executable | |
MD5:763FBC0305F3DBC7503EC8B72A940CC8 | SHA256:96DF754F8621E111FD86C6B836908A806022567F76E40B878F60473E1815C5C5 | |||
2156 | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsEDED.tmp | executable | |
MD5:763FBC0305F3DBC7503EC8B72A940CC8 | SHA256:96DF754F8621E111FD86C6B836908A806022567F76E40B878F60473E1815C5C5 | |||
2156 | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\fqevGAuBjgL.dll | executable | |
MD5:41C479086355C2ACB263C6643BA1187C | SHA256:3C2FAD1EAFB2184F894FF582906FDEBA84EFA65CC6ECAB9E68D24D0013A4DAB7 | |||
2156 | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsFB22.tmp | executable | |
MD5:48AE036EA5F9100BAB7A41D1C61EDCFE | SHA256:1298C1A1E5ADAE488A5924D711767AEC709DE66097389B427F482473E5FA3755 | |||
2964 | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | C:\Windows\TEMP\nsvFBF6.tmp\JoNaet | — | |
MD5:— | SHA256:— | |||
1324 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0586DB8FF5249AD980CEC7BF2CBC3708 | SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2 | |||
3972 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0586DB8FF5249AD980CEC7BF2CBC3708 | SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2156 | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | POST | 200 | 217.182.14.231:80 | http://technologietazo.com/installer/downloadsLog?unique_id=4E6866CC50C0449534CA9B289FFFC4CB&affiliate_id=3673 | FR | — | — | malicious |
2240 | NTJjOGRkMz.exe | GET | 200 | 192.35.177.64:80 | http://crl.identrust.com/DSTROOTCAX3CRL.crl | US | der | 896 b | whitelisted |
2240 | NTJjOGRkMz.exe | GET | 200 | 217.182.14.231:80 | http://technologietazo.com/addon/mapping?v=n13.14.1.312&os_mj=6&os_mn=1&os_bitness=32&mid=bd232adea4e970199b37e073c5dfb03e&uid=4E6866CC50C0449534CA9B289FFFC4CB&aid=3673&aid2=none&ts=1552558433&ts2= | FR | binary | 30.3 Kb | malicious |
2240 | NTJjOGRkMz.exe | GET | 200 | 2.16.186.11:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.36 Kb | whitelisted |
2156 | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | POST | 200 | 217.182.14.231:80 | http://technologietazo.com/installer/urlsLog?unique_id=4E6866CC50C0449534CA9B289FFFC4CB&affiliate_id=3673&br=iexplore | FR | — | — | malicious |
2240 | NTJjOGRkMz.exe | GET | 200 | 2.16.186.27:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgPcX%2FjNtaug6Iw%2FukjUag3aZA%3D%3D | unknown | der | 527 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2156 | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | 217.182.14.231:80 | technologietazo.com | OVH SAS | FR | malicious |
2240 | NTJjOGRkMz.exe | 217.182.14.231:80 | technologietazo.com | OVH SAS | FR | malicious |
2156 | b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe | 217.182.14.231:443 | technologietazo.com | OVH SAS | FR | malicious |
2240 | NTJjOGRkMz.exe | 217.182.14.231:443 | technologietazo.com | OVH SAS | FR | malicious |
2240 | NTJjOGRkMz.exe | 2.16.186.11:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | whitelisted |
2240 | NTJjOGRkMz.exe | 192.35.177.64:80 | crl.identrust.com | IdenTrust | US | malicious |
2240 | NTJjOGRkMz.exe | 2.16.186.27:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
technologietazo.com |
| malicious |
isrg.trustid.ocsp.identrust.com |
| whitelisted |
crl.identrust.com |
| whitelisted |
ocsp.int-x3.letsencrypt.org |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2240 | NTJjOGRkMz.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.Wajam Payload m3 |