File name: | ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387 |
Full analysis: | https://app.any.run/tasks/ddcfd6de-2f9e-4548-8e45-cc5d714a52fe |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 03:54:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | CFA482B23FA7A59641A6B816D56A3C58 |
SHA1: | 0CD9753113E29FD460DCDCFFB21F364B3C5A14AA |
SHA256: | BA87D97A4C7DEC4E2EEF997190F5F875C8564395BF3C95BD95055F447C495387 |
SSDEEP: | 12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DhKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWMKrKe |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2019-Oct-31 06:08:40 |
Detected languages: |
|
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 272 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2019-Oct-31 06:08:40 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 469942 | 470016 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.54453 |
.rdata | 475136 | 175538 | 175616 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.69449 |
.data | 651264 | 19304 | 14848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.77903 |
.rsrc | 671744 | 480 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.70824 |
.reloc | 675840 | 23164 | 23552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.56882 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST |
ADVAPI32.dll |
CRYPT32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
MPR.dll |
NETAPI32.dll |
OLEAUT32.dll |
RstrtMgr.DLL |
SHELL32.dll |
WS2_32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3248 | "C:\Users\admin\Desktop\ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387.exe" | C:\Users\admin\Desktop\ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387.exe | — | Explorer.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2304 | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3576 | "C:\Users\admin\Desktop\ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387.exe" | C:\Users\admin\Desktop\ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387.exe | — | DllHost.exe |
User: admin Integrity Level: HIGH | ||||
2664 | vssadmin.exe Delete Shadows /All /Quiet | C:\Windows\system32\vssadmin.exe | — | ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2920 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2460 | bcdedit.exe /set {default} recoveryenabled No | C:\Windows\system32\bcdedit.exe | — | ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Boot Configuration Data Editor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3828 | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\system32\bcdedit.exe | — | ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Boot Configuration Data Editor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
4044 | wbadmin DELETE SYSTEMSTATEBACKUP | C:\Windows\system32\wbadmin.exe | — | ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® BLB Backup Exit code: 4294967293 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2336 | wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest | C:\Windows\system32\wbadmin.exe | — | ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® BLB Backup Exit code: 4294967293 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
360 | wmic.exe SHADOWCOPY /nointeractive | C:\Windows\System32\Wbem\wmic.exe | — | ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 44124 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3540 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | etl | |
MD5:9B35C5F7C24AB584F2FC8265DD79051C | SHA256:543B56DDD700F0892AA95E9F601372494A233BC0EC703CD863542FE621F10D38 | |||
3048 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.0.etl | etl | |
MD5:9B35C5F7C24AB584F2FC8265DD79051C | SHA256:543B56DDD700F0892AA95E9F601372494A233BC0EC703CD863542FE621F10D38 | |||
3844 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | etl | |
MD5:1BB329C14F5CF964F2628F22B861622E | SHA256:47125966991ACFC2C38A378FD750CE4026EA0A97B6B98B380636BFB98504B55E | |||
2336 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | etl | |
MD5:50D9A9348AA2D03CE8EBFD12D3A690B7 | SHA256:05A042A64A7A9A5367F144FCA287429A29D3EC44E64F714876E368E52BAA7475 | |||
3844 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.0.etl | etl | |
MD5:576686A6F78CD8699BEEA3895E13B380 | SHA256:0427D84951509E072DDECD157828703FB00C9B29C150C418C30CC9B085DE1969 | |||
3048 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | etl | |
MD5:9EB08CB244578BE3BCD2EB7F63EC0E6C | SHA256:5898E7E12C606F601FF249FF3CBFDE8763FE192FBEBE3FD642CF07F9C9A758D1 | |||
4044 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | etl | |
MD5:50D9A9348AA2D03CE8EBFD12D3A690B7 | SHA256:05A042A64A7A9A5367F144FCA287429A29D3EC44E64F714876E368E52BAA7475 | |||
3540 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.0.etl | etl | |
MD5:1BB329C14F5CF964F2628F22B861622E | SHA256:47125966991ACFC2C38A378FD750CE4026EA0A97B6B98B380636BFB98504B55E | |||
3576 | ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387.exe | C:\Users\admin\AppData\Roaming\svhost.exe | executable | |
MD5:CFA482B23FA7A59641A6B816D56A3C58 | SHA256:BA87D97A4C7DEC4E2EEF997190F5F875C8564395BF3C95BD95055F447C495387 | |||
2760 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.0.etl | etl | |
MD5:E4E2F1FB82EBCB8675C4613FC8C5DF6C | SHA256:CF2F84CB5BE2996B9070A9EFAF034DDF0CD26DEECBE5E4CE553B7A0A508D97A5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1208 | chrome.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | crx | 242 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 192.168.100.2:445 | — | — | — | whitelisted |
1208 | chrome.exe | 216.58.206.193:443 | clients2.googleusercontent.com | GOOGLE | US | whitelisted |
1208 | chrome.exe | 34.104.35.123:80 | edgedl.me.gvt1.com | GOOGLE | US | whitelisted |
1208 | chrome.exe | 172.217.20.67:443 | ssl.gstatic.com | GOOGLE | US | whitelisted |
1208 | chrome.exe | 172.217.17.206:443 | clients2.google.com | GOOGLE | US | whitelisted |
— | — | 192.168.100.2:139 | — | — | — | whitelisted |
1208 | chrome.exe | 142.250.187.163:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted |
1208 | chrome.exe | 142.250.187.131:443 | update.googleapis.com | GOOGLE | US | whitelisted |
1208 | chrome.exe | 172.217.169.109:443 | accounts.google.com | GOOGLE | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
clientservices.googleapis.com |
| whitelisted |
clients2.google.com |
| whitelisted |
accounts.google.com |
| shared |
clients2.googleusercontent.com |
| whitelisted |
update.googleapis.com |
| whitelisted |
edgedl.me.gvt1.com |
| whitelisted |
ssl.gstatic.com |
| whitelisted |