File name: | mb(1).exe |
Full analysis: | https://app.any.run/tasks/6dc5c63f-fb7e-46ea-b775-24ec6236fbf9 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | January 10, 2019, 20:50:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | C4B41BF26795658600B414C7DF4E0910 |
SHA1: | 1CC18725235741B3824B705ED6311CEA92AADAD7 |
SHA256: | BCE4C97DAA3AE1C1702046B2F8D7952AB076DA8B6C9544331B08E76DE21C005D |
SSDEEP: | 3072:x4Xvkt4x64t/iQC2mC1mKtwqIwq1RUvXOS+xA/TAMF:l+64Qywjt1P6x |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
ProductVersion: | 5.10.6.80 |
---|---|
LegalCopyright: | Copyright (C) 2017, yusabo |
InternalName: | cexagis.exe |
FileVersion: | 5.10.6.80 |
CharacterSet: | Unknown (A56B) |
LanguageCode: | Unknown (457A) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Unknown (0x40534) |
FileFlags: | (none) |
FileFlagsMask: | 0x004f |
ProductVersionNumber: | 3.0.0.0 |
FileVersionNumber: | 7.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x7d63 |
UninitializedDataSize: | - |
InitializedDataSize: | 508928 |
CodeSize: | 121856 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2017:07:13 06:43:50+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 13-Jul-2017 04:43:50 |
Detected languages: |
|
FileVersion: | 5.10.6.80 |
InternalName: | cexagis.exe |
LegalCopyright: | Copyright (C) 2017, yusabo |
ProductVersion: | 5.10.6.80 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000110 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 9 |
Time date stamp: | 13-Jul-2017 04:43:50 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x0002E000 | 0x00004B08 | 0x00004C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.75211 |
.data | 0x0001F000 | 0x0000DB1C | 0x0000D200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.160372 |
.idata | 0x0002D000 | 0x00000B38 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.21405 |
.mysec | 0x00033000 | 0x00000004 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0815394 |
.mysec2 | 0x00034000 | 0x00001004 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0.044687 |
.gfids | 0x00036000 | 0x000000AC | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.72516 |
.rsrc | 0x00037000 | 0x00067414 | 0x00067600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.72196 |
.reloc | 0x0009F000 | 0x0000116C | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.49359 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.38936 | 476 | UNKNOWN | Croatian - Croatia | RT_VERSION |
2 | 1.29015 | 1128 | UNKNOWN | Croatian - Croatia | RT_ICON |
3 | 0.910809 | 9640 | UNKNOWN | Croatian - Croatia | RT_ICON |
4 | 1.11044 | 4264 | UNKNOWN | Croatian - Croatia | RT_ICON |
5 | 0.593571 | 67624 | UNKNOWN | Croatian - Croatia | RT_ICON |
6 | 0.800247 | 16936 | UNKNOWN | Croatian - Croatia | RT_ICON |
12 | 3.20476 | 852 | UNKNOWN | Croatian - Croatia | RT_STRING |
101 | 3.01528 | 594 | UNKNOWN | Croatian - Croatia | RT_DIALOG |
128 | 2.76511 | 90 | UNKNOWN | Croatian - Croatia | RT_GROUP_ICON |
150 | 6.16608 | 50260 | UNKNOWN | Croatian - Croatia | RT_BITMAP |
GDI32.dll |
KERNEL32.dll |
MSIMG32.dll |
USER32.dll |
ole32.dll |
Title | Ordinal | Address |
---|---|---|
_Niasjdfnsoda@4 | 1 | 0x000079A0 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3132 | "C:\Users\admin\AppData\Local\Temp\mb(1).exe" | C:\Users\admin\AppData\Local\Temp\mb(1).exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3328 | C:\Users\admin\49506060639303040\winsvcs.exe | C:\Users\admin\49506060639303040\winsvcs.exe | mb(1).exe | |
User: admin Integrity Level: MEDIUM | ||||
1436 | C:\Users\admin\AppData\Local\Temp\2573913150.exe | C:\Users\admin\AppData\Local\Temp\2573913150.exe | winsvcs.exe | |
User: admin Integrity Level: MEDIUM | ||||
3152 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | 2573913150.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3132) mb(1).exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | Microsoft Windows Services |
Value: C:\Users\admin\49506060639303040\winsvcs.exe | |||
(PID) Process: | (3132) mb(1).exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | Microsoft Windows Services |
Value: C:\Users\admin\49506060639303040\winsvcs.exe | |||
(PID) Process: | (3328) winsvcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection |
Operation: | write | Name: | DisableScanOnRealtimeEnable |
Value: 1 | |||
(PID) Process: | (3328) winsvcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection |
Operation: | write | Name: | DisableOnAccessProtection |
Value: 1 | |||
(PID) Process: | (3328) winsvcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection |
Operation: | write | Name: | DisableBehaviorMonitoring |
Value: 1 | |||
(PID) Process: | (3328) winsvcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center |
Operation: | write | Name: | AntiVirusOverride |
Value: 1 | |||
(PID) Process: | (3328) winsvcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center |
Operation: | write | Name: | UpdatesOverride |
Value: 1 | |||
(PID) Process: | (3328) winsvcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center |
Operation: | write | Name: | FirewallOverride |
Value: 1 | |||
(PID) Process: | (3328) winsvcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center |
Operation: | write | Name: | AntiVirusDisableNotify |
Value: 1 | |||
(PID) Process: | (3328) winsvcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center |
Operation: | write | Name: | UpdatesDisableNotify |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1436 | 2573913150.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | |
MD5:— | SHA256:— | |||
1436 | 2573913150.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData | — | |
MD5:— | SHA256:— | |||
1436 | 2573913150.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings | — | |
MD5:— | SHA256:— | |||
1436 | 2573913150.exe | C:\Users\admin\FXLTVFJ-DECRYPT.txt | text | |
MD5:4DF9E72BC464637E69F89DF67755FB87 | SHA256:4DCA3EF0E02F41F28FF18F3033949AF1DA17E22E082B4D2BCBB2CE56EDAF8846 | |||
3328 | winsvcs.exe | C:\Users\admin\AppData\Local\Temp\2573913150.exe | executable | |
MD5:5A31E0AE80102A6B25FA0CA56CF7C15E | SHA256:DC92A406EC40D1356ABBD8DD8EA8CA90AE84516B741D3D898F892DB31D470480 | |||
1436 | 2573913150.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata | — | |
MD5:— | SHA256:— | |||
1436 | 2573913150.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\FXLTVFJ-DECRYPT.txt | text | |
MD5:4DF9E72BC464637E69F89DF67755FB87 | SHA256:4DCA3EF0E02F41F28FF18F3033949AF1DA17E22E082B4D2BCBB2CE56EDAF8846 | |||
1436 | 2573913150.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\FXLTVFJ-DECRYPT.txt | text | |
MD5:4DF9E72BC464637E69F89DF67755FB87 | SHA256:4DCA3EF0E02F41F28FF18F3033949AF1DA17E22E082B4D2BCBB2CE56EDAF8846 | |||
1436 | 2573913150.exe | C:\Users\admin\49506060639303040\FXLTVFJ-DECRYPT.txt | text | |
MD5:4DF9E72BC464637E69F89DF67755FB87 | SHA256:4DCA3EF0E02F41F28FF18F3033949AF1DA17E22E082B4D2BCBB2CE56EDAF8846 | |||
1436 | 2573913150.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\FXLTVFJ-DECRYPT.txt | text | |
MD5:4DF9E72BC464637E69F89DF67755FB87 | SHA256:4DCA3EF0E02F41F28FF18F3033949AF1DA17E22E082B4D2BCBB2CE56EDAF8846 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1436 | 2573913150.exe | GET | — | 78.46.77.98:80 | http://www.2mmotorsport.biz/ | DE | — | — | suspicious |
3328 | winsvcs.exe | GET | — | 92.63.197.48:80 | http://92.63.197.48/m/1.exe | RU | — | — | malicious |
3328 | winsvcs.exe | GET | 200 | 92.63.197.48:80 | http://92.63.197.48/m/1.exe | RU | executable | 247 Kb | malicious |
1436 | 2573913150.exe | POST | 404 | 217.26.53.161:80 | http://www.haargenau.biz/news/image/soamesde.png | CH | html | 11.1 Kb | malicious |
1436 | 2573913150.exe | GET | 200 | 217.26.53.161:80 | http://www.haargenau.biz/ | CH | html | 13.3 Kb | malicious |
1436 | 2573913150.exe | GET | 200 | 136.243.13.215:80 | http://www.holzbock.biz/ | DE | html | 1.78 Kb | suspicious |
3328 | winsvcs.exe | GET | 404 | 92.63.197.48:80 | http://92.63.197.48/m/2.exe | RU | html | 178 b | malicious |
3328 | winsvcs.exe | GET | 404 | 92.63.197.48:80 | http://92.63.197.48/m/3.exe | RU | html | 178 b | malicious |
3328 | winsvcs.exe | GET | 404 | 92.63.197.48:80 | http://92.63.197.48/m/4.exe | RU | html | 178 b | malicious |
3328 | winsvcs.exe | GET | 404 | 92.63.197.48:80 | http://92.63.197.48/m/3.exe | RU | html | 178 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3328 | winsvcs.exe | 92.63.197.48:80 | — | — | RU | malicious |
1436 | 2573913150.exe | 138.201.162.99:80 | www.fliptray.biz | Hetzner Online GmbH | DE | malicious |
1436 | 2573913150.exe | 78.46.77.98:80 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
1436 | 2573913150.exe | 192.185.159.253:80 | www.pizcam.com | CyrusOne LLC | US | malicious |
1436 | 2573913150.exe | 136.243.13.215:80 | www.holzbock.biz | Hetzner Online GmbH | DE | suspicious |
1436 | 2573913150.exe | 138.201.162.99:443 | www.fliptray.biz | Hetzner Online GmbH | DE | malicious |
1436 | 2573913150.exe | 74.220.215.73:80 | www.bizziniinfissi.com | Unified Layer | US | malicious |
1436 | 2573913150.exe | 217.26.53.161:80 | www.haargenau.biz | Hostpoint AG | CH | malicious |
1436 | 2573913150.exe | 78.46.77.98:443 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
1436 | 2573913150.exe | 83.138.82.107:80 | www.swisswellness.com | hostNET Medien GmbH | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
www.2mmotorsport.biz |
| unknown |
www.haargenau.biz |
| unknown |
www.bizziniinfissi.com |
| malicious |
www.holzbock.biz |
| unknown |
www.fliptray.biz |
| malicious |
www.pizcam.com |
| unknown |
www.swisswellness.com |
| whitelisted |
www.hotelweisshorn.com |
| unknown |
www.whitepod.com |
| whitelisted |
www.hardrockhoteldavos.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3328 | winsvcs.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3328 | winsvcs.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
3328 | winsvcs.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3328 | winsvcs.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
3328 | winsvcs.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3328 | winsvcs.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3328 | winsvcs.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3328 | winsvcs.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
3328 | winsvcs.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3328 | winsvcs.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |