Field | Value
---|---
File name | msdos8.exe
Full analysis | https://app.any.run/tasks/e663779c-ffcb-4f0e-8ab3-6c32636d0156
Verdict | Malicious activity
Analysis date | August 12, 2022, 20:11:21
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/x-dosexec
File info | PE32 executable (console) Intel 80386, for MS Windows
MD5 | 04F72876094B3A422952DB1F8C80B4E8
SHA1 | 1E9FC306E08004DD2040E784FAF0FA91F272B57A
SHA256 | D2A9007CCA3D0A73D76FAE8DA7397F4469E57248A88C7117063AAF2FC5BEE240
SSDEEP | 6144:T5aWbksiNTB5r3RvQ1yv0ooZ93QnHAlfPj8XS+fS0TsdKEjJJbX4+t:T5atNTzrVbvPoZ93cg9j8XRS0m3bX4+t
Extension | File type match (score)
---|---
.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)
PE summary | Value
---|---
Subsystem | Windows command line
SubsystemVersion | 4
ImageVersion | -
OSVersion | 4
EntryPoint | 0x1000
UninitializedDataSize | -
InitializedDataSize | 293376
CodeSize | 70144
LinkerVersion | 2.5
PEType | PE32
TimeStamp | 2018:02:01 21:18:05+01:00
MachineType | Intel 386 or later, and compatibles

File header | Value
---|---
Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date | 01-Feb-2018 20:18:05

DOS header | Value
---|---
Magic number | MZ
Bytes on last page of file | 0x0090
Pages in file | 0x0003
Relocations | 0x0000
Size of header | 0x0004
Min extra paragraphs | 0x0000
Max extra paragraphs | 0xFFFF
Initial SS value | 0x0000
Initial SP value | 0x00B8
Checksum | 0x0000
Initial IP value | 0x0000
Initial CS value | 0x0000
Overlay number | 0x0000
OEM identifier | 0x0000
OEM information | 0x0000
Address of NE header | 0x00000080

NT header | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
Number of sections | 5
Time date stamp | 01-Feb-2018 20:18:05
Pointer to Symbol Table | 0x00000000
Number of symbols | 0
Size of Optional Header | 0x00E0
Characteristics | 
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.code | 0x00001000 | 0x0000387E | 0x00003A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.52797 |
.text | 0x00005000 | 0x0000D642 | 0x0000D800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.54615 |
.rdata | 0x00013000 | 0x000033A8 | 0x00003400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.11033 |
.data | 0x00017000 | 0x0000178C | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.10203 |
.rsrc | 0x00019000 | 0x000433A0 | 0x00043400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.99852 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.92322 | 611 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
0630E1F034BC743DD5D78A2E1AEFAC2E9A3C3D13 | 3.70044 | 13 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
1CEA0796F9D84DA3DAD17E932DF68EB0BC2C92FA | 6.93134 | 174 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
2A73DF5F96B60ECE8FC5223FB0830B72 | 7.9801 | 8838 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
42DD95861E | 0 | 1 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
4FCD3EDBA1C40B58F4257CF56039246A1A17DEFC | 7.99931 | 264704 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
6CD1C1A3C32CE5D7CE324A07AB3D2A7A31E0BDDD | 5.80689 | 60 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
8D376DB5AAC5D908684DBFB486F4A772 | 3.23593 | 14 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
Imported library |
---|
COMCTL32.DLL |
GDI32.DLL |
KERNEL32.dll |
MSVCRT.dll |
OLE32.DLL |
SHELL32.DLL |
SHLWAPI.DLL |
USER32.DLL |
WINMM.DLL |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2964 | "C:\Users\admin\AppData\Local\Temp\msdos8.exe" | C:\Users\admin\AppData\Local\Temp\msdos8.exe | | Explorer.EXE | User: admin; Integrity Level: MEDIUM
3084 | "C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\9E82.tmp\9E83.tmp\9E84.bat C:\Users\admin\AppData\Local\Temp\msdos8.exe" | C:\Windows\system32\cmd.exe | — | msdos8.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3380 | MODE CON:COLS=70 LINES=30 | C:\Windows\system32\mode.com | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: DOS Device MODE Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1568 | C:\Users\admin\AppData\Local\Temp\9E82.tmp\9E83.tmp\extd.exe "/center" "" "" "" "" "" "" "" "" | C:\Users\admin\AppData\Local\Temp\9E82.tmp\9E83.tmp\extd.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3684 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\sleep.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
4068 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\sleep.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
1164 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\sleep.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2328 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\sleep.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
1856 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\sleep.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2756 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\sleep.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
3084 | cmd.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
3084 | cmd.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
3084 | cmd.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
3084 | cmd.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3084 | cmd.exe | C:\Users\admin\AppData\Local\Temp\9E82.tmp\9E83.tmp\ _ | text | 41592D82557C2C0673D44C6B911979B9 | 3E5D061AEA43255524E889E5CB646C4EB3B861187612F1B3D708AC54621A45F9
3084 | cmd.exe | C:\Users\admin\AppData\Local\Temp\9E82.tmp\9E83.tmp\ MICROSOFT CORPORATION _ | text | 41592D82557C2C0673D44C6B911979B9 | 3E5D061AEA43255524E889E5CB646C4EB3B861187612F1B3D708AC54621A45F9
3084 | cmd.exe | C:\Users\admin\AppData\Local\Temp\9E82.tmp\9E83.tmp\[dead.com]_ | text | 41592D82557C2C0673D44C6B911979B9 | 3E5D061AEA43255524E889E5CB646C4EB3B861187612F1B3D708AC54621A45F9
3084 | cmd.exe | C:\Users\admin\AppData\Local\Temp\sleep.vbs | text | DDA70E3363EAFD586B94086F733DFBE7 | CD5093DF594BB694A254C1F1045C2C18023831CA4508C6B6D964BAA53F9A6DC4
3084 | cmd.exe | C:\Users\admin\AppData\Local\Temp\9E82.tmp\9E83.tmp\ MS-DOS (VER 6.6.6) _ | text | 41592D82557C2C0673D44C6B911979B9 | 3E5D061AEA43255524E889E5CB646C4EB3B861187612F1B3D708AC54621A45F9
2964 | msdos8.exe | C:\Users\admin\AppData\Local\Temp\9E82.tmp\9E83.tmp\9E84.bat | text | ED593AFAE4FB08BF7D0E2342AF3A3DAC | E4C569727A440DA59D06CB8A77CB9B2970762FD9D9998B6774F02B37AA0E89D2
2964 | msdos8.exe | C:\Users\admin\AppData\Local\Temp\9E82.tmp\9E83.tmp\extd.exe | executable | 38CE85E4580071C40BB204EDFB85A303 | F0FFDDCF4B507A617D6883889F5167CC6C2D27015EF63AD3E014DB314CD8F465