File name: | 4DD3.exe |
Full analysis: | https://app.any.run/tasks/979b231c-7c2b-4463-850a-eeb26876be8e |
Verdict: | Malicious activity |
Analysis date: | July 17, 2019, 14:29:09 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME: | application/x-dosexec |
File info: | PE32 executable (DLL) (console) Intel 80386, for MS Windows |
MD5: | ED60C95C805DBAEE92C90C3AB930085A |
SHA1: | EC4FA2E62BE62A7BD1A67157BA46D1B022837575 |
SHA256: | D35574D2CC42B4EDBF217A86639864422FBE02443250A36EB2CD11B22F165C39 |
SSDEEP: | 24576:YbhBoIcENh5n8O+0KFaMtZKBaNmPA/I/aa5o:YbnoIcEhn8VkMtZKx/aa5o |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
ProductVersion: | 6.1.7601.17514 |
---|---|
ProductName: | Microsoft® Windows® Operating System |
OriginalFileName: | ntdll.dll |
LegalCopyright: | © Microsoft Corporation. All rights reserved. |
InternalName: | ntdll.dll |
FileVersion: | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
FileDescription: | NT Layer DLL |
CompanyName: | Microsoft Corporation |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Dynamic link library |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 6.1.7601.17514 |
FileVersionNumber: | 6.1.7601.17514 |
Subsystem: | Windows command line |
SubsystemVersion: | 6.1 |
ImageVersion: | 6.1 |
OSVersion: | 6.1 |
EntryPoint: | 0x0000 |
UninitializedDataSize: | - |
InitializedDataSize: | 406016 |
CodeSize: | 872448 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2010:11:20 13:05:02+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date: | 20-Nov-2010 12:05:02 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | Microsoft Corporation |
FileDescription: | NT Layer DLL |
FileVersion: | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
InternalName: | ntdll.dll |
LegalCopyright: | © Microsoft Corporation. All rights reserved. |
OriginalFilename: | ntdll.dll |
ProductName: | Microsoft® Windows® Operating System |
ProductVersion: | 6.1.7601.17514 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 20-Nov-2010 12:05:02 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000D4D66 | 0x000D4E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.81471 |
RT | 0x000D6000 | 0x000001DC | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.59855 |
.data | 0x000D7000 | 0x00008064 | 0x00006C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.683427 |
.rsrc | 0x000E0000 | 0x000560D8 | 0x00056200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.33271 |
.reloc | 0x00137000 | 0x00004C3C | 0x00004E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.67729 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.53644 | 896 | UNKNOWN | English - United States | RT_VERSION |
Title | Ordinal | Address |
---|---|---|
8 | 0x000120A0 | |
RtlActivateActivationContextUnsafeFast | 9 | 0x00052FED |
RtlDeactivateActivationContextUnsafeFast | 10 | 0x00053063 |
RtlInterlockedPushListSList | 11 | 0x00035ACC |
RtlUlongByteSwap | 12 | 0x00035B50 |
RtlUlonglongByteSwap | 13 | 0x00035B60 |
RtlUshortByteSwap | 14 | 0x00035B40 |
ExpInterlockedPopEntrySListEnd | 15 | 0x00035A8F |
ExpInterlockedPopEntrySListFault | 16 | 0x00035A8D |
ExpInterlockedPopEntrySListResume | 17 | 0x00035A64 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2220 | "windanr.exe" | C:\Windows\system32\windanr.exe | — | qemu-ga.exe |
User: admin Integrity Level: MEDIUM | ||||
1724 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
3728 | "C:\Windows\System32\rundll32.exe" "C:\Users\admin\Desktop\4DD3.exe", #1 | C:\Windows\System32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
304 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2556 | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
832 | C:\Windows\system32\svchost.exe -k netsvcs | C:\Windows\System32\svchost.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3260 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | explorer.exe | |
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Exit code: 0 Version: 1748 | ||||
2256 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | explorer.exe | |
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Exit code: 0 Version: 1748 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3260 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprA3EE.tmp | — | |
MD5:— | SHA256:— | |||
3260 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprA42D.tmp | — | |
MD5:— | SHA256:— | |||
3260 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp | — | |
MD5:— | SHA256:— | |||
3260 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0SR3L7Y9NRZZ8A61MMBL.temp | — | |
MD5:— | SHA256:— | |||
3260 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprAFD7.tmp | — | |
MD5:— | SHA256:— | |||
3260 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprAFD8.tmp | — | |
MD5:— | SHA256:— | |||
3260 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprAFE8.tmp | — | |
MD5:— | SHA256:— | |||
3260 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml | |
MD5:1A1EF5EC06416A21FE90DA5F8E0463BE | SHA256:AFE2C97AC4DC1685FF579D1F8FD9F502BBB4842C79902444B3FE23EFABDBD9C2 | |||
3260 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | |
MD5:D6966F30A6EE8BFBBEA877D27B751198 | SHA256:196242921F03A71E8A4074C8B110DDE626AB6C5C8C6165E615352A9FBC0AD42B | |||
3260 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary | |
MD5:AE73BC337CB2ECA8CCE5C46C97C7E7B8 | SHA256:CF42530D7DD8C0285220613F09EF091A70FFC26CE6422737041E45435FDFB8EE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2256 | opera.exe | GET | 200 | 172.217.22.46:80 | http://clients1.google.com/complete/search?q=goo&client=opera-suggest-omnibox&hl=de | US | text | 96 b | whitelisted |
3260 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 528 b | whitelisted |
2256 | opera.exe | GET | — | 216.58.206.14:80 | http://google.com/ | US | — | — | whitelisted |
2256 | opera.exe | GET | 200 | 172.217.22.46:80 | http://clients1.google.com/complete/search?q=googl&client=opera-suggest-omnibox&hl=de | US | text | 101 b | whitelisted |
2256 | opera.exe | GET | 400 | 185.26.182.93:80 | http://sitecheck2.opera.com/?host=google.com&hdn=5cHJ/4cINcLBl65Ju%2BOcTQ== | unknown | html | 150 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3260 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | — | whitelisted |
2256 | opera.exe | 185.26.182.93:80 | certs.opera.com | Opera Software AS | — | whitelisted |
2256 | opera.exe | 172.217.22.46:80 | clients1.google.com | Google Inc. | US | whitelisted |
3260 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2256 | opera.exe | 216.58.206.14:80 | — | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
certs.opera.com |
| whitelisted |
crl4.digicert.com |
| whitelisted |
clients1.google.com |
| whitelisted |
sitecheck2.opera.com |
| whitelisted |