File name: | d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce |
Full analysis: | https://app.any.run/tasks/c79bb15a-b6fc-4585-affc-ae8fc4cec45c |
Verdict: | Malicious activity |
Analysis date: | December 05, 2022, 21:57:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | 8D65244421B6A050DC3AA9639277C4D8 |
SHA1: | 2D9E0403FB319BF3FE4E58FCE745ABD21F3BABEE |
SHA256: | D465E61CB369D3A5AB4B58F01889D7BF10510F5C50F19AADC628821662181FCE |
SSDEEP: | 6144:2e34nAr5S53BAcAyYJKc0n2Ihv3DPpyugqHjQpXcKM33xS:4A6ADd02IRDhyugqHwXcKM38 |
.exe | | | NSIS - Nullsoft Scriptable Install System (94.8) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (3.4) |
.dll | | | Win32 Dynamic Link Library (generic) (0.7) |
.exe | | | Win32 Executable (generic) (0.5) |
.exe | | | Generic Win/DOS Executable (0.2) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2009-Dec-05 22:50:52 |
Detected languages: |
|
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 216 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2009-Dec-05 22:50:52 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44011 |
.rdata | 28672 | 4764 | 5120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04684 |
.data | 36864 | 154712 | 1024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.801 |
.ndata | 192512 | 61440 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rsrc | 253952 | 2768 | 3072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.39962 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.50665 | 744 | UNKNOWN | English - United States | RT_ICON |
103 | 2.16096 | 20 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.88094 | 284 | UNKNOWN | English - United States | RT_DIALOG |
111 | 2.48825 | 96 | UNKNOWN | English - United States | RT_DIALOG |
1 (#2) | 5.21482 | 958 | UNKNOWN | English - United States | RT_MANIFEST |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
856 | "C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe" | C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | — | Explorer.EXE |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | ||||
1232 | "C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe" | C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | Explorer.EXE | |
User: admin Integrity Level: HIGH | ||||
3344 | "C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\fcpw.exe" 4100 terminus.fon ao2.txt | C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\fcpw.exe | — | d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe |
User: admin Integrity Level: HIGH Exit code: 0 |
(PID) Process: | (1232) d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts |
Operation: | write | Name: | Terminus |
Value: terminus.fon | |||
(PID) Process: | (1232) d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager |
Operation: | write | Name: | PendingFileRenameOperations |
Value: \??\C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\ |
PID | Process | Filename | Type | |
---|---|---|---|---|
1232 | d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\td1.txt | text | |
MD5:22504D6DF2E85CBCADFDC594F100F956 | SHA256:E1D596F02D9CCEBF0261CE1D69B26281C4783082B00356CD04ECE0744A9B9017 | |||
1232 | d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\ge2.txt | text | |
MD5:EA7D7822027F0B4B158D0339D83CAFE8 | SHA256:2F5D7A5C033276749B03A515C4D6A48B03261B441F3A61571F2459F110FD49E9 | |||
1232 | d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\ll2.txt | text | |
MD5:782E13664A026B50BB5687079FB89DA2 | SHA256:965942BD6C5DC0EC7D35D82776E3B7108C842F0B14F60DAA79CF81810D87632F | |||
1232 | d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\ij1.txt | text | |
MD5:A82892C09D94796741C5D333D7ADBD55 | SHA256:8E2286205EC5A701BBC477E72DCEAAAADEE0353CAD5C69C9E24004EAF79D6FA9 | |||
1232 | d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\terminus.fon | executable | |
MD5:3C648282A62A4C72CAB1C56FFC77B2B3 | SHA256:A79D6DD3C392D29249C9C2A31C15007978F276AB94E8FA94D8970CD104824F38 | |||
1232 | d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\ao2.txt | text | |
MD5:2DC5E3E6AE5E6CF1264A945353BAEC5F | SHA256:373AA56DF1EBC44DCD6E0DE5CA6CB308E660D885CC7E80AA489C3928C3547D78 | |||
1232 | d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\dv1.txt | text | |
MD5:8FE7D0477F630992A0A0BAE830481D8B | SHA256:BC32799C1EEEBA159449D0BC1FCCBDD0A44BAA3E7255C3832E1107457548A84E | |||
1232 | d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\OFL.TXT | text | |
MD5:9CADB26F4C5C005618C5AE74F041EC54 | SHA256:DC367FAB3ACE2C26C893D1EE21823863096EF57C995A249CCAC03E2B80E2E8E3 | |||
1232 | d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\hi2-ka2.txt | text | |
MD5:2FA46F9D5D914AC959EA16D11A17F670 | SHA256:E520FECEFFAFCB0F9E660FE024DE695CCD21B2040EE14452670AE9B22E19D3BA | |||
1232 | d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe | C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\AUTHORS | text | |
MD5:AE271043C5301F304AEA2B8696DBF5E5 | SHA256:7A5E955BAAF28951CF5D75D8F13B48273B02A9569D25210D6486BA8656F8AF27 |