File name: | 명예훼손관련 고소장.doc .exe.exe |
Full analysis: | https://app.any.run/tasks/8ac1e079-b16b-43fb-8cfd-dec65991e5e2 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous ransomware families. Ransomware is malware that demands payment from the victim to restore access to encrypted files. If the user does not cooperate, the files are lost forever. |
Analysis date: | February 19, 2019, 08:50:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5: | E14D560DCECAE7F87299ADDCF58FDC81 |
SHA1: | 2608DEBE4E3007D591D56DDA54B666018E0557DB |
SHA256: | D5DD88ED9B17649779F95155532ED44CBDE00625DDB3AAD817CC7DE58F0513C2 |
SSDEEP: | 3072:gDRcmxnuHZGmSbC9pMD/m/gR0TVfCC6RcjfE4wUBWlQ2LW96McnZEXG/lIDYY:d4wGpb8umo0TEC6GjtwU6Q2LW9RcEG/g |
Extension | Detected type (match %) |
---|---|
.exe | UPX compressed Win32 Executable (64.2) |
.dll | Win32 Dynamic Link Library (generic) (15.6) |
.exe | Win32 Executable (generic) (10.6) |
.exe | Generic Win/DOS Executable (4.7) |
.exe | DOS Executable Generic (4.7) |
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2018:06:22 23:26:51+02:00 |
PEType: | PE32 |
LinkerVersion: | 9 |
CodeSize: | 167936 |
InitializedDataSize: | 12288 |
UninitializedDataSize: | 155648 |
EntryPoint: | 0x4f9e0 |
OSVersion: | 5 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.0.0.0 |
ProductVersionNumber: | 1.0.0.0 |
FileFlagsMask: | 0x004f |
FileFlags: | (none) |
FileOS: | Unknown (0x40534) |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Unknown (457A) |
CharacterSet: | Unknown (A56B) |
FileVersion: | 4.1.3.31 |
InternalName: | sirube.exe |
LegalCopyright: | Copyright (C) 2018, masocesumogi |
ProductVersion: | 4.1.3.31 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 22-Jun-2018 21:26:51 |
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000E0 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 22-Jun-2018 21:26:51 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x00026000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x00027000 | 0x00029000 | 0x00028C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.77825 |
.rsrc | 0x00050000 | 0x00003000 | 0x00002600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.74485 |
GDI32.dll |
KERNEL32.DLL |
MSIMG32.dll |
SHELL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3108 | "C:\Users\admin\AppData\Local\Temp\49c605eb-c5c2-4518-bd66-8a385b334608.exe" | C:\Users\admin\AppData\Local\Temp\49c605eb-c5c2-4518-bd66-8a385b334608.exe | | explorer.exe |
User: admin Integrity Level: MEDIUM | | | | |
2964 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | | 49c605eb-c5c2-4518-bd66-8a385b334608.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
3920 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
PID | Process | Key | Name | Operation | Value |
---|---|---|---|---|---|
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data | ext | write | 2E006F00730069006A006F0070000000 |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data | public | write | |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data | private | write | |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0 |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1 |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\49c605eb-c5c2-4518-bd66-8a385b334608_RASAPI32 | EnableFileTracing | write | 0 |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\49c605eb-c5c2-4518-bd66-8a385b334608_RASAPI32 | EnableConsoleTracing | write | 0 |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\49c605eb-c5c2-4518-bd66-8a385b334608_RASAPI32 | FileTracingMask | write | 4294901760 |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\49c605eb-c5c2-4518-bd66-8a385b334608_RASAPI32 | ConsoleTracingMask | write | 4294901760 |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\49c605eb-c5c2-4518-bd66-8a385b334608_RASAPI32 | MaxFileSize | write | 1048576 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | — | — |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.osijop | — | — | — |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | — | — |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{05ed3515-06b3-48f6-8cf2-bf24b1bf0727}_OnDiskSnapshotProp | — | — | — |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{16d74681-6bc3-4c44-97f0-8b8dfefe2355}_OnDiskSnapshotProp | — | — | — |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{38e8535f-27d0-4352-aa3a-ce4178930102}_OnDiskSnapshotProp | — | — | — |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{3cc0f82b-873a-4e59-b89f-689fbdf88af9}_OnDiskSnapshotProp | — | — | — |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi.osijop | binary | CECA95EC83DFE2945706924B726CCE96 | 16F2FFA149754D899908EDFA4599D593A4AED368FBC02B1B19AB5F9EDF3570DD |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | C:\Config.Msi\OSIJOP-DECRYPT.txt | text | 3BEBAF2D13D49592319B626068571160 | CF124F47872138DFE6FB06848479A8FA81A723998C366F4E736516AA4D3D2C56 |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | C:\MSOCache\OSIJOP-DECRYPT.txt | text | 3BEBAF2D13D49592319B626068571160 | CF124F47872138DFE6FB06848479A8FA81A723998C366F4E736516AA4D3D2C56 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | GET | 301 | 185.52.2.154:80 | http://www.kakaocorp.link/ | NL | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 172.217.23.174:80 | — | Google Inc. | US | whitelisted |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | 185.52.2.154:443 | www.kakaocorp.link | RouteLabel V.O.F. | NL | suspicious |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | 185.52.2.154:80 | www.kakaocorp.link | RouteLabel V.O.F. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
www.kakaocorp.link | 185.52.2.154 | malicious |
PID | Process | Class | Message |
---|---|---|---|
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
3108 | 49c605eb-c5c2-4518-bd66-8a385b334608.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab v.5 SSL Connection |