File name: | dq.exe |
Full analysis: | https://app.any.run/tasks/02b812fd-cad8-4725-9061-0d285cb8487e |
Verdict: | Malicious activity |
Analysis date: | August 12, 2022, 22:19:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (console) Intel 80386, for MS Windows |
MD5: | 1F2FD5B115B48F2A060E11F60CD3D7F1 |
SHA1: | BDD4D645C491A34C6084543CB7F47B27B0A28611 |
SHA256: | DE7148BDE8009AEC346D978E6836E6AEC1AE741E1AD58851EBFBCEAB7C1B5348 |
SSDEEP: | 24576:mbaBr/DduQqmzhFfvRUKd/k6Ub1G8hzKP//7A3V3:VBrZkYZoRG8VKP//s3V3 |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
Subsystem: | Windows command line |
---|---|
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 6 |
EntryPoint: | 0x9679a |
UninitializedDataSize: | - |
InitializedDataSize: | 380416 |
CodeSize: | 724480 |
LinkerVersion: | 14.29 |
PEType: | PE32 |
TimeStamp: | 2022:08:13 00:19:18+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date: | 12-Aug-2022 22:19:18 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000108 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 12-Aug-2022 22:19:18 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000B0C04 | 0x000B0E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.61429 |
.rdata | 0x000B2000 | 0x0004AD74 | 0x0004AE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.20351 |
.data | 0x000FD000 | 0x00007E34 | 0x00005200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.88496 |
.rsrc | 0x00105000 | 0x000001E0 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.7123 |
.reloc | 0x00106000 | 0x00009C6C | 0x00009E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.59786 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST |
ADVAPI32.dll |
CRYPT32.dll |
KERNEL32.dll |
USER32.dll |
WS2_32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3596 | "C:\Users\admin\Desktop\dq.exe" | C:\Users\admin\Desktop\dq.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3360 | C:\Windows\system32\pcwrun.exe "C:\Users\admin\Desktop\dq.exe" | C:\Windows\system32\pcwrun.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Program Compatibility Troubleshooter Invoker Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3816 | C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\admin\AppData\Local\Temp\PCWE67D.xml /skip TRUE | C:\Windows\System32\msdt.exe | pcwrun.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Diagnostics Troubleshooting Wizard Exit code: 4294967295 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1564 | C:\Windows\System32\sdiagnhost.exe -Embedding | C:\Windows\System32\sdiagnhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Scripted Diagnostics Native Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3892 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\zbo8pcza.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | sdiagnhost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.5483 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
3432 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESEC3B.tmp" "c:\Users\admin\AppData\Local\Temp\CSCEC2A.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.5003 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
2516 | "C:\Users\admin\Desktop\dq.exe" | C:\Users\admin\Desktop\dq.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
|
(PID) Process: | (3816) msdt.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (1564) sdiagnhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1564) sdiagnhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (1564) sdiagnhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (1564) sdiagnhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3596 | dq.exe | C:\Users\admin\ntuser.ini.protected | binary | |
MD5:6ED6D7F238B1CF5F1A127ED11AB4CB0C | SHA256:3F1CE1D93367E0F691BA4E5A73B1370F66EC2011473279E1ED6CD80675786BB5 | |||
3892 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCEC2A.tmp | res | |
MD5:72DB3E3DB1F6E329E5B3322CC71E506D | SHA256:6D2324E3BBADAE7E45C395C633460BD80AD56C68087363F2E391AA2D9A3219D8 | |||
3816 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_1221cd44-8ca7-40da-a3e8-2714e910365d\result\ResultReport.xml | xml | |
MD5:3ED9D40FDD9E6D02A36EBBB77FF90F9C | SHA256:E0F36D5A21681B78E59D9B3F06B615C0BD428CF1180CF27AE168BD3CD55F4DC4 | |||
3432 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESEC3B.tmp | o | |
MD5:642B8F0B3CF6EB6F9099D59473C73D5D | SHA256:E8A357038C5C863180BCDAD3B2476A57E78109469548B9CDB11C9A225DCD9B99 | |||
3892 | csc.exe | C:\Users\admin\AppData\Local\Temp\zbo8pcza.out | text | |
MD5:44C82C521743DA78CC5CC79A2C3CD315 | SHA256:8786DDFB30FC77D945DC1D48509E0948CD1CF723082B80A4BE69727F38E54AC4 | |||
1564 | sdiagnhost.exe | C:\Users\admin\AppData\Local\Temp\zbo8pcza.cmdline | text | |
MD5:31FF53EF390A09B69A271AA138C420FF | SHA256:2C4E32E18635A6B81685DF17C982A9825B1881DB590AF895C3F4A62942CD1F57 | |||
3892 | csc.exe | C:\Users\admin\AppData\Local\Temp\zbo8pcza.dll | executable | |
MD5:50D114B35572F5777A5CCFFF94B83570 | SHA256:789D209B90FB3E8783546522E401B088B98BC1622F206FF52697F6E412D39FB2 | |||
3892 | csc.exe | C:\Users\admin\AppData\Local\Temp\zbo8pcza.pdb | pdb | |
MD5:44EC1A10BFD77F0C5B95DA1220DF1A0A | SHA256:C29094EF64244BB8984237EAB16EA21E4BAF0E6A9F22C741FBA66D3CBE558AEA | |||
3360 | pcwrun.exe | C:\Users\admin\AppData\Local\Temp\PCWE67D.xml | xml | |
MD5:80681B26E76818EC8BB3F99F3C1B1D97 | SHA256:B32857E34DD8099890EC37E3D642C8738D942DEBA5FB85C0EDCB09FADCB7F0C2 | |||
3816 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_1221cd44-8ca7-40da-a3e8-2714e910365d\DiagPackage.diagpkg | html | |
MD5:18A906A43C1C3E27064DB30C81505234 | SHA256:041430D1F0AE14300C46BDCD917C882F4850DA3D6010E3FBF692023655BC406E |
Process | Message |
---|---|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|