download: | rc7redone.exe |
Full analysis: | https://app.any.run/tasks/86248556-094c-4d9d-b3e0-d6422b02df06 |
Verdict: | Malicious activity |
Analysis date: | August 25, 2019, 12:17:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 66A2244A5BECC91366D927006D5C2967 |
SHA1: | 05AE7F9E6D81AF1B9B0BB3834BC8B20C8DE6C4B1 |
SHA256: | DEA04AE20524D1F51505011B6C2E2D56321D986D26D2A1CD5BB34FDEA78B62E9 |
SSDEEP: | 3072:mOxN8/IiSA6zxXhx+Gvp+GVZ5IyPPPTVBCWmk0hhhhhhhhhhhhhhhhhhhhhhhh2Y:mOxXjvpxZ/PPPTVBjteH |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
---|---|---|
.exe | | | Win64 Executable (generic) (21.3) |
.scr | | | Windows screen saver (10.1) |
.dll | | | Win32 Dynamic Link Library (generic) (5) |
.exe | | | Win32 Executable (generic) (3.4) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2076:04:11 21:01:08+02:00 |
PEType: | PE32 |
LinkerVersion: | 48 |
CodeSize: | 651776 |
InitializedDataSize: | 2048 |
UninitializedDataSize: | - |
EntryPoint: | 0xa10b2 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 6 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.0.0.0 |
ProductVersionNumber: | 1.0.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
Comments: | - |
CompanyName: | - |
FileDescription: | RC7REDONE |
FileVersion: | 1.0.0.0 |
InternalName: | RC7REDONE.exe |
LegalCopyright: | Copyright © 2019 |
LegalTrademarks: | - |
OriginalFileName: | RC7REDONE.exe |
ProductName: | RC7REDONE |
ProductVersion: | 1.0.0.0 |
AssemblyVersion: | 1.0.0.0 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 06-Mar-1940 12:32:52 |
Debug artifacts: |
|
Comments: | - |
CompanyName: | - |
FileDescription: | RC7REDONE |
FileVersion: | 1.0.0.0 |
InternalName: | RC7REDONE.exe |
LegalCopyright: | Copyright © 2019 |
LegalTrademarks: | - |
OriginalFilename: | RC7REDONE.exe |
ProductName: | RC7REDONE |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 06-Mar-1940 12:32:52 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x0009F0B8 | 0x0009F200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.39945 |
.rsrc | 0x000A2000 | 0x000005AC | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.12466 |
.reloc | 0x000A4000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3524 | "C:\Users\admin\AppData\Local\Temp\rc7redone.exe" | C:\Users\admin\AppData\Local\Temp\rc7redone.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: RC7REDONE Exit code: 3762504530 Version: 1.0.0.0 | ||||
3704 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3148 | "C:\Program Files\Internet Explorer\iexplore.exe" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3940 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3148 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
1764 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Exit code: 0 Version: 26,0,0,131 | ||||
3648 | "C:\Program Files\Internet Explorer\iexplore.exe" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3904 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3648 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2460 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Exit code: 0 Version: 26,0,0,131 | ||||
2636 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3604 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\sinape.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3148 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3148 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AOT4S2Y0\sinape_rar[1].txt | — | |
MD5:— | SHA256:— | |||
3148 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text | |
MD5:56731FEB6695FE8CD5EA9002B58D054F | SHA256:B9FC0A3062A068E64678A3B4D37FFA0AA18E25525DC57C4A8B2E3EE32A5B4E46 | |||
3940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:930289691BEF82E029566581898113EA | SHA256:BF54388FDBF399A05831E4FAA93635B2BE17DFC171582A274A557BE2A1AE16CB | |||
3940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K7S9DBCX\app[1].js | text | |
MD5:54CFC945293FF769616451BABDCE038C | SHA256:232555C7291EC261A98090DF629D525090376774A511B438074A700D65D92537 | |||
3940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AOT4S2Y0\logo-anonfile[1].png | image | |
MD5:B02F4A2776B104D3144E3829D2A3BDA3 | SHA256:A9D65E88B9F25A240E8664F636534F0B7C368DC3B491B463723860F87CA0605E | |||
3940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K7S9DBCX\js[1] | text | |
MD5:76D702F92D64CBA97E7B795B5BC7F4E2 | SHA256:427CAF72CA5AA023A70135769A98569DF363B42C28D23970D8D2D8DF176F9287 | |||
3940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AOT4S2Y0\sinape_rar[1].htm | html | |
MD5:0BC8C6CD56514ECC15D00D53DD1779AC | SHA256:236DFB786BDDBF2DE66019C1F772885F62B7158A18509FD122EE2C3E15EE824B | |||
3940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K7S9DBCX\anonfile[1].css | text | |
MD5:FC056343EE59A457D68F2B59CB82F0C5 | SHA256:2C8C7E689A476BB3A2AA7403A2436BD1C7495484C2714B58CA7C14AF4F845EAF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3940 | iexplore.exe | GET | 200 | 2.16.106.186:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 56.6 Kb | whitelisted |
3940 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 56.6 Kb | whitelisted |
3940 | iexplore.exe | GET | 301 | 194.32.146.60:80 | http://anonfile.com/35o7a448nd/sinape_rar | unknown | html | 178 b | whitelisted |
3148 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3940 | iexplore.exe | GET | 200 | 13.224.197.157:80 | http://x.ss2.us/x.cer | US | der | 1.27 Kb | whitelisted |
3940 | iexplore.exe | GET | 200 | 13.224.197.19:80 | http://x.ss2.us/x.cer | US | der | 1.27 Kb | whitelisted |
3904 | iexplore.exe | GET | 301 | 194.32.146.60:80 | http://anonfile.com/s3pcac45n7 | unknown | html | 178 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3940 | iexplore.exe | 151.101.2.217:443 | vjs.zencdn.net | Fastly | US | suspicious |
3148 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3940 | iexplore.exe | 194.32.146.60:443 | anonfile.com | — | — | unknown |
3940 | iexplore.exe | 194.32.146.60:80 | anonfile.com | — | — | unknown |
3940 | iexplore.exe | 23.111.8.154:443 | oss.maxcdn.com | netDNA | US | unknown |
— | — | 151.101.2.217:443 | vjs.zencdn.net | Fastly | US | suspicious |
3940 | iexplore.exe | 172.217.16.174:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
3940 | iexplore.exe | 172.217.18.104:443 | www.googletagmanager.com | Google Inc. | US | suspicious |
3940 | iexplore.exe | 104.18.39.148:443 | shermore.info | Cloudflare Inc | US | shared |
3940 | iexplore.exe | 13.224.197.18:443 | d3ud741uvs727m.cloudfront.net | — | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
anonfile.com |
| whitelisted |
vjs.zencdn.net |
| whitelisted |
oss.maxcdn.com |
| whitelisted |
www.googletagmanager.com |
| whitelisted |
d3ud741uvs727m.cloudfront.net |
| whitelisted |
shermore.info |
| whitelisted |
www.google-analytics.com |
| whitelisted |
rappenedstoric.info |
| unknown |
x.ss2.us |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .to TLD |
— | — | Potentially Bad Traffic | ET DNS Query for .to TLD |