analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DraftableCompare.exe

Full analysis: https://app.any.run/tasks/50613c66-f7ff-4ec8-aefd-cd98feb95c37
Verdict: Malicious activity
Analysis date: May 14, 2019, 23:27:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

4DD1BBDC08B9C120AF5CC34A592CF917

SHA1:

F575F63888977250399F9513E82D8C11288B7223

SHA256:

E1283A9491E435D6ACFE54871E6BE8B036B713A14E2A1C244D908F0B6E4DDB12

SSDEEP:

12288:bDPdsil5fCMggBIiMVO26kk+FGzeMb01JQntLOCVkoSrUf:bD1s2ts96kTMemVuc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • dfsvc.exe (PID: 3656)
    • Changes settings of System certificates

      • dfsvc.exe (PID: 3656)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • dfsvc.exe (PID: 3656)
    • Reads internet explorer settings

      • dfsvc.exe (PID: 3656)
    • Reads Environment values

      • dfsvc.exe (PID: 3656)
    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 3656)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

ProductVersion: 14.0.23107.0
ProductName: -
OriginalFileName: setup.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: setup.exe
FileVersion: 14.0.23107.0 built by: D14REL
FileDescription: Setup
CompanyName: -
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 14.0.23107.0
FileVersionNumber: 14.0.23107.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: 10
OSVersion: 5.1
EntryPoint: 0x330c2
UninitializedDataSize: -
InitializedDataSize: 481792
CodeSize: 364544
LinkerVersion: 14
PEType: PE32
TimeStamp: 2015:07:07 08:26:33+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 07-Jul-2015 06:26:33
Detected languages:
  • English - United States
Debug artifacts:
  • setup.pdb
CompanyName: -
FileDescription: Setup
FileVersion: 14.0.23107.0 built by: D14REL
InternalName: setup.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: setup.exe
ProductName: -
ProductVersion: 14.0.23107.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 07-Jul-2015 06:26:33
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00058E58
0x00059000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.39733
.data
0x0005A000
0x00003D2C
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.69795
.idata
0x0005E000
0x0000152A
0x00001600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.45654
.rsrc
0x00060000
0x0006EF64
0x0006F000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.27334
.reloc
0x000CF000
0x00003B4C
0x00003C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.60243

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.22945
1378
Latin 1 / Western European
English - United States
RT_MANIFEST
2
2.59785
3752
Latin 1 / Western European
English - United States
RT_ICON
3
2.61852
2216
Latin 1 / Western European
English - United States
RT_ICON
4
1.63426
1384
Latin 1 / Western European
English - United States
RT_ICON
5
7.87399
7820
Latin 1 / Western European
English - United States
RT_ICON
6
3.07929
16936
Latin 1 / Western European
English - United States
RT_ICON
7
3.33247
9640
Latin 1 / Western European
English - United States
RT_ICON
8
3.65064
4264
Latin 1 / Western European
English - United States
RT_ICON
9
3.99341
1128
Latin 1 / Western European
English - United States
RT_ICON
10
7.07398
1885
Latin 1 / Western European
English - United States
RT_ICON

Imports

ADVAPI32.dll (delay-loaded)
CRYPT32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
Secur32.dll
USER32.dll
WININET.dll
msi.dll
ole32.dll

Exports

Title
Ordinal
Address
_DecodePointerInternal@4
1
0x0001FC22
_EncodePointerInternal@4
2
0x0001FC3D
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start draftablecompare.exe dfsvc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2232"C:\Users\admin\AppData\Local\Temp\DraftableCompare.exe" C:\Users\admin\AppData\Local\Temp\DraftableCompare.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup
Exit code:
0
Version:
14.0.23107.0 built by: D14REL
3656"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
DraftableCompare.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ClickOnce
Version:
4.6.1055.0 built by: NETFXREL2
Total events
235
Read events
168
Write events
0
Delete events
0

Modification events

No data
Executable files
56
Suspicious files
4
Text files
47
Unknown types
1

Dropped files

PID
Process
Filename
Type
3656dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2989C0A878FE45C610C8177194428257binary
MD5:E70D15A6E54EFC438BAB9538FE5A333B
SHA256:13591250CDB827D41FAFECAECE51C6258CD736629A47FDC25209249C1387EC7A
3656dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\6W5M0EHZ.TB8\QMY1OTN3.KWC\Draftable.CompareTool.exe.manifestxml
MD5:755770E2A5C75C9271C2AAADD7EB31C2
SHA256:775AFC4E689D524803900FAE20D3D4AB2D0F87833882B93E52343673E186610D
3656dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\5LX3VG0V.P09\BLDAYOJZ.LPK.applicationxml
MD5:EDE9EF4AC78C47252E3210EC4B633281
SHA256:8814D166FC41920E55C9C044B330E3E74469BB968868731EC0C0DAAAE128BA7C
3656dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\6W5M0EHZ.TB8\QMY1OTN3.KWC\x64\netlib40.dllexecutable
MD5:C17A925588D8A56F9AD5766E166C9FEA
SHA256:2D3EA99A938C238D5E92227DDB7F7922F288AB48865600806CAC542DC9EBDAFF
2232DraftableCompare.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\Draftable.CompareTool[1].applicationxml
MD5:EDE9EF4AC78C47252E3210EC4B633281
SHA256:8814D166FC41920E55C9C044B330E3E74469BB968868731EC0C0DAAAE128BA7C
2232DraftableCompare.exeC:\Users\admin\AppData\Local\Temp\VSD3EC2.tmp\install.logbinary
MD5:95F029F6B8C00AEAFF181AD5098A103F
SHA256:13FD579F0438C5E72851B5CDE8BBEA098B704D8FE98C7F359BF70A46920E4EFA
3656dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\6W5M0EHZ.TB8\QMY1OTN3.KWC\x86\netlib40.dllexecutable
MD5:3E8830A03A8D57B2E4256825A51F1908
SHA256:5E6FEE67F82DD622E258E189B2A977F96994B511F9C3AA60D5D1406598408E4F
3656dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\6W5M0EHZ.TB8\QMY1OTN3.KWC\x86\ixclib40.dllexecutable
MD5:B3E29AA23E676A202C8428BF9BCA5051
SHA256:BF03F3950BDEA7D0374593D611FB39447388DBC26FCE3EB50DEB7F011828FB0A
3656dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\6W5M0EHZ.TB8\QMY1OTN3.KWC\x64\xccdx40.dllexecutable
MD5:39886F4270E543400FB275F04454364B
SHA256:A1FFB2D409B06D6AD5D73ABE66D150EFFF31AEC3630F1E1E943B552451EE2BC8
3656dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\6W5M0EHZ.TB8\QMY1OTN3.KWC\Draftable.CompareTool.exe.configxml
MD5:F88174F5AC9E81E96D55D3CED7B98EAC
SHA256:B916AB3F2816A4153B552333E7E72528DD036080BF04F5A8E5FA40540B87089A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3656
dfsvc.exe
GET
200
104.18.10.39:80
http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
US
der
1.30 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2232
DraftableCompare.exe
52.216.100.123:443
draftable-compare.s3.amazonaws.com
Amazon.com, Inc.
US
unknown
3656
dfsvc.exe
52.216.100.123:443
draftable-compare.s3.amazonaws.com
Amazon.com, Inc.
US
unknown
3656
dfsvc.exe
104.18.11.39:80
cacerts.digicert.com
Cloudflare Inc
US
shared
104.18.10.39:80
cacerts.digicert.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
draftable-compare.s3.amazonaws.com
  • 52.216.100.123
shared
cacerts.digicert.com
  • 104.18.11.39
  • 104.18.10.39
whitelisted

Threats

No threats detected
Process
Message
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230