File name: | DraftableCompare.exe |
Full analysis: | https://app.any.run/tasks/50613c66-f7ff-4ec8-aefd-cd98feb95c37 |
Verdict: | Malicious activity |
Analysis date: | May 14, 2019, 23:27:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 4DD1BBDC08B9C120AF5CC34A592CF917 |
SHA1: | F575F63888977250399F9513E82D8C11288B7223 |
SHA256: | E1283A9491E435D6ACFE54871E6BE8B036B713A14E2A1C244D908F0B6E4DDB12 |
SSDEEP: | 12288:bDPdsil5fCMggBIiMVO26kk+FGzeMb01JQntLOCVkoSrUf:bD1s2ts96kTMemVuc |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
ProductVersion: | 14.0.23107.0 |
---|---|
ProductName: | - |
OriginalFileName: | setup.exe |
LegalCopyright: | © Microsoft Corporation. All rights reserved. |
InternalName: | setup.exe |
FileVersion: | 14.0.23107.0 built by: D14REL |
FileDescription: | Setup |
CompanyName: | - |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 14.0.23107.0 |
FileVersionNumber: | 14.0.23107.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | 10 |
OSVersion: | 5.1 |
EntryPoint: | 0x330c2 |
UninitializedDataSize: | - |
InitializedDataSize: | 481792 |
CodeSize: | 364544 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2015:07:07 08:26:33+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 07-Jul-2015 06:26:33 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | - |
FileDescription: | Setup |
FileVersion: | 14.0.23107.0 built by: D14REL |
InternalName: | setup.exe |
LegalCopyright: | © Microsoft Corporation. All rights reserved. |
OriginalFilename: | setup.exe |
ProductName: | - |
ProductVersion: | 14.0.23107.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000118 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 07-Jul-2015 06:26:33 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00058E58 | 0x00059000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.39733 |
.data | 0x0005A000 | 0x00003D2C | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.69795 |
.idata | 0x0005E000 | 0x0000152A | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.45654 |
.rsrc | 0x00060000 | 0x0006EF64 | 0x0006F000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.27334 |
.reloc | 0x000CF000 | 0x00003B4C | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.60243 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.22945 | 1378 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 2.59785 | 3752 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 2.61852 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 1.63426 | 1384 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 7.87399 | 7820 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 3.07929 | 16936 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 3.33247 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
8 | 3.65064 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 3.99341 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
10 | 7.07398 | 1885 | Latin 1 / Western European | English - United States | RT_ICON |
ADVAPI32.dll (delay-loaded) |
CRYPT32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
Secur32.dll |
USER32.dll |
WININET.dll |
msi.dll |
ole32.dll |
Title | Ordinal | Address |
---|---|---|
_DecodePointerInternal@4 | 1 | 0x0001FC22 |
_EncodePointerInternal@4 | 2 | 0x0001FC3D |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2232 | "C:\Users\admin\AppData\Local\Temp\DraftableCompare.exe" | C:\Users\admin\AppData\Local\Temp\DraftableCompare.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: Setup Exit code: 0 Version: 14.0.23107.0 built by: D14REL | ||||
3656 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe | DraftableCompare.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ClickOnce Version: 4.6.1055.0 built by: NETFXREL2 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3656 | dfsvc.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2989C0A878FE45C610C8177194428257 | binary | |
MD5:E70D15A6E54EFC438BAB9538FE5A333B | SHA256:13591250CDB827D41FAFECAECE51C6258CD736629A47FDC25209249C1387EC7A | |||
3656 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\6W5M0EHZ.TB8\QMY1OTN3.KWC\Draftable.CompareTool.exe.manifest | xml | |
MD5:755770E2A5C75C9271C2AAADD7EB31C2 | SHA256:775AFC4E689D524803900FAE20D3D4AB2D0F87833882B93E52343673E186610D | |||
3656 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\5LX3VG0V.P09\BLDAYOJZ.LPK.application | xml | |
MD5:EDE9EF4AC78C47252E3210EC4B633281 | SHA256:8814D166FC41920E55C9C044B330E3E74469BB968868731EC0C0DAAAE128BA7C | |||
3656 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\6W5M0EHZ.TB8\QMY1OTN3.KWC\x64\netlib40.dll | executable | |
MD5:C17A925588D8A56F9AD5766E166C9FEA | SHA256:2D3EA99A938C238D5E92227DDB7F7922F288AB48865600806CAC542DC9EBDAFF | |||
2232 | DraftableCompare.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\Draftable.CompareTool[1].application | xml | |
MD5:EDE9EF4AC78C47252E3210EC4B633281 | SHA256:8814D166FC41920E55C9C044B330E3E74469BB968868731EC0C0DAAAE128BA7C | |||
2232 | DraftableCompare.exe | C:\Users\admin\AppData\Local\Temp\VSD3EC2.tmp\install.log | binary | |
MD5:95F029F6B8C00AEAFF181AD5098A103F | SHA256:13FD579F0438C5E72851B5CDE8BBEA098B704D8FE98C7F359BF70A46920E4EFA | |||
3656 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\6W5M0EHZ.TB8\QMY1OTN3.KWC\x86\netlib40.dll | executable | |
MD5:3E8830A03A8D57B2E4256825A51F1908 | SHA256:5E6FEE67F82DD622E258E189B2A977F96994B511F9C3AA60D5D1406598408E4F | |||
3656 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\6W5M0EHZ.TB8\QMY1OTN3.KWC\x86\ixclib40.dll | executable | |
MD5:B3E29AA23E676A202C8428BF9BCA5051 | SHA256:BF03F3950BDEA7D0374593D611FB39447388DBC26FCE3EB50DEB7F011828FB0A | |||
3656 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\6W5M0EHZ.TB8\QMY1OTN3.KWC\x64\xccdx40.dll | executable | |
MD5:39886F4270E543400FB275F04454364B | SHA256:A1FFB2D409B06D6AD5D73ABE66D150EFFF31AEC3630F1E1E943B552451EE2BC8 | |||
3656 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\6W5M0EHZ.TB8\QMY1OTN3.KWC\Draftable.CompareTool.exe.config | xml | |
MD5:F88174F5AC9E81E96D55D3CED7B98EAC | SHA256:B916AB3F2816A4153B552333E7E72528DD036080BF04F5A8E5FA40540B87089A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3656 | dfsvc.exe | GET | 200 | 104.18.10.39:80 | http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt | US | der | 1.30 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2232 | DraftableCompare.exe | 52.216.100.123:443 | draftable-compare.s3.amazonaws.com | Amazon.com, Inc. | US | unknown |
3656 | dfsvc.exe | 52.216.100.123:443 | draftable-compare.s3.amazonaws.com | Amazon.com, Inc. | US | unknown |
3656 | dfsvc.exe | 104.18.11.39:80 | cacerts.digicert.com | Cloudflare Inc | US | shared |
— | — | 104.18.10.39:80 | cacerts.digicert.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
draftable-compare.s3.amazonaws.com |
| shared |
cacerts.digicert.com |
| whitelisted |
Process | Message |
---|---|
dfsvc.exe |
*** Status originated: -1073741811
*** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
|
dfsvc.exe |
*** Status originated: -1073741811
*** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
|
dfsvc.exe |
*** Status originated: -1073741811
*** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
|
dfsvc.exe |
*** Status originated: -1073741811
*** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
|