Field | Value |
---|---|
File name | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43 |
Full analysis | https://app.any.run/tasks/d0fc3d5f-cbbc-4449-9b0b-27e003881efe |
Verdict | Malicious activity |
Analysis date | January 11, 2019, 09:28:14 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | EFE317B99CCBF0AE948E3D5B64E119F0 |
SHA1 | B94BC220D392487E022EC1F22E50B0E79B08E2FB |
SHA256 | E273ADB9C5133A21C4F8258A52DC5E5EB8A2E8EFEC7C69C68B6BEE7BC8CA1D43 |
SSDEEP | 3072:hLnq+T5/mc3yMuxZjEytD6+zVVxEkqQcqkAgy/doqieH8s36Be:hR5/6tlN6Qgev5368 |

Extension | Type | Probability (%) |
---|---|---|
.dll | Win32 Dynamic Link Library (generic) | 38.2 |
.exe | Win32 Executable (generic) | 26.2 |
.exe | Win16/32 Executable Delphi generic | 12 |
.exe | Generic Win/DOS Executable | 11.6 |
.exe | DOS Executable Generic | 11.6 |

Field | Value |
---|---|
Subsystem | Windows GUI |
SubsystemVersion | 4 |
ImageVersion | - |
OSVersion | 4 |
EntryPoint | 0x35a1 |
UninitializedDataSize | - |
InitializedDataSize | 1384960 |
CodeSize | 389632 |
LinkerVersion | 5.12 |
PEType | PE32 |
TimeStamp | 2018:01:22 22:22:09+01:00 |
MachineType | Intel 386 or later, and compatibles |

Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 22-Jan-2018 21:22:09 (UTC) |
Detected languages | |

DOS header field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header (paragraphs) | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header (e_lfanew, offset of the PE header) | 0x00000080 |

PE file header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 4 |
Time date stamp | 22-Jan-2018 21:22:09 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |


Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0005F064 | 0x0005F200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 2.5352 |
.rdata | 0x00061000 | 0x00001093 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.77027 |
.data | 0x00063000 | 0x0015E288 | 0x00149C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.01121 |
.rsrc | 0x001C2000 | 0x000072A8 | 0x00007400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.05865 |
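The checks below are the static triage a practitioner would run over the section table above, added here as an example; this is not code from the report or from ANY.RUN. The section values and the entry point are the report's own; the section and file alignment defaults and the two entropy thresholds are assumptions. Run against this sample it reports the entry point inside `.text`, no writable-and-executable section, nothing at packer-like entropy, a `.text` entropy of 2.54 that is well below what compiled native code normally shows, and a `.data` section that maps 0x14688 bytes more than it stores on disk.

```python
"""Static triage of a PE section table.

Added example; not code from the ANY.RUN report. The section records below
are transcribed from the report's section table and the entry point from its
optional-header summary. Alignment values and every threshold are assumptions.
"""
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = "IMAGE_SCN_MEM_EXECUTE"
IMAGE_SCN_MEM_WRITE = "IMAGE_SCN_MEM_WRITE"

# Assumptions: PE32 defaults, not values printed in the report.
SECTION_ALIGNMENT = 0x1000
FILE_ALIGNMENT = 0x200
PACKED_ENTROPY = 7.0    # above this a section is usually compressed or encrypted
LOW_CODE_ENTROPY = 4.0  # compiled x86 code normally sits well above this


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: frozenset
    entropy: float


# Transcribed from the report's section table.
SECTIONS = [
    Section(".text", 0x00001000, 0x0005F064, 0x0005F200,
            frozenset({"IMAGE_SCN_CNT_CODE", IMAGE_SCN_MEM_EXECUTE, "IMAGE_SCN_MEM_READ"}), 2.5352),
    Section(".rdata", 0x00061000, 0x00001093, 0x00001200,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}), 4.77027),
    Section(".data", 0x00063000, 0x0015E288, 0x00149C00,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", IMAGE_SCN_MEM_WRITE}), 4.01121),
    Section(".rsrc", 0x001C2000, 0x000072A8, 0x00007400,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}), 2.05865),
]
ENTRY_POINT = 0x35A1  # AddressOfEntryPoint (RVA) from the report


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def mapped_end(section):
    """RVA one past the section's mapped range, as the loader lays it out."""
    size = section.virtual_size or section.raw_size
    return section.virtual_address + align_up(size, SECTION_ALIGNMENT)


def section_for_rva(sections, rva):
    """Return the section whose mapped range contains rva, or None."""
    for s in sections:
        if s.virtual_address <= rva < mapped_end(s):
            return s
    return None


def triage(sections, entry_point):
    """Return (severity, message) findings; 'info' entries are context, not alarms."""
    findings = []
    ep = section_for_rva(sections, entry_point)
    if ep is None:
        findings.append(("high", f"entry point 0x{entry_point:x} lies outside every section"))
    elif IMAGE_SCN_MEM_EXECUTE not in ep.characteristics:
        findings.append(("high", f"entry point 0x{entry_point:x} is in non-executable section {ep.name}"))
    else:
        findings.append(("info", f"entry point 0x{entry_point:x} is in {ep.name}"))

    ordered = sorted(sections, key=lambda s: s.virtual_address)
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.virtual_address < mapped_end(prev):
            findings.append(("high", f"{prev.name} and {nxt.name} overlap in memory"))

    for s in sections:
        if {IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE} <= s.characteristics:
            findings.append(("high", f"{s.name} is writable and executable"))
        if s.entropy >= PACKED_ENTROPY:
            findings.append(("medium", f"{s.name} entropy {s.entropy:.2f} suggests packed or encrypted content"))
        if IMAGE_SCN_MEM_EXECUTE in s.characteristics and s.entropy < LOW_CODE_ENTROPY:
            findings.append(("medium", f"{s.name} entropy {s.entropy:.2f} is low for native code; mostly padding or data?"))
        if s.raw_size == 0 and s.virtual_size:
            findings.append(("medium", f"{s.name} has no bytes on disk but 0x{s.virtual_size:x} mapped; filled at runtime"))
        elif s.virtual_size > align_up(s.raw_size, FILE_ALIGNMENT):
            extra = s.virtual_size - s.raw_size
            findings.append(("info", f"{s.name} maps 0x{extra:x} bytes beyond its raw data (zero-filled tail)"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SECTIONS, ENTRY_POINT):
        print(f"[{severity}] {message}")
```

The zero-filled tail on `.data` is normal for a section that also holds uninitialised globals; it is listed as context so that the analyst knows where the in-memory image is larger than the file, which matters when carving or dumping the process later.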

Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 1.98048 | 20 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
2 | 2.02322 | 20 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
3 | 2.16096 | 20 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
4 | 2.06096 | 20 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
5 | 2.16096 | 20 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
6 | 2.02322 | 20 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |

Imported DLL |
---|
advapi32.dll |
comdlg32.dll |
gdi32.dll |
kernel32.dll |
mapi32.dll |
mshtml.dll |
msvcrt.dll |
ole32.dll |
shell32.dll |
user32.dll |

PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3004 | "C:\Users\admin\AppData\Local\Temp\e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe" | C:\Users\admin\AppData\Local\Temp\e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | | explorer.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
2268 | -zj | C:\Program Files\Windows Media Player\wmplayer.exe | | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Media Player; Version: 12.0.7600.16385 (win7_rtm.090713-1255) | | | | |

(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(3004) e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | HKEY_CURRENT_USER\Software\Microsoft\ZSCU | write | ojmpw | |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3004 | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | C:\ProgramData\xiq\ygphgcu.got | binary | 5551130C468E64B6C11587AAB9442AE7 | 61D766B3FB69634B88E37524E0A46094D70B589C97731BC511BCC2D6BCDC1737 |
3004 | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | C:\ProgramData\xiq\kxhfs.gaj | binary | 78DE3D2D57C4F766117A912CE4C0B4A3 | 9B3FB5A19CF4EAAFCD212CF169A90CCC8AA7318868481386D3305673DEA111B2 |
3004 | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | C:\Users\admin\AppData\Local\Temp\aodtep.eud | binary | 47FBE0E00CB722B6B9C94242741471E3 | 3AA0133369D6BFCDFABB4A73CF8D71AF77D4A1EAD7401DED7CCD4651DF220513 |
3004 | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | C:\Users\admin\AppData\Local\Temp\zscuza.ref | binary | 65FE5500BA13C454696F1018093638C9 | 66A888C8ADDADC6CCC6474D4D18B273CB6A06DDFEECA08C843EF9AE74DA9424C |


PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3004 | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | 8.8.4.4:53 | — | Google Inc. | US | whitelisted |
3004 | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
— | — | 8.8.4.4:53 | — | Google Inc. | US | whitelisted |
2268 | wmplayer.exe | 8.8.4.4:53 | — | Google Inc. | US | whitelisted |
2268 | wmplayer.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |

Domain | IP | Reputation |
---|---|---|
microsoft.com | | whitelisted |
trhsi.com | | malicious |
ohaojz.net | | unknown |
kvuptnv.com | | unknown |
vraaxgezeffy.pw | | malicious |
cbsoscccqz.com | | unknown |
cxosqt.net | | unknown |
nzllenx.net | | unknown |
hxtmvmhegvkj.net | | unknown |
qbnaxdutbz.com | | unknown |


PID | Process | Class | Message |
---|---|---|---|
3004 | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
3004 | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
3004 | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
3004 | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
3004 | e273adb9c5133a21c4f8258a52dc5e5eb8a2e8efec7c69c68b6bee7bc8ca1d43.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
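The alerts above fire on one thing only, a query for a name under `.pw`, while the DNS table lists nine other random-looking names with no resolved address recorded and, for most of them, no reputation at all. The script below, added here as an example and not code from the report, from ANY.RUN or from the Emerging Threats ruleset, runs the report's query names through two checks: a TLD watchlist that reimplements the idea behind the `*.pw` signature (the signature itself matches on the DNS query name in Suricata), and a lexical score for names that do not look pronounceable. The watchlist, the thresholds and the verdict tiers are assumptions. Note the limit it shows: the lexical score alone still passes ohaojz.net, which is why reputation and sinkhole data, not string heuristics, should carry the final verdict on a list like this one.

```python
"""DNS query checks over the names the sample and wmplayer.exe resolved.

Added example; not code from the ANY.RUN report or from the ET ruleset. The
query names and the report's reputation labels are transcribed from the table
above. The TLD watchlist, the lexical thresholds and the verdict tiers are
assumptions.
"""

# Transcribed from the report's DNS table: query name -> reputation the report assigned.
REPORTED_QUERIES = {
    "microsoft.com": "whitelisted", "trhsi.com": "malicious", "ohaojz.net": "unknown",
    "kvuptnv.com": "unknown", "vraaxgezeffy.pw": "malicious", "cbsoscccqz.com": "unknown",
    "cxosqt.net": "unknown", "nzllenx.net": "unknown", "hxtmvmhegvkj.net": "unknown",
    "qbnaxdutbz.com": "unknown",
}

TLD_WATCHLIST = {"pw"}      # assumption: mirrors the "*.pw" alert above
VOWELS = set("aeiou")
MIN_LABEL_LEN = 5           # assumption: lexical tests are noise on short labels
MAX_CONSONANT_RUN = 4       # assumption: four or more consonants in a row is rare in English
MAX_VOWEL_RATIO = 0.25      # assumption


def registrable_label(name):
    """Second-level label; assumption: no multi-part public suffixes such as co.uk."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def longest_consonant_run(label):
    best = run = 0
    for ch in label:
        run = run + 1 if (ch.isalpha() and ch not in VOWELS) else 0
        best = max(best, run)
    return best


def dga_score(label):
    """Number of lexical signals present; 0 means the label looks pronounceable."""
    if len(label) < MIN_LABEL_LEN:
        return 0
    score = 0
    if longest_consonant_run(label) >= MAX_CONSONANT_RUN:
        score += 1
    letters = [c for c in label if c.isalpha()]
    if letters and sum(c in VOWELS for c in letters) / len(letters) < MAX_VOWEL_RATIO:
        score += 1
    return score


def classify(name):
    tld = name.lower().rstrip(".").rsplit(".", 1)[-1]
    score = dga_score(registrable_label(name))
    tld_hit = tld in TLD_WATCHLIST
    if tld_hit or score >= 2:
        verdict = "alert"
    elif score == 1:
        verdict = "review"
    else:
        verdict = "ok"
    return {"domain": name, "tld_watchlist": tld_hit, "dga_score": score, "verdict": verdict}


def run(names):
    return [classify(name) for name in names]


if __name__ == "__main__":
    for result in run(REPORTED_QUERIES):
        print(f"{result['domain']:<18} {result['verdict']:<7} score={result['dga_score']} "
              f"tld_hit={str(result['tld_watchlist']):<5} report={REPORTED_QUERIES[result['domain']]}")
```

On this list the TLD check catches vraaxgezeffy.pw on its own, the lexical score raises trhsi.com, kvuptnv.com, cbsoscccqz.com, nzllenx.net and hxtmvmhegvkj.net, and cxosqt.net and qbnaxdutbz.com land in the review tier. A burst of such names from one process, none of which resolves, is itself the signal worth alerting on, independent of any single name.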