Field | Value |
---|---|
File name | dq.exe |
Full analysis | https://app.any.run/tasks/0430f50f-d725-4d50-8da9-b4c30d654c1e |
Verdict | Malicious activity |
Analysis date | August 12, 2022, 22:29:42 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (console) Intel 80386, for MS Windows |
MD5 | 16BBABDC9BE056D7D686DC5535715E3D |
SHA1 | A2505DE50DBDEEB2D52A1D946BE6344B5068AA30 |
SHA256 | E561CD233ED889E0C1DEAE74658551DDF868C7357ECCE771E2B1A72D3E40F21D |
SSDEEP | 24576:l+HiN6nK8BKB17BRAsG+Ax87G8hjKP/Nqo3V3:Ai+rY0SG81KP/Nqo3V3 |
Extension | File type (score) |
---|---|
.exe | Win64 Executable (generic) (64.6) |
.dll | Win32 Dynamic Link Library (generic) (15.4) |
.exe | Win32 Executable (generic) (10.5) |
.exe | Generic Win/DOS Executable (4.6) |
.exe | DOS Executable Generic (4.6) |
Field | Value |
---|---|
MachineType | Intel 386 or later, and compatibles |
TimeStamp | 2022:08:13 00:29:33+02:00 |
PEType | PE32 |
LinkerVersion | 14.29 |
CodeSize | 723968 |
InitializedDataSize | 380416 |
UninitializedDataSize | - |
EntryPoint | 0x9664a |
OSVersion | 6 |
ImageVersion | - |
SubsystemVersion | 6 |
Subsystem | Windows command line |

Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 12-Aug-2022 22:29:33 |
Detected languages | |
DOS header field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x00000108 |
PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 5 |
Time date stamp | 12-Aug-2022 22:29:33 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000B0AB4 | 0x000B0C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.61502 |
.rdata | 0x000B2000 | 0x0004AD74 | 0x0004AE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.20322 |
.data | 0x000FD000 | 0x00007E34 | 0x00005200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.88659 |
.rsrc | 0x00105000 | 0x000001E0 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.7123 |
.reloc | 0x00106000 | 0x00009C5C | 0x00009E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.5903 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST |
Imported DLL |
---|
ADVAPI32.dll |
CRYPT32.dll |
KERNEL32.dll |
USER32.dll |
WS2_32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1300 | "C:\Users\admin\Desktop\dq.exe" | C:\Users\admin\Desktop\dq.exe | | Explorer.EXE |

User: admin, Integrity Level: MEDIUM
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1300 | dq.exe | C:\Users\admin\Links\desktop.ini.protected | binary | 15FB653FD6E758A4004CECA4375226C8 | F34FD5116D35FBCE21953DE4A83266FABE190C953EAAF93412810DC783B9B060 |
1300 | dq.exe | C:\Users\admin\Pictures\desktop.ini.protected | binary | 6D54ECC02429C137CED724E21427FE38 | 700437FB851AB3BFDB41D4BD4BC5BA9F883FAC23C2E44493CA9A035CA2A04F90 |
1300 | dq.exe | C:\Users\admin\Contacts\desktop.ini.protected | binary | 7F4503765E0217D1CA9898FF8B04C6CB | 0E7DC6CB2DA22E07F06C4C3E2189C6B9C1CA7DD9577DEAB5453A189EF5624FEC |
1300 | dq.exe | C:\Users\admin\Documents\commissionenvironmental.rtf.protected | binary | C4EE77A0419BD4B25005B118126FE8DB | B1A5EE4953CD251692A1DBAE1BAE481FD79783A54F2DA7FEE587639FC0F06D5D |
1300 | dq.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.protected | binary | E42FDCFCC0B394302F82A1893C55BB26 | 0839EECAD27FF81D93686F9C94DD3DD76420B3D474A802773C85020040560560 |
1300 | dq.exe | C:\Users\admin\Favorites\desktop.ini.protected | binary | 942916E6F4F94C610D9BBB86CE89FA6F | E549684F91BDBC9351DF3F920805875DD0F360FE90490110CFF018286B29335A |
1300 | dq.exe | C:\Users\admin\Music\desktop.ini.protected | binary | A6B218D95DDB8536EDA8A73E4F756F5C | 38185A1D034763AFCC2CB86171C0808D1CF12A55C67846882316AD8F90258415 |
1300 | dq.exe | C:\Users\admin\Downloads\desktop.ini.protected | binary | 4332BD83EE02AE421E9825CC27530A20 | E21548C80CA45425B7662D28E48292E018A5D79103409084BEAE994D903A51B7 |
1300 | dq.exe | C:\Users\admin\ntuser.ini.protected | binary | 147D81D28B1092CE6D84DA8DB4F81E74 | 217713096AE8CC920BEC659CC3523BC26CFAC691A9E93F8ED799216601DD8D0C |
1300 | dq.exe | C:\Users\admin\Contacts\admin.contact.protected | binary | 016B09CEEF7A8E0CE4A6E5CAC6275523 | A1249F4104101D76D146E0999807E98B147052DC765D441DDE9D63A38FCB88F5 |