Field | Value
---|---
File name | f5d95a88f78ec551e648a68f084faecc98d94b22.exe
Full analysis | https://app.any.run/tasks/79a0a4d7-aa42-4f75-a471-5fff1b92cf3e
Verdict | Malicious activity
Analysis date | January 10, 2019, 19:49:34
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-dosexec
File info | PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5 | B34A49301F280A04D59AB288630855EE
SHA1 | F5D95A88F78EC551E648A68F084FAECC98D94B22
SHA256 | E59515A8BAA2988627BA68C97928F77D11FD11F93527C7359C2D7897FD5FD464
SSDEEP | 24576:f2O/Gl8O9ZwSPLY1C71LwR71+wmxhKbH3rUO46Gm:E8C71L48wmxUT3ie
Extension | Detected type (match score)
---|---
.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)
Field | Value
---|---
Subsystem | Windows GUI
SubsystemVersion | 5
ImageVersion | -
OSVersion | 5
EntryPoint | 0xac87
UninitializedDataSize | -
InitializedDataSize | 58880
CodeSize | 74752
LinkerVersion | 9
PEType | PE32
TimeStamp | 2012:06:09 15:19:49+02:00
MachineType | Intel 386 or later, and compatibles
Field | Value
---|---
Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 09-Jun-2012 13:19:49
Detected languages | 
Debug artifacts | 
DOS header field | Value
---|---
Magic number | MZ
Bytes on last page of file | 0x0090
Pages in file | 0x0003
Relocations | 0x0000
Size of header | 0x0004
Min extra paragraphs | 0x0000
Max extra paragraphs | 0xFFFF
Initial SS value | 0x0000
Initial SP value | 0x00B8
Checksum | 0x0000
Initial IP value | 0x0000
Initial CS value | 0x0000
Overlay number | 0x0000
OEM identifier | 0x0000
OEM information | 0x0000
Address of NE header | 0x000000F0
PE header field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
Number of sections | 5
Time date stamp | 09-Jun-2012 13:19:49
Pointer to Symbol Table | 0x00000000
Number of symbols | 0
Size of Optional Header | 0x00E0
Characteristics | 
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0001231E | 0x00012400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.55555 |
.rdata | 0x00014000 | 0x00001D15 | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.99401 |
.data | 0x00016000 | 0x00017724 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.54914 |
.CRT | 0x0002E000 | 0x00000020 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.394141 |
.rsrc | 0x0002F000 | 0x0000C2C0 | 0x0000C400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.48584 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.20816 | 1464 | Latin 1 / Western European | English - United States | RT_MANIFEST |
7 | 3.24143 | 556 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 3.26996 | 974 | Latin 1 / Western European | English - United States | RT_STRING |
9 | 3.04375 | 530 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 3.16254 | 776 | Latin 1 / Western European | English - United States | RT_STRING |
11 | 3.06352 | 380 | Latin 1 / Western European | English - United States | RT_STRING |
12 | 2.33959 | 102 | Latin 1 / Western European | English - United States | RT_STRING |
100 | 1.91924 | 20 | Latin 1 / Western European | Process Default Language | RT_GROUP_ICON |
101 | 4.19099 | 2998 | Latin 1 / Western European | English - United States | RT_BITMAP |
ASKNEXTVOL | 3.42597 | 646 | Latin 1 / Western European | English - United States | RT_DIALOG |
Imported library
---
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
ole32.dll
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3132 | "C:\Users\admin\AppData\Local\Temp\f5d95a88f78ec551e648a68f084faecc98d94b22.exe" | C:\Users\admin\AppData\Local\Temp\f5d95a88f78ec551e648a68f084faecc98d94b22.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3012 | "C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe" fld=ktl | C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe | — | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | User: admin; Company: AutoIt Team; Integrity Level: MEDIUM; Description: AutoIt v3 Script; Exit code: 0; Version: 3, 3, 14, 5
4080 | C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe C:\Users\admin\AppData\Local\Temp\88465914\HAWRN | C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe | — | lwh.exe | User: admin; Company: AutoIt Team; Integrity Level: MEDIUM; Description: AutoIt v3 Script; Exit code: 0; Version: 3, 3, 14, 5
3248 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | — | lwh.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Services Installation Utility; Version: 4.6.1055.0 built by: NETFXREL2
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
3132 | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
3132 | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
4080 | lwh.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | qwertyhfdsd.exe | C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe C:\Users\admin\AppData\Local\Temp\88465914\FLD_KT~1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3132 | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | C:\Users\admin\AppData\Local\Temp\88465914\plv.mp4 | text | 61F1AA2F3A4EC269B21904A9501F5F67 | DBADEF1663555F8D0AA056A87CF9E7403926B26D44D45198982973E41836DD95
3132 | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | C:\Users\admin\AppData\Local\Temp\88465914\ibw.mp4 | text | 7CBA224E33403861F74573F8464D3D2F | AD912169922C0F25F333CF4235429B63C567E349080A4CB6C78F2F49F8279F7E
3132 | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | C:\Users\admin\AppData\Local\Temp\88465914\mlk.mp4 | text | 240A4E26582B6D589FF0E49C72E1007A | 768BB11A1A76F4704FC35EA39E8F8926B998E1A2D1DADF87E7042AE29E3966E2
3132 | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | C:\Users\admin\AppData\Local\Temp\88465914\fjd.pdf | text | EA3E95E581795A8FAD88E8F5BC6523BB | FCE44787111ED976DA4EADE1D9FF438D1854BC4B3A9A44C71936BE4B8BCD53CA
3132 | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | C:\Users\admin\AppData\Local\Temp\88465914\olh.mp3 | text | 7B4BC7C28EA0FFB5BA1B2668B5E49DCD | 5D3CB61FEFFAB53D0E3A8B651191AE33A309FF163E0D3A807F0B454FB5903BB8
3132 | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | C:\Users\admin\AppData\Local\Temp\88465914\mvk.xl | text | B94467AEF46E19383EB48C5A2471AFE3 | C4C434AE9D22A3249C53AF8C683ADEBD148E658C08F433533A1F067B3219D556
3132 | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | C:\Users\admin\AppData\Local\Temp\88465914\kwp.xl | text | 60BCE68219AC22682488F4B02405694E | DD206DE951223BE9B409FE0884603B17B35FF409AE19253E4B12EC09C77934E1
3132 | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | C:\Users\admin\AppData\Local\Temp\88465914\idn.docx | text | B0341DF38A4783109002AB4CF33C9D55 | C2073FFEBE269E494A467760438C9F2A34C109584965555E4A5FFE2FEBEB4858
3132 | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | C:\Users\admin\AppData\Local\Temp\88465914\etl.mp3 | text | 6C39E2343BD4BEDB8810AE1CA1F6E9C0 | 7F3050A43EFBD6D2E67C43E11002A3C99CE47E06F39A99BF645A1CC1667A0EFA
3132 | f5d95a88f78ec551e648a68f084faecc98d94b22.exe | C:\Users\admin\AppData\Local\Temp\88465914\fld=ktl | text | 2AB49FF2E034D5C9CD371AA68FB4B67B | 04A711B91241C5D9B0513F02535B46C3CD9181ACE04C6A673DDE5DA1486373DF
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3248 | RegSvcs.exe | 45.249.90.124:1609 | idea1com2002.duckdns.org | Korea Telecom | KR | malicious |
Domain | IP | Reputation
---|---|---
idea1com2002.duckdns.org | | malicious
dns.msftncsi.com | | shared
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |