File name: | 仙女CXK.exe |
Full analysis: | https://app.any.run/tasks/5799014b-101f-44c9-8947-7aa713635d54 |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 02:57:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | B1D431B340E3E451997AA2DA21827C9B |
SHA1: | 53BFB2463E2756D1C13C070AD857A4B67F66675D |
SHA256: | E7493E3C994D607C08AEDF329A20FE3EDFCDB9D45E6364B0519D701237C118D2 |
SSDEEP: | 196608:lpkr2dY/aBcjJOBHOBIQBajMtWvoJiLE1+XgRKz89G/4ZSb0Funwh6DsN2PIpCrJ:lpkr2dY/aBcjJOBHOBIQBajMtWvoJiL9 |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
---|---|---|
.exe | | | Win64 Executable (generic) (23.8) |
.dll | | | Win32 Dynamic Link Library (generic) (5.6) |
.exe | | | Win32 Executable (generic) (3.8) |
.exe | | | Generic Win/DOS Executable (1.7) |
AssemblyVersion: | 1.0.0.0 |
---|---|
ProductVersion: | 1.0.0.0 |
ProductName: | 仙女CXK |
OriginalFileName: | 仙女CXK.exe |
LegalTrademarks: | - |
LegalCopyright: | © 2020 ઇ仙女之梦ଓ |
InternalName: | 仙女CXK.exe |
FileVersion: | 1.0.0.0 |
FileDescription: | 仙女CXK |
CompanyName: | - |
Comments: | virus |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x87b40e |
UninitializedDataSize: | - |
InitializedDataSize: | 131584 |
CodeSize: | 8885760 |
LinkerVersion: | 80 |
PEType: | PE32 |
TimeStamp: | 2100:02:18 00:21:49+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 12-Jan-1964 16:53:33 |
Debug artifacts: |
|
Comments: | virus |
CompanyName: | - |
FileDescription: | 仙女CXK |
FileVersion: | 1.0.0.0 |
InternalName: | 仙女CXK.exe |
LegalCopyright: | © 2020 ઇ仙女之梦ଓ |
LegalTrademarks: | - |
OriginalFilename: | 仙女CXK.exe |
ProductName: | 仙女CXK |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 12-Jan-1964 16:53:33 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x00879414 | 0x00879600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.89861 |
.rsrc | 0x0087C000 | 0x0001FF34 | 0x00020000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.97506 |
.reloc | 0x0089C000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.93168 | 3018 | UNKNOWN | UNKNOWN | RT_MANIFEST |
32512 | 1.59047 | 20 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3864 | "C:\Users\admin\AppData\Local\Temp\仙女CXK.exe" | C:\Users\admin\AppData\Local\Temp\仙女CXK.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: 仙女CXK Exit code: 3221226540 Version: 1.0.0.0 | ||||
3684 | "C:\Users\admin\AppData\Local\Temp\仙女CXK.exe" | C:\Users\admin\AppData\Local\Temp\仙女CXK.exe | explorer.exe | |
User: admin Integrity Level: HIGH Description: 仙女CXK Version: 1.0.0.0 | ||||
3052 | taskkill /f /im explorer.exe | C:\Windows\system32\taskkill.exe | — | 仙女CXK.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3172 | taskkill /f /im explorer.exe | C:\Windows\system32\taskkill.exe | — | 仙女CXK.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
256 | taskkill /f /im taskmgr.exe | C:\Windows\system32\taskkill.exe | — | 仙女CXK.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3104 | cmd /c takeown /f c:\windows\system32\taskmgr.exe /a | C:\Windows\system32\cmd.exe | — | 仙女CXK.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3096 | cmd /c echo y|cacls c:\windows\system32\taskmgr.exe /p %username%:f | C:\Windows\system32\cmd.exe | — | 仙女CXK.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3748 | cmd /c del /q /f c:\windows\system32\taskmgr.exe | C:\Windows\system32\cmd.exe | — | 仙女CXK.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2588 | C:\Users\admin\AppData\Local\Temp\fairyvirus.exe | C:\Users\admin\AppData\Local\Temp\fairyvirus.exe | — | 仙女CXK.exe |
User: admin Integrity Level: HIGH Description: fairyvirus Version: 1.0.0.0 | ||||
2616 | takeown /f c:\windows\system32\taskmgr.exe /a | C:\Windows\system32\takeown.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Takes ownership of a file Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2588) fairyvirus.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
Operation: | write | Name: | Name |
Value: fairyvirus.exe | |||
(PID) Process: | — | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layout |
Operation: | write | Name: | Scancode Map |
Value: 00000000000000006E00000000000E0000003A00000053E000004FE000001C0000000100000047E0000052E00000380000001D0000002A0000005BE000004500000051E0000049E000005EE0000037E0000038E000001DE00000360000005CE00000460000005FE00000390000000F00000063E0000016E00000520000004F00000050000000510000004B0000004C0000004D0000004700000048000000490000004A0000003700000053000000350000004E0000001CE000003B0000003C0000003D0000003D0000003E0000003F000000400000004100000042000000430000004400000057000000580000006400000065000000660000004BE000004DE0000048E0000050E00000280000000C000000330000003400000035000000270000001A0000002B0000001B000000290000000D0000000B00000002000000030000000400000005000000060000000700000008000000090000000A0000001E000000300000002E0000002000000012000000210000002200000023000000170000002400000025000000260000003200000031000000180000001900000010000000130000001F00000014000000160000002F000000110000002D000000150000002C00000000000000000000000000 | |||
(PID) Process: | (2588) fairyvirus.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MPEG2Demultiplexer |
Operation: | write | Name: | StreamType |
Value: 0 | |||
(PID) Process: | (2588) fairyvirus.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MPEG2Demultiplexer |
Operation: | write | Name: | WriteCapture |
Value: 0 | |||
(PID) Process: | (2588) fairyvirus.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MPEG2Demultiplexer |
Operation: | write | Name: | WriteCaptureDir |
Value: c:\dm.capture\ | |||
(PID) Process: | (2588) fairyvirus.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MPEG2Demultiplexer |
Operation: | write | Name: | WriteCapturePath |
Value: | |||
(PID) Process: | (2588) fairyvirus.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2588) fairyvirus.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2588) fairyvirus.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (2588) fairyvirus.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences |
Operation: | write | Name: | LastScreensaverSetThreadExecutionState |
Value: 2147483648 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2588 | fairyvirus.exe | C:\Users\admin\AppData\Local\Temp\cxk.mp4 | — | |
MD5:— | SHA256:— | |||
3684 | 仙女CXK.exe | C:\Users\admin\AppData\Local\Temp\AxInterop.WMPLib.dll | executable | |
MD5:80C588BB7ED0BD76B7567026C82A9012 | SHA256:BD63FB388C368EC62C135EBB65A0CBF092346D047069F50408F51EA63B7A47E4 | |||
3684 | 仙女CXK.exe | C:\Users\admin\AppData\Local\Temp\cppGDI1.exe | executable | |
MD5:C481A0CDE1748DF58D897F7457CF3DE5 | SHA256:1C7AAC37669A0D306998F08C59FEE94612C607483DC730349E3CC09A27854834 | |||
3684 | 仙女CXK.exe | C:\Users\admin\AppData\Local\Temp\mbrqwq.exe | executable | |
MD5:22E312630F8F059E0F4FA49275AD56AA | SHA256:93A836CDE4E9A7E493446334682CF543CB7D08A6CF557B90A2C38E2495DF8247 | |||
3684 | 仙女CXK.exe | C:\Users\admin\AppData\Local\Temp\cppGDI2.exe | executable | |
MD5:F2A57B2D281D56FB605487FFE79B9B50 | SHA256:354647AB0E0BF246438979D808CE970C16AC8EA4F1E62C070D68BBC8104D61EB | |||
3684 | 仙女CXK.exe | C:\Users\admin\AppData\Local\Temp\qaqaq.bat | text | |
MD5:6A28416EA641B970D9BB1B18613758AC | SHA256:52F44FA811FF337DE015867F52FC5C3AB27FF749B05D9B03AADB44FAF49607D2 | |||
3684 | 仙女CXK.exe | C:\Users\admin\AppData\Local\Temp\Interop.WMPLib.dll | executable | |
MD5:A4D073B89521E0ED9ABFF5B192FB64C1 | SHA256:FFF50CDAEAA05A7EB8E559490DB0274387A941D21F34A308D3E8C1F088026605 | |||
3684 | 仙女CXK.exe | C:\Users\admin\AppData\Local\Temp\fairyvirus.exe | executable | |
MD5:CD67F5260F63260A88D3A832CAE9C740 | SHA256:18C46170F54AE4CFE633BDCFCF523DA8E30B43DAB4FC7ECCC7B969C74C704616 |