File name: | TempLAM93.exe |
Full analysis: | https://app.any.run/tasks/7bb50bf4-0d73-4e15-88dd-f2b1074ab614 |
Verdict: | Malicious activity |
Threats: | GandCrab is one of the most widely known ransomware families. Ransomware is malware that encrypts the victim's files and demands payment to restore access; if the victim does not pay, the files stay inaccessible unless a working decryptor or an unaffected backup is available. |
Analysis date: | January 23, 2019, 08:12:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5: | 1D3C726B9521AC58F61CA22CC1C18B68 |
SHA1: | A64E3A3B57A3BEBF464569B485E464EA15B87AA5 |
SHA256: | E80D142E0E27FE37FCD18768812E97EF5F73F60175CDFCE0049D63F3A08E5EEA |
SSDEEP: | 3072:mM3cKLN/xBeIuXQcd22ZjNRmPVJpoSXeYU2IjmE4fI568b+uMwUG7UYw2sFIUTD6:mM3ciNZBeXQANNRmPluHLmf86i2wUG7l |
Extension | File type identification | Match (%)
---|---|---
.exe | UPX compressed Win32 Executable | 64.2
.dll | Win32 Dynamic Link Library (generic) | 15.6
.exe | Win32 Executable (generic) | 10.6
.exe | Generic Win/DOS Executable | 4.7
.exe | DOS Executable Generic | 4.7
Field | Value
---|---
MachineType: | Intel 386 or later, and compatibles
TimeStamp: | 2017:08:30 18:46:17+02:00 |
PEType: | PE32 |
LinkerVersion: | 10 |
CodeSize: | 159744 |
InitializedDataSize: | 28672 |
UninitializedDataSize: | 176128 |
EntryPoint: | 0x52130 |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.0.0.0 |
ProductVersionNumber: | 1.0.0.0 |
FileFlagsMask: | 0x004f |
FileFlags: | (none) |
FileOS: | Unknown (0x40534) |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Unknown (457A) |
CharacterSet: | Unknown (A56B) |
FileVersion: | 8.4.9.55 |
InternalName: | sewumi.exe |
LegalCopyright: | Copyright (C) 2018, difihixubizup |
Field | Value
---|---
Architecture: | IMAGE_FILE_MACHINE_I386
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 30-Aug-2017 16:46:17 |
Field | Value
---|---
Magic number: | MZ
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F0 |
Field | Value
---|---
Signature: | PE
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 30-Aug-2017 16:46:17 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x0002B000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x0002C000 | 0x00027000 | 0x00026400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.7611 |
.rsrc | 0x00053000 | 0x00007000 | 0x00007000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.61619 |
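The section table above is the classic UPX layout: an empty, writable and executable UPX0 that the stub fills at run time, a near-maximum-entropy UPX1 holding the compressed image, and a compile timestamp (2017) that predates the copyright string (2018) in the version resource. The script below is an added example, not part of the ANY.RUN report: it transcribes the section rows from the table and applies the packer-triage heuristics a practitioner would run on any new sample. The entropy threshold and the reason wording are this example's own choices.

```python
# Added example (not part of the ANY.RUN report): packer-triage heuristics applied to the
# section table of this sample. Section values are transcribed from the report; the
# thresholds are the author's assumptions, not ANY.RUN's.
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    virtual_size: int
    raw_size: int
    characteristics: frozenset
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) .. 8.0 (uniform); what the Entropy column measures."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


EXEC = "IMAGE_SCN_MEM_EXECUTE"
WRITE = "IMAGE_SCN_MEM_WRITE"
READ = "IMAGE_SCN_MEM_READ"
UNINIT = "IMAGE_SCN_CNT_UNINITIALIZED_DATA"
INIT = "IMAGE_SCN_CNT_INITIALIZED_DATA"

# Transcribed from the section table of this report.
SECTIONS = [
    Section("UPX0", 0x2B000, 0x0, frozenset({UNINIT, EXEC, READ, WRITE}), 0.0),
    Section("UPX1", 0x27000, 0x26400, frozenset({INIT, EXEC, READ, WRITE}), 7.7611),
    Section(".rsrc", 0x7000, 0x7000, frozenset({INIT, READ, WRITE}), 5.61619),
]

HIGH_ENTROPY = 7.0  # assumed threshold; compressed or encrypted code sits close to 8.0


def packer_indicators(sections):
    """Return human-readable reasons why the section layout looks packed."""
    reasons = []
    if any(s.name.upper().startswith("UPX") for s in sections):
        reasons.append("UPX section names (trivially renamed; never rely on this alone)")
    for s in sections:
        if s.raw_size == 0 and s.virtual_size > 0 and EXEC in s.characteristics:
            reasons.append(f"{s.name}: 0 bytes on disk but {s.virtual_size:#x} bytes in memory "
                           "and executable (empty section the unpacking stub fills at run time)")
        if s.entropy >= HIGH_ENTROPY and EXEC in s.characteristics:
            reasons.append(f"{s.name}: entropy {s.entropy:.2f} in an executable section "
                           "(compressed or encrypted code rather than plain x86)")
        if EXEC in s.characteristics and WRITE in s.characteristics and s.raw_size > 0:
            reasons.append(f"{s.name}: writable and executable section (self-modifying code)")
    return reasons


def timestamp_vs_copyright(compile_year: int, legal_copyright: str):
    """A PE timestamp older than the copyright year it ships with hints at a forged or
    stale header. Returns a reason string or None."""
    m = re.search(r"(?:19|20)\d{2}", legal_copyright)
    if m and int(m.group(0)) > compile_year:
        return f"PE timestamp year {compile_year} predates LegalCopyright year {m.group(0)}"
    return None


if __name__ == "__main__":
    for r in packer_indicators(SECTIONS):
        print("-", r)
    print("-", timestamp_vs_copyright(2017, "Copyright (C) 2018, difihixubizup"))
```

For a real binary the same `Section` records can be filled from a PE parser and `shannon_entropy` run over each section's raw bytes; the empty UPX0 plus a high-entropy UPX1 is the pattern to dump the process from memory on, rather than trying to analyse the file on disk.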
Imported DLL |
---|
ADVAPI32.dll |
GDI32.dll |
KERNEL32.DLL |
SHELL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2932 | "C:\Users\admin\AppData\Local\Temp\TempLAM93.exe" | C:\Users\admin\AppData\Local\Temp\TempLAM93.exe | | explorer.exe |
User: admin Integrity Level: MEDIUM | ||||
2536 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | | TempLAM93.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3448 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
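The one line in the process tree that gives the sample away before any file is touched is PID 2536: the dropper in the user's Temp directory spawns `wmic.exe shadowcopy delete`, which wakes `vssvc.exe` and destroys the restore points. The script below is an added example, not part of the ANY.RUN report: a detection for that step run over constructed process-creation events. The first event mirrors PID 2536 (the parent path is taken from PID 2932); the two vssadmin events are constructed benign and malicious look-alikes; the field names follow no particular product's schema, and the severity split is this example's assumption.

```python
# Added example (not part of the ANY.RUN report): flag shadow-copy / recovery tampering
# (ATT&CK T1490) in process-creation events and weight it by where the parent runs from.
# Events are constructed for this example; field names are not tied to any product.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str
    user: str


# Command lines that remove or disable the recovery points ransomware wants gone.
SHADOW_TAMPER = [
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# Parents started from user-writable locations; legitimate admin tooling is not launched from here.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Users\\Public|ProgramData)\\", re.I)


def classify(ev: ProcEvent):
    """Return (severity, reasons); severity is 'high', 'medium' or None."""
    reasons = []
    for label, pattern in SHADOW_TAMPER:
        if pattern.search(ev.command_line):
            reasons.append(f"{label} in command line")
            break
    if not reasons:
        return None, []
    if USER_WRITABLE.search(ev.parent_image):
        reasons.append(f"parent {ev.parent_image} runs from a user-writable directory")
    # wmic/vssadmin are legitimate tools: the command alone is medium, a dropper-like parent
    # makes it high. Assumed weighting for this example.
    return ("high" if len(reasons) > 1 else "medium"), reasons


def scan(events):
    """Return [(pid, severity, reasons)] for every event that trips the rule."""
    hits = []
    for ev in events:
        severity, reasons = classify(ev)
        if severity:
            hits.append((ev.pid, severity, reasons))
    return hits


# Constructed events: the first mirrors PID 2536 in the report (parent path from PID 2932).
EVENTS = [
    ProcEvent(2536, r"C:\Windows\system32\wbem\wmic.exe",
              r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete',
              r"C:\Users\admin\AppData\Local\Temp\TempLAM93.exe", "SYSTEM"),
    ProcEvent(4100, r"C:\Windows\system32\vssadmin.exe",
              "vssadmin list shadows",
              r"C:\Windows\system32\cmd.exe", "admin"),
    ProcEvent(4102, r"C:\Windows\system32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet",
              r"C:\Windows\system32\cmd.exe", "admin"),
]


if __name__ == "__main__":
    for pid, severity, reasons in scan(EVENTS):
        print(f"PID {pid}: {severity}: " + "; ".join(reasons))
```

The rule deliberately keys on the command line rather than the image name, because the same deletion can be reached through `vssadmin`, `wbadmin`, WMI or PowerShell; the parent-path check is what separates a ransomware dropper from an administrator cleaning up a disk.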
(PID) Process: | (2932) TempLAM93.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data |
Operation: | write | Name: | ext |
Value: 2E006D006400700067007A00690061000000 (hex dump of the UTF-16LE string ".mdpgzia", the extension appended to encrypted files; compare Winre.wim.mdpgzia in the file events) | |||
(PID) Process: | (2932) TempLAM93.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data |
Operation: | write | Name: | public |
Value: (key material not reproduced here) | |||
(PID) Process: | (2932) TempLAM93.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data |
Operation: | write | Name: | private |
Value: (key material not reproduced here) | |||
(PID) Process: | (2932) TempLAM93.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2932) TempLAM93.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2932) TempLAM93.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TempLAM93_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2932) TempLAM93.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TempLAM93_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (2932) TempLAM93.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TempLAM93_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2932) TempLAM93.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TempLAM93_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2932) TempLAM93.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TempLAM93_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2932 | TempLAM93.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | |
MD5:— | SHA256:— | |||
2932 | TempLAM93.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | |
MD5:— | SHA256:— | |||
2932 | TempLAM93.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.mdpgzia | — | |
MD5:— | SHA256:— | |||
2932 | TempLAM93.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{05ed3515-06b3-48f6-8cf2-bf24b1bf0727}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
2932 | TempLAM93.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{16d74681-6bc3-4c44-97f0-8b8dfefe2355}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
2932 | TempLAM93.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{38e8535f-27d0-4352-aa3a-ce4178930102}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
2932 | TempLAM93.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{3cc0f82b-873a-4e59-b89f-689fbdf88af9}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
2932 | TempLAM93.exe | C:\Config.Msi\MDPGZIA-DECRYPT.txt | text | |
MD5:EFB3A6376481BA7CDA1BAF2E931E807E | SHA256:0A568344D4FCE55B7E7A50E970C4F78CA4CBA8462F0335ABC0B58DBD8CD69415 | |||
2932 | TempLAM93.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\MDPGZIA-DECRYPT.txt | text | |
MD5:EFB3A6376481BA7CDA1BAF2E931E807E | SHA256:0A568344D4FCE55B7E7A50E970C4F78CA4CBA8462F0335ABC0B58DBD8CD69415 | |||
2932 | TempLAM93.exe | C:\MDPGZIA-DECRYPT.txt | text | |
MD5:EFB3A6376481BA7CDA1BAF2E931E807E | SHA256:0A568344D4FCE55B7E7A50E970C4F78CA4CBA8462F0335ABC0B58DBD8CD69415 |
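The registry and file events above fit together: the `ext` value written to `HKLM\SOFTWARE\ex_data\data` is the UTF-16LE string `.mdpgzia`, the encrypted `Winre.wim` reappears as `Winre.wim.mdpgzia`, and the ransom note dropped into every directory is `MDPGZIA-DECRYPT.txt`. The script below is an added example, not part of the ANY.RUN report: it decodes the registry dump and uses the result to sort the file events into encrypted files, ransom notes and untouched paths. The hex dump and the paths are copied from the report; the rule that the note is named `<EXT>-DECRYPT.txt` is inferred from those artefacts, not read from the sample's code, and should be re-checked on any other build.

```python
# Added example (not part of the ANY.RUN report): decode the `ext` registry value written by
# PID 2932 and classify the file events of this run with it. Inputs are transcribed from the
# report; the <EXT>-DECRYPT.txt naming rule is an inference from this run's artefacts.
import re

EXT_VALUE_HEX = "2E006D006400700067007A00690061000000"  # HKLM\SOFTWARE\ex_data\data, value "ext"

# File events from the report (all written by PID 2932).
PATHS = [
    r"C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi",
    r"C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim",
    r"C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.mdpgzia",
    r"C:\Config.Msi\MDPGZIA-DECRYPT.txt",
    r"C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\MDPGZIA-DECRYPT.txt",
    r"C:\MDPGZIA-DECRYPT.txt",
]


def decode_utf16le_value(hex_dump: str) -> str:
    """Registry hex dump to text: UTF-16LE, cut at the first NUL (REG_SZ-style terminator)."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) % 2:
        raise ValueError("odd byte count cannot be UTF-16LE")
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def ransom_note_name(ext: str) -> str:
    """'.mdpgzia' -> 'MDPGZIA-DECRYPT.txt' (inferred from the notes dropped in this run)."""
    return ext.lstrip(".").upper() + "-DECRYPT.txt"


def classify_paths(paths, ext):
    """Split paths into (encrypted, notes, other) using the decoded extension."""
    note = ransom_note_name(ext).lower()
    encrypted_re = re.compile(re.escape(ext) + r"$", re.I)
    encrypted, notes, other = [], [], []
    for path in paths:
        base = path.rsplit("\\", 1)[-1].lower()
        if base == note:
            notes.append(path)
        elif encrypted_re.search(path):
            encrypted.append(path)
        else:
            other.append(path)
    return encrypted, notes, other


def original_name(encrypted_path: str, ext: str) -> str:
    """Strip the appended extension to recover the pre-encryption file name."""
    if encrypted_path.lower().endswith(ext.lower()):
        return encrypted_path[:-len(ext)]
    return encrypted_path


if __name__ == "__main__":
    ext = decode_utf16le_value(EXT_VALUE_HEX)
    encrypted, notes, other = classify_paths(PATHS, ext)
    print("extension:", ext, "| ransom note:", ransom_note_name(ext))
    for path in encrypted:
        print("encrypted:", path, "<-", original_name(path, ext))
    print("notes dropped:", len(notes), "| untouched:", len(other))
```

Because this family writes the extension to the registry before encrypting, reading that value from a live or imaged host gives the indicator to sweep the rest of the estate with (file extension and note name) without waiting for a full sample analysis.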
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2932 | TempLAM93.exe | GET | 301 | 138.201.162.99:80 | http://www.kakaocorp.link/ | DE | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2932 | TempLAM93.exe | 138.201.162.99:443 | www.kakaocorp.link | Hetzner Online GmbH | DE | malicious |
2932 | TempLAM93.exe | 138.201.162.99:80 | www.kakaocorp.link | Hetzner Online GmbH | DE | malicious |
Domain | IP | Reputation |
---|---|---|
www.kakaocorp.link | | malicious |