Field | Value |
---|---|
Download | 699.exe |
Full analysis | https://app.any.run/tasks/bba51187-05c4-4959-b82d-bc7d8b31b6b0 |
Verdict | Malicious activity |
Threats | GandCrab is probably one of the most famous ransomware families. Ransomware is malware that demands payment from the victim in order to restore access to encrypted files. If the user does not cooperate, the files are lost forever. |
Analysis date | November 08, 2018, 14:25:14 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 5789CFF32F02E907AFB3F6BFBDC20FAD |
SHA1 | B17C516326CB2945E0306CAC11A84BBA25129D57 |
SHA256 | ED12A14AADBB33B0DAE558663A9F2B1A54FB308CA3341C94D48AA2AA47791D16 |
SSDEEP | 12288:00F01vWbwH6Vue3wjnWNFrN8nH63ZEPQUEWwHc6rna:90MbQWwDq8nH6JIEWnf |
Extension | Description |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (42.2) |
.exe | Win64 Executable (generic) (37.3) |
.dll | Win32 Dynamic Link Library (generic) (8.8) |
.exe | Win32 Executable (generic) (6) |
.exe | Generic Win/DOS Executable (2.7) |
Field | Value |
---|---|
ProductVersion | 1.7.7.289 |
OriginalFileName | Clipping |
ProductName | Clipping |
Comments | Lying Popularized Lpx |
LegalCopyright | Vice Media (C) |
CompanyName | Vice Media |
LegalTrademarks | Vice Media (C) |
FileDescription | Lying Popularized Lpx |
PrivateBuild | 1.7.7.289 |
CharacterSet | Unicode |
LanguageCode | English (U.S.) |
FileSubtype | - |
ObjectFileType | Executable application |
FileOS | Windows NT 32-bit |
FileFlags | (none) |
FileFlagsMask | 0x003f |
ProductVersionNumber | 1.7.7.289 |
FileVersionNumber | 1.7.7.289 |
Subsystem | Windows GUI |
SubsystemVersion | 5.1 |
ImageVersion | - |
OSVersion | 5.1 |
EntryPoint | 0x1cf1d |
UninitializedDataSize | - |
InitializedDataSize | 463360 |
CodeSize | 201728 |
LinkerVersion | 10 |
PEType | PE32 |
TimeStamp | 2018:11:07 21:49:12+01:00 |
MachineType | Intel 386 or later, and compatibles |
Architecture | IMAGE_FILE_MACHINE_I386 |
Field | Value |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 07-Nov-2018 20:49:12 |
Detected languages | |
PrivateBuild | 1.7.7.289 |
FileDescription | Lying Popularized Lpx |
LegalTrademarks | Vice Media (C) |
CompanyName | Vice Media |
LegalCopyright | Vice Media (C) |
Comments | Lying Popularized Lpx |
ProductName | Clipping |
OriginalFilename | Clipping |
ProductVersion | 1.7.7.289 |
Field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x000000E0 |
Field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 4 |
Time date stamp | 07-Nov-2018 20:49:12 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000313F0 | 0x00031400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.69657 |
.rdata | 0x00033000 | 0x0000E1DA | 0x0000E200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.19933 |
.data | 0x00042000 | 0x00003D00 | 0x00001C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.824 |
.rsrc | 0x00046000 | 0x0006134C | 0x00061400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.66651 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.06868 | 752 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 4.14703 | 16936 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 5.0277 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 4.87724 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 5.65832 | 2440 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 5.48113 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
101 | 2.94141 | 90 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
373 | 0 | 2 | Latin 1 / Western European | English - United States | AFX_DIALOG_LAYOUT |
377 | 4 | 16 | Latin 1 / Western European | English - United States | RT_RCDATA |
378 | 3.50034 | 2386 | Latin 1 / Western European | English - United States | RT_RCDATA |
Imported library |
---|
ADVAPI32.dll |
AVIFIL32.dll |
COMDLG32.dll |
GDI32.dll |
IMM32.dll |
KERNEL32.dll |
NETAPI32.dll |
OLEAUT32.dll |
SHELL32.dll |
SHLWAPI.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3876 | "C:\Users\admin\Desktop\699.exe" | C:\Users\admin\Desktop\699.exe | | explorer.exe |

User | Company | Integrity Level | Description | Exit code |
---|---|---|---|---|
admin | Vice Media | MEDIUM | Lying Popularized Lpx | 3221225612 |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
3876 | 699.exe | HKEY_CURRENT_USER\Software\ex_data\data | write | ext | 2E00780067006D0077007500740062000000 |
3876 | 699.exe | HKEY_CURRENT_USER\Software\keys_data\data | write | public | 0602000000A40000525341310008000001000100A71F4050DD213FACBB8A2EAAF549E59BAE7075858341A6384B962CFB499EAA9603DA0220687A5613F888388AE154C5549E894416A6392C61921259E8EC246534E536A5019E5AF85D0CB015138D3CDA9D23115E840CB52C47A0B2CC962680F3F8F5935C83A0C896E0AE78CCFBF87A71C66F5A3C8BABC8CE9C356B7C5F5387B5EFB74C4319B230D84FB73BDAA2127F1EFF9D164AF9334A6978E912A7E6A06CFF4330DCCE8C2F5F6E217DA0F7366F6B2CBCA8CB6EF12B537DCC9FD655F3C6A8112BEBC089DC62A4B673E0F44CD3D0F95157437AA2695DB2756CDC39CB33EE65E66D907EA06FECD6ADFFCE034CE9BC8FC7CA48F49FBAFD9B406F17CC02FC9358AEE0 |
3876 | 699.exe | HKEY_CURRENT_USER\Software\keys_data\data | write | private | |