Field | Value |
---|---|
download | download.php |
Full analysis | https://app.any.run/tasks/7c1b484c-5c70-4f87-ac43-fd66780027e8 |
Verdict | Malicious activity |
Analysis date | June 16, 2019, 08:20:28 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5 | 1F19A5F196D8D79880D9B66D160034B6 |
SHA1 | D859A19D4C614A789D302F4EDD2E4DF65A2C0869 |
SHA256 | EF1423999CBEFD4F2A3A98ACEE2B194A4260268CB4517ABDA9F12963E866B7E5 |
SSDEEP | 49152:bO19djKdy5E/hVtfp0JqIfKJ2kIo/t/zIWy2aGJ7ndnaD4f23D:b0dZE/P70JryJLZ7IEaGFdaM+z |
Extension | File type match (score) |
---|---|
.exe | NSIS - Nullsoft Scriptable Install System (91.9) |
.exe | Win32 Executable MS Visual C++ (generic) (3.3) |
.exe | Win64 Executable (generic) (3) |
.dll | Win32 Dynamic Link Library (generic) (0.7) |
.exe | Win32 Executable (generic) (0.4) |
Field | Value |
---|---|
Subsystem | Windows GUI |
SubsystemVersion | 4 |
ImageVersion | - |
OSVersion | 4 |
EntryPoint | 0x4046 |
UninitializedDataSize | - |
InitializedDataSize | 155136 |
CodeSize | 24064 |
LinkerVersion | 6 |
PEType | PE32 |
TimeStamp | 2003:03:16 18:41:08+01:00 |
MachineType | Intel 386 or later, and compatibles |

Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 16-Mar-2003 17:41:08 |
Detected languages | |
DOS header field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x000000E8 |

PE file header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 4 |
Time date stamp | 16-Mar-2003 17:41:08 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00005DCA | 0x00005E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.47033 |
.rdata | 0x00007000 | 0x000011D4 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.23449 |
.data | 0x00009000 | 0x00023BFC | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.01799 |
.rsrc | 0x0002D000 | 0x00001000 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.56443 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.50665 | 744 | UNKNOWN | English - United States | RT_ICON |
102 | 2.73222 | 184 | UNKNOWN | English - United States | RT_DIALOG |
103 | 2.16096 | 20 | UNKNOWN | English - United States | RT_GROUP_ICON |
104 | 2.69903 | 316 | UNKNOWN | English - United States | RT_DIALOG |
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.93214 | 348 | UNKNOWN | English - United States | RT_DIALOG |
107 | 2.61256 | 196 | UNKNOWN | English - United States | RT_DIALOG |
109 | 3.22336 | 872 | UNKNOWN | English - United States | RT_BITMAP |
111 | 2.48825 | 96 | UNKNOWN | English - United States | RT_DIALOG |
Imported library |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3444 | "C:\Users\admin\AppData\Local\Temp\download.php.exe" | C:\Users\admin\AppData\Local\Temp\download.php.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 |
2384 | "C:\Users\admin\AppData\Local\Temp\download.php.exe" | C:\Users\admin\AppData\Local\Temp\download.php.exe | | explorer.exe | User: admin; Integrity Level: HIGH |
2312 | "C:\Users\admin\AppData\Local\Temp\wmaudioredist.exe" /Q /R:N | C:\Users\admin\AppData\Local\Temp\wmaudioredist.exe | — | download.php.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
2408 | "C:\Program Files\Winamp\AOD\AOLOnDesktop.exe" | C:\Program Files\Winamp\AOD\AOLOnDesktop.exe | — | download.php.exe | User: admin; Integrity Level: HIGH |
3808 | "C:\Program Files\Winamp\Winamp.exe" /INSTALL | C:\Program Files\Winamp\Winamp.exe | — | download.php.exe | User: admin; Company: Nullsoft; Integrity Level: HIGH; Description: Winamp; Version: 2.95 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2384 | download.php.exe | C:\Users\admin\AppData\Local\Temp\wmaudioredist.exe | — | — | — |
2384 | download.php.exe | C:\Program Files\Winamp\winampmb.htm | html | 601D39B04A3C48F7FE2D56274D425B41 | 7F553795C636392A5BE97370B871947732249A4BF46B7D1064B598D795C0FD05 |
2384 | download.php.exe | C:\Program Files\Winamp\Plugins\in_cdda.dll | executable | 1D231CE9B3CC4A24612D1F4EBDE357F4 | A68A3AB17416DBADFA22D186954E35CEFA8A1A0049A7AE1862613EBD36600B02 |
2384 | download.php.exe | C:\Program Files\Winamp\winamp.m3u | text | A9FCF40B19E3F8CB024C56C5877E7455 | DFBCBDD41A68CB584FEC4810494577D9C17D1445D5883572B6770B257150701F |
2384 | download.php.exe | C:\Program Files\Winamp\Plugins\out_wm.dll | executable | 24CDEEB658E64C9C4A76520DD4FE1D4F | 22448FF8CED438A1B9E8ECC416A432774988C24424CA860CB56BD91FE616FF3F |
2384 | download.php.exe | C:\Program Files\Winamp\Plugins\gen_ml.dll | executable | 9F47DA50AD3FFE958294E11F85B576AF | 09DE665B9EC98AB46321DEB2C8F7AA1699172850E52AC28E6D65A6CB44EEE9D5 |
2384 | download.php.exe | C:\Program Files\Winamp\Plugins\in_midi.dll | executable | 52CE9FC1E48894BAEE807BE0831966B3 | 0BD2A9BA4E883D78FFB62F3BB00F703BD4DF4177688AA3C7990A3505F1224B0D |
2384 | download.php.exe | C:\Program Files\Winamp\whatsnew.txt | text | A94750CF375C4E33882F4C4B1CB3EBEA | FAAE09C2B587503C21569B8B50F2BB0045D4C79F74FC964A68AA7755975F6898 |
2384 | download.php.exe | C:\Program Files\Winamp\Plugins\enc_vorbis.dll | executable | B00281645BBBEA2E6638C96620642B27 | 91AB948E6A690A2B8EFEC0A9D9B6EB4EFE8572BD41591F7CDCF4BE9C6E062AA5 |
2384 | download.php.exe | C:\Program Files\Winamp\winampa.exe | executable | 5CDC66EF7A6F570A583BD72C23E68FF2 | CCAC28D8D019EC3589D1A8E6E1B7212B270320A9542749EF8510D844A5A2B917 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 404 | 5.39.58.65:80 | http://www.winamp.com/browser/ | FR | html | 179 b | malicious |
— | — | GET | 404 | 5.39.58.65:80 | http://www.winamp.com/update/do_im.jhtml?ID=C3258228D33D3944A1B76CAC5D4723BB&ZIP=&EMAIL=&ML=n&NETCREATIONS=n&OBJS=wa2.95&V=2.95 | FR | html | 216 b | malicious |
— | — | GET | 404 | 5.39.58.65:80 | http://www.winamp.com/update/updatelinks.jhtml?i=y&v=2.95&r=n | FR | html | 222 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 5.39.58.65:80 | www.winamp.com | OVH SAS | FR | suspicious |
Domain | IP | Reputation |
---|---|---|
www.winamp.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |