File name: | SpaceSniffer.exe |
---|---|
Full analysis: | https://app.any.run/tasks/b74628a7-6e75-4157-abc7-4c6344d370ed |
Verdict: | Malicious activity |
Analysis date: | March 31, 2023, 21:08:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | B310E7335EAE66A533E985B377E81612 |
SHA1: | C89D16C2D7DF9E44EE4FAA44A54B70EC39B9178A |
SHA256: | FC0629D450F8A57BC93E1BA1CDEF0BFF49C1A4CF0725C2A1F52116FD67D9FE8E |
SSDEEP: | 24576:jkbul+AAcfmIK0BHS7u8OcnKFImpXu2aGVC3B9mQJ+iKc9k0nfw69IDcYJe1LCyl:R+mbK0JSnepKGITmS869CsO0xTLbA58 |
Extension | Description |
---|---|
.scr | Windows screen saver (60.5) |
.exe | Win32 Executable (generic) (20.8) |
.exe | Generic Win/DOS Executable (9.2) |
.exe | DOS Executable Generic (9.2) |
.vxd | VXD Driver (0.1) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2016:10:02 08:57:01+00:00 |
ImageFileCharacteristics: | Executable, No line numbers, No symbols, Large address aware, 32-bit |
PEType: | PE32 |
LinkerVersion: | 5 |
CodeSize: | 1806336 |
InitializedDataSize: | 368640 |
UninitializedDataSize: | - |
EntryPoint: | 0x187c |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.3.0.2 |
ProductVersionNumber: | 1.3.0.2 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Italian |
CharacterSet: | Windows, Latin1 |
CompanyName: | Uderzo Software e Consulenza Informatica |
FileDescription: | Disk space analysis tool |
FileVersion: | 1.3.0.2 |
InternalName: | SpaceSniffer |
LegalCopyright: | Copyright 2007-2016 Uderzo Umberto |
LegalTrademarks: | - |
OriginalFileName: | SpaceSniffer.exe |
ProductName: | SpaceSniffer |
ProductVersion: | 1.3.0.2 |
Comments: | - |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 02-Oct-2016 08:57:01 |
Detected languages: | |
CompanyName: | Uderzo Software e Consulenza Informatica |
FileDescription: | Disk space analysis tool |
FileVersion: | 1.3.0.2 |
InternalName: | SpaceSniffer |
LegalCopyright: | Copyright 2007-2016 Uderzo Umberto |
LegalTrademarks: | - |
OriginalFilename: | SpaceSniffer.exe |
ProductName: | SpaceSniffer |
ProductVersion: | 1.3.0.2 |
Comments: | - |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000200 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 9 |
Time date stamp: | 02-Oct-2016 08:57:01 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x001B9000 | 0x001B8400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.4919 |
.data | 0x001BA000 | 0x0005A000 | 0x00027E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.98403 |
.tls | 0x00214000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00215000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.210826 |
.idata | 0x00216000 | 0x00004000 | 0x00003A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.2239 |
.didata | 0x0021A000 | 0x00001000 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.12065 |
.edata | 0x0021B000 | 0x00001000 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.25691 |
.rsrc | 0x0021C000 | 0x0002F000 | 0x0002E200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.56255 |
.reloc | 0x0024B000 | 0x00021000 | 0x00020600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.69632 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.92313 | 850 | UNKNOWN | Italian - Italy | RT_MANIFEST |
2 | 5.58922 | 1736 | UNKNOWN | Italian - Italy | RT_ICON |
3 | 5.46562 | 2216 | UNKNOWN | Italian - Italy | RT_ICON |
4 | 5.09737 | 3752 | UNKNOWN | Italian - Italy | RT_ICON |
5 | 3.95686 | 1128 | UNKNOWN | Italian - Italy | RT_ICON |
6 | 4.03824 | 2440 | UNKNOWN | Italian - Italy | RT_ICON |
7 | 3.76661 | 4264 | UNKNOWN | Italian - Italy | RT_ICON |
8 | 3.82269 | 9640 | UNKNOWN | Italian - Italy | RT_ICON |
4077 | 3.25764 | 2096 | UNKNOWN | UNKNOWN | RT_STRING |
4078 | 3.26307 | 2520 | UNKNOWN | UNKNOWN | RT_STRING |
Imported DLL |
---|
ADVAPI32.DLL |
COMCTL32.DLL |
COMDLG32.DLL |
DWMAPI.DLL |
GDI32.DLL |
KERNEL32.DLL |
MSIMG32.DLL |
OLE32.DLL |
OLEAUT32.DLL |
SHELL32.DLL |
Title | Ordinal | Address |
---|---|---|
__GetExceptDLLinfo | 1 | 0x000018D5 |
@@Drivenode_source@Initialize | 2 | 0x000023DC |
@@Drivenode_source@Finalize | 3 | 0x000023EC |
@@Filenode_source@Initialize | 4 | 0x00002584 |
@@Filenode_source@Finalize | 5 | 0x00002594 |
@@Filesystemnode_source@Initialize | 6 | 0x00007D44 |
@@Filesystemnode_source@Finalize | 7 | 0x00007D54 |
@@Foldernode_source@Initialize | 8 | 0x00007E14 |
@@Foldernode_source@Finalize | 9 | 0x00007E24 |
@@Freespacenode_source@Initialize | 10 | 0x00007F44 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
1900 | "C:\Users\admin\AppData\Local\Temp\SpaceSniffer.exe.scr" /S | C:\Users\admin\AppData\Local\Temp\SpaceSniffer.exe.scr | | explorer.exe | User: admin; Company: Uderzo Software e Consulenza Informatica; Integrity Level: MEDIUM; Description: Disk space analysis tool; Exit code: 0; Version: 1.3.0.2 |
3064 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\System32\dllhost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3196 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\System32\dllhost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2376 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\System32\dllhost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3416 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\System32\dllhost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
Process (PID) | Operation | Key | Name | Value |
---|---|---|---|---|
(1900) SpaceSniffer.exe.scr | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | NodeSlots | 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 |
(1900) SpaceSniffer.exe.scr | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | MRUListEx | 0C000000000000000B00000001000000020000000D00000007000000060000000A0000000900000008000000030000000500000004000000FFFFFFFF |
(1900) SpaceSniffer.exe.scr | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | MRUListEx | 020000000100000000000000040000000500000003000000FFFFFFFF |
(1900) SpaceSniffer.exe.scr | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 | MRUListEx | 09000000080000000700000006000000050000000400000003000000010000000000000002000000FFFFFFFF |
(1900) SpaceSniffer.exe.scr | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | MRUListEx | 010000000C000000000000000B000000020000000D00000007000000060000000A0000000900000008000000030000000500000004000000FFFFFFFF |
(1900) SpaceSniffer.exe.scr | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | LanguageList | en-US |
(1900) SpaceSniffer.exe.scr | delete value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{e1a82db4-a9f0-11e7-b142-806e6f6e6963} | NeedToPurge | 1 |
(1900) SpaceSniffer.exe.scr | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 | MRUListEx | 00000000090000000800000007000000060000000500000004000000030000000100000002000000FFFFFFFF |
(1900) SpaceSniffer.exe.scr | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | NodeSlots | 020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 |
(1900) SpaceSniffer.exe.scr | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | MRUListEx | 010000000200000000000000040000000500000003000000FFFFFFFF |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2376 | dllhost.exe | C:\$RECYCLE.BIN\S-1-5-21-1302019708-1500728564-335382590-1000\$IIII9SK | binary | 957D3EEC0F4E1510C20ADA6F506B6DAA | F52C10AE6C1E549E4B5316A20D47B46352F5B40C47290A1CB1F02F52240A6E13 |
3064 | dllhost.exe | C:\$RECYCLE.BIN\S-1-5-21-1302019708-1500728564-335382590-1000\$IGIPKH8 | binary | 960D50310EC9B4D106CE455454113059 | A08D9C97F4CCB6147D9EBFB6C7DF0D0D0AD6717FCEE27F088272A93CBC4819DD |
3196 | dllhost.exe | C:\Program Files\Microsoft Office\Office14\PROOF\IntroducingPowerPoint2010.potx | compressed | 24FE60EE51C8C93444B20F23A1254F86 | 4520AFDDBE38F95781B9D517B4BD7B56160414E10DC1D8D4B7E31588A2EF923D |