File name: | Install.exe |
Full analysis: | https://app.any.run/tasks/d56a9797-3ad2-43d4-8eef-2adb6593bbc4 |
Verdict: | Malicious activity |
Analysis date: | October 04, 2022, 20:38:02 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | E2462DFF81E09C335DD89F711C7A2FBA |
SHA1: | 5B9BADC4D85F1CE4912772507523AB062A730D4E |
SHA256: | FCD60B5BD3815F1C591ADA33B9A46D4126C216DC32CC7B946352A938844138BD |
SSDEEP: | 6144:qG1wX8iQS7SP8FRguKgHMQj6WAcZ0te0nhhX/AgdvotX9VRZefVu4F2O971Nd:qgwtFK4Fj/MNhl/d8X9VRZetu40QpNd |
.dll | | | Win32 Dynamic Link Library (generic) (43.5) |
---|---|---|
.exe | | | Win32 Executable (generic) (29.8) |
.exe | | | Generic Win/DOS Executable (13.2) |
.exe | | | DOS Executable Generic (13.2) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2022-Sep-01 17:30:37 |
Detected languages: |
|
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 272 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2022-Sep-01 17:30:37 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 56201 | 56320 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.57153 |
.rdata | 61440 | 31340 | 31744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.64676 |
.data | 94208 | 4988 | 2560 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.27832 |
.rsrc | 102400 | 263552 | 263680 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.96442 |
.reloc | 368640 | 4208 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.25754 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.14944 | 1741 | UNKNOWN | English - United States | RT_MANIFEST |
101 | 7.96765 | 261632 | UNKNOWN | English - United States | EXE |
ADVAPI32.dll |
KERNEL32.dll |
OLEAUT32.dll |
SHLWAPI.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3684 | "C:\Users\admin\AppData\Local\Temp\Install.exe" | C:\Users\admin\AppData\Local\Temp\Install.exe | — | Explorer.EXE |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | ||||
3792 | "C:\Users\admin\AppData\Local\Temp\Install.exe" | C:\Users\admin\AppData\Local\Temp\Install.exe | Explorer.EXE | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2588 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | — | taskeng.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
2400 | C:\Windows\System32\dllhost.exe /Processid:{b3e962c9-5e9f-40b2-869c-6026d2a7e5b2} | C:\Windows\System32\dllhost.exe | winlogon.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: COM Surrogate Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2400) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\$77config\pid |
Operation: | write | Name: | svc32 |
Value: 2400 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2588 | powershell.EXE | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
2588 | powershell.EXE | C:\Windows\TEMP\dll1j0gw.sbt.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
2588 | powershell.EXE | C:\Windows\TEMP\syq2aqmc.khz.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |