analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

WABMIG.exe

Full analysis: https://app.any.run/tasks/a0cbd135-c487-4fa4-8baa-9d34104e2d4f
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: September 19, 2019, 02:20:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
tflower
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

E78BF898854113285FE9EF1AB739562F

SHA1:

0F148B43480CC2B5205A7F4700A34CC4E0FDC3E8

SHA256:

FF879EF72DB2A3837304E0517F725B0F87FDAD6E6DC45E0175C585CAB33FDCED

SSDEEP:

24576:aXQ+a21G15QF4oXAfPNCaZI34RqyKP/vFULJzDurjc7:aAIO5VXHRqyKP/vCRDurjc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • WABMIG.exe (PID: 3672)
    • Changes the autorun value in the registry

      • WABMIG.exe (PID: 3672)
    • Starts BCDEDIT.EXE to disable recovery

      • WABMIG.exe (PID: 3672)
    • Actions looks like stealing of personal data

      • WABMIG.exe (PID: 3672)
    • TFlower was detected

      • WABMIG.exe (PID: 3672)
    • Dropped file may contain instructions of ransomware

      • WABMIG.exe (PID: 3672)
    • Modifies files in Chrome extension folder

      • WABMIG.exe (PID: 3672)
  • SUSPICIOUS

    • Writes to a desktop.ini file (may be used to cloak folders)

      • WABMIG.exe (PID: 3672)
    • Reads the cookies of Mozilla Firefox

      • WABMIG.exe (PID: 3672)
    • Creates files in the user directory

      • WABMIG.exe (PID: 3672)
  • INFO

    • Reads settings of System Certificates

      • WABMIG.exe (PID: 3672)
    • Dropped object may contain TOR URL's

      • WABMIG.exe (PID: 3672)
    • Dropped object may contain Bitcoin addresses

      • WABMIG.exe (PID: 3672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:08:06 16:39:25+02:00
PEType: PE32
LinkerVersion: 14.16
CodeSize: 728064
InitializedDataSize: 2547200
UninitializedDataSize: -
EntryPoint: 0x3126
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.18362.1
ProductVersionNumber: 10.0.18362.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft (R) Contacts Import Tool
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
InternalName: WABMIG.EXE
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WABMIG.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.18362.1

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 06-Aug-2019 14:39:25
Detected languages:
  • English - United States
CompanyName: Microsoft Corporation
FileDescription: Microsoft (R) Contacts Import Tool
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
InternalName: WABMIG.EXE
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: WABMIG.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.18362.1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 06-Aug-2019 14:39:25
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000B1B52
0x000B1C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.62198
.rdata
0x000B3000
0x0004A82E
0x0004AA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.21565
.data
0x000FE000
0x0020DA08
0x00006C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.80355
.reloc
0x0030C000
0x00009C94
0x00009E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.60626
.rsrc
0x00316000
0x0000B828
0x0000BA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.23593

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.88123
1064
UNKNOWN
English - United States
RT_MANIFEST
2
4.88123
1064
UNKNOWN
English - United States
RT_MANIFEST
3
3.63064
488
UNKNOWN
UNKNOWN
RT_ICON
4
3.24793
296
UNKNOWN
UNKNOWN
RT_ICON
5
5.22742
3752
UNKNOWN
UNKNOWN
RT_ICON
6
5.99243
2216
UNKNOWN
UNKNOWN
RT_ICON
7
5.15003
1736
UNKNOWN
UNKNOWN
RT_ICON
8
3.26368
1384
UNKNOWN
UNKNOWN
RT_ICON
9
7.90842
13221
UNKNOWN
UNKNOWN
RT_ICON
10
4.73133
9640
UNKNOWN
UNKNOWN
RT_ICON

Imports

ADVAPI32.dll
CRYPT32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
WININET.dll
WS2_32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #TFLOWER wabmig.exe vssadmin.exe no specs bcdedit.exe no specs bcdedit.exe no specs bcdedit.exe no specs bcdedit.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3672"C:\Users\admin\AppData\Local\Temp\WABMIG.exe" C:\Users\admin\AppData\Local\Temp\WABMIG.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) Contacts Import Tool
Exit code:
0
Version:
10.0.18362.1 (WinBuild.160101.0800)
2692vssadmin.exe delete shadows /all /quietC:\Windows\system32\vssadmin.exeWABMIG.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2812bcdedit.exe /set {default} recoveryenabled noC:\Windows\system32\bcdedit.exeWABMIG.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2068bcdedit.exe /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\bcdedit.exeWABMIG.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2968bcdedit.exe /set {current} recoveryenabled noC:\Windows\system32\bcdedit.exeWABMIG.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3084bcdedit.exe /set {current} bootstatuspolicy ignoreallfailuresC:\Windows\system32\bcdedit.exeWABMIG.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
379
Read events
350
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1 124
Text files
33
Unknown types
2

Dropped files

PID
Process
Filename
Type
3672WABMIG.exeC:\Users\admin\ntuser.inibinary
MD5:A8A246D11345CAEC8B86B00F40801E56
SHA256:A1BE05FCF56AD1B86B1073FAF9A2FC7EC2562C7B0EE1059F6D46C1D09C247402
3672WABMIG.exeC:\Users\admin\Desktop\countryrecommended.jpgbinary
MD5:3A651303EBE77091ED2660871D149375
SHA256:C9CF6169DB125C9E832D92C07FB13B3F078D2077CB4C003249F15F7758C8902C
3672WABMIG.exeC:\Users\admin\Desktop\desktop.inibinary
MD5:44D504674573D91A7BC7201E76C84770
SHA256:BD8852D8C8FA383F9A21692B810936311F2CC8FBB7BF603446F8B32BE7F27F18
3672WABMIG.exeC:\Users\admin\Desktop\gardenengland.rtfbinary
MD5:66B7E8D558D1AD375616A35064D482F1
SHA256:3B88DCE2D788E03674FEBBBC97269AC50D6EBBCD3AAB49696F156C0DAE9C9FBF
3672WABMIG.exeC:\Users\admin\Desktop\monthability.pngbinary
MD5:AACE2B837BFD84AC39C1280BFC8BF9D9
SHA256:E902EEE91CC2E9D61C56F5FD21508C687A35CF826B69B43D68C92E447F2BB2A0
3672WABMIG.exeC:\Users\admin\Documents\rateswin.rtfbinary
MD5:D8AD49964B68C0BC481728AD58F175B2
SHA256:FEE71D29DF355A36C28E56F7C3B3802F8634EC6C919CD779821CF2ADC93DFDCF
3672WABMIG.exeC:\Users\admin\Desktop\cardshorse.pngbinary
MD5:76DBF74FB14AAEF67ED4BEA3DD1FE286
SHA256:78583BF010F30D345138113A545E3798F7F867C46E8DB3437A02BB9D9532D834
3672WABMIG.exeC:\Users\admin\Contacts\desktop.inibinary
MD5:0914342D6E37A54CAA194B43BB6D5C92
SHA256:5E570064E0C3C90D46665A2AF659084056CBEAECB12D925C9FAAF0268F8D855F
3672WABMIG.exeC:\Users\admin\Documents\desktop.inibinary
MD5:A2D33460CE90E57C60AFE551B71A2B80
SHA256:CC9AEF2F938CED86B58C5D5DCB67C21304CBCA20ADB7D76E6509778EBBE00819
3672WABMIG.exeC:\Users\Public\desktop.inibinary
MD5:1CBB624ACC70F09F36574133F2C42C87
SHA256:2C48AA40C5D4C62D10DA5D2A85482C7621DDC0F08219D35B69E6C8D3DBBC0ED7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3672
WABMIG.exe
205.185.216.42:80
www.download.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
3672
WABMIG.exe
89.46.105.91:443
www.affittofacilesicuro.com
Aruba S.p.A.
IT
unknown

DNS requests

Domain
IP
Reputation
www.affittofacilesicuro.com
  • 89.46.105.91
whitelisted
www.download.windowsupdate.com
  • 205.185.216.42
  • 205.185.216.10
whitelisted

Threats

No threats detected
No debug info