paladin316

2342Exes_9404e036f198001e05c0c3f8b153459f_exe_2019-09-18_19_30.txt

Sep 18th, 2019
  1.  
  2. * ID: 2342
  3. * MalFamily: ""
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_9404e036f198001e05c0c3f8b153459f.exe"
  8. * File Size: 384432
  9. * File Type: "MS-DOS executable"
  10. * SHA256: "847ec5fc091a7021c8265ba992d1845173bb0da58853ad262b185519c69b0357"
  11. * MD5: "9404e036f198001e05c0c3f8b153459f"
  12. * SHA1: "e522f7e7177bfe96c0a17e91336f21eb358b106a"
  13. * SHA512: "bd2842eff2e3f0ce3c1b528918f763cab14301472174359428fdd6b133ae3478852c7b128de340a5962965e09f6129654f358c197f955df242fbff9629a5305c"
  14. * CRC32: "063B5A63"
  15. * SSDEEP: "6144:dv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:d4VOiF1WD7kE1dTYOi8V5u23zmWFy4"
  16.  
  17. * Process Execution:
  18. "8oVwDhaSSVnB1.exe",
  19. "SQLSerasi.exe",
  20. "services.exe",
  21. "SQLSerasi.exe",
  22. "SQLSerasi.exe",
  23. "svchost.exe",
  24. "WerFault.exe",
  25. "wermgr.exe"
  26.  
  27.  
  28. * Executed Commands:
  29. "\"C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe\"",
  30. "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe ",
  31. "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe",
  32. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  33. "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3968 -s 400",
  34. "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_02338d1c\""
  35.  
  36.  
  37. * Signatures Detected:
  38.  
  39. "Description": "Behavioural detection: Executable code extraction",
  40. "Details":
  41.  
  42.  
  43. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  44. "Details":
  45.  
  46.  
  47. "Description": "At least one process apparently crashed during execution",
  48. "Details":
  49.  
  50.  
  51. "Description": "Scheduled file move on reboot detected",
  52. "Details":
  53.  
  54. "File Move on Reboot": "Old: C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_02338d1c\\Report.wer.tmp -> New: C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_02338d1c\\Report.wer"
  55.  
  56.  
  57.  
  58.  
  59. "Description": "Anomalous file deletion behavior detected (10+)",
  60. "Details":
  61.  
  62. "DeletedFile": "C:\\Windows\\Temp\\WER11FF.tmp"
  63.  
  64.  
  65. "DeletedFile": "C:\\Windows\\Temp\\WER11FF.tmp.appcompat.txt"
  66.  
  67.  
  68. "DeletedFile": "C:\\Windows\\Temp\\WER11FF.tmp.appcompat.txt"
  69.  
  70.  
  71. "DeletedFile": "C:\\Windows\\Temp\\WER20A6.tmp"
  72.  
  73.  
  74. "DeletedFile": "C:\\Windows\\Temp\\WER20A6.tmp.WERInternalMetadata.xml"
  75.  
  76.  
  77. "DeletedFile": "C:\\Windows\\Temp\\WER2162.tmp"
  78.  
  79.  
  80. "DeletedFile": "C:\\Windows\\Temp\\WER2162.tmp.hdmp"
  81.  
  82.  
  83. "DeletedFile": "C:\\Windows\\Temp\\WER8EE3.tmp"
  84.  
  85.  
  86. "DeletedFile": "C:\\Windows\\Temp\\WER8EE3.tmp.mdmp"
  87.  
  88.  
  89. "DeletedFile": "C:\\Windows\\Temp\\WER11FF.tmp.appcompat.txt"
  90.  
  91.  
  92. "DeletedFile": "C:\\Windows\\Temp\\WER20A6.tmp.WERInternalMetadata.xml"
  93.  
  94.  
  95. "DeletedFile": "C:\\Windows\\Temp\\WER2162.tmp.hdmp"
  96.  
  97.  
  98. "DeletedFile": "C:\\Windows\\Temp\\WER8EE3.tmp.mdmp"
  99.  
  100.  
  101.  
  102.  
  103. "Description": "Unconventional language used in binary resources: Chinese (Simplified)",
  104. "Details":
  105.  
  106.  
  107. "Description": "The binary likely contains encrypted or compressed data.",
  108. "Details":
  109.  
  110. "section": "name: .MPRESS1, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00058200, virtual_size: 0x00063000"
  111.  
  112.  
  113.  
  114.  
  115. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  116. "Details":
  117.  
  118. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 3807556 times"
  119.  
  120.  
  121.  
  122.  
  123. "Description": "Installs itself for autorun at Windows startup",
  124. "Details":
  125.  
  126. "service name": "Microsoft SQL Serverai"
  127.  
  128.  
  129. "service path": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
  130.  
  131.  
  132.  
  133.  
  134. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  135. "Details":
  136.  
  137.  
  138. "Description": "Checks the system manufacturer, likely for anti-virtualization",
  139. "Details":
  140.  
  141.  
  142. "Description": "Creates a copy of itself",
  143. "Details":
  144.  
  145. "copy": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
  146.  
  147.  
  148.  
  149.  
  150. "Description": "Drops a binary and executes it",
  151. "Details":
  152.  
  153. "binary": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
  154.  
  155.  
  156. "binary": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
  157.  
  158.  
  159.  
  160.  
  161.  
  162. * Started Service:
  163. "Microsoft SQL Serverai",
  164. "WerSvc"
  165.  
  166.  
  167. * Mutexes:
  168. "IESQMMUTEX_0_208",
  169. "Local\\WERReportingForProcess3968",
  170. "Global\\d79c916b-da47-11e9-81e8-18c086cd4733",
  171. "Global\\\\xee\\xad\\xb0\\xcd\\x8f",
  172. "WERUI_APPCRASH-afb8704922ff03e2c4fd8c0d4c9f65321fe4781"
  173.  
  174.  
  175. * Modified Files:
  176. "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe",
  177. "C:\\Windows\\Temp\\WER11FF.tmp.appcompat.txt",
  178. "C:\\Windows\\Temp\\WER20A6.tmp.WERInternalMetadata.xml",
  179. "C:\\Windows\\Temp\\WER2162.tmp.hdmp",
  180. "C:\\Windows\\Temp\\WER8EE3.tmp.mdmp",
  181. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_02338d1c\\WER11FF.tmp.appcompat.txt",
  182. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_02338d1c\\WER20A6.tmp.WERInternalMetadata.xml",
  183. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_02338d1c\\WER2162.tmp.hdmp",
  184. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_02338d1c\\WER8EE3.tmp.mdmp",
  185. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_02338d1c\\Report.wer",
  186. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_02338d1c\\Report.wer.tmp"
  187.  
  188.  
  189. * Deleted Files:
  190. "C:\\Windows\\Temp\\WER11FF.tmp",
  191. "C:\\Windows\\Temp\\WER11FF.tmp.appcompat.txt",
  192. "C:\\Windows\\Temp\\WER20A6.tmp",
  193. "C:\\Windows\\Temp\\WER20A6.tmp.WERInternalMetadata.xml",
  194. "C:\\Windows\\Temp\\WER2162.tmp",
  195. "C:\\Windows\\Temp\\WER2162.tmp.hdmp",
  196. "C:\\Windows\\Temp\\WER8EE3.tmp",
  197. "C:\\Windows\\Temp\\WER8EE3.tmp.mdmp",
  198. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_02338d1c\\Report.wer.tmp"
  199.  
  200.  
  201. * Modified Registry Keys:
  202. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Microsoft SQL Serverai",
  203. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\ConnectGroup",
  204. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\Description",
  205. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  206. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\MarkTime",
  207. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
  208. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
  209. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord"
  210.  
  211.  
  212. * Deleted Registry Keys:
  213.  
  214. * DNS Communications:
  215.  
  216. "type": "A",
  217. "request": "ocsp.verisign.com",
  218. "answers":
  219.  
  220.  
  221. "type": "A",
  222. "request": "crl.verisign.com",
  223. "answers":
  224.  
  225.  
  226. "type": "A",
  227. "request": "sf.symcd.com",
  228. "answers":
  229.  
  230.  
  231. "type": "A",
  232. "request": "sf.symcb.com",
  233. "answers":
  234.  
  235.  
  236. "type": "A",
  237. "request": "d.nxxxn.ga",
  238. "answers":
  239.  
  240.  
  241. "type": "A",
  242. "request": "r.pengyou.com",
  243. "answers":
  244.  
  245.  
  246.  
  247. * Domains:
  248.  
  249. "ip": "23.35.171.27",
  250. "domain": "ocsp.verisign.com"
  251.  
  252.  
  253. "ip": "23.35.171.27",
  254. "domain": "sf.symcd.com"
  255.  
  256.  
  257. "ip": "72.21.91.29",
  258. "domain": "crl.verisign.com"
  259.  
  260.  
  261. "ip": "0.0.0.1",
  262. "domain": "r.pengyou.com"
  263.  
  264.  
  265. "ip": "185.172.66.203",
  266. "domain": "d.nxxxn.ga"
  267.  
  268.  
  269. "ip": "72.21.91.29",
  270. "domain": "sf.symcb.com"
  271.  
  272.  
  273.  
  274. * Network Communication - ICMP:
  275.  
  276. * Network Communication - HTTP:
  277.  
  278. * Network Communication - SMTP:
  279.  
  280. * Network Communication - Hosts:
  281.  
  282. * Network Communication - IRC: