- * ID: 2344
- * MalFamily: ""
- * MalScore: 10.0
- * File Name: "Exes_9404e036f198001e05c0c3f8b153459f.exe"
- * File Size: 384432
- * File Type: "MS-DOS executable"
- * SHA256: "847ec5fc091a7021c8265ba992d1845173bb0da58853ad262b185519c69b0357"
- * MD5: "9404e036f198001e05c0c3f8b153459f"
- * SHA1: "e522f7e7177bfe96c0a17e91336f21eb358b106a"
- * SHA512: "bd2842eff2e3f0ce3c1b528918f763cab14301472174359428fdd6b133ae3478852c7b128de340a5962965e09f6129654f358c197f955df242fbff9629a5305c"
- * CRC32: "063B5A63"
- * SSDEEP: "6144:dv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:d4VOiF1WD7kE1dTYOi8V5u23zmWFy4"
- * Process Execution:
- "vJKx4yZ4V6AZjf.exe",
- "SQLSerasi.exe",
- "services.exe",
- "SQLSerasi.exe",
- "SQLSerasi.exe",
- "svchost.exe",
- "WerFault.exe",
- "wermgr.exe",
- "WmiApSrv.exe",
- "svchost.exe",
- "taskhost.exe",
- "WmiPrvSE.exe"
- * Executed Commands:
- "\"C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe\"",
- "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe ",
- "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
- "C:\\Windows\\system32\\svchost.exe -k netsvcs",
- "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2792 -s 400",
- "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0909176b\""
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "At least one process apparently crashed during execution",
- "Details":
- "Description": "Scheduled file move on reboot detected",
- "Details":
- "File Move on Reboot": "Old: C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0909176b\\Report.wer.tmp -> New: C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0909176b\\Report.wer"
- "Description": "Anomalous file deletion behavior detected (10+)",
- "Details":
- "DeletedFile": "C:\\Windows\\Temp\\WERF4E0.tmp"
- "DeletedFile": "C:\\Windows\\Temp\\WERF4E0.tmp.appcompat.txt"
- "DeletedFile": "C:\\Windows\\Temp\\WERF4E0.tmp.appcompat.txt"
- "DeletedFile": "C:\\Windows\\Temp\\WER5020.tmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER5020.tmp.WERInternalMetadata.xml"
- "DeletedFile": "C:\\Windows\\Temp\\WER509E.tmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER509E.tmp.hdmp"
- "DeletedFile": "C:\\Windows\\Temp\\WERE8A9.tmp"
- "DeletedFile": "C:\\Windows\\Temp\\WERE8A9.tmp.mdmp"
- "DeletedFile": "C:\\Windows\\Temp\\WERF4E0.tmp.appcompat.txt"
- "DeletedFile": "C:\\Windows\\Temp\\WER5020.tmp.WERInternalMetadata.xml"
- "DeletedFile": "C:\\Windows\\Temp\\WER509E.tmp.hdmp"
- "DeletedFile": "C:\\Windows\\Temp\\WERE8A9.tmp.mdmp"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "Unconventionial language used in binary resources: Chinese (Simplified)",
- "Details":
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .MPRESS1, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00058200, virtual_size: 0x00063000"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 10026054 times"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "service name": "Microsoft SQL Serverai"
- "service path": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "wermgr.exe:1820"
- "process": "WmiPrvSE.exe:3048"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Checks the system manufacturer, likely for anti-virtualization",
- "Details":
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
- "binary": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
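The "encrypted or compressed data" signature above rests on three observations about the .MPRESS1 section: entropy of 8.00 (the maximum for byte data), a section that is both writable and executable, and a virtual_size (0x63000) larger than raw_size (0x58200). The following Python reproduces that heuristic so it can be run against sections pulled from another sample. It is an added example, not output or code from the sandbox that produced this report; the two section payloads are constructed (a byte pattern with exactly 8.00 bits/byte standing in for the packed section, and a zero-padded stub standing in for a normal .text section), and the 7.0 entropy threshold is an assumed cut-off, not one the report states.

```python
import math
from collections import Counter

# Section flag values from the PE specification (winnt.h).
IMAGE_SCN_FLAGS = {
    "IMAGE_SCN_CNT_CODE": 0x00000020,
    "IMAGE_SCN_CNT_INITIALIZED_DATA": 0x00000040,
    "IMAGE_SCN_CNT_UNINITIALIZED_DATA": 0x00000080,
    "IMAGE_SCN_MEM_EXECUTE": 0x20000000,
    "IMAGE_SCN_MEM_READ": 0x40000000,
    "IMAGE_SCN_MEM_WRITE": 0x80000000,
}


def parse_characteristics(flag_string):
    """Turn the 'A|B|C' string printed in the report into the numeric mask."""
    mask = 0
    for name in flag_string.split("|"):
        mask |= IMAGE_SCN_FLAGS[name.strip()]
    return mask


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 8.0 is the ceiling for byte data."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def assess_section(name, data, characteristics, virtual_size, entropy_threshold=7.0):
    """Apply the report's packed-section heuristic to one PE section.

    `characteristics` may be the numeric mask or the '|'-joined flag string.
    Returns the individual findings plus an overall verdict.
    """
    mask = parse_characteristics(characteristics) if isinstance(characteristics, str) else characteristics
    entropy = shannon_entropy(data)
    executable = bool(mask & IMAGE_SCN_FLAGS["IMAGE_SCN_MEM_EXECUTE"])
    writable = bool(mask & IMAGE_SCN_FLAGS["IMAGE_SCN_MEM_WRITE"])
    findings = {
        "name": name,
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= entropy_threshold,
        # An unpacking stub writes decompressed code into the section and then
        # executes it, so write+execute on a code section is a strong signal.
        "rwx": executable and writable,
        # Virtual size above raw size means room was reserved for the unpacked image.
        "expands_in_memory": virtual_size > len(data),
        "known_packer_name": name.upper().startswith(".MPRESS"),
    }
    findings["likely_packed"] = findings["high_entropy"] and (
        findings["rwx"] or findings["expands_in_memory"] or findings["known_packer_name"]
    )
    return findings


# Constructed stand-in for the .MPRESS1 section: 0x582 repeats of all 256 byte
# values gives raw_size 0x58200 and exactly 8.00 bits/byte (not the real payload).
MPRESS_SAMPLE = bytes(range(256)) * 0x582
MPRESS_CHARACTERISTICS = (
    "IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA"
    "|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE"
)
MPRESS_VIRTUAL_SIZE = 0x63000

# Constructed stand-in for an ordinary .text section: a repeated prologue plus padding.
TEXT_SAMPLE = b"\x55\x8b\xec" * 100 + b"\x00" * 700
TEXT_CHARACTERISTICS = "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ"


def triage_samples():
    """Run the heuristic over both constructed sections."""
    return [
        assess_section(".MPRESS1", MPRESS_SAMPLE, MPRESS_CHARACTERISTICS, MPRESS_VIRTUAL_SIZE),
        assess_section(".text", TEXT_SAMPLE, TEXT_CHARACTERISTICS, len(TEXT_SAMPLE)),
    ]


if __name__ == "__main__":
    for result in triage_samples():
        print(result)
```

Entropy alone is a weak indicator (legitimate resources such as compressed images also score near 8.0), which is why the verdict requires a second signal; in this report all three are present at once.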
- * Started Service:
- "Microsoft SQL Serverai",
- "WerSvc",
- "wmiApSrv"
- * Mutexes:
- "IESQMMUTEX_0_208",
- "Local\\WERReportingForProcess2792",
- "Global\\0ee9dcff-da48-11e9-9533-18c086cd4731",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Flag",
- "Global\\WmiApSrv",
- "Global\\\\xee\\xad\\xb0\\xcd\\x96",
- "WERUI_APPCRASH-afb8704922ff03e2c4fd8c0d4c9f65321fe4781"
- * Modified Files:
- "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
- "C:\\Windows\\Temp\\WERF4E0.tmp.appcompat.txt",
- "C:\\Windows\\Temp\\WER5020.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\Temp\\WER509E.tmp.hdmp",
- "C:\\Windows\\Temp\\WERE8A9.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0909176b\\WERF4E0.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0909176b\\WER5020.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0909176b\\WER509E.tmp.hdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0909176b\\WERE8A9.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0909176b\\Report.wer",
- "\\??\\WMIDataDevice",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0909176b\\Report.wer.tmp"
- * Deleted Files:
- "C:\\Windows\\Temp\\WERF4E0.tmp",
- "C:\\Windows\\Temp\\WERF4E0.tmp.appcompat.txt",
- "C:\\Windows\\Temp\\WER5020.tmp",
- "C:\\Windows\\Temp\\WER5020.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\Temp\\WER509E.tmp",
- "C:\\Windows\\Temp\\WER509E.tmp.hdmp",
- "C:\\Windows\\Temp\\WERE8A9.tmp",
- "C:\\Windows\\Temp\\WERE8A9.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0909176b\\Report.wer.tmp"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Microsoft SQL Serverai",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\ConnectGroup",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\Description",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\MarkTime",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
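The persistence mechanism appears in three places in this report: the "Installs itself for autorun" signature, the started service "Microsoft SQL Serverai", and the new key under HKLM\SYSTEM\CurrentControlSet\Services. The following Python is an added hunting helper (not code from the sandbox or the sample) that takes service entries exported from that registry hive and flags the ones matching this report. The input is a constructed list of three entries, one of which mirrors the report's service; the ImagePath parsing and the allowlist of genuine SQL Server service-name patterns (MSSQLSERVER, MSSQL$<instance>, SQLSERVERAGENT, SQLAgent$<instance>, SQLBrowser, SQLWriter) are the author's assumptions, as is the observation that a real SQL Server install keeps its binaries in a versioned subdirectory rather than directly in the "Microsoft SQL Server" folder.

```python
import ntpath
import re

# Indicators taken from this report.
IOC_FILENAMES = {"sqlserasi.exe"}
IOC_SERVICE_NAMES = {"microsoft sql serverai"}

# Assumed allowlist of service names a genuine SQL Server install registers.
GENUINE_SQL_SERVICE_NAME = re.compile(
    r"^(MSSQLSERVER|MSSQL\$.+|SQLSERVERAGENT|SQLAgent\$.+|SQLBrowser|SQLWriter)$", re.I
)


def image_path_executable(image_path):
    """Extract the executable from a service ImagePath.

    Handles the two forms seen in this report: a quoted path followed by
    arguments, and an unquoted path containing spaces (cut at the first '.exe').
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.search(r"\.exe\b", s, re.I)
    if m:
        return s[: m.end()]
    return s.split()[0] if s else ""


def assess_service(entry):
    """Return the reasons a service entry looks like this report's persistence."""
    name = entry["name"]
    exe = image_path_executable(entry.get("ImagePath", ""))
    base = ntpath.basename(exe).lower()
    directory = ntpath.dirname(exe).lower()
    reasons = []
    if base in IOC_FILENAMES:
        reasons.append("ImagePath filename matches report IOC")
    if name.lower() in IOC_SERVICE_NAMES:
        reasons.append("service name matches report IOC")
    # Binary dropped straight into the 'Microsoft SQL Server' folder under a
    # service name SQL Server itself never uses (assumed heuristic).
    if directory.endswith("\\microsoft sql server") and not GENUINE_SQL_SERVICE_NAME.match(name):
        reasons.append("binary in 'Microsoft SQL Server' root under a non-SQL service name")
    return {"name": name, "exe": exe, "reasons": reasons, "suspicious": bool(reasons)}


def hunt(services):
    """Assess every entry and return only the suspicious ones."""
    return [r for r in (assess_service(s) for s in services) if r["suspicious"]]


# Constructed export of HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = [
    {"name": "Microsoft SQL Serverai",
     "ImagePath": '"C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"'},
    {"name": "MSSQLSERVER",
     "ImagePath": '"C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe" -sMSSQLSERVER'},
    {"name": "WerSvc",
     "ImagePath": "%SystemRoot%\\System32\\svchost.exe -k WerSvcGroup"},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_SERVICES):
        print(hit["name"], hit["exe"], "; ".join(hit["reasons"]))
```

On a live host the same entries can be produced with a recursive export of the Services key; matching on both the service name and the normalised executable path matters because the report shows the name written with a trailing "ai" while the path is a verbatim copy of the dropped binary.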
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "ocsp.verisign.com",
- "answers":
- "type": "A",
- "request": "crl.verisign.com",
- "answers":
- "type": "A",
- "request": "sf.symcd.com",
- "answers":
- "type": "A",
- "request": "sf.symcb.com",
- "answers":
- "type": "A",
- "request": "d.nxxxn.ga",
- "answers":
- "type": "A",
- "request": "r.pengyou.com",
- "answers":
- * Domains:
- "ip": "0.0.0.1",
- "domain": "r.pengyou.com"
- "ip": "72.21.91.29",
- "domain": "sf.symcb.com"
- "ip": "72.21.91.29",
- "domain": "crl.verisign.com"
- "ip": "185.172.66.203",
- "domain": "d.nxxxn.ga"
- "ip": "23.35.171.27",
- "domain": "sf.symcd.com"
- "ip": "23.35.171.27",
- "domain": "ocsp.verisign.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: