2279Exes_531d0d40315f7d92be607134a7102641_exe_2019-09-18_13_30.txt
  1.  
  2. * ID: 2279
  3. * MalFamily: ""
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_531d0d40315f7d92be607134a7102641.exe"
  8. * File Size: 384432
  9. * File Type: "MS-DOS executable"
  10. * SHA256: "3f305d68a6000f0ff2e27d67c11a87da00966a9ed81a18fe2f17b7120d561ed4"
  11. * MD5: "531d0d40315f7d92be607134a7102641"
  12. * SHA1: "3ee1a00ce30b70f9df3c2be6595a45c7d6a165ea"
  13. * SHA512: "60153eef64d88212ecc91bf7a0183a55d450d08bf17a01a6c3f9b7b1330e93aef0bc5f579e2aec89396863e5195ea7bee4cbeaf3b54e7de0f6d3cb39876660d7"
  14. * CRC32: "8DF7B8E2"
  15. * SSDEEP: "6144:Iv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:I4VOiF1WD7kE1dTYOi8V5u23zmWFy4"
  16.  
  17. * Process Execution:
  18. "gfsx4YKgH9MW5A.exe",
  19. "SQLSerasi.exe",
  20. "services.exe",
  21. "SQLSerasi.exe",
  22. "SQLSerasi.exe",
  23. "svchost.exe",
  24. "WerFault.exe",
  25. "WmiApSrv.exe",
  26. "svchost.exe",
  27. "svchost.exe",
  28. "WmiPrvSE.exe"
  29.  
  30.  
  31. * Executed Commands:
  32. "\"C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe\"",
  33. "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe ",
  34. "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe",
  35. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  36. "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
  37. "C:\\Windows\\system32\\svchost.exe -k netsvcs",
  38. "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2212 -s 400"
  39.  
  40.  
  41. * Signatures Detected:
  42.  
  43. "Description": "Behavioural detection: Executable code extraction",
  44. "Details":
  45.  
  46.  
  47. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  48. "Details":
  49.  
  50.  
  51. "Description": "At least one process apparently crashed during execution",
  52. "Details":
  53.  
  54.  
  55. "Description": "Anomalous file deletion behavior detected (10+)",
  56. "Details":
  57.  
  58. "DeletedFile": "C:\\Windows\\Temp\\WER173.tmp"
  59.  
  60.  
  61. "DeletedFile": "C:\\Windows\\Temp\\WER173.tmp.appcompat.txt"
  62.  
  63.  
  64. "DeletedFile": "C:\\Windows\\Temp\\WER173.tmp.appcompat.txt"
  65.  
  66.  
  67. "DeletedFile": "C:\\Windows\\Temp\\WER1E43.tmp"
  68.  
  69.  
  70. "DeletedFile": "C:\\Windows\\Temp\\WER1E43.tmp.WERInternalMetadata.xml"
  71.  
  72.  
  73. "DeletedFile": "C:\\Windows\\Temp\\WER2018.tmp"
  74.  
  75.  
  76. "DeletedFile": "C:\\Windows\\Temp\\WER2018.tmp.hdmp"
  77.  
  78.  
  79. "DeletedFile": "C:\\Windows\\Temp\\WER74CC.tmp"
  80.  
  81.  
  82. "DeletedFile": "C:\\Windows\\Temp\\WER74CC.tmp.mdmp"
  83.  
  84.  
  85. "DeletedFile": "C:\\Windows\\Temp\\WER173.tmp.appcompat.txt"
  86.  
  87.  
  88. "DeletedFile": "C:\\Windows\\Temp\\WER1E43.tmp.WERInternalMetadata.xml"
  89.  
  90.  
  91. "DeletedFile": "C:\\Windows\\Temp\\WER2018.tmp.hdmp"
  92.  
  93.  
  94. "DeletedFile": "C:\\Windows\\Temp\\WER74CC.tmp.mdmp"
  95.  
  96.  
  97.  
  98.  
  99. "Description": "Guard pages use detected - possible anti-debugging.",
  100. "Details":
  101.  
  102.  
  103. "Description": "A process attempted to delay the analysis task.",
  104. "Details":
  105.  
  106. "Process": "svchost.exe tried to sleep 365 seconds, actually delayed analysis time by 0 seconds"
  107.  
  108.  
  109.  
  110.  
  111. "Description": "Unconventional language used in binary resources: Chinese (Simplified)",
  112. "Details":
  113.  
  114.  
  115. "Description": "The binary likely contains encrypted or compressed data.",
  116. "Details":
  117.  
  118. "section": "name: .MPRESS1, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00058200, virtual_size: 0x00063000"
  119.  
  120.  
  121.  
  122.  
  123. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  124. "Details":
  125.  
  126. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 15634167 times"
  127.  
  128.  
  129.  
  130.  
  131. "Description": "Installs itself for autorun at Windows startup",
  132. "Details":
  133.  
  134. "service name": "Microsoft SQL Serverai"
  135.  
  136.  
  137. "service path": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
  138.  
  139.  
  140.  
  141.  
  142. "Description": "Stack pivoting was detected when using a critical API",
  143. "Details":
  144.  
  145. "process": "svchost.exe:2480"
  146.  
  147.  
  148.  
  149.  
  150. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  151. "Details":
  152.  
  153.  
  154. "Description": "Checks the system manufacturer, likely for anti-virtualization",
  155. "Details":
  156.  
  157.  
  158. "Description": "Creates a copy of itself",
  159. "Details":
  160.  
  161. "copy": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
  162.  
  163.  
  164.  
  165.  
  166. "Description": "Drops a binary and executes it",
  167. "Details":
  168.  
  169. "binary": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
  170.  
  171.  
  172. "binary": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
  173.  
  174.  
  175.  
  176.  
  177.  
  178. * Started Service:
  179. "Microsoft SQL Serverai",
  180. "WerSvc",
  181. "wmiApSrv"
  182.  
  183.  
  184. * Mutexes:
  185. "IESQMMUTEX_0_208",
  186. "Local\\WERReportingForProcess2212",
  187. "Global\\6d8e9fcb-da10-11e9-9533-18c086cd4731",
  188. "Global\\RefreshRA_Mutex_Lib",
  189. "Global\\RefreshRA_Mutex",
  190. "Global\\RefreshRA_Mutex_Flag",
  191. "Global\\WmiApSrv"
  192.  
  193.  
  194. * Modified Files:
  195. "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe",
  196. "C:\\Windows\\Temp\\WER173.tmp.appcompat.txt",
  197. "C:\\Windows\\Temp\\WER1E43.tmp.WERInternalMetadata.xml",
  198. "C:\\Windows\\Temp\\WER2018.tmp.hdmp",
  199. "C:\\Windows\\Temp\\WER74CC.tmp.mdmp",
  200. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0997e792\\WER173.tmp.appcompat.txt",
  201. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0997e792\\WER1E43.tmp.WERInternalMetadata.xml",
  202. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0997e792\\WER2018.tmp.hdmp",
  203. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0997e792\\WER74CC.tmp.mdmp",
  204. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0997e792\\Report.wer",
  205. "\\??\\WMIDataDevice",
  206. "\\??\\PIPE\\samr",
  207. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  208. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  209. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  210. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  211. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  212. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
  213. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
  214. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
  215.  
  216.  
  217. * Deleted Files:
  218. "C:\\Windows\\Temp\\WER173.tmp",
  219. "C:\\Windows\\Temp\\WER173.tmp.appcompat.txt",
  220. "C:\\Windows\\Temp\\WER1E43.tmp",
  221. "C:\\Windows\\Temp\\WER1E43.tmp.WERInternalMetadata.xml",
  222. "C:\\Windows\\Temp\\WER2018.tmp",
  223. "C:\\Windows\\Temp\\WER2018.tmp.hdmp",
  224. "C:\\Windows\\Temp\\WER74CC.tmp",
  225. "C:\\Windows\\Temp\\WER74CC.tmp.mdmp"
  226.  
  227.  
  228. * Modified Registry Keys:
  229. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Microsoft SQL Serverai",
  230. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\ConnectGroup",
  231. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\Description",
  232. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  233. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
  234. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
  235. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\MarkTime",
  236. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
  237. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
  238. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
  239. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed",
  240. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
  241. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
  242. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
  243. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  244. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  245. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  246. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  247. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
  248. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
  249. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
  250. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
  251.  
  252.  
  253. * Deleted Registry Keys:
  254.  
  255. * DNS Communications:
  256.  
  257. "type": "A",
  258. "request": "ocsp.verisign.com",
  259. "answers":
  260.  
  261.  
  262. "type": "A",
  263. "request": "crl.verisign.com",
  264. "answers":
  265.  
  266.  
  267. "type": "A",
  268. "request": "sf.symcd.com",
  269. "answers":
  270.  
  271.  
  272. "type": "A",
  273. "request": "sf.symcb.com",
  274. "answers":
  275.  
  276.  
  277. "type": "A",
  278. "request": "d.nxxxn.ga",
  279. "answers":
  280.  
  281.  
  282. "type": "A",
  283. "request": "r.pengyou.com",
  284. "answers":
  285.  
  286.  
  287.  
  288. * Domains:
  289.  
  290. "ip": "0.0.0.1",
  291. "domain": "r.pengyou.com"
  292.  
  293.  
  294. "ip": "72.21.91.29",
  295. "domain": "sf.symcb.com"
  296.  
  297.  
  298. "ip": "72.21.91.29",
  299. "domain": "crl.verisign.com"
  300.  
  301.  
  302. "ip": "23.35.171.27",
  303. "domain": "sf.symcd.com"
  304.  
  305.  
  306. "ip": "23.35.171.27",
  307. "domain": "ocsp.verisign.com"
  308.  
  309.  
  310. "ip": "185.172.66.203",
  311. "domain": "d.nxxxn.ga"
  312.  
  313.  
  314.  
  315. * Network Communication - ICMP:
  316.  
  317. * Network Communication - HTTP:
  318.  
  319. * Network Communication - SMTP:
  320.  
  321. * Network Communication - Hosts:
  322.  
  323. * Network Communication - IRC: