- * ID: 2279
- * MalFamily: ""
- * MalScore: 10.0
- * File Name: "Exes_531d0d40315f7d92be607134a7102641.exe"
- * File Size: 384432
- * File Type: "MS-DOS executable"
- * SHA256: "3f305d68a6000f0ff2e27d67c11a87da00966a9ed81a18fe2f17b7120d561ed4"
- * MD5: "531d0d40315f7d92be607134a7102641"
- * SHA1: "3ee1a00ce30b70f9df3c2be6595a45c7d6a165ea"
- * SHA512: "60153eef64d88212ecc91bf7a0183a55d450d08bf17a01a6c3f9b7b1330e93aef0bc5f579e2aec89396863e5195ea7bee4cbeaf3b54e7de0f6d3cb39876660d7"
- * CRC32: "8DF7B8E2"
- * SSDEEP: "6144:Iv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:I4VOiF1WD7kE1dTYOi8V5u23zmWFy4"
- * Process Execution:
- "gfsx4YKgH9MW5A.exe",
- "SQLSerasi.exe",
- "services.exe",
- "SQLSerasi.exe",
- "SQLSerasi.exe",
- "svchost.exe",
- "WerFault.exe",
- "WmiApSrv.exe",
- "svchost.exe",
- "svchost.exe",
- "WmiPrvSE.exe"
- * Executed Commands:
- "\"C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe\"",
- "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe ",
- "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
- "C:\\Windows\\system32\\svchost.exe -k netsvcs",
- "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2212 -s 400"
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "At least one process apparently crashed during execution",
- "Details":
- "Description": "Anomalous file deletion behavior detected (10+)",
- "Details":
- "DeletedFile": "C:\\Windows\\Temp\\WER173.tmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER173.tmp.appcompat.txt"
- "DeletedFile": "C:\\Windows\\Temp\\WER173.tmp.appcompat.txt"
- "DeletedFile": "C:\\Windows\\Temp\\WER1E43.tmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER1E43.tmp.WERInternalMetadata.xml"
- "DeletedFile": "C:\\Windows\\Temp\\WER2018.tmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER2018.tmp.hdmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER74CC.tmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER74CC.tmp.mdmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER173.tmp.appcompat.txt"
- "DeletedFile": "C:\\Windows\\Temp\\WER1E43.tmp.WERInternalMetadata.xml"
- "DeletedFile": "C:\\Windows\\Temp\\WER2018.tmp.hdmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER74CC.tmp.mdmp"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "svchost.exe tried to sleep 365 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Unconventionial language used in binary resources: Chinese (Simplified)",
- "Details":
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .MPRESS1, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00058200, virtual_size: 0x00063000"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 15634167 times"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "service name": "Microsoft SQL Serverai"
- "service path": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "svchost.exe:2480"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Checks the system manufacturer, likely for anti-virtualization",
- "Details":
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
- "binary": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
- * Started Service:
- "Microsoft SQL Serverai",
- "WerSvc",
- "wmiApSrv"
- * Mutexes:
- "IESQMMUTEX_0_208",
- "Local\\WERReportingForProcess2212",
- "Global\\6d8e9fcb-da10-11e9-9533-18c086cd4731",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Flag",
- "Global\\WmiApSrv"
- * Modified Files:
- "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe",
- "C:\\Windows\\Temp\\WER173.tmp.appcompat.txt",
- "C:\\Windows\\Temp\\WER1E43.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\Temp\\WER2018.tmp.hdmp",
- "C:\\Windows\\Temp\\WER74CC.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0997e792\\WER173.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0997e792\\WER1E43.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0997e792\\WER2018.tmp.hdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0997e792\\WER74CC.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0997e792\\Report.wer",
- "\\??\\WMIDataDevice",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
- * Deleted Files:
- "C:\\Windows\\Temp\\WER173.tmp",
- "C:\\Windows\\Temp\\WER173.tmp.appcompat.txt",
- "C:\\Windows\\Temp\\WER1E43.tmp",
- "C:\\Windows\\Temp\\WER1E43.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\Temp\\WER2018.tmp",
- "C:\\Windows\\Temp\\WER2018.tmp.hdmp",
- "C:\\Windows\\Temp\\WER74CC.tmp",
- "C:\\Windows\\Temp\\WER74CC.tmp.mdmp"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Microsoft SQL Serverai",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\ConnectGroup",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\Description",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\MarkTime",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "ocsp.verisign.com",
- "answers":
- "type": "A",
- "request": "crl.verisign.com",
- "answers":
- "type": "A",
- "request": "sf.symcd.com",
- "answers":
- "type": "A",
- "request": "sf.symcb.com",
- "answers":
- "type": "A",
- "request": "d.nxxxn.ga",
- "answers":
- "type": "A",
- "request": "r.pengyou.com",
- "answers":
- * Domains:
- "ip": "0.0.0.1",
- "domain": "r.pengyou.com"
- "ip": "72.21.91.29",
- "domain": "sf.symcb.com"
- "ip": "72.21.91.29",
- "domain": "crl.verisign.com"
- "ip": "23.35.171.27",
- "domain": "sf.symcd.com"
- "ip": "23.35.171.27",
- "domain": "ocsp.verisign.com"
- "ip": "185.172.66.203",
- "domain": "d.nxxxn.ga"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: