paladin316

2335Exes_9404e036f198001e05c0c3f8b153459f_exe_2019-09-18_19_30.txt

Sep 18th, 2019
  1.  
  2. * ID: 2335
  3. * MalFamily: ""
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_9404e036f198001e05c0c3f8b153459f.exe"
  8. * File Size: 384432
  9. * File Type: "MS-DOS executable"
  10. * SHA256: "847ec5fc091a7021c8265ba992d1845173bb0da58853ad262b185519c69b0357"
  11. * MD5: "9404e036f198001e05c0c3f8b153459f"
  12. * SHA1: "e522f7e7177bfe96c0a17e91336f21eb358b106a"
  13. * SHA512: "bd2842eff2e3f0ce3c1b528918f763cab14301472174359428fdd6b133ae3478852c7b128de340a5962965e09f6129654f358c197f955df242fbff9629a5305c"
  14. * CRC32: "063B5A63"
  15. * SSDEEP: "6144:dv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:d4VOiF1WD7kE1dTYOi8V5u23zmWFy4"
  16.  
  17. * Process Execution:
  18. "XqKoGBXmqFZZ.exe",
  19. "SQLSerasi.exe",
  20. "services.exe",
  21. "SQLSerasi.exe",
  22. "SQLSerasi.exe",
  23. "svchost.exe",
  24. "WerFault.exe",
  25. "wermgr.exe",
  26. "taskhost.exe",
  27. "svchost.exe"
  28.  
  29.  
  30. * Executed Commands:
  31. "\"C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe\"",
  32. "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe ",
  33. "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe",
  34. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  35. "taskhost.exe $(Arg0)",
  36. "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
  37. "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 1812 -s 388",
  38. "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0a67549e\""
  39.  
  40.  
  41. * Signatures Detected:
  42.  
  43. "Description": "Behavioural detection: Executable code extraction",
  44. "Details":
  45.  
  46.  
  47. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  48. "Details":
  49.  
  50.  
  51. "Description": "At least one process apparently crashed during execution",
  52. "Details":
  53.  
  54.  
  55. "Description": "Creates RWX memory",
  56. "Details":
  57.  
  58.  
  59. "Description": "Anomalous file deletion behavior detected (10+)",
  60. "Details":
  61.  
  62. "DeletedFile": "C:\\Windows\\Temp\\WER2B9D.tmp"
  63.  
  64.  
  65. "DeletedFile": "C:\\Windows\\Temp\\WER2B9D.tmp.appcompat.txt"
  66.  
  67.  
  68. "DeletedFile": "C:\\Windows\\Temp\\WER2B9D.tmp.appcompat.txt"
  69.  
  70.  
  71. "DeletedFile": "C:\\Windows\\Temp\\WER2C59.tmp"
  72.  
  73.  
  74. "DeletedFile": "C:\\Windows\\Temp\\WER2C59.tmp.WERInternalMetadata.xml"
  75.  
  76.  
  77. "DeletedFile": "C:\\Windows\\Temp\\WER2CB8.tmp"
  78.  
  79.  
  80. "DeletedFile": "C:\\Windows\\Temp\\WER2CB8.tmp.hdmp"
  81.  
  82.  
  83. "DeletedFile": "C:\\Windows\\Temp\\WER3554.tmp"
  84.  
  85.  
  86. "DeletedFile": "C:\\Windows\\Temp\\WER3554.tmp.mdmp"
  87.  
  88.  
  89. "DeletedFile": "C:\\Windows\\Temp\\WER2B9D.tmp.appcompat.txt"
  90.  
  91.  
  92. "DeletedFile": "C:\\Windows\\Temp\\WER2C59.tmp.WERInternalMetadata.xml"
  93.  
  94.  
  95. "DeletedFile": "C:\\Windows\\Temp\\WER2CB8.tmp.hdmp"
  96.  
  97.  
  98. "DeletedFile": "C:\\Windows\\Temp\\WER3554.tmp.mdmp"
  99.  
  100.  
  101.  
  102.  
  103. "Description": "Guard pages use detected - possible anti-debugging.",
  104. "Details":
  105.  
  106.  
  107. "Description": "A process attempted to delay the analysis task.",
  108. "Details":
  109.  
  110. "Process": "SQLSerasi.exe tried to sleep 362 seconds, actually delayed analysis time by 0 seconds"
  111.  
  112.  
  113.  
  114.  
  115. "Description": "Drops a binary and executes it",
  116. "Details":
  117.  
  118. "binary": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
  119.  
  120.  
  121. "binary": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
  122.  
  123.  
  124.  
  125.  
  126. "Description": "Unconventionial language used in binary resources: Chinese (Simplified)",
  127. "Details":
  128.  
  129.  
  130. "Description": "The binary likely contains encrypted or compressed data.",
  131. "Details":
  132.  
  133. "section": "name: .MPRESS1, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00058200, virtual_size: 0x00063000"
  134.  
  135.  
  136.  
  137.  
  138. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  139. "Details":
  140.  
  141. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 11232701 times"
  142.  
  143.  
  144.  
  145.  
  146. "Description": "Installs itself for autorun at Windows startup",
  147. "Details":
  148.  
  149. "service name": "Microsoft SQL Serverai"
  150.  
  151.  
  152. "service path": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
  153.  
  154.  
  155.  
  156.  
  157. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  158. "Details":
  159.  
  160.  
  161. "Description": "Checks the system manufacturer, likely for anti-virtualization",
  162. "Details":
  163.  
  164.  
  165. "Description": "Creates a copy of itself",
  166. "Details":
  167.  
  168. "copy": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
  169.  
  170.  
  171.  
  172.  
  173.  
  174. * Started Service:
  175. "Microsoft SQL Serverai",
  176. "WerSvc"
  177.  
  178.  
  179. * Mutexes:
  180. "IESQMMUTEX_0_208",
  181. "Local\\WERReportingForProcess1812",
  182. "Global\\47b3a153-da46-11e9-b470-18c086cd4732",
  183. "Global\\\\xee\\xad\\xb0\\xcd\\x8b",
  184. "WERUI_APPCRASH-afb8704922ff03e2c4fd8c0d4c9f65321fe4781",
  185. "Global\\F659A567-8ACB-4E4A-92A7-5C2DD1884F72",
  186. "Global\\__?_c:_programdata_microsoft_rac_statedata_racdatabase.sdf",
  187. "Global\\__?_c:_programdata_microsoft_rac_statedata_racdatabase.sdf:x",
  188. "Global\\__?_c:_programdata_microsoft_rac_statedata_racdatabase.sdf:splk:2712",
  189. "Global\\5728c1ff-ae18-4a02-98df-85d69907ca9e:sqlce_se_lck:1",
  190. "Global\\5728c1ff-ae18-4a02-98df-85d69907ca9e:sqlce_se_lck:2",
  191. "Global\\5728c1ff-ae18-4a02-98df-85d69907ca9e:sqlce_se_lck:3"
  192.  
  193.  
  194. * Modified Files:
  195. "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe",
  196. "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
  197. "C:\\Windows\\Temp\\WER2B9D.tmp.appcompat.txt",
  198. "C:\\Windows\\Temp\\WER2C59.tmp.WERInternalMetadata.xml",
  199. "C:\\Windows\\Temp\\WER2CB8.tmp.hdmp",
  200. "C:\\Windows\\Temp\\WER3554.tmp.mdmp",
  201. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0a67549e\\WER2B9D.tmp.appcompat.txt",
  202. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0a67549e\\WER2C59.tmp.WERInternalMetadata.xml",
  203. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0a67549e\\WER2CB8.tmp.hdmp",
  204. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0a67549e\\WER3554.tmp.mdmp",
  205. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0a67549e\\Report.wer",
  206. "C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat",
  207. "C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf",
  208. "\\Device\\LanmanDatagramReceiver"
  209.  
  210.  
  211. * Deleted Files:
  212. "C:\\Windows\\Temp\\WER2B9D.tmp",
  213. "C:\\Windows\\Temp\\WER2B9D.tmp.appcompat.txt",
  214. "C:\\Windows\\Temp\\WER2C59.tmp",
  215. "C:\\Windows\\Temp\\WER2C59.tmp.WERInternalMetadata.xml",
  216. "C:\\Windows\\Temp\\WER2CB8.tmp",
  217. "C:\\Windows\\Temp\\WER2CB8.tmp.hdmp",
  218. "C:\\Windows\\Temp\\WER3554.tmp",
  219. "C:\\Windows\\Temp\\WER3554.tmp.mdmp"
  220.  
  221.  
  222. * Modified Registry Keys:
  223. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Microsoft SQL Serverai",
  224. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\ConnectGroup",
  225. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\Description",
  226. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  227. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\MarkTime",
  228. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
  229. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
  230. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
  231. "HKEY_CURRENT_USER\\Software\\Microsoft\\SQMClient\\Reliability\\AdaptiveSqm\\ManifestInfo\\Version"
  232.  
  233.  
  234. * Deleted Registry Keys:
  235.  
  236. * DNS Communications:
  237.  
  238. "type": "A",
  239. "request": "ocsp.verisign.com",
  240. "answers":
  241.  
  242.  
  243. "type": "A",
  244. "request": "crl.verisign.com",
  245. "answers":
  246.  
  247.  
  248. "type": "A",
  249. "request": "sf.symcd.com",
  250. "answers":
  251.  
  252.  
  253. "type": "A",
  254. "request": "sf.symcb.com",
  255. "answers":
  256.  
  257.  
  258. "type": "A",
  259. "request": "d.nxxxn.ga",
  260. "answers":
  261.  
  262.  
  263. "type": "A",
  264. "request": "r.pengyou.com",
  265. "answers":
  266.  
  267.  
  268.  
  269. * Domains:
  270.  
  271. "ip": "0.0.0.1",
  272. "domain": "r.pengyou.com"
  273.  
  274.  
  275. "ip": "23.35.171.27",
  276. "domain": "sf.symcd.com"
  277.  
  278.  
  279. "ip": "23.35.171.27",
  280. "domain": "ocsp.verisign.com"
  281.  
  282.  
  283. "ip": "72.21.91.29",
  284. "domain": "sf.symcb.com"
  285.  
  286.  
  287. "ip": "185.172.66.203",
  288. "domain": "d.nxxxn.ga"
  289.  
  290.  
  291. "ip": "72.21.91.29",
  292. "domain": "crl.verisign.com"
  293.  
  294.  
  295.  
  296. * Network Communication - ICMP:
  297.  
  298. * Network Communication - HTTP:
  299.  
  300. * Network Communication - SMTP:
  301.  
  302. * Network Communication - Hosts:
  303.  
  304. * Network Communication - IRC: