- * ID: 2335
- * MalFamily: ""
- * MalScore: 10.0
- * File Name: "Exes_9404e036f198001e05c0c3f8b153459f.exe"
- * File Size: 384432
- * File Type: "MS-DOS executable"
- * SHA256: "847ec5fc091a7021c8265ba992d1845173bb0da58853ad262b185519c69b0357"
- * MD5: "9404e036f198001e05c0c3f8b153459f"
- * SHA1: "e522f7e7177bfe96c0a17e91336f21eb358b106a"
- * SHA512: "bd2842eff2e3f0ce3c1b528918f763cab14301472174359428fdd6b133ae3478852c7b128de340a5962965e09f6129654f358c197f955df242fbff9629a5305c"
- * CRC32: "063B5A63"
- * SSDEEP: "6144:dv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:d4VOiF1WD7kE1dTYOi8V5u23zmWFy4"
- * Process Execution:
- "XqKoGBXmqFZZ.exe",
- "SQLSerasi.exe",
- "services.exe",
- "SQLSerasi.exe",
- "SQLSerasi.exe",
- "svchost.exe",
- "WerFault.exe",
- "wermgr.exe",
- "taskhost.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe\"",
- "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe ",
- "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "taskhost.exe $(Arg0)",
- "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
- "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 1812 -s 388",
- "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0a67549e\""
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "At least one process apparently crashed during execution",
- "Details":
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Anomalous file deletion behavior detected (10+)",
- "Details":
- "DeletedFile": "C:\\Windows\\Temp\\WER2B9D.tmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER2B9D.tmp.appcompat.txt"
- "DeletedFile": "C:\\Windows\\Temp\\WER2B9D.tmp.appcompat.txt"
- "DeletedFile": "C:\\Windows\\Temp\\WER2C59.tmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER2C59.tmp.WERInternalMetadata.xml"
- "DeletedFile": "C:\\Windows\\Temp\\WER2CB8.tmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER2CB8.tmp.hdmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER3554.tmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER3554.tmp.mdmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER2B9D.tmp.appcompat.txt"
- "DeletedFile": "C:\\Windows\\Temp\\WER2C59.tmp.WERInternalMetadata.xml"
- "DeletedFile": "C:\\Windows\\Temp\\WER2CB8.tmp.hdmp"
- "DeletedFile": "C:\\Windows\\Temp\\WER3554.tmp.mdmp"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "SQLSerasi.exe tried to sleep 362 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
- "binary": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
- "Description": "Unconventional language used in binary resources: Chinese (Simplified)",
- "Details":
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .MPRESS1, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00058200, virtual_size: 0x00063000"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 11232701 times"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "service name": "Microsoft SQL Serverai"
- "service path": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Checks the system manufacturer, likely for anti-virtualization",
- "Details":
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe"
- * Started Service:
- "Microsoft SQL Serverai",
- "WerSvc"
- * Mutexes:
- "IESQMMUTEX_0_208",
- "Local\\WERReportingForProcess1812",
- "Global\\47b3a153-da46-11e9-b470-18c086cd4732",
- "Global\\\\xee\\xad\\xb0\\xcd\\x8b",
- "WERUI_APPCRASH-afb8704922ff03e2c4fd8c0d4c9f65321fe4781",
- "Global\\F659A567-8ACB-4E4A-92A7-5C2DD1884F72",
- "Global\\__?_c:_programdata_microsoft_rac_statedata_racdatabase.sdf",
- "Global\\__?_c:_programdata_microsoft_rac_statedata_racdatabase.sdf:x",
- "Global\\__?_c:_programdata_microsoft_rac_statedata_racdatabase.sdf:splk:2712",
- "Global\\5728c1ff-ae18-4a02-98df-85d69907ca9e:sqlce_se_lck:1",
- "Global\\5728c1ff-ae18-4a02-98df-85d69907ca9e:sqlce_se_lck:2",
- "Global\\5728c1ff-ae18-4a02-98df-85d69907ca9e:sqlce_se_lck:3"
- * Modified Files:
- "C:\\Program Files (x86)\\Microsoft SQL Server\\SQLSerasi.exe",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
- "C:\\Windows\\Temp\\WER2B9D.tmp.appcompat.txt",
- "C:\\Windows\\Temp\\WER2C59.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\Temp\\WER2CB8.tmp.hdmp",
- "C:\\Windows\\Temp\\WER3554.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0a67549e\\WER2B9D.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0a67549e\\WER2C59.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0a67549e\\WER2CB8.tmp.hdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0a67549e\\WER3554.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_SQLSerasi.exe_afb8704922ff03e2c4fd8c0d4c9f65321fe4781_cab_0a67549e\\Report.wer",
- "C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat",
- "C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf",
- "\\Device\\LanmanDatagramReceiver"
- * Deleted Files:
- "C:\\Windows\\Temp\\WER2B9D.tmp",
- "C:\\Windows\\Temp\\WER2B9D.tmp.appcompat.txt",
- "C:\\Windows\\Temp\\WER2C59.tmp",
- "C:\\Windows\\Temp\\WER2C59.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\Temp\\WER2CB8.tmp",
- "C:\\Windows\\Temp\\WER2CB8.tmp.hdmp",
- "C:\\Windows\\Temp\\WER3554.tmp",
- "C:\\Windows\\Temp\\WER3554.tmp.mdmp"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Microsoft SQL Serverai",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\ConnectGroup",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\Description",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Microsoft SQL Serverai\\MarkTime",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\SQMClient\\Reliability\\AdaptiveSqm\\ManifestInfo\\Version"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "ocsp.verisign.com",
- "answers":
- "type": "A",
- "request": "crl.verisign.com",
- "answers":
- "type": "A",
- "request": "sf.symcd.com",
- "answers":
- "type": "A",
- "request": "sf.symcb.com",
- "answers":
- "type": "A",
- "request": "d.nxxxn.ga",
- "answers":
- "type": "A",
- "request": "r.pengyou.com",
- "answers":
- * Domains:
- "ip": "0.0.0.1",
- "domain": "r.pengyou.com"
- "ip": "23.35.171.27",
- "domain": "sf.symcd.com"
- "ip": "23.35.171.27",
- "domain": "ocsp.verisign.com"
- "ip": "72.21.91.29",
- "domain": "sf.symcb.com"
- "ip": "185.172.66.203",
- "domain": "d.nxxxn.ga"
- "ip": "72.21.91.29",
- "domain": "crl.verisign.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: