1468567241.exe

世元 何

The application 1468567241.exe by 世元 何 has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in.
Publisher:
世元 何  (signed and verified)

MD5:
31e3e8785182deb239a9db6cccc56265

SHA-1:
fadcb125d0e4879cf13dfd6bffa1551ba65ed0ab

SHA-256:
9603493ab8c3e4e1cb85f19a547338d00e6d4bd91a468ab1e9a288512309d7ae

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/12/2017 7:20:59 PM UTC  (today)

Scan engine:
Reason Heuristics

Detection:
PUP.Mzip (M)

Engine version:
16.11.11.1

File size:
1 MB (1,093,736 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\1468567241.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
5/3/2016 9:00:00 PM

Valid to:
5/4/2017 8:59:59 PM

Subject:
CN=世元 何, OU=Individual Developer, O=No Organization Affiliation, L=重庆, S=重庆, C=CN

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
70F6347DB1CBD91C6E2ECAA87711C6FF

File PE Metadata
Compilation timestamp:
7/4/2016 6:06:59 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:SeKJ+xuDzDwjuXKp80+90r1QgpYaogM7sN7zwQ995:32Dwc90j2aoqAQ995

Entry address:
0xA10BA

Entry point:
E8, 25, 0F, 01, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 51, 53, 8B, 5D, 08, 56, 57, 33, FF, 39, 7D, 14, 75, 10, 3B, DF, 75, 10, 39, 7D, 0C, 75, 12, 33, C0, 5F, 5E, 5B, C9, C3, 3B, DF, 74, 07, 8B, 4D, 0C, 3B, CF, 77, 1B, E8, C0, 0A, 00, 00, 6A, 16, 5E, 89, 30, 57, 57, 57, 57, 57, E8, 6D, E0, FF, FF, 83, C4, 14, 8B, C6, EB, D5, 8B, 55, 10, 39, 7D, 14, 74, 0B, 3B, D7, 75, 07, 33, C0, 66, 89, 03, EB, D2, 6A, 02, 8B, C3, 89, 4D, FC, 5E, 66, 39, 38, 74, 07, 03, C6, FF, 4D, FC, 75, F4, 39, 7D, FC, 74, E0, 83...

Code size:
814 KB (833,536 bytes)

Scheduled Task
Task name:
Tools_Update_{CFAC34AB-5DB5-4dea-94EC-1D42E3942873}

Trigger:
Logon (Runs on logon)

Description:
Tools update check when system start. It will automatically unload if there is no Tools soft.


The executing file has been seen to make the following network communications in live environments.

