File name: Itunes.exe
Full analysis: https://app.any.run/tasks/4c34dc3a-e095-49b7-a098-da46ceeb4f6b
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that lets attackers gain full or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for conducting illicit activities on compromised systems. Some of the most common RAT features are access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: January 11, 2019, 01:58:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
remcos
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable, MZ for MS-DOS
MD5: 29BB97ED6FEA2A62D527FA3CA2BB12F4
SHA1: 4D320765124770BFBDD93E92C40C024F932C17E5
SHA256: 08D81DD24CC5E21A89F9BB3EC816671DEF2650A6684D8279FAF149028F0E5912
SSDEEP: 768:ZNnmZ/8vPlLUdhfJ8v6utFpVsuRregrWChgzQ9b7Dsr1:Hnwu4DejVLyOhgzUYr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • Itunes.exe (PID: 2688)
      • Itunes.exe (PID: 3320)
    • REMCOS RAT was detected

      • Itunes.exe (PID: 2688)
      • winlog.exe (PID: 2672)
    • Changes the autorun value in the registry

      • Itunes.exe (PID: 3320)
      • winlog.exe (PID: 2672)
    • Saves itself using automatic execution at hidden registry location

      • Itunes.exe (PID: 3320)
      • winlog.exe (PID: 2672)
    • UAC/LUA settings modification

      • reg.exe (PID: 2596)
      • reg.exe (PID: 2648)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3280)
  • SUSPICIOUS

    • Starts CMD.EXE for command execution

      • Itunes.exe (PID: 3320)
      • winlog.exe (PID: 2672)
    • Modifies the open verb of a shell class

      • Itunes.exe (PID: 3320)
      • Itunes.exe (PID: 2688)
    • Executable content was dropped or overwritten

      • Itunes.exe (PID: 3320)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 4012)
      • cmd.exe (PID: 3396)
    • Creates files in the program directory

      • Itunes.exe (PID: 3320)
    • Connects to unusual port

      • winlog.exe (PID: 2672)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x192ec
UninitializedDataSize: -
InitializedDataSize: 36864
CodeSize: 61440
LinkerVersion: 6
PEType: PE32
TimeStamp: 2017:01:05 20:50:18+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Jan-2017 19:50:18
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0040
Pages in file: 0x0001
Relocations: 0x0000
Size of header: 0x0002
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0xB400
OEM information: 0xCD09
Address of NE header: 0x00000040

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 05-Jan-2017 19:50:18
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.MPRESS1 | 0x00001000 | 0x00018000 | 0x00007200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99285
.MPRESS2V\x0e | 0x00019000 | 0x00000E56 | 0x00001000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.61446
.rsrc | 0x0001A000 | 0x00000DB8 | 0x00000E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.26296

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 6.57569 | 3240 | Latin 1 / Western European | English - United States | RT_ICON
102 | 1.91924 | 20 | Latin 1 / Western European | English - United States | RT_GROUP_ICON
SETTINGS | 0 | 425 | Latin 1 / Western European | UNKNOWN | RT_RCDATA

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.DLL
MSVCP60.dll
MSVCRT.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WINMM.dll
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 12
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process chain in graph order ("no specs" marks a node without specific indicators; #REMCOS marks a node flagged as Remcos):
  • start
  • #REMCOS itunes.exe (no specs)
  • eventvwr.exe (no specs)
  • eventvwr.exe
  • itunes.exe
  • cmd.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)
  • ping.exe (no specs)
  • #REMCOS winlog.exe
  • cmd.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)

Process information

PID | CMD | Path | Parent process

2688 | "C:\Users\admin\AppData\Local\Temp\Itunes.exe" | C:\Users\admin\AppData\Local\Temp\Itunes.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

3756 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | Itunes.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Event Viewer Snapin Launcher
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

2512 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | Itunes.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Event Viewer Snapin Launcher
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

3320 | "C:\Users\admin\AppData\Local\Temp\Itunes.exe" | C:\Users\admin\AppData\Local\Temp\Itunes.exe | eventvwr.exe
User: admin
Integrity Level: HIGH
Exit code: 0

4012 | /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f | C:\Windows\System32\cmd.exe | Itunes.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

2596 | C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f | C:\Windows\System32\reg.exe | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

3280 | cmd /c ""C:\Users\admin\AppData\Local\Temp\install.bat" " | C:\Windows\system32\cmd.exe | Itunes.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

4080 | PING 127.0.0.1 -n 2 | C:\Windows\system32\PING.EXE | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

2672 | "C:\Program Files\winlog\winlog.exe" | C:\Program Files\winlog\winlog.exe | cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0

3396 | /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f | C:\Windows\System32\cmd.exe | winlog.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 813
Read events: 783
Write events: 26
Delete events: 4

Modification events

(PID) Process: (2688) Itunes.exe
Key: HKEY_CURRENT_USER\Software\remcos_zsizyrtrxw
Operation: write
Name: origmsc
Value: £}xF&ð“쐖ê·y`7É¢ºí€Â’u€ðøŸ¬þ I¶‘w

(PID) Process: (2688) Itunes.exe
Key: HKEY_CLASSES_ROOT\mscfile\shell\open\command
Operation: write
Name: (default)
Value: C:\Users\admin\AppData\Local\Temp\Itunes.exe

(PID) Process: (2688) Itunes.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2688) Itunes.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: -
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: -
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (3320) Itunes.exe
Key: HKEY_CLASSES_ROOT\mscfile\shell\open\command
Operation: write
Name: (default)
Value: %SystemRoot%\system32\mmc.exe "%1" %*

(PID) Process: (3320) Itunes.exe
Key: HKEY_CURRENT_USER\Software\remcos_zsizyrtrxw
Operation: delete value
Name: origmsc
Value: £}xF&ð“쐖ê·y`7É¢ºí€Â’u€ðøŸ¬þ I¶‘w

(PID) Process: (3320) Itunes.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: winlog
Value: "C:\Program Files\winlog\winlog.exe"

(PID) Process: (3320) Itunes.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Operation: write
Name: winlog
Value: "C:\Program Files\winlog\winlog.exe"
Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2672 | winlog.exe | C:\Users\admin\AppData\Local\Temp\uninstall.bat | text
MD5: 5DE3FAF790BC275C33A3842A88EDBD3D
SHA256: C443CBCAD6462EDAB04E3C01F5C0B3A74EDE6D31E97D1B62BFD59657E6365930

3320 | Itunes.exe | C:\Program Files\winlog\winlog.exe | executable
MD5: 29BB97ED6FEA2A62D527FA3CA2BB12F4
SHA256: 08D81DD24CC5E21A89F9BB3EC816671DEF2650A6684D8279FAF149028F0E5912

3320 | Itunes.exe | C:\Users\admin\AppData\Local\Temp\install.bat | text
MD5: 4669D23BD07E498555D5B4791E0B21A7
SHA256: 46A58615C0319073C34E97F167F17298BA1369B874141379B79FC218313B15DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2672 | winlog.exe | 77.139.170.143:2404 | erterhtreh567.dynamic-dns.net | Hot-Net internet services Ltd. | IL | malicious

DNS requests

Domain | IP | Reputation
erterhtreh567.dynamic-dns.net | 77.139.170.143 | malicious

Threats

PID | Process | Class | Message
2672 | winlog.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection
No debug info