File name:

GnSetup.exe

Full analysis: https://app.any.run/tasks/44d3f349-0d81-4416-ba3d-52d8a09b3a8d
Verdict: Malicious activity
Analysis date: February 07, 2024, 20:11:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

DCF79239DF7168800311A6FDD8E065BC

SHA1:

787E6FAD249DFEB0713B11A81D51D498C2D2A126

SHA256:

0AA9070E1C656A9BF83E0B46D76CAE3133E5D5B9BF880C48B2400124059FF318

SSDEEP:

24576:sJqlaxMTCU514MWXblr3lL62WtrG9JTfcPCS1JLvZLy/XFab5:sJqlaxMTCU514NXblr3lL62WtrG9JTfa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • GnSetup.exe (PID: 392)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • GnSetup.exe (PID: 392)

    • Reads the Internet Settings

      • GnBots.exe (PID: 3748)
      • GnSetup.exe (PID: 392)

    • Connects to the server without a host name

      • GnBots.exe (PID: 3748)
      • GnSetup.exe (PID: 392)

    • Connects to unusual port

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)

    • Starts CMD.EXE for commands execution

      • GnBots.exe (PID: 3748)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 3876)

    • Executable content was dropped or overwritten

      • GnSetup.exe (PID: 392)

  • INFO

    • Creates files in the program directory

      • GnSetup.exe (PID: 392)

    • Reads the computer name

      • GnBots.exe (PID: 3748)
      • GnSetup.exe (PID: 392)

    • Reads the machine GUID from the registry

      • GnBots.exe (PID: 3748)
      • GnSetup.exe (PID: 392)

    • Checks supported languages

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)

    • Reads Environment values

      • GnBots.exe (PID: 3748)
      • GnSetup.exe (PID: 392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2055:06:29 05:51:21+02:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 631808
InitializedDataSize: 221696
UninitializedDataSize: -
EntryPoint: 0x9c36e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: GnSetup48
FileVersion: 1.0.0.0
InternalName: GnSetup.exe
LegalCopyright: Copyright © 2022
LegalTrademarks: -
OriginalFileName: GnSetup.exe
ProductName: GnSetup48
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
6
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start gnsetup.exe gnbots.exe cmd.exe no specs netstat.exe no specs findstr.exe no specs gnsetup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
392"C:\Users\admin\AppData\Local\Temp\GnSetup.exe" C:\Users\admin\AppData\Local\Temp\GnSetup.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
GnSetup48
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\gnsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1652"C:\Users\admin\AppData\Local\Temp\GnSetup.exe" C:\Users\admin\AppData\Local\Temp\GnSetup.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
GnSetup48
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\gnsetup.exe
c:\windows\system32\ntdll.dll
1812findstr ":5508.*LISTENING"C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
3748"C:\Users\admin\Documents\Outlook Files\New folder\GnBots\GnBots.exe" C:\Users\admin\Documents\Outlook Files\New folder\GnBots\GnBots.exe
GnSetup.exe
User:
admin
Company:
GnBots
Integrity Level:
HIGH
Description:
GnBots
Exit code:
0
Version:
5.0.0.0
Modules
Images
c:\users\admin\documents\outlook files\new folder\gnbots\gnbots.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3868netstat -an -o -p tcpC:\Windows\System32\NETSTAT.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netstat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\iphlpapi.dll
3876"cmd" /c netstat -an -o -p tcp|findstr ":5508.*LISTENING"C:\Windows\System32\cmd.exeGnBots.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
2 451
Read events
2 440
Write events
11
Delete events
0

Modification events

(PID) Process:(392) GnSetup.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(392) GnSetup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:Browse For Folder Width
Value:
318
(PID) Process:(392) GnSetup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:Browse For Folder Height
Value:
288
(PID) Process:(392) GnSetup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(392) GnSetup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(392) GnSetup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(392) GnSetup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
51
Suspicious files
3
Text files
35
Unknown types
0

Dropped files

PID
Process
Filename
Type
392GnSetup.exeC:\Users\admin\Documents\Outlook Files\New folder\GnBots\AccountLib.dllexecutable
MD5:868B9BAC46DD752C5B8E46D4F0EEE227
SHA256:C4037BC64E4A122745E527933BDF652A704A5C779A8D37DFDEB2C4C5057A25F3
392GnSetup.exeC:\Users\admin\Documents\Outlook Files\New folder\GnBots\ApiLib.dllexecutable
MD5:8F64C2417570545E740A62FA4EE91486
SHA256:0098C2F3D7E94E2ED19266D7F7400B7659F9839C74F92D17819570E142CF5E30
392GnSetup.exeC:\Users\admin\Documents\Outlook Files\New folder\GnBots\BlockLib.dllexecutable
MD5:EB3401FB26161AE79C7CC8F17ED772D6
SHA256:CCF24B3A8A69B6086B05D67133687A01087A4D684B289B7EFA0B0B0848CE4ED6
392GnSetup.exeC:\Users\admin\Documents\Outlook Files\New folder\GnBots\ApiLib.dll.configxml
MD5:AB897E865F3DD9AA43BCD5B3CD6CC082
SHA256:ED083854DF6FE59C018686E97B696D7E1CB1F112FA7A65D90B882A37E1B5527D
392GnSetup.exeC:\Users\admin\Documents\Outlook Files\New folder\GnBots\AppsLib.dll.configxml
MD5:140448A36D19CCF750518E374D6C2B83
SHA256:7FA32C2670163A40E64A134210B81437DF444D7EBF207EEE84EF4F4ED693E6C7
392GnSetup.exeC:\Users\admin\Documents\Outlook Files\New folder\GnBots\AForge.dllexecutable
MD5:02C63F568E598AAD85DD401D7B26E82A
SHA256:966A474060A8ACA70C73BA09D0B6FE2353035961C7107B9003EF879C010FF8DA
392GnSetup.exeC:\Users\admin\Documents\Outlook Files\New folder\GnBots\AForge.Math.dllexecutable
MD5:C69973F674D9D113411D0FA2D1DBE222
SHA256:A4F24C9A46705C66FF7838C3A4C61759F5BA58EE8A5B061D05340C61D790C0B7
392GnSetup.exeC:\Users\admin\Documents\Outlook Files\New folder\GnBots\AppsLib.dllexecutable
MD5:E2AE7E52BBF5F8CF8260B372260CC4D0
SHA256:BC36DEA6FBB82088BF015359ED4C21149F9622BB7DFACBF16E64F44E6479DFF3
392GnSetup.exeC:\Users\admin\Documents\Outlook Files\New folder\GnBots\tmp\GnBots.zipcompressed
MD5:6913AD130D9452FDAB973EDF5409595A
SHA256:440A02ED5FF49EEC93EAD74B4131118E51D85D84A340CCB8FACBE08B3D160F61
392GnSetup.exeC:\Users\admin\Documents\Outlook Files\New folder\GnBots\BlockLib.dll.configxml
MD5:D6FA3814C18FB33D2F049BCF6087B82B
SHA256:9E9DEA3890762E4A33E67E0F3B334D99853044FD4C787EEE5C83C6AED39AD31B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
10
DNS requests
0
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
392
GnSetup.exe
GET
200
167.71.15.182:80
http://167.71.15.182/gn/versions/GnBots.zip
unknown
compressed
12.7 Mb
unknown
3748
GnBots.exe
GET
200
167.71.15.182:80
http://167.71.15.182/gn/news.html
unknown
html
1.96 Kb
unknown
392
GnSetup.exe
GET
200
128.199.37.84:3000
http://128.199.37.84:3000/platformversion
unknown
binary
1.02 Kb
unknown
3748
GnBots.exe
GET
200
64.225.82.44:3000
http://64.225.82.44:3000/v2/apps
unknown
binary
1.27 Kb
unknown
3748
GnBots.exe
GET
200
64.225.82.44:3000
http://64.225.82.44:3000/v2/emus
unknown
binary
271 b
unknown
3748
GnBots.exe
GET
200
64.225.82.44:3000
http://64.225.82.44:3000/platformversion
unknown
binary
1.02 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
392
GnSetup.exe
167.71.15.182:80
DIGITALOCEAN-ASN
NL
unknown
392
GnSetup.exe
128.199.37.84:3000
DIGITALOCEAN-ASN
NL
unknown
3748
GnBots.exe
167.71.15.182:80
DIGITALOCEAN-ASN
NL
unknown
3748
GnBots.exe
64.225.82.44:3000
DIGITALOCEAN-ASN
NL
unknown

DNS requests

No data

Threats

PID
Process
Class
Message
392
GnSetup.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
392
GnSetup.exe
Potentially Bad Traffic
ET HUNTING Terse Request for Zip File (GET)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
GnSetup.exe