File name: GnSetup.exe

Full analysis: https://app.any.run/tasks/44d3f349-0d81-4416-ba3d-52d8a09b3a8d
Verdict: Malicious activity
Analysis date: February 07, 2024, 20:11:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: DCF79239DF7168800311A6FDD8E065BC
SHA1: 787E6FAD249DFEB0713B11A81D51D498C2D2A126
SHA256: 0AA9070E1C656A9BF83E0B46D76CAE3133E5D5B9BF880C48B2400124059FF318
SSDEEP: 24576:sJqlaxMTCU514MWXblr3lL62WtrG9JTfcPCS1JLvZLy/XFab5:sJqlaxMTCU514NXblr3lL62WtrG9JTfa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • GnSetup.exe (PID: 392)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • GnSetup.exe (PID: 392)
    • Connects to the server without a host name

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Reads the Internet Settings

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Connects to unusual port

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Executable content was dropped or overwritten

      • GnSetup.exe (PID: 392)
    • Starts CMD.EXE for commands execution

      • GnBots.exe (PID: 3748)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 3876)
  • INFO

    • Checks supported languages

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Reads the computer name

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Reads the machine GUID from the registry

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Creates files in the program directory

      • GnSetup.exe (PID: 392)
    • Reads Environment values

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2055:06:29 05:51:21+02:00 (a date in the future: .NET compilers building in deterministic mode fill the PE timestamp field with a value derived from a content hash rather than the build time, so this is not evidence of clock tampering and cannot be used to date the sample)
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 631808
InitializedDataSize: 221696
UninitializedDataSize: -
EntryPoint: 0x9c36e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: GnSetup48
FileVersion: 1.0.0.0
InternalName: GnSetup.exe
LegalCopyright: Copyright © 2022
LegalTrademarks: -
OriginalFileName: GnSetup.exe
ProductName: GnSetup48
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
All screenshots are available in the full report
Total processes
48
Monitored processes
6
Malicious processes
1
Suspicious processes
1

Behavior graph

Processes in the graph, from the sandbox's start node: gnsetup.exe, gnbots.exe, cmd.exe (no specs), netstat.exe (no specs), findstr.exe (no specs), gnsetup.exe (no specs). "No specs" marks a process that triggered no behavioural indicator of its own.

Process information

PID: 392
CMD: "C:\Users\admin\AppData\Local\Temp\GnSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\GnSetup.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
GnSetup48
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\gnsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1652
CMD: "C:\Users\admin\AppData\Local\Temp\GnSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\GnSetup.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
GnSetup48
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch from explorer.exe stopped at the manifest's elevation check after loading only ntdll.dll; the high-integrity instance, PID 392, is the one that actually ran)
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\gnsetup.exe
c:\windows\system32\ntdll.dll
PID: 1812
CMD: findstr ":5508.*LISTENING"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1 (findstr returns 1 when no line matched: nothing was listening on TCP port 5508 in the guest at that moment)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
PID: 3748
CMD: "C:\Users\admin\Documents\Outlook Files\New folder\GnBots\GnBots.exe"
Path: C:\Users\admin\Documents\Outlook Files\New folder\GnBots\GnBots.exe
Parent process: GnSetup.exe
User:
admin
Company:
GnBots
Integrity Level:
HIGH
Description:
GnBots
Exit code:
0
Version:
5.0.0.0
Modules
Images
c:\users\admin\documents\outlook files\new folder\gnbots\gnbots.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3868
CMD: netstat -an -o -p tcp
Path: C:\Windows\System32\NETSTAT.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netstat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\iphlpapi.dll
PID: 3876
CMD: "cmd" /c netstat -an -o -p tcp|findstr ":5508.*LISTENING"
Path: C:\Windows\System32\cmd.exe
Parent process: GnBots.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1 (cmd /c returns the status of the last command in the pipeline, here findstr's "no match")
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
2 451
Read events
2 440
Write events
11
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
392 | GnSetup.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | en-US
392 | GnSetup.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer | Browse For Folder Width | 318
392 | GnSetup.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer | Browse For Folder Height | 288
392 | GnSetup.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
392 | GnSetup.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
392 | GnSetup.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
392 | GnSetup.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0

The two "Browse For Folder" writes are Explorer's folder-picker dialog saving its window size, so the installer showed a destination prompt and the install location under Documents\Outlook Files\New folder was most likely chosen interactively during the run (see the disclaimer above about user actions). The four ZoneMap writes are the WinINet zone-map defaults that are typically created the first time a process uses the HTTP stack and are not, on their own, an indicator.
Executable files
51
Suspicious files
3
Text files
35
Unknown types
0

Dropped files

PID | Process | Filename | Type
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\tmp\GnBots.zip | compressed
    MD5: 6913AD130D9452FDAB973EDF5409595A
    SHA256: 440A02ED5FF49EEC93EAD74B4131118E51D85D84A340CCB8FACBE08B3D160F61
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\AForge.Math.dll | executable
    MD5: C69973F674D9D113411D0FA2D1DBE222
    SHA256: A4F24C9A46705C66FF7838C3A4C61759F5BA58EE8A5B061D05340C61D790C0B7
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\AForge.Imaging.dll | executable
    MD5: 5392A22226E960D4AE7E408913C49D6C
    SHA256: 107DA9260B6D2796335B516F043B360250001FEB0AE3B1C8422F90B5B9F6E282
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\AutoUpdater.NET.xml | xml
    MD5: 386AFCE38BE912756C1531656AC7AD63
    SHA256: 00B3903F7AC16AED890A632747E499534CC76846A5A0167D9C0D620DF3E888F9
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\ApiLib.dll | executable
    MD5: 8F64C2417570545E740A62FA4EE91486
    SHA256: 0098C2F3D7E94E2ED19266D7F7400B7659F9839C74F92D17819570E142CF5E30
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\AForge.dll | executable
    MD5: 02C63F568E598AAD85DD401D7B26E82A
    SHA256: 966A474060A8ACA70C73BA09D0B6FE2353035961C7107B9003EF879C010FF8DA
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\AppsLib.dll.config | xml
    MD5: 140448A36D19CCF750518E374D6C2B83
    SHA256: 7FA32C2670163A40E64A134210B81437DF444D7EBF207EEE84EF4F4ED693E6C7
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\ApiLib.dll.config | xml
    MD5: AB897E865F3DD9AA43BCD5B3CD6CC082
    SHA256: ED083854DF6FE59C018686E97B696D7E1CB1F112FA7A65D90B882A37E1B5527D
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\BlockLib.dll | executable
    MD5: EB3401FB26161AE79C7CC8F17ED772D6
    SHA256: CCF24B3A8A69B6086B05D67133687A01087A4D684B289B7EFA0B0B0848CE4ED6
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\BotLib.dll.config | xml
    MD5: CD31947158353F522BAE8936EC6E73DE
    SHA256: 8D76CB844FFC30D9B019211667BA861D428A9534B6F483EC2495B772907277EA

The AForge.dll, AForge.Imaging.dll and AForge.Math.dll files are assemblies of the open-source AForge.NET computer-vision library, and AutoUpdater.NET.xml is the XML documentation file shipped with the open-source AutoUpdater.NET library; compare their hashes with the official release packages before treating them as anything other than bundled third-party dependencies. The sample's own logic lives in the ApiLib, AppsLib, BlockLib and BotLib assemblies and GnBots.exe itself.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
10
DNS requests
0
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
392 | GnSetup.exe | GET | 200 | 167.71.15.182:80 | http://167.71.15.182/gn/versions/GnBots.zip | unknown | compressed | 12.7 Mb
3748 | GnBots.exe | GET | 200 | 167.71.15.182:80 | http://167.71.15.182/gn/news.html | unknown | html | 1.96 Kb
3748 | GnBots.exe | GET | 200 | 64.225.82.44:3000 | http://64.225.82.44:3000/v2/emus | unknown | binary | 271 b
3748 | GnBots.exe | GET | 200 | 64.225.82.44:3000 | http://64.225.82.44:3000/v2/apps | unknown | binary | 1.27 Kb
3748 | GnBots.exe | GET | 200 | 64.225.82.44:3000 | http://64.225.82.44:3000/platformversion | unknown | binary | 1.02 Kb
392 | GnSetup.exe | GET | 200 | 128.199.37.84:3000 | http://128.199.37.84:3000/platformversion | unknown | binary | 1.02 Kb

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
392 | GnSetup.exe | 167.71.15.182:80 | - | DIGITALOCEAN-ASN | NL | unknown
392 | GnSetup.exe | 128.199.37.84:3000 | - | DIGITALOCEAN-ASN | NL | unknown
3748 | GnBots.exe | 167.71.15.182:80 | - | DIGITALOCEAN-ASN | NL | unknown
3748 | GnBots.exe | 64.225.82.44:3000 | - | DIGITALOCEAN-ASN | NL | unknown

The System rows (UDP 137/138 to the subnet broadcast address) are NetBIOS name-service and datagram traffic and the svchost.exe row (224.0.0.252:5355) is LLMNR; both are background noise from the guest itself, not sample activity. Every connection made by the sample goes to a bare IP address on DigitalOcean infrastructure, which is why the DNS requests section below is empty.

DNS requests

No data

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO Dotted Quad Host ZIP Request
- | - | Potentially Bad Traffic | ET HUNTING Terse Request for Zip File (GET)

Both signatures describe a .zip being fetched from a host given as a bare IP; the only such request in the run is GnSetup.exe's GET for http://167.71.15.182/gn/versions/GnBots.zip listed under HTTP requests.
No debug info
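The following is an added example, written for this page and not ANY.RUN's report code nor anything from GnBots. It turns the indicators in this report (the file hashes, the three DigitalOcean endpoints, the dotted-quad .zip download and the netstat|findstr port probe spawned by GnBots.exe) into a small detection pass over constructed process-creation and HTTP events. The event field names, the outbound-port allow-list, the explorer.exe PID 1234, the control PID 4100 and the 203.0.113.10 address are assumptions made for the example and do not come from the report.

```python
"""Detection pass built from the indicators in the ANY.RUN report above (added example)."""
import ntpath
import re
from dataclasses import dataclass

# SHA-256 values transcribed from the report (submitted file and dropped GnBots.zip), lower-cased.
KNOWN_SHA256 = {
    "0aa9070e1c656a9bf83e0b46d76cae3133e5d5b9bf880c48b2400124059ff318",  # GnSetup.exe
    "440a02ed5ff49eec93ead74b4131118e51d85d84a340ccb8facbe08b3d160f61",  # GnBots.zip
}
# (ip, port) pairs from the Connections table.
KNOWN_ENDPOINTS = {("167.71.15.182", 80), ("64.225.82.44", 3000), ("128.199.37.84", 3000)}
# Assumption: ports this environment treats as normal for outbound HTTP (3000 is what tripped
# "Connects to unusual port" in the report).
EXPECTED_HTTP_PORTS = {80, 443, 8080}

# netstat ... | findstr ":<port>.*LISTENING"  -- the local port probe seen in PID 3876.
PORT_PROBE = re.compile(r'netstat\b[^|]*\|\s*findstr\s+"?:(\d+)\.\*LISTENING', re.IGNORECASE)
# http(s)://<dotted quad>[:port]/...<name>.zip -- the gist of "ET INFO Dotted Quad Host ZIP Request".
DOTTED_QUAD_ZIP = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S*\.zip$", re.IGNORECASE)


@dataclass
class ProcEvent:            # Sysmon/EDR-style process creation record (field names assumed)
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""


@dataclass
class HttpEvent:            # proxy/NSM-style HTTP record (field names assumed)
    pid: int
    image: str
    url: str
    dst_ip: str
    dst_port: int


def ancestry(ev, by_pid):
    """Walk parent PIDs and return 'child <- parent <- grandparent' image names."""
    chain = [ntpath.basename(ev.image)]
    seen = {ev.pid}                      # guard against PID reuse / self-parent loops
    while ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
        chain.append(ntpath.basename(ev.image))
    return " <- ".join(chain)


def scan_processes(events):
    """Return [(pid, [reasons], ancestry)] for events matching a known hash or the port probe."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        reasons = []
        if ev.sha256.lower() in KNOWN_SHA256:
            reasons.append("known-hash")
        m = PORT_PROBE.search(ev.cmdline)
        if m:
            reasons.append(f"port-probe:{m.group(1)}")
        if reasons:
            findings.append((ev.pid, reasons, ancestry(ev, by_pid)))
    return findings


def scan_http(events):
    """Return [(pid, [reasons])] for requests hitting a known endpoint, a dotted-quad .zip, or an odd port."""
    findings = []
    for ev in events:
        reasons = []
        if (ev.dst_ip, ev.dst_port) in KNOWN_ENDPOINTS:
            reasons.append("known-endpoint")
        if DOTTED_QUAD_ZIP.match(ev.url):
            reasons.append("dotted-quad-zip")
        if ev.dst_port not in EXPECTED_HTTP_PORTS:
            reasons.append("unusual-port")
        if reasons:
            findings.append((ev.pid, reasons))
    return findings


# Constructed events mirroring the report. PID 1234 (explorer.exe), PID 4100 and 203.0.113.10
# are invented control values, not taken from the report.
SAMPLE_PROCS = [
    ProcEvent(392, 1234, r"C:\Users\admin\AppData\Local\Temp\GnSetup.exe",
              r'"C:\Users\admin\AppData\Local\Temp\GnSetup.exe"',
              "0AA9070E1C656A9BF83E0B46D76CAE3133E5D5B9BF880C48B2400124059FF318"),
    ProcEvent(3748, 392, r"C:\Users\admin\Documents\Outlook Files\New folder\GnBots\GnBots.exe",
              r'"C:\Users\admin\Documents\Outlook Files\New folder\GnBots\GnBots.exe"'),
    ProcEvent(3876, 3748, r"C:\Windows\System32\cmd.exe",
              r'"cmd" /c netstat -an -o -p tcp|findstr ":5508.*LISTENING"'),
    ProcEvent(4100, 1234, r"C:\Windows\System32\cmd.exe", r'"cmd" /c dir'),  # benign control
]
SAMPLE_HTTP = [
    HttpEvent(392, "GnSetup.exe", "http://167.71.15.182/gn/versions/GnBots.zip", "167.71.15.182", 80),
    HttpEvent(3748, "GnBots.exe", "http://64.225.82.44:3000/v2/emus", "64.225.82.44", 3000),
    HttpEvent(4100, "cmd.exe", "http://203.0.113.10/index.html", "203.0.113.10", 80),  # benign control
]

if __name__ == "__main__":
    for pid, reasons, chain in scan_processes(SAMPLE_PROCS):
        print(f"proc {pid}: {', '.join(reasons)}  [{chain}]")
    for pid, reasons in scan_http(SAMPLE_HTTP):
        print(f"http {pid}: {', '.join(reasons)}")
```

The port-probe pattern is the durable part: the hashes and IPs will change between builds, but a user-mode program shelling out to `netstat` piped into `findstr ":<port>.*LISTENING"` to test whether something local is already listening is an odd thing for an application to do, and the reconstructed ancestry (cmd.exe under a binary in the user's Documents folder, itself started by an installer from %TEMP%) is what turns it from a curiosity into something worth triaging.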