| File name: | gk.exe |
| Full analysis: | https://app.any.run/tasks/fd738515-0b8b-47aa-ab8f-7e046d5ffa6f |
| Verdict: | Malicious activity |
| Analysis date: | January 19, 2024, 16:21:44 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5: | 7091F5E0B823EF775E98DA89DAC7B3B5 |
| SHA1: | 1771DD51DA9B19A8CAEF032959CB9BF48B026078 |
| SHA256: | 0B0E52ADE98A42E1A3C04F6AEAD17AFF2817561C34678F8FED58C7188B4706ED |
| SSDEEP: | 768:j3aOhX2RJkizwZ2iK2qPPm6wCl03tx+y4YM2WJ/SF:nhGRJkizQHKtTnG3tx+9Y3KU |
MALICIOUS
MYDOOM has been detected (SURICATA)
- gk.exe (PID: 2044)
Drops the executable file immediately after the start
- gk.exe (PID: 2044)
SUSPICIOUS
Executable content was dropped or overwritten
- gk.exe (PID: 2044)
Reads the Internet Settings
- gk.exe (PID: 2044)
The process creates files with name similar to system file names
- gk.exe (PID: 2044)
Connects to SMTP port
- gk.exe (PID: 2044)
Connects to unusual port
- gk.exe (PID: 2044)
INFO
Reads the computer name
- gk.exe (PID: 2044)
Checks supported languages
- gk.exe (PID: 2044)
Create files in a temporary directory
- gk.exe (PID: 2044)
Checks proxy server information
- gk.exe (PID: 2044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (38.2) |
|---|---|---|
| .exe | | | Win32 EXE Yoda's Crypter (37.5) |
| .dll | | | Win32 Dynamic Link Library (generic) (9.2) |
| .exe | | | Win32 Executable (generic) (6.3) |
| .exe | | | Clipper DOS Executable (2.8) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 0000:00:00 00:00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 7 |
| CodeSize: | 20480 |
| InitializedDataSize: | 4096 |
| UninitializedDataSize: | 24576 |
| EntryPoint: | 0xb4a0 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
33
Monitored processes
1
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2044 | "C:\Users\admin\AppData\Local\Temp\gk.exe" | C:\Users\admin\AppData\Local\Temp\gk.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
521
Read events
519
Write events
2
Delete events
0
Modification events
| (PID) Process: | (2044) gk.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2044) gk.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
11
Suspicious files
6
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2044 | gk.exe | C:\Users\admin\AppData\Local\Temp\lsass.exe | executable | |
MD5:7091F5E0B823EF775E98DA89DAC7B3B5 | SHA256:0B0E52ADE98A42E1A3C04F6AEAD17AFF2817561C34678F8FED58C7188B4706ED | |||
| 2044 | gk.exe | C:\Users\admin\AppData\Local\Temp\tmpE458.tmp | executable | |
MD5:7091F5E0B823EF775E98DA89DAC7B3B5 | SHA256:0B0E52ADE98A42E1A3C04F6AEAD17AFF2817561C34678F8FED58C7188B4706ED | |||
| 2044 | gk.exe | C:\Users\admin\AppData\Local\Temp\tmpE497.tmp | executable | |
MD5:7091F5E0B823EF775E98DA89DAC7B3B5 | SHA256:0B0E52ADE98A42E1A3C04F6AEAD17AFF2817561C34678F8FED58C7188B4706ED | |||
| 2044 | gk.exe | C:\Users\admin\AppData\Local\Temp\tmpE657.tmp | executable | |
MD5:7091F5E0B823EF775E98DA89DAC7B3B5 | SHA256:0B0E52ADE98A42E1A3C04F6AEAD17AFF2817561C34678F8FED58C7188B4706ED | |||
| 2044 | gk.exe | C:\Users\admin\AppData\Local\Temp\tmpE5A7.tmp | compressed | |
MD5:3418B4A7613411280C40F74301E3D178 | SHA256:18176DE92D6A5BD815408716B29C7455D50FBF79F91C147F5C40BC125F175E0F | |||
| 2044 | gk.exe | C:\Users\admin\AppData\Local\Temp\1iki.txt | binary | |
MD5:3EA611FAB76B8881D3D824269940CC70 | SHA256:8E28C483FE80718CA6B9C2569E74E562876DA67CF6D558E2C4D750720B80D625 | |||
| 2044 | gk.exe | C:\Users\admin\AppData\Local\Temp\tmpE574.tmp | executable | |
MD5:7091F5E0B823EF775E98DA89DAC7B3B5 | SHA256:0B0E52ADE98A42E1A3C04F6AEAD17AFF2817561C34678F8FED58C7188B4706ED | |||
| 2044 | gk.exe | C:\Users\admin\AppData\Local\Temp\tmpE596.tmp | executable | |
MD5:7091F5E0B823EF775E98DA89DAC7B3B5 | SHA256:0B0E52ADE98A42E1A3C04F6AEAD17AFF2817561C34678F8FED58C7188B4706ED | |||
| 2044 | gk.exe | C:\Users\admin\AppData\Local\Temp\tmp845D.tmp | executable | |
MD5:7091F5E0B823EF775E98DA89DAC7B3B5 | SHA256:0B0E52ADE98A42E1A3C04F6AEAD17AFF2817561C34678F8FED58C7188B4706ED | |||
| 2044 | gk.exe | C:\Users\admin\AppData\Local\Temp\tmpE626.tmp | executable | |
MD5:7091F5E0B823EF775E98DA89DAC7B3B5 | SHA256:0B0E52ADE98A42E1A3C04F6AEAD17AFF2817561C34678F8FED58C7188B4706ED | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
58
DNS requests
75
Threats
1
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2044 | gk.exe | 16.179.137.45:1042 | — | — | US | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2044 | gk.exe | 31.228.161.154:1042 | — | Deutsche Telekom AG | DE | unknown |
2044 | gk.exe | 129.81.102.85:1042 | — | TULANE | US | unknown |
2044 | gk.exe | 68.55.184.19:1042 | — | COMCAST-7922 | US | unknown |
2044 | gk.exe | 16.150.147.164:1042 | — | — | US | unknown |
2044 | gk.exe | 15.7.182.190:1042 | — | — | US | unknown |
2044 | gk.exe | 16.100.218.85:1042 | — | — | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
dns.msftncsi.com |
| shared |
apple.com |
| whitelisted |
mx-in.g.apple.com |
| unknown |
mx-in-mdn.apple.com |
| unknown |
mx-in-rno.apple.com |
| unknown |
openoffice.org |
| whitelisted |
mx1-lw-eu.apache.org |
| unknown |
mx1-lw-us.apache.org |
| unknown |
onlineconnections.com.au |
| unknown |
mx2-lw-eu.apache.org |
| unknown |
Threats
1 ETPRO signatures available at the full report