| File name: | HA.exe |
| Full analysis: | https://app.any.run/tasks/d3f6cbe8-4705-4c4d-b578-d9b5cb015457 |
| Verdict: | Malicious activity |
| Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
| Analysis date: | March 24, 2020, 17:11:12 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386, for MS Windows |
| MD5: | E3F6F694CA9B04BA09E4E2425FC545C1 |
| SHA1: | C72887B977F399F44959BB03879D7190E7EBDCAF |
| SHA256: | 0D8FD2E51E8D89E083469353B89918F4C49776518A8423BD6A5CDCE5CC078E6C |
| SSDEEP: | 24576:QO4d/YmKrx/uUSklJnApHeetf+idPEp6Bqvg8ZE2Xyl9LSTUiMpnH+BC1hDaG:od/j4/utyRetP4NvJCqTUiMpnH1hDaG |
MALICIOUS
Uses Task Scheduler to run other applications
- cmd.exe (PID: 916)
Starts NET.EXE to view/change users group
- cmd.exe (PID: 916)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 3956)
Starts NET.EXE to view/add/change user profiles
- cmd.exe (PID: 916)
SUSPICIOUS
Starts CMD.EXE for commands execution
- HA.exe (PID: 3976)
Uses WMIC.EXE to obtain a system information
- cmd.exe (PID: 916)
Uses IPCONFIG.EXE to discover IP address
- cmd.exe (PID: 916)
Starts SC.EXE for service management
- cmd.exe (PID: 916)
Starts NET.EXE to view connections to shared resources
- cmd.exe (PID: 916)
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 916)
Uses NETSTAT.EXE to discover network connections
- cmd.exe (PID: 916)
Uses TASKLIST.EXE to query information about running processes
- cmd.exe (PID: 916)
Connects to server without host name
- HA.exe (PID: 3976)
Searches for installed software
- reg.exe (PID: 2364)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:03:24 08:30:02+01:00 |
| PEType: | PE32 |
| LinkerVersion: | 12 |
| CodeSize: | 790528 |
| InitializedDataSize: | 366080 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xa9b6c |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Compilation Date: | 24-Mar-2020 07:30:02 |
| Detected languages: |
|
| Debug artifacts: |
|
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000118 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 5 |
| Time date stamp: | 24-Mar-2020 07:30:02 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x000C0F3B | 0x000C1000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.69532 |
.rdata | 0x000C2000 | 0x000429C6 | 0x00042A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.88502 |
.data | 0x00105000 | 0x0000C694 | 0x00008600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.82253 |
.rsrc | 0x00112000 | 0x000001E0 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.70436 |
.reloc | 0x00113000 | 0x0000A1FC | 0x0000A200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.59606 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST |
Imports
ADVAPI32.dll |
KERNEL32.dll |
USER32.dll |
WS2_32.dll |
Total processes
66
Monitored processes
19
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 272 | find "DisplayName" USER-PC_14 | C:\Windows\system32\find.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 376 | net user | C:\Windows\system32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 916 | cmd.exe /c "C:\Users\admin\Desktop\9179.bat" "(null)" | C:\Windows\system32\cmd.exe | — | HA.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1748 | wmic qfe list | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2364 | reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall USER-PC_14 | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2696 | net use | C:\Windows\system32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2808 | ipconfig /displaydns | C:\Windows\system32\ipconfig.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: IP Configuration Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3052 | ipconfig /all | C:\Windows\system32\ipconfig.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: IP Configuration Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3084 | C:\Windows\system32\net1 localgroup | C:\Windows\system32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3248 | tasklist | C:\Windows\system32\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
3 044
Read events
3 044
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
34
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2364 | reg.exe | C:\Users\admin\AppData\Local\Temp\REG11C.tmp | — | |
MD5:— | SHA256:— | |||
| 916 | cmd.exe | C:\Users\admin\Desktop\USER-PC_1 | text | |
MD5:— | SHA256:— | |||
| 916 | cmd.exe | C:\Users\admin\Desktop\USER-PC_6 | text | |
MD5:— | SHA256:— | |||
| 916 | cmd.exe | C:\Users\admin\Desktop\USER-PC_5 | text | |
MD5:— | SHA256:— | |||
| 916 | cmd.exe | C:\Users\admin\Desktop\USER-PC_3 | text | |
MD5:— | SHA256:— | |||
| 916 | cmd.exe | C:\Users\admin\Desktop\USER-PC_4 | text | |
MD5:— | SHA256:— | |||
| 916 | cmd.exe | C:\Users\admin\Desktop\USER-PC_10 | text | |
MD5:— | SHA256:— | |||
| 916 | cmd.exe | C:\Users\admin\Desktop\USER-PC_11 | text | |
MD5:— | SHA256:— | |||
| 3976 | HA.exe | C:\Users\admin\Desktop\9179.bat | text | |
MD5:— | SHA256:— | |||
| 916 | cmd.exe | C:\Users\admin\Desktop\USER-PC_2 | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
21
DNS requests
2
Threats
20
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3976 | HA.exe | POST | — | 39.98.135.6:80 | http://39.98.135.6/file_file_file.php | CN | — | — | malicious |
3976 | HA.exe | POST | 200 | 39.98.135.6:80 | http://39.98.135.6/file_file_file.php | CN | text | 98 b | malicious |
3976 | HA.exe | POST | 200 | 39.98.135.6:80 | http://39.98.135.6/file_file_file.php | CN | text | 99 b | malicious |
3976 | HA.exe | POST | 200 | 39.98.135.6:80 | http://39.98.135.6/file_file_file.php | CN | text | 99 b | malicious |
3976 | HA.exe | POST | 200 | 39.98.135.6:80 | http://39.98.135.6/file_file_file.php | CN | text | 101 b | malicious |
3976 | HA.exe | POST | 200 | 39.98.135.6:80 | http://39.98.135.6/file_file_file.php | CN | text | 99 b | malicious |
3976 | HA.exe | POST | 200 | 39.98.135.6:80 | http://39.98.135.6/file_file_file.php | CN | text | 100 b | malicious |
3976 | HA.exe | POST | — | 39.98.135.6:80 | http://39.98.135.6/file_file_file.php | CN | — | — | malicious |
3976 | HA.exe | POST | 200 | 39.98.135.6:80 | http://39.98.135.6/file_file_file.php | CN | text | 99 b | malicious |
3976 | HA.exe | POST | — | 39.98.135.6:80 | http://39.98.135.6/file_file_file.php | CN | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3976 | HA.exe | 39.98.135.6:8000 | — | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
3976 | HA.exe | 39.98.135.6:80 | — | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
dns.msftncsi.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3976 | HA.exe | A Network Trojan was detected | ET INFO Suspicious Possible Process Dump in POST body |
3976 | HA.exe | A Network Trojan was detected | ET TROJAN Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration |
3976 | HA.exe | Successful Administrator Privilege Gain | ET ATTACK_RESPONSE SysInternals sc.exe Output Outbound |
3976 | HA.exe | A Network Trojan was detected | ET TROJAN Windows sc query Microsoft Windows DOS prompt command exit OUTBOUND |
3976 | HA.exe | Successful Administrator Privilege Gain | ET ATTACK_RESPONSE SysInternals sc.exe Output Outbound |
3976 | HA.exe | A Network Trojan was detected | ET TROJAN Windows sc query Microsoft Windows DOS prompt command exit OUTBOUND |
3976 | HA.exe | Successful Administrator Privilege Gain | ET ATTACK_RESPONSE SysInternals sc.exe Output Outbound |
3976 | HA.exe | A Network Trojan was detected | ET TROJAN Windows sc query Microsoft Windows DOS prompt command exit OUTBOUND |
3976 | HA.exe | Successful Administrator Privilege Gain | ET ATTACK_RESPONSE SysInternals sc.exe Output Outbound |
3976 | HA.exe | A Network Trojan was detected | ET TROJAN Windows sc query Microsoft Windows DOS prompt command exit OUTBOUND |
Process | Message |
|---|---|
HA.exe | 03/24/20 17:11:51 HA.exe HttpClient::Get error = 7
|