Malware analysis C:\Users\admin\Desktop\CXSplay.exe Malicious activity

Add for printing

File name:	C:\Users\admin\Desktop\CXSplay.exe
Full analysis:	https://app.any.run/tasks/fa24cf96-27a6-4de3-bacf-678f3e3b2b58
Verdict:	Malicious activity
Analysis date:	July 18, 2019, 09:56:44
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:	960A505759EF8CFA5AA6E8689D3E04BC
SHA1:	93268C84F806010C09C9F3AD862B1CBB1AEA028C
SHA256:	0E201DB06D2E2E58A0600C631FB5DAB0DB328A339CCD2E623C0E1D9CE75ADAB7
SSDEEP:	24576:ZcwWawXEUYBsX9mcdtMP9+rHIyghro2ZPBn2Uf92lNUfYuhgZ2pP6wGGsVYYYYYB:2wW5XEUYBsXNMF+Eh8UoloYuhI2JfqYx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: off

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - svchost.exe (PID: 3468)
  - svchost.exe (PID: 2100)
  - Server.exe (PID: 2848)
  - explorerr.exe (PID: 2128)
- Loads dropped or rewritten executable
  - CXSplay.exe (PID: 3464)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Server.exe (PID: 2848)
  - CXSplay.exe (PID: 3464)
- Executed as Windows Service
  - svchost.exe (PID: 3468)
- Creates files in the Windows directory
  - Server.exe (PID: 2848)
  - CXSplay.exe (PID: 3464)
- Creates executable files which already exist in Windows
  - Server.exe (PID: 2848)
- Creates or modifies windows services
  - svchost.exe (PID: 2100)
  - Server.exe (PID: 2848)
- Application launched itself
  - svchost.exe (PID: 3468)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	UPX compressed Win32 Executable (64.2)
.dll	\|	Win32 Dynamic Link Library (generic) (15.6)
.exe	\|	Win32 Executable (generic) (10.6)
.exe	\|	Generic Win/DOS Executable (4.7)
.exe	\|	DOS Executable Generic (4.7)

EXIF

EXE

Comments:	本程序使用易语言编写(http://www.eyuyan.com)
LegalCopyright:	作者版权所有请尊重并使用正版
ProductVersion:	1.0.0.0
ProductName:	易语言程序
FileDescription:	应用程序
FileVersion:	1.0.0.0
CharacterSet:	Unicode
LanguageCode:	Chinese (Simplified)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x0000
ProductVersionNumber:	1.0.0.0
FileVersionNumber:	1.0.0.0
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x1d5c70
UninitializedDataSize:	724992
InitializedDataSize:	212992
CodeSize:	1200128
LinkerVersion:	6
PEType:	PE32
TimeStamp:	2018:11:13 08:45:46+01:00
MachineType:	Intel 386 or later, and compatibles

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	13-Nov-2018 07:45:46
Detected languages:	Chinese - PRC
FileVersion:	1.0.0.0
FileDescription:	应用程序
ProductName:	易语言程序
ProductVersion:	1.0.0.0
LegalCopyright:	作者版权所有请尊重并使用正版
Comments:	本程序使用易语言编写(http://www.eyuyan.com)

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000F8

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	3
Time date stamp:	13-Nov-2018 07:45:46
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
UPX0	0x00001000	0x000B1000	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0
UPX1	0x000B2000	0x00125000	0x00124A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.99972
.rsrc	0x001D7000	0x00034000	0x00033400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	6.19484

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.02094	697	Latin 1 / Western European	UNKNOWN	RT_MANIFEST
2	2.18858	296	Latin 1 / Western European	Chinese - PRC	RT_ICON
3	3.5232	10344	Latin 1 / Western European	UNKNOWN	RT_ICON
4	3.84212	2664	Latin 1 / Western European	UNKNOWN	RT_ICON
5	3.96536	1640	Latin 1 / Western European	UNKNOWN	RT_ICON
6	3.82603	744	Latin 1 / Western European	UNKNOWN	RT_ICON
7	3.69679	488	Latin 1 / Western European	UNKNOWN	RT_ICON
8	3.07507	296	Latin 1 / Western European	UNKNOWN	RT_ICON
9	5.07349	19496	Latin 1 / Western European	UNKNOWN	RT_ICON
10	5.70457	5672	Latin 1 / Western European	UNKNOWN	RT_ICON

Imports


ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.DLL
OLEAUT32.dll
SHELL32.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3028	"C:\Users\admin\Downloads\CXSplay.exe"	C:\Users\admin\Downloads\CXSplay.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Description: 应用程序 Exit code: 3221226540 Version: 1.0.0.0
3464	"C:\Users\admin\Downloads\CXSplay.exe"	C:\Users\admin\Downloads\CXSplay.exe		explorer.exe
User: admin Integrity Level: HIGH Description: 应用程序 Version: 1.0.0.0
2128	C:\Windows\explorerr.exe	C:\Windows\explorerr.exe	—	CXSplay.exe
User: admin Integrity Level: HIGH Description: 易语言程序 Version: 1.0.0.0
2848	C:\Windows\Server.exe	C:\Windows\Server.exe		CXSplay.exe
User: admin Integrity Level: HIGH Description: 5555 MFC Application Exit code: 0 Version: 1, 0, 0, 1
3468	C:\Windows\svchost.exe	C:\Windows\svchost.exe		services.exe
User: SYSTEM Integrity Level: SYSTEM Description: 5555 MFC Application Exit code: 0 Version: 1, 0, 0, 1
2100	C:\Windows\svchost.exe Win7	C:\Windows\svchost.exe		svchost.exe
User: SYSTEM Integrity Level: SYSTEM Description: 5555 MFC Application Version: 1, 0, 0, 1

Add for printing

Total events

Read events

Write events

Delete events

Modification events


(PID) Process:	(2848) Server.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Opqrst
Operation:	write	Name:	Description
Value: Opqrstuv Xyabcdefg Ijklmno Qrstuvwx Abc
(PID) Process:	(2848) Server.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Opqrst
Operation:	write	Name:	Group
Value: Default
(PID) Process:	(2848) Server.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Opqrst
Operation:	write	Name:	InstallTime
Value: 2019-07-18 10:57
(PID) Process:	(2848) Server.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:	write	Name:	PendingFileRenameOperations
Value: \??\C:\Windows\system32\1554437.bak
(PID) Process:	(2100) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Opqrst
Operation:	write	Name:	MarkTime
Value: 2019-07-18 10:57
(PID) Process:	(3464) CXSplay.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CXSplay_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3464) CXSplay.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CXSplay_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3464) CXSplay.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CXSplay_RASAPI32
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(3464) CXSplay.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CXSplay_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760
(PID) Process:	(3464) CXSplay.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CXSplay_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3464	CXSplay.exe	C:\Users\admin\AppData\Local\Temp\1553125\TemporaryFile		—
		MD5:—	SHA256:—
3464	CXSplay.exe	C:\Windows\explorerr.exe		executable
		MD5:D8DB6DBCB2DBE9CDF084261A02EB615D	SHA256:924A5B0940F847701AB848D2B66636DDED4D5B2469ABEB40C910D329C31ECC83
3464	CXSplay.exe	C:\Users\admin\Downloads\1.dll		executable
		MD5:F38ACC8F5544B3FA4B3FB9B7EC532EF5	SHA256:A4F9287EB8CAD334F9B8BF290F3AD9A27614CB379E60CFA2B5E1BB3D7FDF7462
2848	Server.exe	C:\Windows\svchost.exe		executable
		MD5:5DFB5C71F501AA9B006F8CB38D6DF7EC	SHA256:425BCBC612A2339965E845A039CDEC3180D101FED601CEC218E7DA9B48A6FD50
3464	CXSplay.exe	C:\Windows\Server.exe		executable
		MD5:5DFB5C71F501AA9B006F8CB38D6DF7EC	SHA256:425BCBC612A2339965E845A039CDEC3180D101FED601CEC218E7DA9B48A6FD50
3464	CXSplay.exe	C:\Users\admin\AppData\Local\Temp\1553125\....\TemporaryFile		executable
		MD5:960A505759EF8CFA5AA6E8689D3E04BC	SHA256:0E201DB06D2E2E58A0600C631FB5DAB0DB328A339CCD2E623C0E1D9CE75ADAB7
2848	Server.exe	C:\Windows\system32\1554437.bak		executable
		MD5:5DFB5C71F501AA9B006F8CB38D6DF7EC	SHA256:425BCBC612A2339965E845A039CDEC3180D101FED601CEC218E7DA9B48A6FD50

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

Process	Message
Server.exe	½øÈëDLLMain
svchost.exe	½øÈëDLLMain
svchost.exe	½øÈëDLLMain

General Info

C:\Users\admin\Desktop\CXSplay.exe

960A505759EF8CFA5AA6E8689D3E04BC

93268C84F806010C09C9F3AD862B1CBB1AEA028C

0E201DB06D2E2E58A0600C631FB5DAB0DB328A339CCD2E623C0E1D9CE75ADAB7

24576:ZcwWawXEUYBsX9mcdtMP9+rHIyghro2ZPBn2Uf92lNUfYuhgZ2pP6wGGsVYYYYYB:2wW5XEUYBsXNMF+Eh8UoloYuhI2JfqYx

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

Executed as Windows Service

Creates files in the Windows directory

Creates executable files which already exist in Windows

Creates or modifies windows services

Application launched itself

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings