analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG

Full analysis: https://app.any.run/tasks/92408f44-538b-43bf-9d2e-3f32a8f29d44
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: September 11, 2019, 10:29:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
pup
downloadguide
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

6EEDBAA104967C0FDA685F496265A789

SHA1:

CD5A420CADBEEE454B9A6AA772015A5DDD156E3E

SHA256:

0ECD17E20B8332AB5316BD52C45D926680D1433510AA8EA986FA7D84BF68E20F

SSDEEP:

12288:SW9WJrucV/e5GzfL1LQaMB3+NShR/o1SXZtmswt2QaV7PD:zQwcU5GzfL1xMx+NShR/o1SXTmswwbV3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • DOWNLOADGUIDE was detected

      • 0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe (PID: 3728)

  • SUSPICIOUS

    • Creates files in the user directory

      • 0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe (PID: 3728)

    • Changes tracing settings of the file or console

      • 0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe (PID: 3728)

    • Reads Internet Cache Settings

      • 0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe (PID: 3728)

    • Reads internet explorer settings

      • 0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe (PID: 3728)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

FileVersion: 3.1.0.201
CharacterSet: Unicode
LanguageCode: Russian
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 3.1.0.201
FileVersionNumber: 3.1.0.201
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x13b6c
UninitializedDataSize: -
InitializedDataSize: 199168
CodeSize: 335360
LinkerVersion: 10
PEType: PE32
TimeStamp: 2018:01:02 12:02:06+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 02-Jan-2018 11:02:06
Detected languages:
  • Russian - Russia
FileVersion: 3.1.0.201

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 02-Jan-2018 11:02:06
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00051C3E
0x00051E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.59441
.rdata
0x00053000
0x00021A38
0x00021C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.29471
.data
0x00075000
0x00004900
0x00002200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.97581
.rsrc
0x0007A000
0x00003EC0
0x00004000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.82636
.reloc
0x0007E000
0x000062BA
0x00006400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
5.72035

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.88452
372
UNKNOWN
UNKNOWN
RT_MANIFEST
2
4.8116
4264
UNKNOWN
UNKNOWN
RT_ICON
3
4.51657
9640
UNKNOWN
UNKNOWN
RT_ICON
101
2.45849
48
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SHLWAPI.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.mrg.exe no specs #DOWNLOADGUIDE 0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.mrg.exe

Process information

PID
CMD
Path
Indicators
Parent process
2892"C:\Users\admin\AppData\Local\Temp\0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe" C:\Users\admin\AppData\Local\Temp\0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
3728"C:\Users\admin\AppData\Local\Temp\0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe" C:\Users\admin\AppData\Local\Temp\0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Total events
153
Read events
128
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
34
Unknown types
2

Dropped files

PID
Process
Filename
Type
37280ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exeC:\Users\admin\AppData\Local\Temp\DLG\ui\common\base\base.zip.part
MD5:
SHA256:
37280ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exeC:\Users\admin\AppData\Local\Temp\DLG\ui\common\last\last.zip.part
MD5:
SHA256:
37280ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exeC:\Users\admin\AppData\Local\Temp\DLG\ui\common\progress\progress.zip.part
MD5:
SHA256:
37280ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exeC:\Users\admin\AppData\Local\Temp\DLG8BBA.tmptlb
MD5:220FAF7A3E4C98512EBCB8A47E9C915B
SHA256:8EC69E605927392DDD10194C95D4C185D3EFE6D0DC8874B6A5BAD3D759C806D1
37280ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exeC:\Users\admin\AppData\Local\Temp\DLG\ui\common\last\last.zipcompressed
MD5:78A75672FDD18E75FB46E47640E1456A
SHA256:0C4DECCB016B28CD4A829C661F247675195AE63EC9AC18A18CAC5D7C12C0843C
37280ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exeC:\Users\admin\AppData\Local\Temp\DLG\ui\common\progress\index.htmlhtml
MD5:294C6B37C2D048CF16E1052CE48E57E8
SHA256:A6E9449C31842D33734924A9C401C5A98920190D9E6900EFAF234FF73785D79F
37280ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exeC:\Users\admin\AppData\Local\Temp\DLG\ui\common\progress\css\style.csstext
MD5:F3A2D3BBA7A924924EB075F995C50EC0
SHA256:31ABB83FB4010FF20353EA4287C388C3EA3F30536F66976CF181979129696DE2
37280ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exeC:\Users\admin\AppData\Local\Temp\DLG\ui\common\base\base.zipcompressed
MD5:D6A7A365A47553849B8FDEABD2387D04
SHA256:281CE553CF7C12E88B70DD51447085B8E368B1E71D4013CDE5C48988370BB512
37280ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exeC:\Users\admin\AppData\Local\Temp\DLG\loadingImage\loadingImage.bmpimage
MD5:002AB0273D3F8F0575A09DC4392B1905
SHA256:57F3C81751562F8327A62E3381B93367755A2DDDC18BECC6FEDEFE6CA6554D63
37280ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exeC:\Users\admin\AppData\Local\Temp\DLG\initWindow\noconnection.htmlhtml
MD5:A0EE32DC4FFC79FDEF2DC0467DA538C5
SHA256:B4508B7DCC08B2B93CD64BEE68BD5174FE48F48280E59F9A81D4861C3EF0431D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
38
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
GET
301
2.16.186.67:80
http://ftp22.nero.com/Nero2018/Nero_BurningROM2018-1.10.0.9_stub_trial.exe
unknown
malicious
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
HEAD
200
23.102.60.206:80
http://dlg-configs.buzzrin.de/
IE
whitelisted
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
GET
200
152.199.19.161:80
http://az687722.vo.msecnd.net/public-source/downloadguide/freeware-de/1.0/default/campaigns/product+website/ui/last.zip
US
compressed
87.2 Kb
shared
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
GET
200
152.199.19.161:80
http://az687722.vo.msecnd.net/public-source/downloadguide/freeware-de/1.0/default/campaigns/product+website/ui/progress.zip
US
compressed
134 Kb
shared
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
GET
302
209.239.121.93:80
http://dle.nero.com/link.php?topic_id=9014&ak_file=Nero_BurningROM2018-1.10.0.9_stub_trial.exe;PATH=/Nero2018/Nero_BurningROM2018-1.10.0.9_stub_trial.exe
US
malicious
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
GET
200
152.199.19.161:80
http://az687722.vo.msecnd.net/public-source/downloadguide/freeware-de/1.0/default/campaigns/product+website/ui/base.zip
US
compressed
33.6 Kb
shared
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
HEAD
200
23.102.60.206:80
http://dlg-configs.buzzrin.de/
IE
whitelisted
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
GET
301
2.16.186.67:80
http://ftp22.nero.com/Nero2018/Nero_BurningROM2018-1.10.0.9_stub_trial.exe
unknown
malicious
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
GET
302
209.239.121.93:80
http://dle.nero.com/link.php?topic_id=9014&ak_file=Nero_BurningROM2018-1.10.0.9_stub_trial.exe;PATH=/Nero2018/Nero_BurningROM2018-1.10.0.9_stub_trial.exe
US
malicious
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
GET
302
2.19.38.243:80
http://www.nero.com/download.php?id=nbr-pad
unknown
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
23.102.60.206:80
dlg-configs.buzzrin.de
Microsoft Corporation
IE
whitelisted
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
104.40.188.185:80
dlg-messages.buzzrin.de
Microsoft Corporation
NL
whitelisted
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
2.16.186.67:80
ftp22.nero.com
Akamai International B.V.
whitelisted
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
209.239.121.93:80
dle.nero.com
server4you Inc.
US
malicious
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
152.199.19.161:80
az687722.vo.msecnd.net
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
2.19.38.243:80
www.nero.com
Akamai International B.V.
whitelisted
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
188.138.9.62:443
dl14.nero.com
Host Europe GmbH
DE
suspicious
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
40.118.73.208:80
freemium.blob.core.windows.net
Microsoft Corporation
NL
whitelisted

DNS requests

Domain
IP
Reputation
dlg-configs.buzzrin.de
  • 23.102.60.206
unknown
dlg-messages.buzzrin.de
  • 104.40.188.185
unknown
az687722.vo.msecnd.net
  • 152.199.19.161
shared
ftp22.nero.com
  • 2.16.186.67
  • 2.16.186.72
malicious
dle.nero.com
  • 209.239.121.93
malicious
www.nero.com
  • 2.19.38.243
suspicious
dl14.nero.com
  • 188.138.9.62
suspicious
freemium.blob.core.windows.net
  • 40.118.73.208
suspicious

Threats

PID
Process
Class
Message
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
A Network Trojan was detected
ET MALWARE PUP W32/DownloadGuide.D
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
Misc activity
ADWARE [PTsecurity] W32/Buzzrin HTTP POST
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
A Network Trojan was detected
ET MALWARE PUP Win32/DownloadGuide.A
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
A Network Trojan was detected
ET MALWARE PUP Win32/DownloadGuide.A
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
A Network Trojan was detected
ET MALWARE PUP Win32/DownloadGuide.A
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
A Network Trojan was detected
ET MALWARE PUP Win32/DownloadGuide.A
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
A Network Trojan was detected
ET MALWARE PUP Win32/DownloadGuide.A
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
A Network Trojan was detected
ET MALWARE PUP Win32/DownloadGuide.A
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
A Network Trojan was detected
ET MALWARE PUP Win32/DownloadGuide.A
3728
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG.exe
A Network Trojan was detected
ET MALWARE PUP Win32/DownloadGuide.A
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
0ecd17e20b8332ab5316bd52c45d926680d1433510aa8ea986fa7d84bf68e20f.MRG