File name: 117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022

Full analysis: https://app.any.run/tasks/6f5475f4-83a8-464f-878b-b6d89c1f78e4
Verdict: Malicious activity
Analysis date: March 31, 2020, 09:57:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 54D16D1D025D34891E996F7397369C82
SHA1: 39757DED9D50151BF41CECF33E1AB59957CF429B
SHA256: 117713C6956ECD18A52768C76452254DF2C5E907F804593EB881C4D756823022
SSDEEP: 3072:qjz9HLSWE4KDvHEc0VRD4pTlgwpW0BNbyq5pkLLxajW4:qjz9HLe4KDvHx0VRDGywpWMkPsjW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • 117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022.exe (PID: 944)
      • WerFault.exe (PID: 3728)
      • windanr.exe (PID: 3564)
      • svchost.exe (PID: 3624)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022.exe (PID: 944)
  • INFO

    No info indicators.
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProgramVersion: 1.4.7
Copyright: Copyright (C) 2020, softtail
InternalServiceName: speedy.exe
FileVersionNew: 2.3.4
CharacterSet: Unicode
LanguageCode: Unknown (0867)
FileSubtype: 82
ObjectFileType: Unknown (8)
FileOS: Unknown (0x40204)
FileFlags: Pre-release, Special build, [6]
FileFlagsMask: 0x005f
ProductVersionNumber: 23.4.13.0
FileVersionNumber: 2.4.1.0
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x2cec
UninitializedDataSize: -
InitializedDataSize: 773120
CodeSize: 107008
LinkerVersion: 9
PEType: PE32
TimeStamp: 2018:10:03 20:24:38+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 03-Oct-2018 18:24:38
Detected languages:
  • F.Y.R.O. Macedonia - F.Y.R.O. Macedonia
FileVersionNew: 2.3.4
InternalServiceName: speedy.exe
Copyright: Copyright (C) 2020, softtail
ProgramVersion: 1.4.7

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 03-Oct-2018 18:24:38
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0001A040 | 0x0001A200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.4047
.rdata | 0x0001C000 | 0x00004324 | 0x00004400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.57752
.data | 0x00021000 | 0x000AEE54 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.22037
.rsrc | 0x000D0000 | 0x000088B8 | 0x00008A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.00629

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.39991 | 468 | UNKNOWN | UNKNOWN | RT_VERSION
2 | 5.44238 | 2216 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON
3 | 5.74839 | 1736 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON
4 | 5.92041 | 1384 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON
5 | 4.08205 | 9640 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON
6 | 4.54173 | 4264 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON
7 | 4.78566 | 2440 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON
8 | 4.8292 | 1128 | UNKNOWN | F.Y.R.O. Macedonia - F.Y.R.O. Macedonia | RT_ICON
11 | 2.6118 | 148 | UNKNOWN | UNKNOWN | RT_STRING
12 | 3.26571 | 1336 | UNKNOWN | UNKNOWN | RT_STRING

Imports

ADVAPI32.dll
KERNEL32.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Nodes: start, 117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022.exe, windanr.exe (no specs), svchost.exe (no specs), werfault.exe

Process information

PID: 944
CMD: "C:\117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022.exe"
Path: C:\117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477

PID: 3564
CMD: "windanr.exe"
Path: C:\Windows\system32\windanr.exe
Parent process: qemu-ga.exe
User: admin
Integrity Level: MEDIUM

PID: 3624
CMD: C:\Windows\System32\svchost.exe -k WerSvcGroup
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3728
CMD: C:\Windows\system32\WerFault.exe -u -p 944 -s 92
Path: C:\Windows\system32\WerFault.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 47
Read events: 33
Write events: 14
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
3564 | windanr.exe | HKEY_CURRENT_USER\Control Panel\Cursors | write | APPSTARTING | %SystemRoot%\cursors\clearcur.cur
3564 | windanr.exe | HKEY_CURRENT_USER\Control Panel\Cursors | write | ARROW | %SystemRoot%\cursors\clearcur.cur
3564 | windanr.exe | HKEY_CURRENT_USER\Control Panel\Cursors | write | CROSS | %SystemRoot%\cursors\clearcur.cur
3564 | windanr.exe | HKEY_CURRENT_USER\Control Panel\Cursors | write | HAND | %SystemRoot%\cursors\clearcur.cur
3564 | windanr.exe | HKEY_CURRENT_USER\Control Panel\Cursors | write | HELP | %SystemRoot%\cursors\clearcur.cur
3564 | windanr.exe | HKEY_CURRENT_USER\Control Panel\Cursors | write | IBEAM | %SystemRoot%\cursors\clearcur.cur
3564 | windanr.exe | HKEY_CURRENT_USER\Control Panel\Cursors | write | NO | %SystemRoot%\cursors\clearcur.cur
3564 | windanr.exe | HKEY_CURRENT_USER\Control Panel\Cursors | write | SIZEALL | %SystemRoot%\cursors\clearcur.cur
3564 | windanr.exe | HKEY_CURRENT_USER\Control Panel\Cursors | write | SIZENESW | %SystemRoot%\cursors\clearcur.cur
3564 | windanr.exe | HKEY_CURRENT_USER\Control Panel\Cursors | write | SIZENS | %SystemRoot%\cursors\clearcur.cur
Executable files: 1
Suspicious files: 1
Text files: 6
Unknown types: 4

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERDF1.tmp.mdmp | - | - | -
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_117713c6956ecd18_52964b6a98d6f2363c4fe3a3414952329b2691_cab_0e370e4b\WERD82.tmp.hdmp | dmp | 8A436F578752134E8589526D78863AB3 | 9F3AB268BF2EB89AC0B69B119346651CA80D9957517447DCCC492F4543C55E27
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_117713c6956ecd18_52964b6a98d6f2363c4fe3a3414952329b2691_cab_0e370e4b\Report.wer | binary | B5E82899C7E0828B0D5323F868C94854 | EAE360381304B94172B8810EFBD98363D033E3B6F829A1A08F1718139675706D
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_117713c6956ecd18_52964b6a98d6f2363c4fe3a3414952329b2691_cab_0e370e4b\WER8872.tmp.WERInternalMetadata.xml | xml | A97190E0EB6985C41934C9CFDD85E684 | 0946635D92AE53C47D1FFDD98708CAF25ED1C57FC1747713DBEB36D6C5433072
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERD43.tmp.appcompat.txt | xml | 0D86488B0A109BA45DD83BBF3B11E28D | 89BF952B9895CBB6D3BC048043C55F67B783A128990002B3C163DA5BC8D90590
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERD82.tmp.hdmp | dmp | 8A436F578752134E8589526D78863AB3 | 9F3AB268BF2EB89AC0B69B119346651CA80D9957517447DCCC492F4543C55E27
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER8872.tmp.WERInternalMetadata.xml | xml | A97190E0EB6985C41934C9CFDD85E684 | 0946635D92AE53C47D1FFDD98708CAF25ED1C57FC1747713DBEB36D6C5433072
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_117713c6956ecd18_52964b6a98d6f2363c4fe3a3414952329b2691_cab_0e370e4b\WERDF1.tmp.mdmp | dmp | 4B53D4AE12ECE3D62AEA61EA8EE5F796 | 7F5557BBFE574A02F6865533F8902048A6D57A572EB7FD464831ACA86F55A90C
3728 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_117713c6956ecd18_52964b6a98d6f2363c4fe3a3414952329b2691_cab_0e370e4b\WERD43.tmp.appcompat.txt | xml | 0D86488B0A109BA45DD83BBF3B11E28D | 89BF952B9895CBB6D3BC048043C55F67B783A128990002B3C163DA5BC8D90590
3728 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022.exe.944.dmp | dmp | 616512378247DB8DBE6D75703B8C8C88 | F8D5D2A72C8281C032C18DE590E56B712181F7E3336B163CD8454A6A7329B0FF
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 3728
Process: WerFault.exe
Method: GET
HTTP Code: -
IP: 51.143.111.81:80
URL: http://watson.microsoft.com/StageOne/117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022/2_4_1_0/5e6f3cde/117713c6956ecd18a52768c76452254df2c5e907f804593eb881c4d756823022/2_4_1_0/5e6f3cde/c0000005/00005a95.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063
CN: US
Type: -
Size: -
Reputation: whitelisted

Connections

PID: 3728
Process: WerFault.exe
IP: 51.143.111.81:80
Domain: watson.microsoft.com
ASN: Microsoft Corporation
CN: US
Reputation: suspicious

DNS requests

Domain: watson.microsoft.com
IP: 51.143.111.81
Reputation: whitelisted

Threats

PID | Process | Class | Message
3728 | WerFault.exe | Potential Corporate Privacy Violation | ET POLICY Application Crash Report Sent to Microsoft
3728 | WerFault.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info