URL: http://www.municipalidadnancagua.cl/descargas/lex.exe

Full analysis: https://app.any.run/tasks/e34ce0e1-2cee-456d-aec1-2eb2f66a1edc
Verdict: Malicious activity
Analysis date: December 06, 2022, 06:20:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
  • MD5: 18A701C5B8D54D556D5DD4D70A88AB96
  • SHA1: 4CD8C10F5EE832FE20FB66BC81A3743995ECBC39
  • SHA256: 12EF663539AC98065DDBA763228232207E35C04056CC004FC3465E7D2E5D9B9F
  • SSDEEP: 3:N1KJS4nBLiGElUGEXtOyAn:Cc4nB+dFyA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • lex.exe (PID: 2932)
      • lex.exe (PID: 1880)
      • setup.exe (PID: 1404)
      • Package.exe (PID: 3240)
      • installgui.exe (PID: 2008)
    • Drops the executable file immediately after the start
      • lex.exe (PID: 1880)
    • Loads dropped or rewritten executable
      • installgui.exe (PID: 2008)
      • Package.exe (PID: 3240)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • lex.exe (PID: 1880)
    • Reads the Internet Settings
      • lex.exe (PID: 1880)
  • INFO
    • Reads the computer name
      • lex.exe (PID: 1880)
      • installgui.exe (PID: 2008)
    • Checks supported languages
      • lex.exe (PID: 1880)
      • Package.exe (PID: 3240)
      • setup.exe (PID: 1404)
      • installgui.exe (PID: 2008)
    • Executable content was dropped or overwritten
      • iexplore.exe (PID: 3152)
    • Drops a file that was compiled in debug mode
      • iexplore.exe (PID: 3152)
      • lex.exe (PID: 1880)
    • Drops the executable file immediately after the start
      • iexplore.exe (PID: 3152)
    • Modifies the phishing filter of IE
      • iexplore.exe (PID: 1592)
    • Application launched itself
      • iexplore.exe (PID: 1592)
    • Creates files in the program directory
      • installgui.exe (PID: 2008)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report.
Total processes: 43
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 2

Behavior graph

[Interactive process graph not reproduced; see the full report. Nodes shown: iexplore.exe, iexplore.exe, lex.exe, lex.exe, Package.exe, setup.exe, installgui.exe; edge types shown: "drop and start" and "start".]

Process information

PID 1592: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://www.municipalidadnancagua.cl/descargas/lex.exe"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images): c:\program files\internet explorer\iexplore.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\iertutil.dll

PID 3152: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1592 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images): c:\windows\system32\ntdll.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\kernel32.dll, c:\program files\internet explorer\iexplore.exe, c:\windows\system32\msvcrt.dll, c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\version.dll

PID 2932: lex.exe
  CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\lex.exe"
  Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\lex.exe
  Parent process: iexplore.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Modules (images): c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\po2hn1x2\lex.exe, c:\windows\system32\ntdll.dll

PID 1880: lex.exe
  CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\lex.exe"
  Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\lex.exe
  Parent process: iexplore.exe
  User: admin
  Integrity Level: HIGH
  Modules (images): c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\po2hn1x2\lex.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\user32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll

PID 3240: Package.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\Package.exe"
  Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\Package.exe
  Parent process: lex.exe
  User: admin
  Integrity Level: HIGH
  Description: Package Selection Options
  Version: 1.0.0.1
  Modules (images): c:\users\admin\appdata\local\temp\rarsfx0\package.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\msimg32.dll

PID 1404: setup.exe
  CMD: C:\Users\admin\AppData\Local\Temp\RarSFX0\Lexmark_Network_TWAIN_scan\setup.exe
  Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\Lexmark_Network_TWAIN_scan\setup.exe
  Parent process: Package.exe
  User: admin
  Integrity Level: HIGH
  Description: Setup Launcher
  Version: 1.0.205.0
  Modules (images): c:\users\admin\appdata\local\temp\rarsfx0\lexmark_network_twain_scan\setup.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\shell32.dll

PID 2008: installgui.exe
  CMD: C:\Users\admin\AppData\Local\Temp\RarSFX0\Lexmark_Network_TWAIN_scan\install\x86\installgui.exe
  Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\Lexmark_Network_TWAIN_scan\install\x86\installgui.exe
  Parent process: setup.exe
  User: admin
  Integrity Level: HIGH
  Description: Installer GUI
  Version: 1.0.205.0
  Modules (images): c:\users\admin\appdata\local\temp\rarsfx0\lexmark_network_twain_scan\install\x86\installgui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\users\admin\appdata\local\temp\rarsfx0\lexmark_network_twain_scan\install\x86\mfc120u.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\users\admin\appdata\local\temp\rarsfx0\lexmark_network_twain_scan\install\x86\msvcr120.dll
Total events: 8 843
Read events: 8 740
Write events: 103
Delete events: 0

Modification events

All of the following registry writes were made by (PID 1592) iexplore.exe:

Key | Operation | Name | Value
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPDaysSinceLastAutoMigration | 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchLowDateTime | (not shown)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchHighDateTime | 31000890
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateLowDateTime | (not shown)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateHighDateTime | 31000890
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
Executable files: 21
Suspicious files: 8
Text files: 120
Unknown types: 29

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3152 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\lex[1].exe | executable | C4544EEF2B352ECAADF3E23341217856 | 11B799603BC5751ED520940C7667378F92BB351B673F4BE52E35496DB20A7E49
1592 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF9B2CCCA7D04D6FFC.TMP | gmc | BB5A3D2573DC1E712116262FAC4FC103 | 7E687F612BFFA2D886BF5FF13D3DE9DC32A20ECB3D308803DFBA1614BF6D9A7C
1592 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | D3E7CA30BAD9742AF42E48D7FBC821C4 | 9848E59A360AD0C862ECF810120EFF6B94AC22D5DF56368823E9167A40FA6B96
1592 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{242CD81F-752E-11ED-80DA-12A9866C77DE}.dat | binary | DD4A49B87FF96EA333ED59367C670251 | 74653F25570BB573D7ED63C9D90BBA0D8C57EADAD44830D215381FC0DD7AF6FE
1592 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\lex.exe | executable | B356F56E0066528496DA6A19C3739799 | 2A3AEB7801ECBF18D5D3EEF0B9AC0565DD29F0AFC7DAA08A17F3D2BD72941F3A
3152 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\lex.exe.lo7f6yu.partial | executable | B356F56E0066528496DA6A19C3739799 | 2A3AEB7801ECBF18D5D3EEF0B9AC0565DD29F0AFC7DAA08A17F3D2BD72941F3A
1880 | lex.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Lexmark_Network_TWAIN_scan\Notices\EULA\EULA_el.txt | text | 79E609A969D39A99DEFB13865BB9E407 | 134CBE4FE4649C3F22A603996897E8A3CF6551D747B854F4800529338C5822B4
1880 | lex.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Lexmark_Network_TWAIN_scan\Notices\EULA\EULA_fr.txt | text | 712EDF45C42296FCD68A167478A84559 | 10484F48528F5EC5C4EBD6CA57DFABA98DBC0748DF1FEDCBC9793E5603BA627F
1592 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Tar2627.tmp | cat | 73B4B714B42FC9A6AAEFD0AE59ADB009 | C0CF8CC04C34B5B80A2D86AD0EAFB2DD71436F070C86B0321FBA0201879625FD
1592 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Cab2626.tmp | compressed | FC4666CBCA561E864E7FDF883A9E6661 | 10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B
Download the PCAP, analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 3
TCP/UDP connections: 14
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1592 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 779 b | whitelisted
1592 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c2aa41e613a12b29 | US | compressed | 61.4 Kb | whitelisted
1592 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?424620b3a7c7d983 | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1592 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted
1592 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted
3152 | iexplore.exe | 186.64.114.175:80 | (not shown) | ZAM LTDA. | CL | unknown
(not shown) | (not shown) | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
1592 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted

DNS requests

Domain | IP | Reputation
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
crl3.digicert.com | 93.184.220.29 | whitelisted
crl4.digicert.com | 93.184.220.29 | whitelisted

Threats

No threats detected
No debug info