analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

AKBANK Dekont_08-01-2018.exe

Full analysis: https://app.any.run/tasks/9f61d9e3-6f4f-4e3d-93c1-51b5ccb10c18
Verdict: Malicious activity
Analysis date: January 10, 2019, 14:50:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

52A6A2894E237FD653DBC3EFF433DB14

SHA1:

5962F18523F6580E35CAD17A1A06BF5B41D18522

SHA256:

14010D86CDF2C621799432F3E1FA768D142043B0D695D71B38A01487C74386AF

SSDEEP:

6144:7aB4JFhmGTLkCGDmCw5H+mqjJFUfGwt12WgPnc6ZoA32MB2A/J4qwvc5avEU:eSmGTHkBw5HLGmCjPoMcA2qZaX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • AKBANK Dekont_08-01-2018.exe (PID: 2796)
      • AKBANK Dekont_08-01-2018.exe (PID: 3404)
    • Changes the autorun value in the registry

      • AKBANK Dekont_08-01-2018.exe (PID: 2796)
      • CASH.exe (PID: 3668)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • AKBANK Dekont_08-01-2018.exe (PID: 2796)
    • Application launched itself

      • AKBANK Dekont_08-01-2018.exe (PID: 3080)
      • AKBANK Dekont_08-01-2018.exe (PID: 2592)
      • CASH.exe (PID: 4004)
    • Modifies the open verb of a shell class

      • AKBANK Dekont_08-01-2018.exe (PID: 2796)
      • AKBANK Dekont_08-01-2018.exe (PID: 3404)
    • Creates files in the user directory

      • AKBANK Dekont_08-01-2018.exe (PID: 2796)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3896)
    • Executes scripts

      • AKBANK Dekont_08-01-2018.exe (PID: 2796)
    • Starts Internet Explorer

      • CASH.exe (PID: 3668)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2400)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2400)
    • Application launched itself

      • iexplore.exe (PID: 2264)
      • chrome.exe (PID: 3436)
    • Modifies the open verb of a shell class

      • chrome.exe (PID: 3436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (38.2)
.exe | Win32 EXE Yoda's Crypter (37.5)
.dll | Win32 Dynamic Link Library (generic) (9.2)
.exe | Win32 Executable (generic) (6.3)
.exe | Win16/32 Executable Delphi generic (2.9)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0xc8950
UninitializedDataSize: 491520
InitializedDataSize: 16384
CodeSize: 327680
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 1992:04:03 15:41:59+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 03-Apr-1992 13:41:59
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 03-Apr-1992 13:41:59
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x00078000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x00079000
0x00050000
0x0004FC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.94654
.rsrc
0x000C9000
0x00004000
0x00003200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.56058

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.58764
4264
Latin 1 / Western European
English - United States
RT_ICON
2
7.14801
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
3
7.15704
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
4
7.24978
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
5
7.2064
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
6
7.23402
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
7
7.15214
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
8
7.24463
308
Latin 1 / Western European
UNKNOWN
RT_CURSOR
357
7.79396
1656
Latin 1 / Western European
English - United States
RT_BITMAP
358
7.75191
1656
Latin 1 / Western European
English - United States
RT_BITMAP

Imports

KERNEL32.DLL
advapi32.dll
comctl32.dll
comdlg32.dll
gdi32.dll
oleaut32.dll
user32.dll
version.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
21
Malicious processes
5
Suspicious processes
2

Behavior graph

Click at the process to see the details
start akbank dekont_08-01-2018.exe no specs winword.exe no specs akbank dekont_08-01-2018.exe no specs eventvwr.exe no specs eventvwr.exe akbank dekont_08-01-2018.exe no specs akbank dekont_08-01-2018.exe wscript.exe no specs cmd.exe no specs cash.exe no specs cash.exe iexplore.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3080"C:\Users\admin\AppData\Local\Temp\AKBANK Dekont_08-01-2018.exe" C:\Users\admin\AppData\Local\Temp\AKBANK Dekont_08-01-2018.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2400"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\islanddifficult.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3404"C:\Users\admin\AppData\Local\Temp\AKBANK Dekont_08-01-2018.exe" C:\Users\admin\AppData\Local\Temp\AKBANK Dekont_08-01-2018.exeAKBANK Dekont_08-01-2018.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2524"C:\Windows\System32\eventvwr.exe" C:\Windows\System32\eventvwr.exeAKBANK Dekont_08-01-2018.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Event Viewer Snapin Launcher
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3844"C:\Windows\System32\eventvwr.exe" C:\Windows\System32\eventvwr.exe
AKBANK Dekont_08-01-2018.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Event Viewer Snapin Launcher
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2592"C:\Users\admin\AppData\Local\Temp\AKBANK Dekont_08-01-2018.exe" C:\Users\admin\AppData\Local\Temp\AKBANK Dekont_08-01-2018.exeeventvwr.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2796"C:\Users\admin\AppData\Local\Temp\AKBANK Dekont_08-01-2018.exe" C:\Users\admin\AppData\Local\Temp\AKBANK Dekont_08-01-2018.exe
AKBANK Dekont_08-01-2018.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3896"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs" C:\Windows\System32\WScript.exeAKBANK Dekont_08-01-2018.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3256"C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\remcos\CASH.exe"C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4004C:\Users\admin\AppData\Roaming\remcos\CASH.exeC:\Users\admin\AppData\Roaming\remcos\CASH.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Total events
1 143
Read events
1 010
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
25
Text files
38
Unknown types
5

Dropped files

PID
Process
Filename
Type
2400WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8359.tmp.cvr
MD5:
SHA256:
2400WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{617862A6-2541-4F71-8B0F-1584020CEFA7}.tmp
MD5:
SHA256:
2400WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{88AEB6B8-F402-462F-8D34-FB4E4B59C4EB}.tmp
MD5:
SHA256:
3436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
MD5:
SHA256:
3436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\80c75b7a-74eb-48a9-923b-11f059003c40.tmp
MD5:
SHA256:
2400WINWORD.EXEC:\Users\admin\Desktop\~$landdifficult.rtfpgc
MD5:A78BBA0B3DF79801B3D5987EDB217859
SHA256:F7C20372334D5FB6DE09AC20BF562F59177239F40F8C014D589362D98DAE9382
3436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
MD5:
SHA256:
3436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
MD5:
SHA256:
3436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:92BE6B127E72365885AD4C3FB6534EE2
SHA256:54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51
2400WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:CC72274EFBA1C6E345C59ADD3B298312
SHA256:1CA528317E9975EF37B0055252C20EA6ABB0D78BCF3E5434D96059B89F1A6DD5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
13
DNS requests
11
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3436
chrome.exe
172.217.21.227:443
www.google.de
Google Inc.
US
whitelisted
3436
chrome.exe
172.217.18.99:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3436
chrome.exe
216.58.208.42:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
3436
chrome.exe
216.58.210.13:443
accounts.google.com
Google Inc.
US
whitelisted
3436
chrome.exe
172.217.21.195:443
ssl.gstatic.com
Google Inc.
US
whitelisted
3436
chrome.exe
172.217.22.3:443
www.gstatic.com
Google Inc.
US
whitelisted
3436
chrome.exe
216.58.206.4:443
www.google.com
Google Inc.
US
whitelisted
3436
chrome.exe
216.58.205.227:443
www.google.pl
Google Inc.
US
whitelisted
3436
chrome.exe
172.217.16.131:443
fonts.gstatic.com
Google Inc.
US
whitelisted
3436
chrome.exe
108.177.15.196:443
apis.google.com
Google Inc.
US
unknown

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.18.99
whitelisted
www.google.de
  • 172.217.21.227
whitelisted
www.gstatic.com
  • 172.217.22.3
whitelisted
safebrowsing.googleapis.com
  • 216.58.208.42
whitelisted
accounts.google.com
  • 216.58.210.13
shared
ssl.gstatic.com
  • 172.217.21.195
whitelisted
apis.google.com
  • 108.177.15.196
whitelisted
www.google.com
  • 216.58.206.4
whitelisted
www.google.pl
  • 216.58.205.227
whitelisted
fonts.googleapis.com
  • 172.217.16.138
whitelisted

Threats

No threats detected
No debug info