File name: dctfmensalv3-7.exe

Full analysis: https://app.any.run/tasks/abdcf51f-357a-4d04-9e89-3339fe1d614d
Verdict: Malicious activity
Analysis date: March 01, 2024, 13:17:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 05F42D77E0B6115F3C3517BED2E557F1
SHA1: B85D004343FAAC509B7A4EBCE4C09AB67CC02934
SHA256: 1504CEBAE3AE60D4E780D43A383357AF13718002F5476B8E6288B86E405BF410
SSDEEP: 98304:RpgNCSp0+JopWSMi4IBnQW+BtXU/0vK9GPxUd/hwXZFR7+Sa2S8gic1xvvukKvIZ:yuJma1xQ6yJwDNSK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • dctfmensalv3-7.exe (PID: 3660)
    • Drops the executable file immediately after the start

      • dctfmensalv3-7.exe (PID: 3660)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • dctfmensalv3-7.exe (PID: 3660)
    • The process drops C-runtime libraries

      • dctfmensalv3-7.exe (PID: 3660)
    • Starts application with an unusual extension

      • dctfmensalv3-7.exe (PID: 3660)
    • Creates/Modifies COM task schedule object

      • GLJFA3F.tmp (PID: 3428)
      • GLJFA3F.tmp (PID: 3992)
      • GLJFA3F.tmp (PID: 1836)
      • GLJFA3F.tmp (PID: 2580)
      • GLJFA3F.tmp (PID: 2232)
      • GLJFA3F.tmp (PID: 3276)
      • GLJFA3F.tmp (PID: 4004)
      • GLJFA3F.tmp (PID: 4044)
      • GLJFA3F.tmp (PID: 2892)
      • GLJFA3F.tmp (PID: 2208)
      • GLJFA3F.tmp (PID: 2184)
      • GLJFA3F.tmp (PID: 3684)
    • Process drops legitimate windows executable

      • dctfmensalv3-7.exe (PID: 3660)
  • INFO

    • Checks supported languages

      • dctfmensalv3-7.exe (PID: 3660)
      • GLJFA3F.tmp (PID: 1492)
      • GLJFA3F.tmp (PID: 1876)
      • GLJFA3F.tmp (PID: 1040)
      • GLJFA3F.tmp (PID: 3304)
      • GLJFA3F.tmp (PID: 3992)
      • GLJFA3F.tmp (PID: 3428)
      • GLJFA3F.tmp (PID: 2624)
      • GLJFA3F.tmp (PID: 2120)
      • GLJFA3F.tmp (PID: 1836)
      • GLJFA3F.tmp (PID: 2580)
      • GLJFA3F.tmp (PID: 2232)
      • GLJFA3F.tmp (PID: 3276)
      • GLJFA3F.tmp (PID: 4000)
      • GLJFA3F.tmp (PID: 4004)
      • GLJFA3F.tmp (PID: 4044)
      • GLJFA3F.tmp (PID: 2420)
      • GLJFA3F.tmp (PID: 2892)
      • GLJFA3F.tmp (PID: 2208)
      • GLJFA3F.tmp (PID: 1348)
      • GLJFA3F.tmp (PID: 3164)
      • GLJFA3F.tmp (PID: 1824)
      • GLJFA3F.tmp (PID: 1928)
      • GLJFA3F.tmp (PID: 1972)
      • GLJFA3F.tmp (PID: 3724)
      • GLJFA3F.tmp (PID: 3684)
      • GLJFA3F.tmp (PID: 2168)
      • GLJFA3F.tmp (PID: 2072)
      • GLJFA3F.tmp (PID: 2184)
      • DCTFMensal37.exe (PID: 1572)
      • DCTFMensal37.exe (PID: 1576)
      • GLJFA3F.tmp (PID: 3488)
    • Create files in a temporary directory

      • dctfmensalv3-7.exe (PID: 3660)
    • Reads the computer name

      • dctfmensalv3-7.exe (PID: 3660)
      • GLJFA3F.tmp (PID: 3428)
      • GLJFA3F.tmp (PID: 2120)
      • GLJFA3F.tmp (PID: 3992)
      • GLJFA3F.tmp (PID: 1836)
      • GLJFA3F.tmp (PID: 4044)
      • GLJFA3F.tmp (PID: 3684)
      • GLJFA3F.tmp (PID: 2184)
    • Creates files in the program directory

      • dctfmensalv3-7.exe (PID: 3660)
    • Reads mouse settings

      • GLJFA3F.tmp (PID: 3992)
    • Manual execution by a user

      • DCTFMensal37.exe (PID: 1572)
      • DCTFMensal37.exe (PID: 1576)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Wise Installer executable (91.7)
.exe | Win64 Executable (generic) (5.3)
.dll | Win32 Dynamic Link Library (generic) (1.2)
.exe | Win32 Executable (generic) (0.8)
.exe | Generic Win/DOS Executable (0.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:10:25 19:47:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, Removable run from swap
PEType: PE32
LinkerVersion: 6
CodeSize: 8704
InitializedDataSize: 5632
UninitializedDataSize: -
EntryPoint: 0x21af
OSVersion: 4
ImageVersion: 4
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.7.0.0
ProductVersionNumber: 3.7.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: SERPRO
FileDescription: PGD DCTF Mensal 3.7
FileVersion: 3.7
LegalCopyright: Receita Federal do Brasil (RFB)
No data.
All screenshots are available in the full report
Total processes: 72
Monitored processes: 33
Malicious processes: 3
Suspicious processes: 5

Behavior graph

(Interactive graph, rendered only in the full report. Recoverable node sequence: start → dctfmensalv3-7.exe → repeated gljfa3f.tmp instances, two dctfmensal37.exe instances and one further dctfmensalv3-7.exe instance, all marked "no specs".)

Process information

(Columns: PID, CMD, Path, Indicators, Parent process)
PID: 1040
CMD: "C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp" C:\Windows\System32\oleaut32.dll
Path: C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp
Parent process: dctfmensalv3-7.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\gljfa3f.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 1348
CMD: "C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp" C:\Windows\System32\Msrepl35.dll
Path: C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp
Parent process: dctfmensalv3-7.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules (images):
c:\users\admin\appdata\local\temp\gljfa3f.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 1492
CMD: "C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp" C:\Windows\System32\msvcrt40.dll
Path: C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp
Parent process: dctfmensalv3-7.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\gljfa3f.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 1572
CMD: "C:\Arquivos de Programas RFB\DCTF Mensal 3.7\DCTFMensal37.exe"
Path: C:\Arquivos de Programas RFB\DCTF Mensal 3.7\DCTFMensal37.exe
Parent process: explorer.exe
User: admin
Company: SERPRO
Integrity Level: MEDIUM
Exit code: 0
Version: 3.07
Modules (images):
c:\arquivos de programas rfb\dctf mensal 3.7\dctfmensal37.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 1576
CMD: "C:\Arquivos de Programas RFB\DCTF Mensal 3.7\DCTFMensal37.exe"
Path: C:\Arquivos de Programas RFB\DCTF Mensal 3.7\DCTFMensal37.exe
Parent process: explorer.exe
User: admin
Company: SERPRO
Integrity Level: MEDIUM
Exit code: 0
Version: 3.07
Modules (images):
c:\arquivos de programas rfb\dctf mensal 3.7\dctfmensal37.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 1824
CMD: "C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp" C:\Windows\System32\Msrd2x35.dll
Path: C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp
Parent process: dctfmensalv3-7.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\gljfa3f.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 1836
CMD: "C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp" C:\Windows\System32\Dblist32.ocx
Path: C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp
Parent process: dctfmensalv3-7.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\gljfa3f.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 1876
CMD: "C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp" C:\Windows\System32\comcat.dll
Path: C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp
Parent process: dctfmensalv3-7.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\gljfa3f.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 1928
CMD: "C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp" C:\Windows\System32\Msjint35.dll
Path: C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp
Parent process: dctfmensalv3-7.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules (images):
c:\users\admin\appdata\local\temp\gljfa3f.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 1972
CMD: "C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp" C:\Windows\System32\expsrv.dll
Path: C:\Users\admin\AppData\Local\Temp\GLJFA3F.tmp
Parent process: dctfmensalv3-7.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\gljfa3f.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
Total events: 9 193
Read events: 5 861
Write events: 3 244
Delete events: 88

Modification events

Process: (3660) dctfmensalv3-7.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation: write
Name: C:\Windows\System32\comcat.dll
Value: 2

Process: (3660) dctfmensalv3-7.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation: write
Name: C:\Windows\System32\msvcrt40.dll
Value: 2

Process: (3660) dctfmensalv3-7.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation: write
Name: C:\Windows\System32\olepro32.dll
Value: 2

Process: (3660) dctfmensalv3-7.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation: write
Name: C:\Windows\System32\oleaut32.dll
Value: 2

Process: (3660) dctfmensalv3-7.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation: write
Name: C:\Windows\System32\msvbvm60.dll
Value: 2

Process: (3660) dctfmensalv3-7.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation: write
Name: C:\Windows\System32\ComDlg32.ocx
Value: 1

Process: (3660) dctfmensalv3-7.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation: write
Name: C:\Windows\System32\MSCOMCTL.OCX
Value: 2

Process: (3660) dctfmensalv3-7.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation: write
Name: C:\Windows\System32\hhctrl.ocx
Value: 2

Process: (3660) dctfmensalv3-7.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation: write
Name: C:\Windows\System32\Dblist32.ocx
Value: 1

Process: (3660) dctfmensalv3-7.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation: write
Name: C:\Windows\System32\Tinumb6.ocx
Value: 1
Executable files: 103
Suspicious files: 11
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3660 | dctfmensalv3-7.exe | C:\Users\admin\AppData\Local\Temp\~GLH0000.TMP | executable
MD5: 3B2E23D259394C701050486E642D14FA
SHA256: 166D7156142F3EE09FA69EB617DD22E4FD248AA80A1AC08767DB6AD99A2705C1

3660 | dctfmensalv3-7.exe | C:\Users\admin\AppData\Local\Temp\GLCFA2F.tmp | executable
MD5: 8C97D8BB1470C6498E47B12C5A03CE39
SHA256: A87F19F9FEE475D2B2E82ACFB4589BE6D816B613064CD06826E1D4C147BEB50A

3660 | dctfmensalv3-7.exe | C:\Windows\system32\~GLH0001.TMP | executable
MD5: 5664566021FD53758A9AE087C3A29485
SHA256: 5FCFC480B3C7BC2DC18E39667CF4A3313575C6A5A614EBDCCB71AF664C19739D

3660 | dctfmensalv3-7.exe | C:\Windows\system32\~GLH0003.TMP | executable
MD5: 37B3C7AFD09CF8DD315C506565D776CB
SHA256: 9BCD0FE2C80A07C33EDA7FF67BBB2F7B70F65DE6AE5F458E6A6B9411AC5D91A2

3660 | dctfmensalv3-7.exe | C:\Users\admin\AppData\Local\Temp\GLF1F.tmp | executable
MD5: 3B2E23D259394C701050486E642D14FA
SHA256: 166D7156142F3EE09FA69EB617DD22E4FD248AA80A1AC08767DB6AD99A2705C1

3660 | dctfmensalv3-7.exe | C:\Windows\system32\temp.002 | executable
MD5: 6568CB4ADCA8E02088B4B5F37F9E938E
SHA256: 83338B40AFDB275CC1FB20DCCB1DA096E03F7F718346EE22E75D864F44872D30

3660 | dctfmensalv3-7.exe | C:\Windows\system32\temp.001 | executable
MD5: 37B3C7AFD09CF8DD315C506565D776CB
SHA256: 9BCD0FE2C80A07C33EDA7FF67BBB2F7B70F65DE6AE5F458E6A6B9411AC5D91A2

3660 | dctfmensalv3-7.exe | C:\Windows\system32\~GLH0005.TMP | executable
MD5: 0D303488CCE054204C323C37657AFA34
SHA256: B34A300B2DD2B8A2946A451549202E8F9705AA38C19A4E2D73AB684CD93736C0

3660 | dctfmensalv3-7.exe | C:\Windows\system32\temp.003 | executable
MD5: 0D303488CCE054204C323C37657AFA34
SHA256: B34A300B2DD2B8A2946A451549202E8F9705AA38C19A4E2D73AB684CD93736C0

3660 | dctfmensalv3-7.exe | C:\Windows\system32\~GLH0006.TMP | executable
MD5: F28EB5CBC3CA6D8C787F09F047D1F9C8
SHA256: 3EF32E0152CC3FA07C417E6AADF9EAD83A17B5FDEE73799044E1BD7564725D6E
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info