File name: | RunAsDate.exe |
Full analysis: | https://app.any.run/tasks/3b70d6d3-1f68-467e-9823-097fc19c8d18 |
Verdict: | Malicious activity |
Analysis date: | April 01, 2023, 08:02:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5: | 1DCCC7CB738029A6F264F07B748B36A4 |
SHA1: | 4C42CE1F07447DD95C28E8A7B4965C66A9D3AE69 |
SHA256: | 2361DD3272C2CA4046B3733CF464FC2B285A5B9D68B03EC8D43D874F4CE8276A |
SSDEEP: | 768:E+NJ1IRaeDQK6oCVwr113G5dvxpp7FU1y4yiRw:BJ9riz1g5XHFU1y4yiy |
.exe | | | UPX compressed Win32 Executable (64.2) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.6) |
.exe | | | Win32 Executable (generic) (10.6) |
.exe | | | Generic Win/DOS Executable (4.7) |
.exe | | | DOS Executable Generic (4.7) |
ProductVersion: | 1.41 |
---|---|
ProductName: | RunAsDate |
OriginalFileName: | RunAsDate.exe |
LegalCopyright: | Copyright (C) 2007 - 2022 Nir Sofer |
InternalName: | RunAsDate |
FileVersion: | 1.41 |
FileDescription: | RunAsDate |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0017 |
ProductVersionNumber: | 1.4.1.0 |
FileVersionNumber: | 1.4.1.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x15950 |
UninitializedDataSize: | 57344 |
InitializedDataSize: | 4096 |
CodeSize: | 28672 |
LinkerVersion: | 8 |
PEType: | PE32 |
ImageFileCharacteristics: | No relocs, Executable, 32-bit |
TimeStamp: | 2022:06:08 12:08:52+00:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 08-Jun-2022 12:08:52 |
Detected languages: |
|
FileDescription: | RunAsDate |
FileVersion: | 1.41 |
InternalName: | RunAsDate |
LegalCopyright: | Copyright (C) 2007 - 2022 Nir Sofer |
OriginalFilename: | RunAsDate.exe |
ProductName: | RunAsDate |
ProductVersion: | 1.41 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 08-Jun-2022 12:08:52 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x0000E000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x0000F000 | 0x00007000 | 0x00006C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.8795 |
.rsrc | 0x00016000 | 0x00001000 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.80125 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.07251 | 362 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 2.92411 | 296 | Latin 1 / Western European | Hebrew - Israel | RT_ICON |
3 | 7.08021 | 308 | Latin 1 / Western European | Hebrew - Israel | RT_CURSOR |
7 | 7.47361 | 602 | Latin 1 / Western European | Hebrew - Israel | RT_STRING |
13 | 6.5696 | 134 | Latin 1 / Western European | Hebrew - Israel | RT_STRING |
19 | 5.76486 | 70 | Latin 1 / Western European | Hebrew - Israel | RT_STRING |
20 | 5.6517 | 62 | Latin 1 / Western European | Hebrew - Israel | RT_STRING |
32 | 5.6875 | 64 | Latin 1 / Western European | Hebrew - Israel | RT_STRING |
76 | 6.58632 | 144 | Latin 1 / Western European | Hebrew - Israel | RT_STRING |
101 | 7.80249 | 1580 | Latin 1 / Western European | Hebrew - Israel | RT_DIALOG |
COMCTL32.dll |
GDI32.dll |
KERNEL32.DLL |
SHELL32.dll |
USER32.dll |
comdlg32.dll |
msvcrt.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2672 | "C:\Users\admin\AppData\Local\Temp\RunAsDate.exe" | C:\Users\admin\AppData\Local\Temp\RunAsDate.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: RunAsDate Exit code: 0 Version: 1.41 Modules
| |||||||||||||||
2972 | "C:\Users\admin\AppData\Local\Temp\RunAsDate.exe" | C:\Users\admin\AppData\Local\Temp\RunAsDate.exe | RunAsDate.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: RunAsDate Exit code: 0 Version: 1.41 Modules
| |||||||||||||||
3848 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | RunAsDate.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: HIGH Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
528 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
1244 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
3268 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.0.750900832\419966960" -parentBuildID 20201112153044 -prefsHandle 1100 -prefMapHandle 1088 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 1184 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 1 Version: 83.0 Modules
| |||||||||||||||
312 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.6.439000082\694345974" -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2976 -prefsLen 181 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 2992 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
2908 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.13.19289037\1888733324" -childID 2 -isForBrowser -prefsHandle 2248 -prefMapHandle 2216 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 1992 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
1108 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.20.1410022144\1886768395" -childID 3 -isForBrowser -prefsHandle 3536 -prefMapHandle 3532 -prefsLen 7399 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 3548 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
|
(PID) Process: | (2672) RunAsDate.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
Operation: | write | Name: | NodeSlots |
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
(PID) Process: | (2672) RunAsDate.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
Operation: | write | Name: | MRUListEx |
Value: 0C000000000000000B00000001000000020000000D00000007000000060000000A0000000900000008000000030000000500000004000000FFFFFFFF | |||
(PID) Process: | (2672) RunAsDate.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
Operation: | write | Name: | MRUListEx |
Value: 020000000C000000000000000B000000010000000D00000007000000060000000A0000000900000008000000030000000500000004000000FFFFFFFF | |||
(PID) Process: | (2672) RunAsDate.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
Operation: | write | Name: | TV_FolderType |
Value: {FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} | |||
(PID) Process: | (2672) RunAsDate.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
Operation: | write | Name: | TV_TopViewID |
Value: {82BA0782-5B7A-4569-B5D7-EC83085F08CC} | |||
(PID) Process: | (2672) RunAsDate.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
Operation: | write | Name: | TV_TopViewVersion |
Value: 0 | |||
(PID) Process: | (2672) RunAsDate.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2672) RunAsDate.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} |
Operation: | write | Name: | Mode |
Value: 4 | |||
(PID) Process: | (2672) RunAsDate.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} |
Operation: | write | Name: | LogicalViewMode |
Value: 1 | |||
(PID) Process: | (2672) RunAsDate.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} |
Operation: | write | Name: | FFlags |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1244 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
2672 | RunAsDate.exe | C:\Users\admin\AppData\Local\Temp\RunAsDate.cfg | text | |
MD5:87275B6F64F59496F7206F2087C250C8 | SHA256:02DC5DE198BDE1C63BDDCA1849C9499164D030CCB523A41A8263EAF4706B4DA7 | |||
1244 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | — | |
MD5:— | SHA256:— | |||
1244 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | |
MD5:994A33896BB41A278A315D0D796422B6 | SHA256:54EC50A20FFF8CC016710E49437CF6A11D3FE5EE7B28C185E4A9AAFEE2908B63 | |||
1244 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
1244 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | text | |
MD5:299A2B747C11E4BDA194E563FEA4A699 | SHA256:94EE461F62E8B4A0A65471A41E10C8C56722B73C0A019D76ACA7F5BAF109813E | |||
1244 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
2972 | RunAsDate.exe | C:\Users\admin\AppData\Local\Temp\dateinj01.dll | executable | |
MD5:78DA45585F24900C17D12EEA993689A5 | SHA256:723D926A7649B400767937CB27098738E727D89D4BF18EEC45EBDB8E9C4ADD55 | |||
1244 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | |
MD5:299A2B747C11E4BDA194E563FEA4A699 | SHA256:94EE461F62E8B4A0A65471A41E10C8C56722B73C0A019D76ACA7F5BAF109813E | |||
1244 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1244 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
1244 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | US | text | 8 b | whitelisted |
1244 | firefox.exe | POST | 200 | 2.16.186.65:80 | http://r3.o.lencr.org/ | unknown | der | 503 b | shared |
1244 | firefox.exe | POST | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
1244 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
— | — | POST | 200 | 2.16.186.65:80 | http://r3.o.lencr.org/ | unknown | der | 503 b | shared |
— | — | POST | 200 | 2.16.186.65:80 | http://r3.o.lencr.org/ | unknown | der | 503 b | shared |
— | — | POST | — | 2.16.186.65:80 | http://r3.o.lencr.org/ | unknown | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted |
1244 | firefox.exe | 35.241.9.150:443 | firefox.settings.services.mozilla.com | GOOGLE | US | suspicious |
1244 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted |
1244 | firefox.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
1244 | firefox.exe | 2.16.186.65:80 | r3.o.lencr.org | Akamai International B.V. | DE | whitelisted |
1244 | firefox.exe | 52.40.44.47:443 | location.services.mozilla.com | AMAZON-02 | US | unknown |
1244 | firefox.exe | 142.250.184.202:443 | safebrowsing.googleapis.com | GOOGLE | US | whitelisted |
1244 | firefox.exe | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | GOOGLE | US | suspicious |
1244 | firefox.exe | 34.111.73.144:443 | firefox-settings-attachments.cdn.mozilla.net | GOOGLE | US | unknown |
1244 | firefox.exe | 142.250.185.195:80 | ocsp.pki.goog | GOOGLE | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
firefox.settings.services.mozilla.com |
| whitelisted |
location.services.mozilla.com |
| whitelisted |
locprod2-elb-us-west-2.prod.mozaws.net |
| whitelisted |
r3.o.lencr.org |
| shared |
a1887.dscq.akamai.net |
| whitelisted |
example.org |
| whitelisted |
ipv4only.arpa |
| whitelisted |
ocsp.digicert.com |
| whitelisted |