| File name: | spyeye V1.0.exe |
| Full analysis: | https://app.any.run/tasks/3c2bd626-606c-4a14-ae08-5f40764c92c3 |
| Verdict: | Malicious activity |
| Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
| Analysis date: | February 15, 2024, 02:40:59 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5: | D819832BF7F17AD9B3278F8AC16A76F3 |
| SHA1: | 2899E013EB18654549BBD34E1618C8D96160B89B |
| SHA256: | 25498F0E2601CC3764F00169D800D5C372D5FD763C0CF4346EC9E716462BB8A2 |
| SSDEEP: | 1536:S7hfGrfgTCOioWIR/98amamniaGt7zBX:iJVzioBR/9xmawGt7FX |
MALICIOUS
Drops the executable file immediately after the start
- spyeye V1.0.exe (PID: 3668)
Runs injected code in another process
- cleansweep.exe (PID: 4052)
- spyeye V1.0.exe (PID: 3668)
Application was injected by another process
- explorer.exe (PID: 1164)
Changes the autorun value in the registry
- explorer.exe (PID: 1164)
Connects to the CnC server
- explorer.exe (PID: 1164)
SPYEYE has been detected (SURICATA)
- explorer.exe (PID: 1164)
SUSPICIOUS
Process drops legitimate windows executable
- spyeye V1.0.exe (PID: 3668)
- explorer.exe (PID: 1164)
Starts a Microsoft application from unusual location
- spyeye V1.0.exe (PID: 3668)
Reads the Internet Settings
- wmplayer.exe (PID: 864)
- setup_wm.exe (PID: 120)
- wmplayer.exe (PID: 2064)
Reads security settings of Internet Explorer
- wmplayer.exe (PID: 864)
- setup_wm.exe (PID: 120)
- wmplayer.exe (PID: 2064)
INFO
Reads security settings of Internet Explorer
- explorer.exe (PID: 1164)
Checks supported languages
- spyeye V1.0.exe (PID: 3668)
- cleansweep.exe (PID: 4052)
- wmplayer.exe (PID: 864)
- wmplayer.exe (PID: 2064)
- setup_wm.exe (PID: 120)
- wmpshare.exe (PID: 2060)
Drops the executable file immediately after the start
- explorer.exe (PID: 1164)
Checks proxy server information
- explorer.exe (PID: 1164)
- setup_wm.exe (PID: 120)
- wmplayer.exe (PID: 2064)
Reads the Internet Settings
- explorer.exe (PID: 1164)
Reads the computer name
- wmplayer.exe (PID: 864)
- setup_wm.exe (PID: 120)
- wmplayer.exe (PID: 2064)
- wmpshare.exe (PID: 2060)
Create files in a temporary directory
- setup_wm.exe (PID: 120)
- wmplayer.exe (PID: 2064)
Reads Environment values
- setup_wm.exe (PID: 120)
- wmplayer.exe (PID: 2064)
Reads the machine GUID from the registry
- setup_wm.exe (PID: 120)
- wmplayer.exe (PID: 2064)
Process checks computer location settings
- wmplayer.exe (PID: 2064)
- setup_wm.exe (PID: 120)
Creates files or folders in the user directory
- wmplayer.exe (PID: 2064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (28.6) |
|---|---|---|
| .exe | | | UPX compressed Win32 Executable (28) |
| .exe | | | Win32 EXE Yoda's Crypter (27.5) |
| .dll | | | Win32 Dynamic Link Library (generic) (6.8) |
| .exe | | | Win32 Executable (generic) (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2010:02:04 01:43:43+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 53248 |
| InitializedDataSize: | 8192 |
| UninitializedDataSize: | 94208 |
| EntryPoint: | 0x24ce0 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.1.3.14 |
| ProductVersionNumber: | 2.0.1.14 |
| FileFlagsMask: | 0x0017 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Unknown (0009) |
| CharacterSet: | Unicode |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Microsoft CleanSweep |
| FileVersion: | 1, 1, 3, 14 |
| InternalName: | CleanSweep |
| LegalCopyright: | © 2006 Microsoft Corporation. All rights reserved. |
| LegalTrademarks: | Microsoft® is a registered trademark of Microsoft Corporation. |
| OriginalFileName: | cleansweep.exe |
| ProductName: | 2007 Microsoft CleanSweep system |
| ProductVersion: | 2, 0, 1, 14 |
Total processes
52
Monitored processes
9
Malicious processes
4
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 120 | "C:\Program Files\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1 | C:\Program Files\Windows Media Player\setup_wm.exe | wmplayer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Media Configuration Utility Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 864 | "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1 | C:\Program Files\Windows Media Player\wmplayer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Exit code: 0 Version: 12.0.7601.23517 (win7sp1_ldr.160812-0732) Modules
| |||||||||||||||
| 956 | "C:\Windows\system32\unregmp2.exe" /PerformIndivIfNeeded | C:\Windows\System32\unregmp2.exe | — | setup_wm.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Media Player Setup Utility Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1164 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2060 | "C:\Program Files\Windows Media Player\wmpshare.exe" | C:\Program Files\Windows Media Player\wmpshare.exe | — | wmplayer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Folder Sharing Executable Exit code: 0 Version: 12.0.7601.24499 (win7sp1_ldr.190612-0600) Modules
| |||||||||||||||
| 2064 | "C:\Program Files\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:1 | C:\Program Files\Windows Media Player\wmplayer.exe | setup_wm.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Exit code: 3221225477 Version: 12.0.7601.23517 (win7sp1_ldr.160812-0732) Modules
| |||||||||||||||
| 2892 | C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary | C:\Windows\System32\unregmp2.exe | — | setup_wm.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Media Player Setup Utility Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3668 | "C:\Users\admin\AppData\Local\Temp\spyeye V1.0.exe" | C:\Users\admin\AppData\Local\Temp\spyeye V1.0.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft CleanSweep Exit code: 0 Version: 1, 1, 3, 14 Modules
| |||||||||||||||
| 4052 | "C:\cleansweep.exe\cleansweep.exe" | C:\cleansweep.exe\cleansweep.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft CleanSweep Exit code: 0 Version: 1, 1, 3, 14 Modules
| |||||||||||||||
Total events
13 128
Read events
12 632
Write events
404
Delete events
92
Modification events
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000DBDD10622BD67741A42163F361389C4700000000020000000000106600000001000020000000779536EDDE13619BCF4972004A397A2F67C01E073AB76F38C31A5A8F19A5C8AF000000000E80000000020000200000008EB1ECCE6DE29A4702075C7293DFFD1C522A666F5F057DAD2D125F6C44C6C45230000000648F130B0B324129D9BDA4BD331E755207ED4C6CD452BEF234FB6F0027C211E846F465BA1C58E21E25025E1464DAE52840000000C01A511F78EF47FF47597240A6CE340A2941E69AED81AB6B29B56A375394893CB54808922363DF309BE315B4DA6076F53389E75CD25C4CC2C1027C9AA40ED5CD | |||
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | cleansweep.exe |
Value: C:\cleansweep.exe\cleansweep.exe | |||
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyServer |
Value: | |||
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyOverride |
Value: | |||
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoConfigURL |
Value: | |||
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoDetect |
Value: | |||
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} |
| Operation: | write | Name: | WpadDecisionReason |
Value: 1 | |||
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} |
| Operation: | write | Name: | WpadDecisionTime |
Value: 0C048D6EB85FDA01 | |||
Executable files
1
Suspicious files
4
Text files
21
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2064 | wmplayer.exe | C:\Users\Public\Music\Sample Music\AlbumArtSmall.jpg | — | |
MD5:— | SHA256:— | |||
| 2064 | wmplayer.exe | C:\Users\Public\Music\Sample Music\Folder.jpg | — | |
MD5:— | SHA256:— | |||
| 2064 | wmplayer.exe | C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg | — | |
MD5:— | SHA256:— | |||
| 2064 | wmplayer.exe | C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Small.jpg | — | |
MD5:— | SHA256:— | |||
| 1164 | explorer.exe | C:\cleansweep.exe\config.bin | binary | |
MD5:FF3BE08F6B0BBA7742BE7AAE91AC6DBF | SHA256:E77B2566F0ADBEBA303A7DE16FDFE607AFE213DCABF2B904E80836EA64EA22B4 | |||
| 120 | setup_wm.exe | C:\Users\admin\AppData\Local\Temp\tmp49859.WMC\serviceinfo.xml | text | |
MD5:D58DA90D6DC51F97CB84DFBFFE2B2300 | SHA256:93ACDB79543D9248CA3FCA661F3AC287E6004E4B3DAFD79D4C4070794FFBF2AD | |||
| 2064 | wmplayer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms | binary | |
MD5:3DB3814B65589F1A0E304610C29970D0 | SHA256:2BB4E260FBA17E0B319EA7263B2E99B31489E5B10283B2BDF0E30FAC326D8045 | |||
| 1164 | explorer.exe | C:\cleansweep.exe\cleansweep.exe | executable | |
MD5:370F037840866A977FEB0BD83A55E9DA | SHA256:1A58CC2BCF224EF9177408DA0AC7C6551CF7353A13B747ED77352B071706966A | |||
| 120 | setup_wm.exe | C:\Users\admin\AppData\Local\Temp\tmp44937.WMC\allservices.xml | xml | |
MD5:DF03E65B8E082F24DAB09C57BC9C6241 | SHA256:155B9C588061C71832AF329FAFA5678835D9153B8FBB7592195AE953D0C455BA | |||
| 2064 | wmplayer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\AllServices[1].xml | xml | |
MD5:DF03E65B8E082F24DAB09C57BC9C6241 | SHA256:155B9C588061C71832AF329FAFA5678835D9153B8FBB7592195AE953D0C455BA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
16
DNS requests
9
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
276 | taskhost.exe | POST | 302 | 64.91.248.18:80 | http://spyeye-mx1.2fh.co/root/Formgrab/websitechk.php | unknown | — | — | unknown |
1164 | explorer.exe | GET | 302 | 64.91.248.18:80 | http://spyeye-mx1.2fh.co/root/main/bt_version_checker.php?guid=ADMIN!USER-PC!C4BA3647&ver=10070&stat=ONLINE&ie=9.11.9600.19596&os=6.1.7601&ut=User&cpu=2&ccrc=65B0AD8F | unknown | — | — | unknown |
1164 | explorer.exe | GET | 200 | 64.190.63.136:80 | http://ww1.2fh.co/root/main/bt_version_checker.php?guid=ADMIN!USER-PC!C4BA3647&ver=10070&stat=ONLINE&ie=9.11.9600.19596&os=6.1.7601&ut=User&cpu=2&ccrc=65B0AD8F&usid=24&utid=6119897982 | unknown | html | 22.0 Kb | unknown |
120 | setup_wm.exe | GET | 302 | 2.16.2.187:80 | http://redir.metaservices.microsoft.com/redir/allservices/?sv=5&version=12.0.7601.17514&locale=409&userlocale=409&geoid=f4&parch=x86&arch=x86 | unknown | — | — | unknown |
120 | setup_wm.exe | GET | 200 | 2.16.2.32:80 | http://onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv=5&version=12.0.7601.17514&locale=409&userlocale=409&geoid=f4&parch=x86&arch=x86 | unknown | xml | 546 b | unknown |
2064 | wmplayer.exe | GET | 302 | 2.16.2.187:80 | http://redir.metaservices.microsoft.com/redir/allservices/?sv=5&locale=409&geoid=f4&version=12.0.7601.24499&userlocale=409 | unknown | — | — | unknown |
2064 | wmplayer.exe | GET | 200 | 2.16.2.32:80 | http://onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv=5&locale=409&geoid=f4&version=12.0.7601.24499&userlocale=409 | unknown | xml | 546 b | unknown |
2064 | wmplayer.exe | GET | 200 | 2.16.2.49:80 | http://images.windowsmedia.com/svcswitch/mg4_wmp12_30x30_2.png | unknown | image | 2.00 Kb | unknown |
120 | setup_wm.exe | GET | 200 | 2.16.2.32:80 | http://onlinestores.metaservices.microsoft.com/bing/bing.xml | unknown | text | 523 b | unknown |
2064 | wmplayer.exe | GET | 200 | 2.16.2.49:80 | http://images.windowsmedia.com/svcswitch/media_guide_16x16.png | unknown | image | 897 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
276 | taskhost.exe | 64.91.248.18:80 | spyeye-mx1.2fh.co | LIQUIDWEB | US | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1164 | explorer.exe | 64.91.248.18:80 | spyeye-mx1.2fh.co | LIQUIDWEB | US | unknown |
1164 | explorer.exe | 64.190.63.136:80 | ww1.2fh.co | SEDO GmbH | DE | unknown |
120 | setup_wm.exe | 2.16.2.187:80 | redir.metaservices.microsoft.com | Akamai International B.V. | CZ | whitelisted |
120 | setup_wm.exe | 2.16.2.32:80 | onlinestores.metaservices.microsoft.com | Akamai International B.V. | CZ | whitelisted |
2372 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
2064 | wmplayer.exe | 2.16.2.187:80 | redir.metaservices.microsoft.com | Akamai International B.V. | CZ | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
spyeye-mx1.2fh.co |
| unknown |
ww1.2fh.co |
| unknown |
redir.metaservices.microsoft.com |
| whitelisted |
onlinestores.metaservices.microsoft.com |
| whitelisted |
sqm.msn.com |
| unknown |
images.windowsmedia.com |
| whitelisted |
watson.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1164 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE Banker PWS/Infostealer HTTP GET Checkin |
1164 | explorer.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) |
1164 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE SpyEye C&C Check-in URI |
1164 | explorer.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) |
1164 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE Banker PWS/Infostealer HTTP GET Checkin |
1164 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE SpyEye C&C Check-in URI |
1 ETPRO signatures available at the full report