| File name: | I_love_you.exe |
| Full analysis: | https://app.any.run/tasks/2f4faf50-1e7c-4be5-b41c-43bb865efd9a |
| Verdict: | Malicious activity |
| Analysis date: | December 05, 2023, 11:10:32 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed |
| MD5: | C17F8779381F03EADA352332342CA234 |
| SHA1: | 6B3C4AC07D1ECA83C87FD1A4621007D5FC6B0AE3 |
| SHA256: | 2AE0B594750BDAFAEBA0DCD72683B2ADFB03C8AF34FC584C5AB43EFB664175C9 |
| SSDEEP: | 24576:MiiA0OlxylgZBHOtF+3xMcQ+m+IHRzDOg59Pnx+3whnC3G6jxmNbQFM8zidn:MiiA0OlxylgZBHOtF+3xMcQ+mlHRzDOy |
MALICIOUS
Creates a writable file in the system directory
- I_love_you.exe (PID: 2600)
Drops the executable file immediately after the start
- I_love_you.exe (PID: 2600)
Actions looks like stealing of personal data
- dllhost.exe (PID: 1784)
SUSPICIOUS
Starts application with an unusual extension
- rundll32.exe (PID: 3924)
Reads the Internet Settings
- I_love_you.exe (PID: 2600)
- I love you..scr (PID: 1936)
- control.exe (PID: 3856)
- I love you..scr (PID: 4040)
Uses RUNDLL32.EXE to load library
- control.exe (PID: 3856)
INFO
Checks proxy server information
- I love you..scr (PID: 1936)
- I love you..scr (PID: 4040)
Reads the computer name
- I love you..scr (PID: 1936)
- I_love_you.exe (PID: 2600)
- I love you..scr (PID: 4040)
Checks supported languages
- I love you..scr (PID: 1936)
- I_love_you.exe (PID: 2600)
- I love you..scr (PID: 4040)
Creates files or folders in the user directory
- I love you..scr (PID: 1936)
- I_love_you.exe (PID: 2600)
- I love you..scr (PID: 4040)
Creates files in the program directory
- I_love_you.exe (PID: 2600)
Manual execution by a user
- explorer.exe (PID: 2996)
- I love you..scr (PID: 4040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 EXE PECompact compressed (v2.x) (51) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (35.9) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2005:11:29 15:14:41+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 159744 |
| InitializedDataSize: | 299008 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xdeb7 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.5.7.0 |
| ProductVersionNumber: | 3.5.7.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | Axialis Software |
| FileDescription: | Axialis Professional Screen Saver Installation |
| FileVersion: | 3, 5, 7, 0 |
| InternalName: | AxScrInstall |
| LegalCopyright: | Copyright (c) 2002 |
| LegalTrademarks: | - |
| OriginalFileName: | ScrInstall.EXE |
| PrivateBuild: | - |
| ProductName: | Axialis Professional Screen Saver Compiler |
| ProductVersion: | 3, 5, 7, 0 |
| SpecialBuild: | - |
Total processes
53
Monitored processes
8
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 280 | "C:\Users\admin\AppData\Local\Temp\I_love_you.exe" | C:\Users\admin\AppData\Local\Temp\I_love_you.exe | — | explorer.exe | |||||||||||
User: admin Company: Axialis Software Integrity Level: MEDIUM Description: Axialis Professional Screen Saver Installation Exit code: 3221226540 Version: 3, 5, 7, 0 Modules
| |||||||||||||||
| 1784 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\System32\dllhost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1936 | "C:\Windows\system32\I love you..scr" /p 655928 | C:\Windows\System32\I love you..scr | — | rundll32.exe | |||||||||||
User: admin Company: Axialis Software Integrity Level: HIGH Description: Screen Saver Exit code: 0 Version: 3, 6, 3, 0 Modules
| |||||||||||||||
| 2600 | "C:\Users\admin\AppData\Local\Temp\I_love_you.exe" | C:\Users\admin\AppData\Local\Temp\I_love_you.exe | explorer.exe | ||||||||||||
User: admin Company: Axialis Software Integrity Level: HIGH Description: Axialis Professional Screen Saver Installation Exit code: 0 Version: 3, 5, 7, 0 Modules
| |||||||||||||||
| 2996 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 3221225547 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3856 | "C:\Windows\System32\control.exe" desk.cpl,,1 | C:\Windows\System32\control.exe | — | I_love_you.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Control Panel Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3924 | "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL desk.cpl,,1 | C:\Windows\System32\rundll32.exe | — | control.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4040 | "C:\Windows\System32\I love you..scr" /S | C:\Windows\System32\I love you..scr | — | explorer.exe | |||||||||||
User: admin Company: Axialis Software Integrity Level: MEDIUM Description: Screen Saver Exit code: 0 Version: 3, 6, 3, 0 Modules
| |||||||||||||||
Total events
1 030
Read events
1 002
Write events
28
Delete events
0
Modification events
| (PID) Process: | (2600) I_love_you.exe | Key: | HKEY_CURRENT_USER\Control Panel\Desktop |
| Operation: | write | Name: | ScreenSaveActive |
Value: 1 | |||
| (PID) Process: | (2600) I_love_you.exe | Key: | HKEY_CURRENT_USER\Control Panel\Desktop |
| Operation: | write | Name: | scrnsave.exe |
Value: C:\windows\system32\I love you..scr | |||
| (PID) Process: | (2600) I_love_you.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2600) I_love_you.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2600) I_love_you.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2600) I_love_you.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3856) control.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3856) control.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3856) control.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3856) control.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
2
Suspicious files
4
Text files
7
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2600 | I_love_you.exe | C:\Program Files\ScreenBlaster.co.uk\I love you\Uninstall.exe | executable | |
MD5:745D553C48E05AE624D07E138095EE65 | SHA256:F62280CE734FA5EA8E1760D8BDEE70C622DBE1EDA82487405F7528DAAF483A09 | |||
| 2600 | I_love_you.exe | C:\Program Files\ScreenBlaster.co.uk\I love you\Uninstall.ini | text | |
MD5:85A51E8EE37FE4E319A42DE82A9A7176 | SHA256:21267BB234997554D7AB943E5053581E3E427CBDD22DF6F6CBB974384858B428 | |||
| 2600 | I_love_you.exe | C:\Users\Administrator\Desktop\I love you. Screensaver.lnk | binary | |
MD5:A8B055D5AEA2E1A4E10D6CACCA7521D5 | SHA256:FC47350EAFCDBEBB5D1F0D9E2A551F20E88AD7BF0CA541352D2A881BC2975350 | |||
| 2600 | I_love_you.exe | C:\windows\system32\I love you..scr | executable | |
MD5:D733F4BF789B0CBA1DDA4CF07794C0D8 | SHA256:E733BBEF529D6865CE9ABB23F1185C2817CFCB081EFCBCEEF325F6FA508B2664 | |||
| 2600 | I_love_you.exe | C:\Users\admin\AppData\Local\Axialis\dialog.bmp | image | |
MD5:F89C621F894800A2380DED620E7DA9B4 | SHA256:0A0BE94F7AAD0C5CBA840271DEDF5B3640F97954AE1EC8CE078413A68A214184 | |||
| 3924 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme | text | |
MD5:C1FCF55A48CAF02CBC0FEC89C8B44C9D | SHA256:1497F2B7237A7DAEF8DF4568F8BFEF1B7B8FEBE4082A797725C410DF1CE3B961 | |||
| 2600 | I_love_you.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ScreenBlaster.co.uk\I love you. Screensaver\I love you. Screensaver.lnk | binary | |
MD5:BFBE97DB66780FDCCD6452CD1E6C58E9 | SHA256:B9E498A2903773346A375293030C8F8D3ED056482AD4ED1F7CB8CC2ACC203814 | |||
| 2600 | I_love_you.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ScreenBlaster.co.uk\I love you. Screensaver\Uninstall I love you. Screensaver.lnk | lnk | |
MD5:01E3AC65757803B3894F4B01D94680D9 | SHA256:0083C164DDF6566425FB630EB63BC4CF16DB674339FDFA6BA8E3DD27A74A9B40 | |||
| 4040 | I love you..scr | C:\Users\admin\AppData\Local\Axialis\pssp0001.png | image | |
MD5:F1BF88CBAC9A08732E4E83474DA33831 | SHA256:1EA3C319B1A27ADCF32AE0885D830D7AE7D25783A2193B88D4E2CE0EF54F7809 | |||
| 2600 | I_love_you.exe | C:\Users\admin\AppData\Local\Axialis\pssp0001.tmp | binary | |
MD5:D47FF8897F3D7B51710ACABAF3D74E05 | SHA256:93518EF808821BCAAE70B3A8C95D3B6BA7BF40E1AA3F7805E67AECF20403E612 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |