analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 2e |
| Full analysis: | https://app.any.run/tasks/3f49b41b-4728-4950-90e6-19fa23fa08b4 |
| Verdict: | Malicious activity |
| Analysis date: | October 14, 2019, 12:28:28 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5: | 0CA62A7A48FFB6D01181BD051C297092 |
| SHA1: | F8540D54F4D94DC2907DA2E9F85BCC1A9A662090 |
| SHA256: | 2E84EBCE5DE7A69A3C8E867A8D26908C9DBEF24523E1F4FA9740A534D98488C8 |
| SSDEEP: | 6144:Lu4j7o9/530BeJ9nWEEIUfQEfRV/snZtq0X9Dbfgsrv:LpojkBe9WEEIUPfR+ZtqKDTjrv |
MALICIOUS
Writes to a start menu file
- 2e.exe (PID: 2172)
Changes the autorun value in the registry
- 2e.exe (PID: 2172)
Runs app for hidden code execution
- 2e.exe (PID: 2172)
Deletes shadow copies
- cmd.exe (PID: 1912)
SUSPICIOUS
Creates files in the user directory
- 2e.exe (PID: 2172)
Starts CMD.EXE for commands execution
- 2e.exe (PID: 2172)
Executable content was dropped or overwritten
- 2e.exe (PID: 2172)
Creates files in the program directory
- 2e.exe (PID: 2172)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (61.7) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.6) |
| .exe | | | Win32 Executable (generic) (10) |
| .exe | | | Clipper DOS Executable (4.5) |
| .exe | | | Generic Win/DOS Executable (4.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:10:06 01:00:16+02:00 |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 54784 |
| InitializedDataSize: | 288256 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1e8a |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.4 |
| ProductVersionNumber: | 1.0.0.4 |
| FileFlagsMask: | 0x006f |
| FileFlags: | Pre-release, Patched |
| FileOS: | Unknown (0x40304) |
| ObjectFileType: | Static library |
| FileSubtype: | 81 |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 05-Oct-2018 23:00:16 |
| Detected languages: |
|
| Debug artifacts: |
|
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000110 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 7 |
| Time date stamp: | 05-Oct-2018 23:00:16 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x0000D4B8 | 0x0000D600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.65203 |
.rdata | 0x0000F000 | 0x00008074 | 0x00008200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.57057 |
.data | 0x00018000 | 0x000368E0 | 0x00028000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.87122 |
.gfids | 0x0004F000 | 0x0000011C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.046 |
.tls | 0x00050000 | 0x00000009 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00051000 | 0x000063A0 | 0x00006400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.05241 |
.reloc | 0x00058000 | 0x00001138 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.43124 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 3.12909 | 272 | UNKNOWN | UNKNOWN | RT_VERSION |
2 | 6.09958 | 1384 | UNKNOWN | English - United States | RT_ICON |
3 | 5.92621 | 9640 | UNKNOWN | English - United States | RT_ICON |
14 | 3.24974 | 978 | UNKNOWN | UNKNOWN | RT_STRING |
15 | 3.2063 | 506 | UNKNOWN | UNKNOWN | RT_STRING |
29 | 3.13069 | 440 | UNKNOWN | UNKNOWN | RT_STRING |
128 | 2.59109 | 48 | UNKNOWN | English - United States | RT_GROUP_ICON |
216 | 4.62598 | 4182 | UNKNOWN | UNKNOWN | JIXAVIZENAFUN |
256 | 4.62334 | 3308 | UNKNOWN | UNKNOWN | LUKIDIRAXEL |
466 | 2.32193 | 10 | UNKNOWN | UNKNOWN | UNKNOWN |
Imports
ADVAPI32.dll |
GDI32.dll |
KERNEL32.dll |
MSIMG32.dll |
Exports
Title | Ordinal | Address |
|---|---|---|
_ExportFuncs@4 | 1 | 0x00001000 |
Total processes
41
Monitored processes
4
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2172 | "C:\Users\admin\AppData\Local\Temp\2e.exe" | C:\Users\admin\AppData\Local\Temp\2e.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM | ||||
| 1912 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | 2e.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 3084 | mode con cp select=1251 | C:\Windows\system32\mode.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: DOS Device MODE Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 1016 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
358
Read events
352
Write events
6
Delete events
0
Modification events
| (PID) Process: | (2172) 2e.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | 2e.exe |
Value: C:\Users\admin\AppData\Roaming\2e.exe | |||
| (PID) Process: | (2172) 2e.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | 2e.exe |
Value: C:\Users\admin\AppData\Roaming\2e.exe | |||
| (PID) Process: | (2172) 2e.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (2172) 2e.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
Executable files
2
Suspicious files
968
Text files
4
Unknown types
26
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2172 | 2e.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini | — | |
MD5:— | SHA256:— | |||
| 2172 | 2e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leame.htm | — | |
MD5:— | SHA256:— | |||
| 2172 | 2e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Benioku.htm | — | |
MD5:— | SHA256:— | |||
| 2172 | 2e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\IrakHau.htm | — | |
MD5:— | SHA256:— | |||
| 2172 | 2e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Berime.htm | — | |
MD5:— | SHA256:— | |||
| 2172 | 2e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Comments.aapp | — | |
MD5:— | SHA256:— | |||
| 2172 | 2e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\AppCenter_R.aapp | — | |
MD5:— | SHA256:— | |||
| 2172 | 2e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Certificates_R.aapp | — | |
MD5:— | SHA256:— | |||
| 2172 | 2e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Combine_R_RHP.aapp | — | |
MD5:— | SHA256:— | |||
| 2172 | 2e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeesMij.htm | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report