analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Windows Loader.exe

Full analysis: https://app.any.run/tasks/0a903159-d293-4506-aca5-b1ef56b02877
Verdict: Malicious activity
Analysis date: December 02, 2019, 19:40:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

323C0FD51071400B51EEDB1BE90A8188

SHA1:

0EFC35935957C25193BBE9A83AB6CAA25A487ADA

SHA256:

2F2ABA1E074F5F4BAA08B524875461889F8F04D4FFC43972AC212E286022AB94

SSDEEP:

49152:cEYCFEvlmOmTgtFM3uK5m3imrHuiff+puWV355FXw/+zuWV355FXw/+DuWV355FP:cEYzEFTgtFM3ukm3imPnt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Windows Loader.exe (PID: 2956)
      • cmd.exe (PID: 408)
      • cmd.exe (PID: 2480)

    • Uses ICACLS.EXE to modify access control list

      • cmd.exe (PID: 2564)
      • cmd.exe (PID: 3740)

    • Executes scripts

      • cmd.exe (PID: 2452)
      • cmd.exe (PID: 3132)

  • INFO

    • Manual execution by user

      • explorer.exe (PID: 2812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (30.1)
.exe | Win64 Executable (generic) (20)
.exe | UPX compressed Win32 Executable (19.6)
.exe | Win32 EXE Yoda's Crypter (19.2)
.dll | Win32 Dynamic Link Library (generic) (4.7)

EXIF

EXE

InternalName: -
OriginalFileName: Windows Loader.exe
ProductName: -
ProductVersion: -
LegalCopyright: -
FileDescription: -
Release: Final
Country: -
FileVersion: 2.2.2.0
CompanyName: -
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: Pre-release, Private build
FileFlagsMask: 0x003f
ProductVersionNumber: 2.2.2.0
FileVersionNumber: 2.2.2.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x21a9a0
UninitializedDataSize: 1613824
InitializedDataSize: 28672
CodeSize: 593920
LinkerVersion: 8
PEType: PE32
TimeStamp: 2007:10:31 17:53:19+01:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
62
Monitored processes
17
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start windows loader.exe no specs windows loader.exe explorer.exe no specs cmd.exe no specs cmd.exe no specs takeown.exe no specs cmd.exe no specs icacls.exe no specs cmd.exe no specs cmd.exe no specs takeown.exe no specs cmd.exe no specs icacls.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2028"C:\Users\admin\AppData\Local\Temp\Windows Loader.exe" C:\Users\admin\AppData\Local\Temp\Windows Loader.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
2956"C:\Users\admin\AppData\Local\Temp\Windows Loader.exe" C:\Users\admin\AppData\Local\Temp\Windows Loader.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
2812"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2480cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin" C:\Windows\system32\cmd.exeWindows Loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3500cmd.exe /c takeown /f C:\ldrscan\bootwin C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3892takeown /f C:\ldrscan\bootwin C:\Windows\system32\takeown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Takes ownership of a file
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2564cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)" C:\Windows\system32\cmd.exeWindows Loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3116icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F) C:\Windows\system32\icacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
408cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin" C:\Windows\system32\cmd.exeWindows Loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1096cmd.exe /c takeown /f C:\ldrscan\bootwin C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
144
Read events
144
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2956Windows Loader.exeC:\System Volume Information\MountPointManagerRemoteDatabasebinary
MD5:00140FEEDF94331812077ECAAA0B4D91
SHA256:52E1C2907D4B58765F04AE92ED31C294BE31A0A3A9EEF37408182BF079DD4115
2956Windows Loader.exeC:\Dell.XRM-MSxml
MD5:18B1E45BF56F40C3C4BBE65831178216
SHA256:D072A059D3ED3E75C98B85B41E4319E8D5CFAE0E0C239B62436A3AD34003AB4A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Windows Loader.exe