analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed

Full analysis: https://app.any.run/tasks/bfd95838-1c7b-43f4-b2fc-1d637f471f4b
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: July 17, 2019, 13:45:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B01045A83EAFB879BDD5EEBED16F2A66

SHA1:

FDC340769C3CA364F6CC7CA1BE99762B8FEAE73A

SHA256:

3031DB957BDC9EB4913BA8095C4749ABF5DD7494CAFB01C9F14B3B1BC184D3ED

SSDEEP:

12288:vINGRlBHTGUZTQuOPakIznClkQlu/no0C4aQ4z:QNOHGATNOCkGnSkQlu/oZ7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe (PID: 3584)

    • Loads the Task Scheduler COM API

      • 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe (PID: 3584)
      • 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe (PID: 2328)

    • Application was dropped or rewritten from another process

      • updatewin1.exe (PID: 3512)
      • updatewin1.exe (PID: 2844)
      • updatewin2.exe (PID: 3048)

    • Task Manager has been disabled (taskmgr)

      • updatewin1.exe (PID: 2844)

    • Disables Windows Defender

      • updatewin1.exe (PID: 2844)

    • Downloads executable files from the Internet

      • 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe (PID: 2328)

  • SUSPICIOUS

    • Changes tracing settings of the file or console

      • 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe (PID: 3584)

    • Creates files in the user directory

      • 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe (PID: 3584)
      • powershell.exe (PID: 3700)
      • powershell.exe (PID: 2404)
      • powershell.exe (PID: 2728)

    • Executable content was dropped or overwritten

      • 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe (PID: 3584)
      • 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe (PID: 2328)

    • Uses ICACLS.EXE to modify access control list

      • 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe (PID: 3584)

    • Application launched itself

      • 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe (PID: 3584)
      • updatewin1.exe (PID: 3512)
      • powershell.exe (PID: 3700)

    • Executes PowerShell scripts

      • updatewin1.exe (PID: 2844)
      • powershell.exe (PID: 3700)

    • Starts CMD.EXE for commands execution

      • updatewin1.exe (PID: 2844)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe (PID: 2328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x787d
UninitializedDataSize: -
InitializedDataSize: 8755200
CodeSize: 86528
LinkerVersion: 12
PEType: PE32
TimeStamp: 2018:11:18 13:12:09+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Nov-2018 12:12:09
Detected languages:
  • French - Monaco
  • German - Liechtenstein
Debug artifacts:
  • C:\rogepeb_nahalogoxacunuteyap_zezukawecezemeburi_tizukobesenuc.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 18-Nov-2018 12:12:09
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00015123
0x00015200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.80081
.rdata
0x00017000
0x00009C62
0x00009E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.64119
.data
0x00021000
0x008485E0
0x00045400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.04464
.rsrc
0x0086A000
0x00006BF8
0x00006C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.17694
.reloc
0x00871000
0x00001438
0x00001600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.33628

Resources

Title
Entropy
Size
Codepage
Language
Type
1
6.03692
3752
UNKNOWN
German - Liechtenstein
RT_ICON
2
6.44629
2216
UNKNOWN
German - Liechtenstein
RT_ICON
3
6.35266
1736
UNKNOWN
German - Liechtenstein
RT_ICON
4
6.10631
1384
UNKNOWN
German - Liechtenstein
RT_ICON
5
5.61959
9640
UNKNOWN
German - Liechtenstein
RT_ICON
6
6.01516
4264
UNKNOWN
German - Liechtenstein
RT_ICON
7
5.99413
2440
UNKNOWN
German - Liechtenstein
RT_ICON
8
6.08672
1128
UNKNOWN
German - Liechtenstein
RT_ICON
16
3.12468
290
UNKNOWN
French - Monaco
RT_STRING
127
2.85812
118
UNKNOWN
German - Liechtenstein
RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
MSIMG32.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
11
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe icacls.exe no specs 3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe updatewin1.exe no specs updatewin1.exe no specs updatewin2.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs mpcmdrun.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3584"C:\Users\admin\AppData\Local\Temp\3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe" C:\Users\admin\AppData\Local\Temp\3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3224icacls "C:\Users\admin\AppData\Local\e3d32ebe-d7dc-4ced-a72f-73e40c13763b" /deny *S-1-1-0:(OI)(CI)(DE,DC)C:\Windows\system32\icacls.exe3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2328"C:\Users\admin\AppData\Local\Temp\3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe" --Admin IsNotAutoStart IsNotTaskC:\Users\admin\AppData\Local\Temp\3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
User:
admin
Integrity Level:
HIGH
3512"C:\Users\admin\AppData\Local\b6aedf1c-bf88-4eb2-8f27-8a44661c564c\updatewin1.exe" C:\Users\admin\AppData\Local\b6aedf1c-bf88-4eb2-8f27-8a44661c564c\updatewin1.exe3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2844"C:\Users\admin\AppData\Local\b6aedf1c-bf88-4eb2-8f27-8a44661c564c\updatewin1.exe" --AdminC:\Users\admin\AppData\Local\b6aedf1c-bf88-4eb2-8f27-8a44661c564c\updatewin1.exeupdatewin1.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3048"C:\Users\admin\AppData\Local\b6aedf1c-bf88-4eb2-8f27-8a44661c564c\updatewin2.exe" C:\Users\admin\AppData\Local\b6aedf1c-bf88-4eb2-8f27-8a44661c564c\updatewin2.exe3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2404powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSignedC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeupdatewin1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3700powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\admin\AppData\Local\script.ps1""' -Verb RunAs}"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeupdatewin1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2728"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\script.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3640"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -allC:\Program Files\Windows Defender\mpcmdrun.exeupdatewin1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 730
Read events
1 508
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
6
Text files
4
Unknown types
1

Dropped files

PID
Process
Filename
Type
23283031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\geo[1].json
MD5:
SHA256:
23283031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\updatewin1[1].exe
MD5:
SHA256:
23283031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\updatewin2[1].exe
MD5:
SHA256:
2404powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TU9MUC2IFOBAJBRPT6PB.temp
MD5:
SHA256:
3700powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DPWXMXDDD2YXW2S893K9.temp
MD5:
SHA256:
2728powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QQIVQ5E3B5TURP0HWEPL.temp
MD5:
SHA256:
2404powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1192e6.TMPbinary
MD5:4B92A079D7F4DFA0DFE9125E60FE7814
SHA256:E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04
2404powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:4B92A079D7F4DFA0DFE9125E60FE7814
SHA256:E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04
23283031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exeC:\Users\admin\AppData\Local\b6aedf1c-bf88-4eb2-8f27-8a44661c564c\updatewin1.exeexecutable
MD5:5B4BD24D6240F467BFBC74803C9F15B0
SHA256:14C7BEC7369D4175C6D92554B033862B3847FF98A04DFEBDF9F5BB30180ED13E
23283031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exeC:\Users\admin\AppData\Local\b6aedf1c-bf88-4eb2-8f27-8a44661c564c\updatewin2.exeexecutable
MD5:996BA35165BB62473D2A6743A5200D45
SHA256:5CAFFDC76A562E098C471FEAEDE5693F9EAD92D5C6C10FB3951DD1FA6C12D21D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
4
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
GET
200
194.67.196.123:80
http://bronze2.hk/tesptc/penelop/updatewin2.exe
RU
executable
274 Kb
malicious
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
GET
200
194.67.196.123:80
http://bronze2.hk/tesptc/penelop/updatewin1.exe
RU
executable
272 Kb
malicious
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
GET
404
194.67.196.123:80
http://bronze2.hk/tesptc/penelop/4.exe
RU
html
218 b
malicious
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
GET
404
194.67.196.123:80
http://bronze1.hk/dfgdfgdf26/khjkhjkhjkh/get.php?pid=2485E9F082250E269EA0EF635E0D382D&first=true
RU
html
228 b
malicious
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
GET
194.67.196.123:80
http://bronze2.hk/tesptc/penelop/5.exe
RU
malicious
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
GET
404
194.67.196.123:80
http://bronze2.hk/tesptc/penelop/updatewinx.exe
RU
html
227 b
malicious
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
GET
404
194.67.196.123:80
http://bronze2.hk/tesptc/penelop/3.exe
RU
html
218 b
malicious
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
GET
194.67.196.123:80
http://bronze1.hk/dfgdfgdf26/khjkhjkhjkh/get.php?pid=2485E9F082250E269EA0EF635E0D382D&first=true
RU
malicious
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
GET
404
194.67.196.123:80
http://bronze1.hk/dfgdfgdf26/khjkhjkhjkh/get.php?pid=2485E9F082250E269EA0EF635E0D382D&first=true
RU
html
228 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3584
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
77.123.139.189:443
api.2ip.ua
Volia
UA
unknown
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
77.123.139.189:443
api.2ip.ua
Volia
UA
unknown
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
194.67.196.123:80
bronze2.hk
MAROSNET Telecommunication Company LLC
RU
malicious

DNS requests

Domain
IP
Reputation
api.2ip.ua
  • 77.123.139.189
shared
bronze2.hk
  • 194.67.196.123
  • 95.181.178.110
  • 85.143.219.242
  • 62.173.140.17
malicious
bronze1.hk
  • 194.67.196.123
  • 95.181.178.110
  • 85.143.219.242
  • 62.173.140.17
malicious

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET POLICY External IP Address Lookup DNS Query
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
A Network Trojan was detected
ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
Misc activity
ET INFO Packed Executable Download
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-PSW.Win32.Coins.nrc
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
A Network Trojan was detected
ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
A Network Trojan was detected
ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request
2328
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
3031db957bdc9eb4913ba8095c4749abf5dd7494cafb01c9f14b3b1bc184d3ed