File name: [email protected]

Full analysis: https://app.any.run/tasks/9c4e8010-10fb-45d8-bcc8-4b3c3ac03be6
Verdict: Malicious activity
Analysis date: January 25, 2022, 00:15:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 35B22C54BA95C491DCFDB74B9D16ABAB
SHA1: E5A9181BEAF501F624E31E7F94DA117D8F8F5CF9
SHA256: 30DF06B21645E742CE545C54D6203B629A47E58F300D25E40ACEBBFF37288FDA
SSDEEP: 3072:ygXdZt9P6D3XJoxRedyTe/wjDwrKEFUYbRjqSKXD80sNzQw:ye34+xRtAG+3JRjeD80sNz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 23:50:52+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 164864
UninitializedDataSize: 1024
EntryPoint: 0x30fa
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Dec-2009 22:50:52
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 05-Dec-2009 22:50:52
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual address | Virtual size | Raw size | Characteristics | Entropy
.text | 0x00001000 | 0x00005C4C | 0x00005E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44011
.rdata | 0x00007000 | 0x0000129C | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04684
.data | 0x00009000 | 0x00025C58 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.801
.ndata | 0x0002F000 | 0x00009000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00038000 | 0x000056E0 | 0x00005800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.61355

The zero-raw-size .ndata section is the NSIS stub's runtime data area, consistent with the TRiD and file-type identification above; none of the sections is both writable and executable, and no section entropy approaches the packed/encrypted range.
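To reproduce the section view above from raw bytes, here is an added example by the editor (not ANY.RUN's tooling and not code from the sample): it walks the DOS header, COFF header and section table with the Python standard library, computes per-section Shannon entropy, and applies the checks a practitioner runs on a table like this one. The input is a constructed two-section PE32 image built inside the block, not the report's sample; the triage thresholds (entropy above 7.2, write+execute sections, mapped-but-absent data) are assumptions.

```python
"""Walk a PE section table and score each section's entropy.

Added example (not ANY.RUN's code): rebuilds the per-section view
(name, virtual address, virtual size, raw size, characteristics, entropy)
from raw bytes. build_minimal_pe() returns a constructed image, not the
report's sample; triage thresholds are assumptions.
"""
import math
import struct

# Subset of IMAGE_SCN_* flags that matter for triage (Microsoft PE format values).
SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list[dict]:
    """Return one dict per section header, entropy computed over its raw data."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size  # section headers follow the optional header
    sections = []
    for _ in range(nsec):
        (name, vsize, va, raw_size, raw_ptr, _rel, _ln, _nrel, _nln,
         chars) = struct.unpack_from("<8sIIIIIIHHI", image, off)
        off += 40
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "characteristics": [n for f, n in SCN_FLAGS.items() if chars & f],
            "entropy": round(shannon_entropy(raw), 5),
        })
    return sections


def triage(sections: list[dict]) -> list[str]:
    """Checks a practitioner applies to a section table (thresholds are assumptions)."""
    findings = []
    for s in sections:
        c = s["characteristics"]
        if "IMAGE_SCN_MEM_EXECUTE" in c and "IMAGE_SCN_MEM_WRITE" in c:
            findings.append(f"{s['name']}: writable and executable")
        if s["raw_size"] > 0 and s["entropy"] > 7.2:
            findings.append(f"{s['name']}: entropy {s['entropy']} suggests packed/encrypted data")
        # A bss-style section (NSIS .ndata) legitimately has no raw bytes; anything
        # else that is mapped but absent from disk is a candidate unpacking target.
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and "IMAGE_SCN_CNT_UNINITIALIZED_DATA" not in c:
            findings.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes mapped")
    return findings


def build_minimal_pe() -> bytes:
    """Constructed two-section PE32 image for a dry run (not the report's sample)."""
    e_lfanew = 0x80
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos += b"\0" * (e_lfanew - 64)
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4B1AE46C, 0, 0, opt_size, 0x010F)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    text_raw = bytes(range(256)) * 2             # 512 bytes, every value twice: entropy 8.0
    text_ptr = 0x400

    def hdr(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    sections = (hdr(b".text", 0x200, 0x1000, len(text_raw), text_ptr, 0x60000020)
                + hdr(b".ndata", 0x9000, 0x2000, 0, 0, 0xC0000080))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(optional) + sections
    return image + b"\0" * (text_ptr - len(image)) + text_raw


if __name__ == "__main__":
    secs = parse_sections(build_minimal_pe())
    for s in secs:
        print(s)
    print(triage(secs))
```

Run against the sample's headers, the same walk yields the table above; the uninitialized-data exemption is what keeps NSIS's .ndata from being reported as a mapped-but-absent section.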

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.10394 | 533 | UNKNOWN | English - United States | RT_MANIFEST
2 | 4.92004 | 4264 | UNKNOWN | English - United States | RT_ICON
3 | 3.53063 | 2216 | UNKNOWN | English - United States | RT_ICON
4 | 0 | 1384 | UNKNOWN | English - United States | RT_ICON
5 | 0 | 1128 | UNKNOWN | English - United States | RT_ICON
6 | 0 | 744 | UNKNOWN | English - United States | RT_ICON
7 | 0 | 296 | UNKNOWN | English - United States | RT_ICON
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG
103 | 2.79638 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON
105 | 2.73893 | 514 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
Total processes: 47
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive graph in the full report; the recoverable structure is:) [email protected] (no specs) → [email protected] → drop and start wemakeppopmds.exe; start cmd.exe (no specs); drop and start wemakeppopmds.exe (no specs)

Process information

PID 3448 (parent process: Explorer.EXE)
CMD: "C:\Users\admin\Desktop\[email protected]"
Path: C:\Users\admin\Desktop\[email protected]
User: admin
Integrity level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch needed elevation; the same image then ran elevated as PID 464)

PID 464 (parent process: Explorer.EXE)
CMD: "C:\Users\admin\Desktop\[email protected]"
Path: C:\Users\admin\Desktop\[email protected]
User: admin
Integrity level: HIGH
Exit code: 0

PID 3272 (parent process: [email protected])
CMD: "C:\Program Files\wemakeppop\wemakeppopmds.exe" /S
Path: C:\Program Files\wemakeppop\wemakeppopmds.exe
User: admin
Integrity level: HIGH
Description: system wemakeppop
Version: 1, 0, 0, 1
Exit code: 0

PID 3932 (parent process: [email protected])
CMD: C:\Windows\system32\cmd.exe /c \DelUS.bat
Path: C:\Windows\system32\cmd.exe
User: admin
Company: Microsoft Corporation
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Integrity level: HIGH
Exit code: 1

PID 2412 (parent process: [email protected])
CMD: "C:\Program Files\wemakeppop\wemakeppopmds.exe"
Path: C:\Program Files\wemakeppop\wemakeppopmds.exe
User: admin
Integrity level: HIGH
Description: system wemakeppop
Version: 1, 0, 0, 1
Exit code: 0

Total events: 486
Read events: 437
Write events: 49
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
464 | [email protected] | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | wemakeppop | C:\Program Files\wemakeppop\wemakeppop.exe
464 | [email protected] | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | wemakeppopmds | C:\Program Files\wemakeppop\wemakeppopmds.exe
464 | [email protected] | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wemakeppop.exe | write | (default) | C:\Program Files\wemakeppop\wemakeppopmds.exe
464 | [email protected] | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wemakeppopclient service update x86 (remove only) | write | DisplayName | Wemakeppopclient service update x86 (remove only) .
464 | [email protected] | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wemakeppopclient service update x86 (remove only) | write | UninstallString | C:\Program Files\wemakeppop\uninst.exe
464 | [email protected] | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wemakeppopclient service update x86 (remove only) | write | DisplayIcon | C:\Program Files\wemakeppop\wemakeppopmds.exe
464 | [email protected] | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wemakeppopclient service update x86 (remove only) | write | DisplayVersion | .
464 | [email protected] | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wemakeppopclient service update x86 (remove only) | write | Publisher | (not shown)
464 | [email protected] | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | write | GlobalAssocChangedCounter | 101
3272 | wemakeppopmds.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
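The process list and the registry writes above carry three patterns worth automating when reading sandbox output: the STATUS_ELEVATION_REQUIRED exit of the medium-integrity launch followed by a high-integrity relaunch of the same image, the two HKLM Run entries plus an App Paths key that points wemakeppop.exe at wemakeppopmds.exe, and the installer spawning cmd.exe on a dropped batch file. The block below is an added example by the editor, not ANY.RUN's code and not code from the sample: the records are transcribed from this report's Process information and Modification events tables into plain dicts (the installer's file name is kept as the page renders it, "[email protected]"), and the heuristics, key patterns and field names are assumptions.

```python
"""Triage sandbox process and registry records for a UAC relaunch, autorun
persistence and batch-file cleanup.

Added example by the editor, not ANY.RUN's code and not the sample's. The
records are transcribed from this report's Process information and
Modification events tables (the installer's file name is kept as the page
renders it, "[email protected]"); the heuristics and field names are assumptions.
"""
import re

STATUS_ELEVATION_REQUIRED = 0xC000042C  # NTSTATUS; 3221226540 decimal in the report
SAMPLE = r"C:\Users\admin\Desktop\[email protected]"
MDS = r"C:\Program Files\wemakeppop\wemakeppopmds.exe"
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"

PROCESSES = [  # transcribed from the report
    {"pid": 3448, "image": SAMPLE, "cmd": f'"{SAMPLE}"', "parent": "Explorer.EXE", "integrity": "MEDIUM", "exit": 3221226540},
    {"pid": 464, "image": SAMPLE, "cmd": f'"{SAMPLE}"', "parent": "Explorer.EXE", "integrity": "HIGH", "exit": 0},
    {"pid": 3272, "image": MDS, "cmd": f'"{MDS}" /S', "parent": "[email protected]", "integrity": "HIGH", "exit": 0},
    {"pid": 3932, "image": r"C:\Windows\system32\cmd.exe", "cmd": r"C:\Windows\system32\cmd.exe /c \DelUS.bat",
     "parent": "[email protected]", "integrity": "HIGH", "exit": 1},
    {"pid": 2412, "image": MDS, "cmd": f'"{MDS}"', "parent": "[email protected]", "integrity": "HIGH", "exit": 0},
]

REG_EVENTS = [  # transcribed from the report; every one is a write
    {"pid": 464, "key": CV + r"\Run", "name": "wemakeppop", "value": r"C:\Program Files\wemakeppop\wemakeppop.exe"},
    {"pid": 464, "key": CV + r"\Run", "name": "wemakeppopmds", "value": MDS},
    {"pid": 464, "key": CV + r"\App Paths\wemakeppop.exe", "name": "(default)", "value": MDS},
    {"pid": 464, "key": CV + r"\Uninstall\Wemakeppopclient service update x86 (remove only)",
     "name": "UninstallString", "value": r"C:\Program Files\wemakeppop\uninst.exe"},
    {"pid": 464, "key": CV + r"\Explorer", "name": "GlobalAssocChangedCounter", "value": "101"},
    {"pid": 3272, "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
     "name": "ProxyBypass", "value": "1"},
]

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
APP_PATHS_KEY = re.compile(r"\\CurrentVersion\\App Paths\\([^\\]+)$", re.IGNORECASE)


def find_elevation_relaunch(procs):
    """Pair a medium-integrity launch that exited with STATUS_ELEVATION_REQUIRED
    with a later high-integrity launch of the same image (UAC consent relaunch)."""
    pairs = []
    for low in procs:
        if low["integrity"] != "MEDIUM" or low["exit"] != STATUS_ELEVATION_REQUIRED:
            continue
        for high in procs:
            if (high["pid"] != low["pid"] and high["integrity"] == "HIGH"
                    and high["image"].lower() == low["image"].lower()):
                pairs.append((low["pid"], high["pid"]))
    return pairs


def find_autoruns(events):
    """Run/RunOnce writes are direct persistence. An App Paths key whose (default)
    value names a different executable than the key itself redirects anything
    that launches the key's name through the shell."""
    findings = []
    for ev in events:
        hive = "HKLM" if ev["key"].upper().startswith("HKEY_LOCAL_MACHINE") else "HKCU"
        if AUTORUN_KEY.search(ev["key"]):
            findings.append(f"{hive} Run entry '{ev['name']}' -> {ev['value']} (pid {ev['pid']})")
            continue
        m = APP_PATHS_KEY.search(ev["key"])
        if m and ev["name"] == "(default)":
            target = ev["value"].rsplit("\\", 1)[-1]
            if target.lower() != m.group(1).lower():
                findings.append(f"{hive} App Paths redirects {m.group(1)} to {ev['value']} (pid {ev['pid']})")
    return findings


def find_script_cleanup(procs):
    """cmd.exe /c on a dropped .bat: the report shows the command line, not the
    script body, so the finding is a pointer to retrieve the file from the sandbox."""
    out = []
    for p in procs:
        if not p["image"].lower().endswith("\\cmd.exe"):
            continue
        m = re.search(r"/c\s+(\S+\.bat)\b", p["cmd"], re.IGNORECASE)
        if m:
            out.append(f"pid {p['pid']} ran {m.group(1)} (parent {p['parent']}, exit code {p['exit']})")
    return out


if __name__ == "__main__":
    for result in (find_elevation_relaunch(PROCESSES), find_autoruns(REG_EVENTS), find_script_cleanup(PROCESSES)):
        print(result)
```

The ZoneMap ProxyBypass write by wemakeppopmds.exe is left out of the autorun logic on purpose: it changes Internet Settings zone handling rather than persistence, and belongs in a separate network-configuration check.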
Executable files: 5
Suspicious files: 0
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
464 | [email protected] | C:\DelUS.bat | text | 31C4EDC144EE72C0F8FC4FC44FC8E1CF | 59E55C060B1025C2B16E169E48636F76E78297551AD0F8F199A590876247BD16
464 | [email protected] | C:\Program Files\wemakeppop\wemakeppop.exe | executable | FD2652EEA88CBDC1220EC609B95485B8 | 4409C2EA707C42E6A5E93F054C985DE3624182DCD03A339C2AFE4136BFDFBC5C
464 | [email protected] | C:\Program Files\wemakeppop\uninst.exe | executable | 18B06F5E61CCB862077864B67E680167 | 7E4D330B27F39475B9E9FD4A5C65E5CD018FEA560A8C7E92251DA68046CFD5B8
464 | [email protected] | C:\Program Files\wemakeppop\wemakeppopmds.exe | executable | 15616F4E444C0D3E34487DC8E7F062F3 | D8D87C9F13A3AB4F5ABA09DBBAD2D14E27B1A39E0A215170B539129A81FBA07D
464 | [email protected] | C:\Program Files\wemakeppop\cns.dat | text | 050D2133089E23568A21888F500246BB | F4E56631F89D0C62A914CC26B3BE9D0E74AB373A97232F0581479F9545201B60
464 | [email protected] | C:\Users\admin\AppData\Local\Temp\nsk4EE9.tmp\InstallOptions.dll | executable | 325B008AEC81E5AAA57096F05D4212B5 | C9CD5C9609E70005926AE5171726A4142FFBCCCC771D307EFCD195DAFC1E6B4B
464 | [email protected] | C:\Users\admin\AppData\Local\Temp\nsk4EE9.tmp\ioSpecial.ini | ini | E2D5070BC28DB1AC745613689FF86067 | D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
464 | [email protected] | C:\Users\admin\AppData\Local\Temp\nsk4EE9.tmp\SelfDelete.dll | executable | 7BF1BD7661385621C7908E36958F582E | C0AD2C13D48C9FE62F898DA822A5F08BE3BF6C4E2C1C7FFDF7634F2CA4A8859E
464 | [email protected] | C:\Users\admin\AppData\Local\Temp\nsk4EE9.tmp\modern-wizard.bmp | image | CBE40FD2B1EC96DAEDC65DA172D90022 | 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain | IP | Reputation
wemake.adntop.com | (not resolved) | unknown

Threats

No threats detected
Debug output strings

Process | Message
wemakeppopmds.exe | Error (CInternetException) [12007] : The server name or address could not be resolved
wemakeppopmds.exe | Error (CInternetException) [12007] : The server name or address could not be resolved

CInternetException is the MFC wrapper around WinINet, and error 12007 is ERROR_INTERNET_NAME_NOT_RESOLVED; these messages are consistent with the single unresolved DNS request for wemake.adntop.com above, so no connection, HTTP traffic or configuration was observed in this session and the dropped binaries' network behaviour remains uncharacterised.