File name: diefioj.scr
Full analysis: https://app.any.run/tasks/030c308f-dc4c-4ec3-a8b1-c00bb5a5eae2
Verdict: Malicious activity
Analysis date: January 18, 2019, 05:55:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C1F2DB0B40AA445EA93FA6F89832F2B4
SHA1: C0BE70C56258B571F9CFB5D13536DE09A2CBB159
SHA256: 3100EBD91FD286ABC43572CF20D16456D78C7D9FFB598BEA702CF1398AC1091F
SSDEEP: 768:uoHNPE4G7XnMvYqf0mq/6/Q/9NF0+LEc8af3ts0E9t:uB4Ggv/q2oS+Ljb3ts0E9t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • biecei.exe (PID: 2300)
    • Changes the autorun value in the registry
      • reg.exe (PID: 3660)
      • biecei.exe (PID: 2300)
  • SUSPICIOUS
    • Creates files in the user directory
      • Skype.exe (PID: 2916)
      • Skype.exe (PID: 3516)
      • Skype.exe (PID: 3080)
    • Application launched itself
      • Skype.exe (PID: 2916)
      • Skype.exe (PID: 3516)
      • Skype.exe (PID: 3080)
    • Reads CPU info
      • Skype.exe (PID: 3516)
    • Modifies the open verb of a shell class
      • Skype.exe (PID: 3516)
    • Uses REG.EXE to modify Windows registry
      • Skype.exe (PID: 3516)
    • Executable content was dropped or overwritten
      • diefioj.scr (PID: 2940)
  • INFO
    • Reads settings of System Certificates
      • Skype.exe (PID: 3516)
    • Dropped object may contain Bitcoin addresses
      • Skype.exe (PID: 3516)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

FileSubtype: -
ObjectFileType: Unknown
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 1
OSVersion: 4
EntryPoint: 0x1184
UninitializedDataSize: -
InitializedDataSize: 4096
CodeSize: 49152
LinkerVersion: 6
PEType: PE32
TimeStamp: 2000:01:01 13:00:00+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 01-Jan-2000 12:00:00

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 01-Jan-2000 12:00:00
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0000B988 | 0x0000C000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.21332
.data | 0x0000D000 | 0x000023B0 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00010000 | 0x000000B4 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.80818

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 1.98351 | 92 | Latin 1 / Western European | UNKNOWN | RT_VERSION

Imports

MSVBVM60.DLL
No data.
Total processes: 45
Monitored processes: 15
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Behavior graph: process tree of diefioj.scr, biecei.exe, Skype.exe and reg.exe with "drop and start" / "start" edges; the interactive graph is only in the full report]

Process information

PID: 2940
CMD: "C:\Users\admin\AppData\Local\Temp\diefioj.scr" /S
Path: C:\Users\admin\AppData\Local\Temp\diefioj.scr
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

PID: 2300
CMD: "C:\Users\admin\biecei.exe"
Path: C:\Users\admin\biecei.exe
Parent process: diefioj.scr
User: admin
Integrity Level: MEDIUM

PID: 3516
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe"
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: explorer.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 0
Version: 8.29.0.50

PID: 3016
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 0
Version: 8.29.0.50

PID: 3660
CMD: C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /f
Path: C:\Windows\system32\reg.exe
Parent process: Skype.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2916
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=0B52AE9770DEE359B415370BB2F772B5 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=0B52AE9770DEE359B415370BB2F772B5 --renderer-client-id=3 --mojo-platform-channel-handle=1536 /prefetch:1
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 3221225477
Version: 8.29.0.50

PID: 3164
CMD: C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate
Path: C:\Windows\system32\reg.exe
Parent process: Skype.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3816
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 2
Version: 8.29.0.50

PID: 3080
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=71BA0E266FD0353CCC4BC1B19EE3DBC3 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=1 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=71BA0E266FD0353CCC4BC1B19EE3DBC3 --renderer-client-id=4 --mojo-platform-channel-handle=2584 /prefetch:1
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 3221225477
Version: 8.29.0.50

PID: 2092
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 2
Version: 8.29.0.50
Total events: 5 849
Read events: 615
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 14
Text files: 33
Unknown types: 4

Dropped files

PID | Process | Filename | Type
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U0QZ2IL8D38E9E5QS98T.temp | -
MD5: -
SHA256: -
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe | -
MD5: -
SHA256: -
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms | binary
MD5: FF17E86FAAFB072686D650443C84A7D6
SHA256: 3AD89CB552952707F86D8BDF449FBC9E6486943D07985F49009C477595A659CB
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms~RF1ab670.TMP | binary
MD5: FF17E86FAAFB072686D650443C84A7D6
SHA256: 3AD89CB552952707F86D8BDF449FBC9E6486943D07985F49009C477595A659CB
3816 | Skype.exe | C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\operation_log.txt | text
MD5: D06EE013F7C7A119B3A6BFF40B796A87
SHA256: 8BFC2979249CBA531B2E8CABAEB7AADD884518EA8C46ED9802B1702ADA448BAF
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json | text
MD5: A00042E827E9FA749E490427DC1F6781
SHA256: B1E7103D6E098300F60DAD4D1ADAE502478682CEB2A8DD0A32C87A3D648AEE13
2940 | diefioj.scr | C:\Users\admin\biecei.exe | executable
MD5: E151D5E17D55DA8C4B237F0ED7F7C589
SHA256: 0A858841FAAA6EEDA2DD5DC8254200165AB4813471C027D6EAEE3E0D70B9DE97
2092 | Skype.exe | C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\operation_log.txt | text
MD5: 62C836880CA350F7439110A7A5EB6801
SHA256: E64D83AB07B79581DF7BFE79C3BC66F09B491F934482B73A78B53CC1F28CE232
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000005 | compressed
MD5: 2F639CBB561789AAA2DDED91BA7B10C3
SHA256: D16E14B38C97D9AF993615640BCD864E5179A2F112980E098D2D2F6C7FADA039
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\000003.log | binary
MD5: 76B2722AA96D7383D14691DE20685BC4
SHA256: B3104E83662289AFB561341DD8138BEB4945F64F5DD040C3D033C264097F07ED
HTTP(S) requests: 0
TCP/UDP connections: 31
DNS requests: 14
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3516 | Skype.exe | 52.114.158.53:443 | pipe.skype.com | Microsoft Corporation | US | whitelisted
3516 | Skype.exe | 23.101.156.198:443 | a.config.skype.com | Microsoft Corporation | US | whitelisted
3516 | Skype.exe | 157.55.134.138:443 | login.live.com | Microsoft Corporation | US | whitelisted
3516 | Skype.exe | 152.199.19.161:443 | accountalt.azureedge.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3516 | Skype.exe | 13.90.95.57:443 | get.skype.com | Microsoft Corporation | US | whitelisted
3516 | Skype.exe | 172.217.18.170:443 | www.googleapis.com | Google Inc. | US | whitelisted
3516 | Skype.exe | 13.68.117.223:443 | avatar.skype.com | Microsoft Corporation | US | whitelisted
3516 | Skype.exe | 23.54.114.63:443 | download.skype.com | Akamai International B.V. | NL | whitelisted
3516 | Skype.exe | 40.126.9.5:443 | account.live.com | Microsoft Corporation | US | unknown
3016 | Skype.exe | 34.192.103.109:443 | rink.hockeyapp.net | Amazon.com, Inc. | US | unknown

DNS requests

Domain | IP | Reputation
ns2.theimageparlour.net | - | unknown
get.skype.com | 13.90.95.57 | whitelisted
a.config.skype.com | 23.101.156.198 | whitelisted
pipe.skype.com | 52.114.158.53 | whitelisted
download.skype.com | 23.54.114.63 | whitelisted
login.live.com | 157.55.134.138, 157.55.135.128, 157.55.134.136 | whitelisted
www.googleapis.com | 172.217.18.170, 172.217.23.138, 216.58.206.10, 216.58.207.42, 216.58.207.74, 172.217.16.170, 216.58.208.42, 172.217.16.138, 172.217.22.42, 172.217.22.74, 172.217.16.202, 172.217.18.106, 172.217.23.170, 216.58.205.234, 172.217.21.234, 172.217.22.10 | whitelisted
avatar.skype.com | 13.68.117.223 | whitelisted
browser.pipe.aria.microsoft.com | 52.114.76.35 | whitelisted
config.edge.skype.com | 13.107.3.128 | whitelisted

Threats

No threats detected
Process | Message
Skype.exe | [3016:1452:0118/055701.754:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe | [3016:1452:0118/055701.754:VERBOSE1:crash_service.cc(145)] window handle is 0002011E
Skype.exe | [3016:1452:0118/055701.754:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
Skype.exe | [3016:1452:0118/055701.754:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload maximum 128 reports/day reporter is electron-crash-service
Skype.exe | [3016:1452:0118/055701.754:VERBOSE1:crash_service_main.cc(94)] Ready to process crash requests
Skype.exe | [3016:2288:0118/055701.754:VERBOSE1:crash_service.cc(333)] client start. pid = 3516
Skype.exe | [3016:2288:0118/055704.740:VERBOSE1:crash_service.cc(333)] client start. pid = 2916
Skype.exe | [3816:3796:0118/055705.050:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe | [3816:3796:0118/055705.054:VERBOSE1:crash_service.cc(145)] window handle is 00040120
Skype.exe | [3816:3796:0118/055705.054:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes