| File name: | namebench-1.3.1-Windows.exe |
| Full analysis: | https://app.any.run/tasks/d945b976-a26c-48fe-90fb-7d2a0f2407e4 |
| Verdict: | Malicious activity |
| Analysis date: | December 10, 2023, 17:30:43 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5: | 2A26C182BCC0AFEE88434E64B7B633BE |
| SHA1: | B33778303D37BB6A2E6FE4861C72390A41F3AB7A |
| SHA256: | 32DEBD21DBE46268E2305271FD63B96AFA4284FFA3CF7AE005F1B70E79699FF1 |
| SSDEEP: | 98304:VPHA10B6kNeZ9gYwsxLCknBRSF5SPJYsU+Ry02krJqZCFJJePx6c7g+MhgEdF2OX:wm3reevC |
| .exe | | | Win64 Executable (generic) (28.6) |
| .exe | | | UPX compressed Win32 Executable (28) |
| .exe | | | Win32 EXE Yoda's Crypter (27.5) |
| .dll | | | Win32 Dynamic Link Library (generic) (6.8) |
| .exe | | | Win32 Executable (generic) (4.6) |
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2001:03:20 07:35:57+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Aggressive working-set trim, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 24576 |
| InitializedDataSize: | 4096 |
| UninitializedDataSize: | 77824 |
| EntryPoint: | 0x19200 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1852 | namebench.exe | C:\Users\admin\AppData\Local\Temp\namebench.exe | | namebench-1.3.1-Windows.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 1864 | "C:\Users\admin\Downloads\namebench-1.3.1-Windows.exe" | C:\Users\admin\Downloads\namebench-1.3.1-Windows.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3028 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Media Player Network Sharing Service Configuration Application; Exit code: 0; Version: 12.0.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\bz2.pyd | executable | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\config\hostname_reference.cfg | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench.exe | executable | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\config\data_sources.cfg | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\FE56E.tmp | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\data\alexa-top-2000-domains.txt | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\templates\ascii.tmpl | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\data\cache-miss.txt | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\data\cache-mix.txt | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\templates\html.tmpl | html | |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1852 | namebench.exe | POST | 404 | 142.250.184.196:80 | http://www.google.com/loc/json | unknown | html | 1.53 Kb | unknown |
| 1852 | namebench.exe | GET | 404 | 173.194.76.82:80 | http://namebench.googlecode.com/svn/trunk/config/hostname_reference.cfg | unknown | html | 1.56 Kb | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 1852 | namebench.exe | 142.250.184.196:80 | www.google.com | GOOGLE | US | whitelisted |
| 1852 | namebench.exe | 173.194.76.82:80 | namebench.googlecode.com | GOOGLE | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| www.google.com | | whitelisted |
| j.maxmind.com | | unknown |
| 220.220.67.208.in-addr.arpa | | unknown |
| which.opendns.com | | unknown |
| test.nb0.137781320885.google.com | | unknown |
| test.nb0.399900469648.google.com | | unknown |
| test.nb0.142037428967.google.com | | unknown |
| namebench.googlecode.com | | unknown |
| a.root-servers.net | | unknown |