| File name: | namebench-1.3.1-Windows.exe |
|---|---|
| Full analysis: | https://app.any.run/tasks/d945b976-a26c-48fe-90fb-7d2a0f2407e4 |
| Verdict: | Malicious activity |
| Analysis date: | December 10, 2023, 17:30:43 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5: | 2A26C182BCC0AFEE88434E64B7B633BE |
| SHA1: | B33778303D37BB6A2E6FE4861C72390A41F3AB7A |
| SHA256: | 32DEBD21DBE46268E2305271FD63B96AFA4284FFA3CF7AE005F1B70E79699FF1 |
| SSDEEP: | 98304:VPHA10B6kNeZ9gYwsxLCknBRSF5SPJYsU+Ry02krJqZCFJJePx6c7g+MhgEdF2OX:wm3reevC |

| .exe | Win64 Executable (generic) (28.6) |
|---|---|
| .exe | UPX compressed Win32 Executable (28) |
| .exe | Win32 EXE Yoda's Crypter (27.5) |
| .dll | Win32 Dynamic Link Library (generic) (6.8) |
| .exe | Win32 Executable (generic) (4.6) |

| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2001:03:20 07:35:57+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Aggressive working-set trim, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 24576 |
| InitializedDataSize: | 4096 |
| UninitializedDataSize: | 77824 |
| EntryPoint: | 0x19200 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1852 | namebench.exe | C:\Users\admin\AppData\Local\Temp\namebench.exe | | namebench-1.3.1-Windows.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 1864 | "C:\Users\admin\Downloads\namebench-1.3.1-Windows.exe" | C:\Users\admin\Downloads\namebench-1.3.1-Windows.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3028 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Media Player Network Sharing Service Configuration Application; Exit code: 0; Version: 12.0.7600.16385 (win7_rtm.090713-1255) |

| PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\FE56E.tmp | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\data\alexa-top-2000-domains.txt | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\config\data_sources.cfg | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\config\namebench.cfg | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\data\cache-miss.txt | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\data\cache-hit.txt | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench.zip | compressed | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\select.pyd | executable | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\tcl\tcl8.5\auto.tcl | text | |
| 1864 | namebench-1.3.1-Windows.exe | C:\Users\admin\AppData\Local\Temp\namebench\templates\style.css | text | |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1852 | namebench.exe | POST | 404 | 142.250.184.196:80 | http://www.google.com/loc/json | unknown | html | 1.53 Kb | unknown |
| 1852 | namebench.exe | GET | 404 | 173.194.76.82:80 | http://namebench.googlecode.com/svn/trunk/config/hostname_reference.cfg | unknown | html | 1.56 Kb | unknown |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 1852 | namebench.exe | 142.250.184.196:80 | www.google.com | GOOGLE | US | whitelisted |
| 1852 | namebench.exe | 173.194.76.82:80 | namebench.googlecode.com | GOOGLE | US | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| www.google.com | | whitelisted |
| j.maxmind.com | | unknown |
| 220.220.67.208.in-addr.arpa | | unknown |
| which.opendns.com | | unknown |
| test.nb0.137781320885.google.com | | unknown |
| test.nb0.399900469648.google.com | | unknown |
| test.nb0.142037428967.google.com | | unknown |
| namebench.googlecode.com | | unknown |
| a.root-servers.net | | unknown |