analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

asdf

Full analysis: https://app.any.run/tasks/cb37be8c-1024-4545-b94b-805b3cec8b98
Verdict: Malicious activity
Analysis date: February 11, 2020, 13:36:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

342D7AEC0E3C67D437066000B53F0D61

SHA1:

DBD60EFB053B882BB658A9EA54F28B42239EBB55

SHA256:

345D8B4C0479D97440926471C2A8BED43162A3D75BE12422C1C410F5EC90ACD9

SSDEEP:

1536:/QDg6zAD5Xi5/+VRscQqg/+OWe6UTlEJ3miZpOaUgsplLPc8eFsWjcdeyrkP5tmC:KzA17E2Re6UsFpXsvLPeqeYkPL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs app for hidden code execution

      • asdf.exe (PID: 3168)
      • cmd.exe (PID: 1920)
    • Loads the Task Scheduler DLL interface

      • cmd.exe (PID: 2872)
    • Known privilege escalation attack

      • DllHost.exe (PID: 3580)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1920)
      • asdf.exe (PID: 3168)
      • DllHost.exe (PID: 3580)
    • Creates files in the Windows directory

      • cmd.exe (PID: 2872)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2220)
    • Connects to unusual port

      • cmd.exe (PID: 2872)
    • Application launched itself

      • cmd.exe (PID: 1920)
    • Reads Internet Cache Settings

      • cmd.exe (PID: 1920)
    • Executed via COM

      • DllHost.exe (PID: 3580)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 1.0.0.0
ProductName: Assembly imported from type library 'CPSCOMMONINTERFACESLib'.
OriginalFileName: Interop.CPSCOMMONINTERFACESLib.dll
LegalTrademarks:
LegalCopyright:
InternalName: Interop.CPSCOMMONINTERFACESLib
FileVersion: 1.0.0.0
FileDescription:
CompanyName:
Comments:
CharacterSet: Unicode
LanguageCode: Invariant
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x1a0f
UninitializedDataSize: -
InitializedDataSize: 78848
CodeSize: 42496
LinkerVersion: 12
PEType: PE32
TimeStamp: 2020:02:01 22:39:25+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 01-Feb-2020 21:39:25
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: Interop.CPSCOMMONINTERFACESLib
LegalCopyright: -
LegalTrademarks: -
OriginalFilename: Interop.CPSCOMMONINTERFACESLib.dll
ProductName: Assembly imported from type library 'CPSCOMMONINTERFACESLib'.
ProductVersion: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 01-Feb-2020 21:39:25
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000A596
0x0000A600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.69217
.rdata
0x0000C000
0x0000F154
0x0000F200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.7494
.data
0x0001C000
0x00002F88
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.32811
.rsrc
0x0001F000
0x000003D0
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.13
.reloc
0x00020000
0x00000DA8
0x00000E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.54214

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.39594
876
UNKNOWN
UNKNOWN
RT_VERSION

Imports

CRYPT32.dll
GDI32.dll
KERNEL32.dll
USER32.dll
WS2_32.dll
ole32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start asdf.exe no specs cmd.exe cmd.exe CMSTPLUA no specs cmd.exe no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3168"C:\Users\admin\AppData\Local\Temp\asdf.exe" C:\Users\admin\AppData\Local\Temp\asdf.exeexplorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
1920"C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe
asdf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2872"C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3580C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2220"C:\Windows\system32\cmd.exe" /c "reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs" /t REG_DWORD /d 0"C:\Windows\system32\cmd.exeDllHost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3224reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs" /t REG_DWORD /d 0C:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
456
Read events
432
Write events
24
Delete events
0

Modification events

(PID) Process:(1920) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1920) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000A1000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(1920) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1920) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1920) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1920) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1920) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1920) cmd.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3580) DllHost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3580) DllHost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
0
Suspicious files
3
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
1920cmd.exeC:\Users\admin\AppData\Local\Temp\CabB54E.tmp
MD5:
SHA256:
1920cmd.exeC:\Users\admin\AppData\Local\Temp\TarB54F.tmp
MD5:
SHA256:
1920cmd.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\BunPkWE[1].pngimage
MD5:5AAF1E0F1F4D037F6C82820C3E7360E4
SHA256:F5DCB57CD5663849C584683313F64A46C99D6787090E58A7F13BD4292EB3C436
1920cmd.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6binary
MD5:047941AE1B0087F8DB9F0675841F1494
SHA256:0751B84DB01FAA0B41A08A4D957A57956AE2C204EBB9BD84FA2B790B992866C0
2872cmd.exeC:\Users\admin\AppData\Local\Temp\8074601c.lnklnk
MD5:43EA6632BF50A1E2D67FE631F4EB5345
SHA256:73EF32C491B962E7AFAF8CDC18C40E581C1DC346F50B66B47294853059DD4FEE
1920cmd.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6der
MD5:C056598304ED9DA4CCC3FDAE82B66061
SHA256:175B79EB4DE20873DDB7BADA4CD1705DDAD0736C6B010CA2F9413890B9224250
2872cmd.exeC:\Windows\Tasks\svcr.jobbinary
MD5:E0261094F1E03D724F951D8CB0AD1484
SHA256:6CCB4C0381D1F6695B8D6301BCFC20AFD46B704153DC187F8F032F2C4A8363C7
1920cmd.exeC:\Users\admin\AppData\Local\Temp\6b0420e7.pngimage
MD5:5AAF1E0F1F4D037F6C82820C3E7360E4
SHA256:F5DCB57CD5663849C584683313F64A46C99D6787090E58A7F13BD4292EB3C436
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
4
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1920
cmd.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1920
cmd.exe
151.101.112.193:443
i.imgur.com
Fastly
US
malicious
151.101.112.193:443
i.imgur.com
Fastly
US
malicious
2872
cmd.exe
79.134.225.111:8141
vahlallha.duckdns.org
Andreas Fink trading as Fink Telecom Services
CH
malicious
1920
cmd.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
i.imgur.com
  • 151.101.112.193
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted
vahlallha.duckdns.org
  • 79.134.225.111
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2872
cmd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Makoob.A!tr
No debug info