analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

nProjectV4.exe

Full analysis: https://app.any.run/tasks/4abc56bd-80b5-4b73-9754-b37f09a8f39a
Verdict: Malicious activity
Analysis date: December 05, 2022, 17:52:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

A453E063EC259B6429FD73ED70308D8E

SHA1:

6BBC2317CF7F6E08BA14BC12370E27D6BBD6F786

SHA256:

3632C73738F73C6623543B6F97FE1C80B929D3C63FB15FB8CB3EABB0BC7D4736

SSDEEP:

98304:IzIgQfwnF+pbZlkLkxMc7Hk71xdnkomKi:IzIfIn8pbPz2xxkoG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the BIOS version

      • nProjectV4.exe (PID: 4020)
    • Starts CMD.EXE for commands execution

      • nProjectV4.exe (PID: 4020)
  • INFO

    • Process checks are UAC notifies on

      • nProjectV4.exe (PID: 4020)
    • Reads the computer name

      • nProjectV4.exe (PID: 4020)
    • Checks supported languages

      • nProjectV4.exe (PID: 4020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 2022-Oct-25 19:07:56
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 280

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 12
TimeDateStamp: 2022-Oct-25 19:07:56
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
4096
1808350
946417
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.98788
(#2)
1814528
513806
247674
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.97055
(#3)
2330624
44460
5898
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.84924
(#4)
2375680
488
275
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.25982
(#5)
2379776
79092
48287
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
7.97533
.imports
2461696
4096
1536
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.43151
.tls
2465792
4096
512
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.181202
.rsrc
2469888
4096
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.77204
.themida
2473984
4300800
0
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot
6774784
2683904
2683904
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.9478

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.89623
392
UNKNOWN
English - United States
RT_MANIFEST

Imports

ADVAPI32.dll
CRYPT32.dll
MSVCP140.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
USERENV.dll
VCRUNTIME140.dll
WS2_32.dll
api-ms-win-crt-convert-l1-1-0.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start nprojectv4.exe no specs nprojectv4.exe cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3248"C:\Users\admin\AppData\Local\Temp\nProjectV4.exe" C:\Users\admin\AppData\Local\Temp\nProjectV4.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\nprojectv4.exe
c:\windows\system32\ntdll.dll
4020"C:\Users\admin\AppData\Local\Temp\nProjectV4.exe" C:\Users\admin\AppData\Local\Temp\nProjectV4.exe
Explorer.EXE
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\nprojectv4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
3220C:\Windows\system32\cmd.exe /c clsC:\Windows\system32\cmd.exenProjectV4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
189
Read events
189
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4020
nProjectV4.exe
188.114.96.3:443
keyauth.win
CLOUDFLARENET
NL
malicious

DNS requests

Domain
IP
Reputation
keyauth.win
  • 188.114.96.3
  • 188.114.97.3
malicious

Threats

No threats detected
No debug info