File name: 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe

Full analysis: https://app.any.run/tasks/1f799208-0e7f-4bbc-a596-72fdf3ad91a7
Verdict: Malicious activity
Analysis date: October 19, 2023, 11:47:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: DC6F55B6CE634ECD409DC535053EBDBC
SHA1: 2CB8CCF33E22B46B3EA722548EC34A8167A38A67
SHA256: 387E3C8F0F29348AFCC2D36AF37D6FD81A5A8DDE21C8B46F41DBE879679CB2CA
SSDEEP: 49152:RJJJJJJJJJJJJJJJJJfb33333333333333EaS2W846rFddbt/mT/zDU1aXEOB445:832rFdtE/zDU1POB4NN+3U5D0wyCRVCp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe (PID: 1492)
    • Drops the executable file immediately after the start

      • 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe (PID: 1492)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe (PID: 1492)
    • The process creates files with name similar to system file names

      • 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe (PID: 1492)
  • INFO

    • Reads the computer name

      • 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe (PID: 1492)
    • Checks supported languages

      • 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe (PID: 1492)
    • Create files in a temporary directory

      • 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe (PID: 1492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:03 22:18:56+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25088
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x33b6
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.0.0.0
ProductVersionNumber: 3.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: Healthsouth Corp
FileVersion: 3.0.0.0
OriginalFileName: doorward buddhisternes.exe
ProductName: W.R. Grace & Co
No data.
All screenshots are available in the full report
Total processes: 29
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → 23ik-1799-ref09nsep-germamy-tbilis.exe (no specs)

Process information

PID: 1492
CMD: "C:\Users\admin\AppData\Local\Temp\23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe"
Path: C:\Users\admin\AppData\Local\Temp\23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 3.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\23ik-1799-ref09nsep-germamy-tbilis.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
Total events: 679
Read events: 674
Write events: 5
Delete events: 0

Modification events

(PID) Process: (1492) 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
Key: HKEY_CURRENT_USER\Software\89
Operation: write
Name: Start
Value: user32::ShowWindow(i r3, i 0)

(PID) Process: (1492) 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
Key: HKEY_CURRENT_USER\Software\89
Operation: write
Name: Start
Value: KERNEL32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5

(PID) Process: (1492) 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
Key: HKEY_CURRENT_USER\Software\89
Operation: write
Name: Start
Value: KERNEL32::VirtualAlloc(i0,i 79585280, i 0x3000, i 0x40)p.r1

(PID) Process: (1492) 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
Key: HKEY_CURRENT_USER\Software\89
Operation: write
Name: Start
Value: KERNEL32::SetFilePointer(i r5, i 800 , i 0,i 0)i.r3

(PID) Process: (1492) 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
Key: HKEY_CURRENT_USER\Software\89
Operation: write
Name: Start
Value: KERNEL32::ReadFile(ir5, i r1, i 79585280,*i 0, i 0)i.r3
Executable files: 1
Suspicious files: 13
Text files: 2
Unknown types: 0

Dropped files

All files below were dropped by 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe (PID 1492).

Filename: C:\Users\admin\vinsort\Mokkerne206\rigsgreves\Flyvestationers117\Invigilating\Nivicolous.uli
Type: binary
MD5: 5429E173B67566B34C5EC2D304C8E643
SHA256: 07EA7EF9409DBF095A9AE4D8830C9876FC082D4EE7D53E49C95DB79B1172CCE0

Filename: C:\Users\admin\vinsort\Mokkerne206\rigsgreves\Deltaerne140\Suborders\Bibelkritikker\lascivious.Und
Type: binary
MD5: 0BD07D5786BC3B47220DF84E051F3C99
SHA256: 0D2E1DECDBC885ADE27C255EB12396B4DA48DBD665254A3638AC84D4720FA1FF

Filename: C:\Users\admin\vinsort\Mokkerne206\rigsgreves\Laciniate245\Storkenbbet\Unthrobbing32\Hungrify\principfastere.vir
Type: binary
MD5: 265030BEFC50BF1142CB66F1B52B58C3
SHA256: E1BF63AEEA1052D02C7077E86BFE7FE9B6362003547A5815FC6A0824F48CD06D

Filename: C:\Users\admin\vinsort\Mokkerne206\rigsgreves\Laciniate245\Storkenbbet\Unthrobbing32\Hungrify\kbestddet.hun
Type: binary
MD5: 0BBD794777600C79332A0D22227399A5
SHA256: 122DE122FDF253BA4610F2038A0017F667C4D56032CE83CECF2DAC0527B7D5BC

Filename: C:\Users\admin\vinsort\Mokkerne206\rigsgreves\dobbeltdoeren\imperial\Starrify\chromamamin.txt
Type: text
MD5: 52B8AF9E8E24418EBB502C576D5FC9BC
SHA256: 8BB8C7C4FB6AC8F17C065AF758351430C0840D16C06FEC4862A570C3BB234478

Filename: C:\Users\admin\vinsort\Mokkerne206\rigsgreves\Laciniate245\Storkenbbet\Unthrobbing32\Hungrify\haggardly.boo
Type: binary
MD5: 11457CA33BECD6F29AC5F75300F08B4C
SHA256: 0172D72054302E116C6FFB602C8AF626421A189FEFFF6926266FE23522A888E5

Filename: C:\Users\admin\vinsort\Mokkerne206\rigsgreves\Laciniate245\Storkenbbet\Unthrobbing32\Hungrify\himmelstrgenes.sol
Type: binary
MD5: 8DFE9EF473292D10BDECA94DCEE140BF
SHA256: BDFC2A0FAC80AE8D3D5934AA935B536578BDBD76BA7B3B22A7F55F61DD9A98FF

Filename: C:\Users\admin\vinsort\Mokkerne206\rigsgreves\Flyvestationers117\Invigilating\Smldede.War
Type: text
MD5: 24C18241C4FB1F8ED282A222C5BFAA0D
SHA256: CA7F6E900949BEE6D92993C639BA075D598CD4590D34DA7AAF7E5C30685DB50C

Filename: C:\Users\admin\AppData\Local\Temp\nscB8AE.tmp\System.dll
Type: executable
MD5: 0FF2D70CFDC8095EA99CA2DABBEC3CD7
SHA256: 982C5FB7ADA7D8C9BC3E419D1C35DA6F05BC5DD845940C179AF3A33D00A36A8B

Filename: C:\Users\admin\vinsort\Mokkerne206\rigsgreves\Flyvestationers117\Invigilating\Jenvrnene.zer
Type: binary
MD5: A5A3304436A5B30C0D39B217AC000E92
SHA256: B5EFA940818F0069B0DC903A126644A281564501F76E6E27CAD4CB957B0035E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1956 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
324 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info