File name: fa0fd2f44c5220e17b7a5c167ce36440.exe
Full analysis: https://app.any.run/tasks/fb5b0278-0f51-4c60-809f-c3df7cd3bbf7
Verdict: Malicious activity
Analysis date: November 08, 2019, 13:26:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: FA0FD2F44C5220E17B7A5C167CE36440
SHA1: 9ADAABEC174BB407E2A08587F5C1E87039A03037
SHA256: 38F98CB9A85BCAD6178C62FAF2CF433E400603B81632A77A0F99FA57A39D8793
SSDEEP: 3072:o7TQlatyYePxiFVj7TQlatyYePxiFVD7TQlatyYePxiFVV7TQlatyYePxiFVh:aTQt8XTQt83TQt8FTQt8h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • UAC/LUA settings modification
      • fa0fd2f44c5220e17b7a5c167ce36440.exe (PID: 3000)
    • Changes the login/logoff helper path in the registry
      • fa0fd2f44c5220e17b7a5c167ce36440.exe (PID: 3000)
    • Changes the autorun value in the registry
      • fa0fd2f44c5220e17b7a5c167ce36440.exe (PID: 3000)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • fa0fd2f44c5220e17b7a5c167ce36440.exe (PID: 3000)
    • Changes the desktop background image
      • fa0fd2f44c5220e17b7a5c167ce36440.exe (PID: 3000)
    • Modifies the open verb of a shell class
      • fa0fd2f44c5220e17b7a5c167ce36440.exe (PID: 3000)
    • Reads Internet Cache Settings
      • fa0fd2f44c5220e17b7a5c167ce36440.exe (PID: 3000)
    • Writes to a desktop.ini file (may be used to cloak folders)
      • fa0fd2f44c5220e17b7a5c167ce36440.exe (PID: 3000)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

OriginalFileName: Kazekage of the Sand
LegalCopyright: © Kota Cantik - Paray City
FileDescription: Kazekage Games Action
InternalName: Kazekage Was Here
ProductVersion: 06.01.2008 (A) Update
FileVersion: 06.01.2008 (A) Update
Mission: Destroy HokageFile, KSpoold, AutoitV3, Autoruner, BlueFantasi, Sys, VBSvir, PornFile, and Kick Anbu-Team-Sampit
ProductName: Gaara The Kazekage By : Paraysutki VM Community
Comments: http:/www.narutogames.com
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 6.1.0.2008
FileVersionNumber: 6.1.0.2008
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6.1
OSVersion: 4
EntryPoint: 0x118c
UninitializedDataSize: -
InitializedDataSize: 16384
CodeSize: 110592
LinkerVersion: 6
PEType: PE32
TimeStamp: 2008:01:12 15:58:39+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 12-Jan-2008 14:58:39
Detected languages:
  • English - United States
Comments: http:/www.narutogames.com
FileDescription: Kazekage Games Action
ProductName: Gaara The Kazekage By : Paraysutki VM Community
Mission: Destroy HokageFile, KSpoold, AutoitV3, Autoruner, BlueFantasi, Sys, VBSvir, PornFile, and Kick Anbu-Team-Sampit
FileVersion: 06.01.2008 (A) Update
ProductVersion: 06.01.2008 (A) Update
InternalName: Kazekage Was Here
LegalCopyright: © Kota Cantik - Paray City
OriginalFilename: Kazekage of the Sand

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 2
Time date stamp: 12-Jan-2008 14:58:39
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0001F000 | 0x00009E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.98081
.rsrc | 0x00020000 | 0x00004000 | 0x00003A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.10791

The .text entropy close to 8.0, the raw size well below the virtual size, and a writable, executable .rsrc section are consistent with the PECompact2 packing noted in the file info above.

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.52785 | 1240 | Unicode (UTF 16LE) | English - United States | RT_VERSION

Imports

kernel32.dll
No data.
Total processes: 51
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> fa0fd2f44c5220e17b7a5c167ce36440.exe -> ping.exe (no specs), spawned 8 times

Process information

PID | CMD | Path | Parent process
3000 | "C:\Users\admin\Desktop\fa0fd2f44c5220e17b7a5c167ce36440.exe" | C:\Users\admin\Desktop\fa0fd2f44c5220e17b7a5c167ce36440.exe | explorer.exe
  User: admin; Integrity Level: MEDIUM; Description: Kazekage-Games-Action; Version: 06.01.2008 (A) Update
2364 | ping -a -l www.rasasayang.com.my 65500 | C:\Windows\system32\ping.exe | fa0fd2f44c5220e17b7a5c167ce36440.exe
2300 | ping -a -l www.duniasex.com 65500 | C:\Windows\system32\ping.exe | fa0fd2f44c5220e17b7a5c167ce36440.exe
2580 | ping -a -l www.rasasayang.com.my 65500 | C:\Windows\system32\ping.exe | fa0fd2f44c5220e17b7a5c167ce36440.exe
932 | ping -a -l www.duniasex.com 65500 | C:\Windows\system32\ping.exe | fa0fd2f44c5220e17b7a5c167ce36440.exe
2360 | ping -a -l www.rasasayang.com.my 65500 | C:\Windows\system32\ping.exe | fa0fd2f44c5220e17b7a5c167ce36440.exe
2376 | ping -a -l www.duniasex.com 65500 | C:\Windows\system32\ping.exe | fa0fd2f44c5220e17b7a5c167ce36440.exe
3140 | ping -a -l www.rasasayang.com.my 65500 | C:\Windows\system32\ping.exe | fa0fd2f44c5220e17b7a5c167ce36440.exe
3036 | ping -a -l www.duniasex.com 65500 | C:\Windows\system32\ping.exe | fa0fd2f44c5220e17b7a5c167ce36440.exe

All eight ping.exe processes share the same details: User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Ping Command; Exit code: 3221225786 (0xC000013A); Version: 6.1.7600.16385 (win7_rtm.090713-1255).
Total events: 1 345
Read events: 26
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 22
Suspicious files: 0
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3000 | fa0fd2f44c5220e17b7a5c167ce36440.exe | C:\Users\admin\Desktop\Gaara The Kazekage.exe | executable
  MD5: B9B537F47C3EFFFBEAAFC3B50F287E83
  SHA256: 650DE0E1F363961326CFE1FDF92C16C68802B340F1A8BFF6F415AA8B1F628AF2
3000 | fa0fd2f44c5220e17b7a5c167ce36440.exe | C:\admin Games\Gaara go to Kazekage.exe | executable
  MD5: 5F5C425325892A9A5B473247A68AAD82
  SHA256: 03039775993177D2735BFEE7C3947394604AF90D5C346C4432C8AA56C31912FE
3000 | fa0fd2f44c5220e17b7a5c167ce36440.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\desktop.ini | ini
  MD5: 64ACFA7E03B01F48294CF30D201A0026
  SHA256: BA8159D865D106E7B4D0043007A63D1541E1DE455DC8D7FF0EDD3013BD425C62
3000 | fa0fd2f44c5220e17b7a5c167ce36440.exe | C:\admin Games\Hokage-Sampit (Nothing).exe | executable
  MD5: BD028D4F2FFFDAC4ECBA06E6CBEA06D0
  SHA256: C002242191D71DE2B43F40765CA527005E27445A58BFE427FD844A116FB3B0A1
3000 | fa0fd2f44c5220e17b7a5c167ce36440.exe | C:\admin Games\Kazekage VS Hokage.exe | executable
  MD5: EF1BDF3DD072DC74A052120248649EE7
  SHA256: 3E2C345B02A510B76C58E9CF292F6711167083ED401FEB295D7CF7828585EE63
3000 | fa0fd2f44c5220e17b7a5c167ce36440.exe | C:\admin Games\Readme.txt | text
  MD5: BB5D6ABDF8D0948AC6895CE7FDFBC151
  SHA256: 5DB2E0915B5464D32E83484F8AE5E3C73D2C78F238FDE5F58F9B40DBB5322DE8
3000 | fa0fd2f44c5220e17b7a5c167ce36440.exe | C:\admin Games\Naruto games.exe | executable
  MD5: F817E0AFA911C3D40A27A08EFD6311E9
  SHA256: 5308B5B7662200F8117AEEAE41213324D3B01A1AA54F29CF2EB86A9A7A71D94A
3000 | fa0fd2f44c5220e17b7a5c167ce36440.exe | C:\admin Games\Kazekage.exe | executable
  MD5: 446118F23384932494112D19F6893509
  SHA256: B07C96181A8E38023CA5DBD064CEF22B98376343756778682C3875DA8A9DB119
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain | IP | Reputation
220.255.0.0.in-addr.arpa | | unknown

The in-addr.arpa name is a reverse (PTR) lookup, which matches the -a switch passed to the ping.exe children above.

Threats

No threats detected
No debug info