Malware analysis dseo13b.exe Malicious activity | ANY.RUN - Malware Sandbox Online

Add for printing

File name:	dseo13b.exe
Full analysis:	https://app.any.run/tasks/4ceafb00-eb77-4ef0-841e-d841cfd9fe81
Verdict:	Malicious activity
Analysis date:	February 04, 2024, 20:20:08
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	6DDEB31C98A188378F0652CD90FC50FF
SHA1:	D7922F2DCB47A37CF798DFFB824F840DDEF7FFD5
SHA256:	39036A8F2CA0430FD57D86563BC783E0F1AD3144540B87CF2EC2DDE9ABB3B8CD
SSDEEP:	24576:2YNh+XEAcdWLg0IsqNqQZpCkPdba7SYLa7SYra7SY0mcrCZ9eeGy71+ltipzc5TS:BNh+UAcdWLzIshQSkPdm7SYW7SY27SYb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 660 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: on
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat Reader DC (20.013.20074)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
FileZilla 3.65.0 (3.65.0)
Google Chrome (112.0.5615.50)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows 10 Upgrade Assistant (1.4.9200.22175)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - dseo13b.exe (PID: 5592)
SUSPICIOUS
- Process drops legitimate windows executable
  - dseo13b.exe (PID: 5592)
- Executable content was dropped or overwritten
  - dseo13b.exe (PID: 5592)
INFO
- Checks supported languages
  - dseo13b.exe (PID: 5592)
- Create files in a temporary directory
  - dseo13b.exe (PID: 5592)
- Reads the computer name
  - dseo13b.exe (PID: 5592)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2003:03:10 18:22:47+01:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	49152
InitializedDataSize:	12288
UninitializedDataSize:	-
EntryPoint:	0x646b
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

All screenshots are available in the full report

Add for printing

Total processes

119

Monitored processes

2

Malicious processes

1

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2176

"C:\Users\admin\Desktop\dseo13b.exe"

C:\Users\admin\Desktop\dseo13b.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\desktop\dseo13b.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

5592

"C:\Users\admin\Desktop\dseo13b.exe"

C:\Users\admin\Desktop\dseo13b.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

0

Modules

Images
c:\users\admin\desktop\dseo13b.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

Add for printing

Total events

260

Read events

260

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

4

Suspicious files

1

Text files

1

Unknown types

0

Dropped files

PID	Process	Filename		Type
5592	dseo13b.exe	C:\Users\admin\AppData\Local\Temp\~vis0000\miscdata.xyz		binary
		MD5:A0064E619964DE638FDCF7EA18319EDB	SHA256:96EA911FB86245D8D57B8AF1F8680A0D531B84FA931CC7E6EAF6FC7AA745F8AE
5592	dseo13b.exe	C:\Users\admin\AppData\Local\Temp\~vis0000\vise32ex.dll		executable
		MD5:54925D8AEA245A7BE34EC34402B2865B	SHA256:EE0D08A2B5888B1E127F11FEE8BF91D274E4126D571C62654B97270A11BE7C0F
5592	dseo13b.exe	C:\Users\admin\AppData\Local\Temp\~vis0000\default.bmp		image
		MD5:4B6AD7D5E4B4F631F7F78DD049E5326B	SHA256:B76620E328E1C40C43965FF65023C995C455B4EC150D55024ABFF46718EA9EC9
5592	dseo13b.exe	C:\Users\admin\AppData\Local\Temp\~vis0000\English.vlg		text
		MD5:AA00F72BFC4B20E2EF89A6D705C19345	SHA256:ADA22EB8E66B404689FABF256E185DD0A9005B7BC7E6C616DB27ED7DBEC080A5
5592	dseo13b.exe	C:\Users\admin\AppData\Local\Temp\~vis0000\v0000005.488		executable
		MD5:C216469F755493B29518B9ECBEE99CBC	SHA256:3D88DD98F488D92F724B1D253C966E92C4B2664A8B0AC03D5850D6D768B5FEB5
5592	dseo13b.exe	C:\Users\admin\AppData\Local\Temp\~vis0000\rebootnt.exe		executable
		MD5:C459E252866435ED8B928D1509C28DE2	SHA256:4887FF02F8E45F5E03E351CB5156111659CC1B04FDCA9DAE3BD75CB99381DEDE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

0

DNS requests

0

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/111.0.1661.62?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfull=0&scpguard=0&scpfre=0&scpver=0&osarch=x86_64&osver=10.0.19044&wu=1&devicefamily=desktop&uma=0&sessionid=13&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245	unknown	binary	81.5 Kb	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info