analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

dUzv3Q.exe

Full analysis: https://app.any.run/tasks/f13fe34f-7f8e-4575-ac64-383993142f8b
Verdict: Malicious activity
Analysis date: August 08, 2020, 15:56:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

145AC25AB6A720135F47C39E15236309

SHA1:

FECE4215C8508B1479F5DEE6633138B686A42F0C

SHA256:

3A63E7105149A048D46D78EC89A94E544316730321FDFE0A36BF8D92EF7F3C28

SSDEEP:

384:dgHKIdm15LOUmbU4puuIaLMxy4QCyfrJ:dgHKIdmLLhmb1Yx0/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • dUzv3Q.exe (PID: 2640)
  • SUSPICIOUS

    • Uses NETSH.EXE for network configuration

      • dUzv3Q.exe (PID: 2640)
    • Executed via COM

      • OUTLOOK.EXE (PID: 3584)
    • Starts CMD.EXE for commands execution

      • dUzv3Q.exe (PID: 2640)
  • INFO

    • Reads settings of System Certificates

      • dUzv3Q.exe (PID: 2640)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3584)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2093:05:05 00:33:59+02:00
PEType: PE32
LinkerVersion: 48
CodeSize: 14336
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x565a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: dUzv3Q
FileVersion: 1.0.0.0
InternalName: dUzv3Q.exe
LegalCopyright: Copyright © 2020
LegalTrademarks: -
OriginalFileName: dUzv3Q.exe
ProductName: dUzv3Q
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 29-Mar-1957 16:05:43
Debug artifacts:
  • C:\Users\novel\source\repos\dUzv3Q\dUzv3Q\obj\Debug\dUzv3Q.pdb
Comments: -
CompanyName: -
FileDescription: dUzv3Q
FileVersion: 1.0.0.0
InternalName: dUzv3Q.exe
LegalCopyright: Copyright © 2020
LegalTrademarks: -
OriginalFilename: dUzv3Q.exe
ProductName: dUzv3Q
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 29-Mar-1957 16:05:43
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x00003660
0x00003800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.5522
.rsrc
0x00006000
0x0000059C
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.06627
.reloc
0x00008000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.0815394

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.00112
490
UNKNOWN
UNKNOWN
RT_MANIFEST

Imports

mscoree.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
7
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start duzv3q.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs outlook.exe

Process information

PID
CMD
Path
Indicators
Parent process
2640"C:\Users\admin\AppData\Local\Temp\dUzv3Q.exe" C:\Users\admin\AppData\Local\Temp\dUzv3Q.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
dUzv3Q
Version:
1.0.0.0
2612"netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=anyC:\Windows\system32\netsh.exedUzv3Q.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2396"netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=anyC:\Windows\system32\netsh.exedUzv3Q.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2444"netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=anyC:\Windows\system32\netsh.exedUzv3Q.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3120"netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=anyC:\Windows\system32\netsh.exedUzv3Q.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2732"cmd.exe" reg add "HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security" /f /v "PromptOOMSend" /t REG_DWORD /d 2C:\Windows\system32\cmd.exedUzv3Q.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3584"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
Total events
888
Read events
560
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
26
Unknown types
0

Dropped files

PID
Process
Filename
Type
3584OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRFD0C.tmp.cvr
MD5:
SHA256:
3584OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmpbinary
MD5:CEEC7B426502E1E697F2467EA38D2D3B
SHA256:530908FBACE59BFC31A863E67C15C1F94C8757A673CC0D0259D2C21A3FEE49D7
3584OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:F0FD3FA8604AEE2D8E7FB221C5328E9C
SHA256:D472BAE43A8B2FB0C419E4215FF2B3AA0742B441439C89CF3C0B1A264D63D026
3584OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:48DD6CAE43CE26B992C35799FCD76898
SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
3584OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{30AD63C6-AC6F-46AF-8BA4-8051BED20D83}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
3584OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_52F5B0B27B4FB14E8930F80C36E96ED6.datxml
MD5:F194B1FA12F9B6F46A47391FAE8BEEC2
SHA256:FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74
3584OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_99C007340C0C414F9E9AC3875392B0FF.datxml
MD5:807EF0FC900FEB3DA82927990083D6E7
SHA256:4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913
3584OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_818F09DC3CD019438707D1852165647A.datxml
MD5:D8B37ED0410FB241C283F72B76987F18
SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
3584OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_4CD3B2FCA4183945BF4F5F5557520E2D.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
3584OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_C1F75FCF0602E04FB064B646A762B931.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
7
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2640
dUzv3Q.exe
GET
200
195.201.245.34:80
http://unhanorarse.altervista.org/add.php?username=admin
RU
malicious
3584
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
2640
dUzv3Q.exe
GET
200
195.201.245.34:80
http://unhanorarse.altervista.org/getdos.php
RU
binary
1 b
malicious
2640
dUzv3Q.exe
GET
200
195.201.245.34:80
http://unhanorarse.altervista.org/getdos.php
RU
binary
1 b
malicious
2640
dUzv3Q.exe
GET
200
195.201.245.34:80
http://unhanorarse.altervista.org/getdos.php
RU
binary
1 b
malicious
2640
dUzv3Q.exe
GET
200
195.201.245.34:80
http://unhanorarse.altervista.org/getdos.php
RU
binary
1 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2640
dUzv3Q.exe
195.201.245.34:80
unhanorarse.altervista.org
Awanti Ltd.
RU
malicious
2640
dUzv3Q.exe
104.23.98.190:443
pastebin.com
Cloudflare Inc
US
malicious
3584
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.23.98.190
  • 104.23.99.190
shared
unhanorarse.altervista.org
  • 195.201.245.34
unknown
config.messenger.msn.com
  • 64.4.26.155
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info