File name: 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware
Full analysis: https://app.any.run/tasks/8a0cd7f1-f0ae-4203-af1a-c99f408e1ef7
Verdict: Malicious activity
Analysis date: October 05, 2022, 06:58:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 56AC9E72644A8DAE8C1968D63A26E58A
SHA1: D0349D04F33400541898426438D9E036D21DECC5
SHA256: 3DB0E385EB53A32D61A5A35908A99317868B571E4CF7079DB67FD68604DA662C
SSDEEP: 24576:mq5TfcdHj4fmbi2q+0MmV0VMXeyrtoT1GokHTQoCwsC+Y:mUTsamOx9RoBVoCwT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • dmr_72.exe (PID: 2064)
  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe (PID: 3532)
    • Reads Internet Settings

      • 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe (PID: 3532)
      • dmr_72.exe (PID: 2064)
    • Reads the machine GUID from the registry

      • dmr_72.exe (PID: 2064)
  • INFO

    • Reads mouse settings

      • 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe (PID: 3532)
    • Checks supported languages

      • 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe (PID: 3532)
      • dmr_72.exe (PID: 2064)
    • Checks Windows language

      • 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe (PID: 3532)
    • Creates a file in a temporary directory

      • 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe (PID: 3532)
    • Reads the computer name

      • dmr_72.exe (PID: 2064)
      • 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe (PID: 3532)
    • Process checks LSA protection

      • 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe (PID: 3532)
      • dmr_72.exe (PID: 2064)
    • Reads Environment values

      • dmr_72.exe (PID: 2064)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2015-Jul-22 13:51:55
Detected languages:
  • English - United Kingdom
  • German - Germany
FileVersion: 1.0.7.4
Comments: CHIP Secured Installer
FileDescription: CHIP Secured Installer
ProductVersion: 1.0.7.4
LegalCopyright: Copyright © 2015 Chip Digital GmbH

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 264

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 2015-Jul-22 13:51:55
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
UPX0 | 4096 | 1380352 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
UPX1 | 1384448 | 344064 | 343040 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.93591
.rsrc | 1728512 | 851968 | 850944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.34589

This is the standard UPX layout: UPX0 reserves 1380352 bytes of address space but has no raw data (it is where the stub unpacks the original code, hence the uninitialized-data flag and no entropy value), UPX1 holds the compressed payload and the decompression stub at 7.94 bits per byte, and .rsrc is left uncompressed so the version info and icon still display. Static imports and strings of a UPX-packed file reflect the stub and a reduced import table; unpack it (upx -d) before static analysis.
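The following is an added example, not code from ANY.RUN or from the sample's vendor: a minimal Python parser that walks the DOS header, COFF header and section table the same way the DOS Header, PE Headers and Sections blocks above were produced, computes per-section Shannon entropy, and applies the packing heuristics that the UPX0/UPX1 layout triggers (UPX section names, an executable section with no raw bytes, a near-8-bit executable section). The PE image it parses is constructed in memory with the report's section names, sizes, flags and TimeDateStamp; the section contents are synthetic (random bytes for UPX1, text for .rsrc), so the entropy figures it prints differ from the report's.

```python
"""Parse a PE section table and flag UPX-style packing (added example, synthetic input)."""
import calendar
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

# Section characteristic flags, values from the PE/COFF specification.
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    sections = []
    for i in range(nsec):  # section headers follow the optional header, 40 bytes each
        off = coff + 20 + opt_size + 40 * i
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, scn_chars) = struct.unpack_from("<8sIIIIIIHHI", image, off)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": raw_size, "characteristics": scn_chars,
                         "entropy": shannon_entropy(raw)})
    return {"machine": machine, "characteristics": chars, "sections": sections,
            "timestamp": datetime.fromtimestamp(stamp, timezone.utc)}


def packing_indicators(sections: list) -> list:
    """Heuristics matching the report's layout; each hit is a human-readable reason."""
    hits = []
    for s in sections:
        executable = bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
        if s["name"].upper().startswith("UPX"):
            hits.append(f"{s['name']}: UPX section name")
        if executable and s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"{s['name']}: executable, {s['virtual_size']} bytes virtual, no raw data")
        if executable and s["raw_size"] > 0 and s["entropy"] > 7.0:
            hits.append(f"{s['name']}: executable with entropy {s['entropy']:.2f}")
    return hits


def build_sample_pe() -> bytes:
    """Constructed stand-in for the report's sample: its section names, sizes and flags,
    but synthetic contents (the real binary is not embedded here)."""
    e_lfanew, opt_size, n_sections = 64, 224, 3
    upx1_data = random.Random(7).randbytes(4096)            # compressed-payload look-alike
    rsrc_data = (b"CHIP Secured Installer\0" * 64)[:1024]   # low-entropy resource text
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * n_sections
    raw0 = (headers_end + 511) // 512 * 512                  # 0x200 file alignment
    raw1 = raw0 + len(upx1_data)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stamp = calendar.timegm((2015, 7, 22, 13, 51, 55))      # report's TimeDateStamp
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n_sections, stamp, 0, 0, opt_size, 0x0122)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)     # PE32 magic, remainder zeroed
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    rows = [(b"UPX0", 1380352, 4096, 0, 0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx),
            (b"UPX1", 344064, 1384448, len(upx1_data), raw0, IMAGE_SCN_CNT_INITIALIZED_DATA | rwx),
            (b".rsrc", 851968, 1728512, len(rsrc_data), raw1,
             IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, c)
                    for n, vs, va, rs, rp, c in rows)
    image = bytes(dos) + coff + opt + secs
    return image + bytes(raw0 - len(image)) + upx1_data + rsrc_data


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("Compilation Date:", pe["timestamp"].strftime("%Y-%b-%d %H:%M:%S"))
    for s in pe["sections"]:
        print(f"{s['name']:<6} VA={s['virtual_address']:<8} VS={s['virtual_size']:<8} "
              f"raw={s['raw_size']:<6} entropy={s['entropy']:.5f}")
    for hit in packing_indicators(pe["sections"]):
        print("packed?", hit)
```

Run it on a real file with `parse_pe(open(path, "rb").read())`; the parser deliberately ignores the optional header contents, so it also works on truncated or malformed samples as long as the section headers are intact.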

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.34174 | 588 | Latin 1 / Western European | German - Germany | RT_VERSION
4 | 3.75291 | 9640 | Latin 1 / Western European | English - United Kingdom | RT_ICON
7 | 3.34702 | 1428 | Latin 1 / Western European | English - United Kingdom | RT_STRING
8 | 3.2817 | 1674 | Latin 1 / Western European | English - United Kingdom | RT_STRING
9 | 3.28849 | 1168 | Latin 1 / Western European | English - United Kingdom | RT_STRING
10 | 3.28373 | 1532 | Latin 1 / Western European | English - United Kingdom | RT_STRING
11 | 3.26322 | 1628 | Latin 1 / Western European | English - United Kingdom | RT_STRING
12 | 3.25812 | 1126 | Latin 1 / Western European | English - United Kingdom | RT_STRING
99 | 2.0815 | 20 | Latin 1 / Western European | English - United Kingdom | RT_GROUP_ICON
166 | 2.68292 | 80 | Latin 1 / Western European | English - United Kingdom | RT_MENU

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.DLL
MPR.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
No data.
Total processes: 38
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes and edge labels from the graph, parent relationships from the process table below:
  • 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_malware.exe (PID 2972, no specs): started from Explorer.EXE
  • 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_malware.exe (PID 3532): started from Explorer.EXE
  • dmr_72.exe (PID 2064): "drop and start" edge from PID 3532

Process information

PID: 2972
CMD: "C:\Users\admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe"
Path: C:\Users\admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: CHIP Secured Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance exits at once and the installer is relaunched elevated as PID 3532)
Version: 1.0.7.4

PID: 3532
CMD: "C:\Users\admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe"
Path: C:\Users\admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Description: CHIP Secured Installer
Exit code: 0
Version: 1.0.7.4

PID: 2064
CMD: "C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -72189998 -chipde -e37278fe332e42d1af33e4480ad52248 - -BLUB2 -vqkfnfnirlrzkfsp -3532
Path: C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe
Parent process: 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe
User: admin
Company: Chip Digital GmbH
Integrity Level: HIGH
Description: DMR
Version: 1.0.7.4

Note on the dmr_72.exe command line: -3532 is the PID of the parent installer process and -vqkfnfnirlrzkfsp is the base name of the vqkfnfnirlrzkfsp.dat file the installer drops alongside it (see Dropped files), so the child inherits its configuration from the dropper rather than carrying it in the binary. Both installer instances run from the user's Temp directory; the second one runs at HIGH integrity, so everything dmr_72.exe does is done with administrative rights.
Total events: 1261
Read events: 1238
Write events: 23
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
3532 | 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
3532 | 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
3532 | 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
3532 | 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
2064 | dmr_72.exe | HKEY_CURRENT_USER\Software\OCS | write | CID | eb5a3dd3-27c7-4bad-927d-6b6d8bbc4d74
2064 | dmr_72.exe | HKEY_CURRENT_USER\Software\OCS | write | PID | chipde
2064 | dmr_72.exe | HKEY_CURRENT_USER\Software\OCS | write | lastPID | chipde
2064 | dmr_72.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32 | write | EnableFileTracing | 0
2064 | dmr_72.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32 | write | EnableConsoleTracing | 0
2064 | dmr_72.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32 | write | FileTracingMask | (value not captured in this excerpt)

The ZoneMap writes are the standard side effect of a process initialising WinINet (the "Reads Internet Settings" indicator above), and the Tracing\*_RASAPI32 keys are created by the RAS API when a process first uses it; neither is a persistence mechanism. The HKEY_CURRENT_USER\Software\OCS values (a client ID GUID and the "chipde" partner ID) are the installer's own state and are the useful host-based artefact here.
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3532 | 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | C:\Users\admin\AppData\Local\Temp\DMR\vqkfnfnirlrzkfsp.dat | text
  MD5: 8C934B48A05955C6CC934925F4C01E7D
  SHA256: 51BE55DD44A7D2C782EF432971878A64040AEC99C5EC0B53AC92D72BB2645992
3532 | 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe | C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe | executable
  MD5: 1B81FA48134378F2B8D54A41FCFCF0CA
  SHA256: 5E2931D27098E63B67126EC2E036D8E2F4E46814D8C777C0307E3EEC3B947707
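The two behaviours the report scores highest, a file written by one process and then executed (the MALICIOUS "dropped or rewritten from another process" indicator) and the medium-integrity instance exiting with STATUS_ELEVATION_REQUIRED before the same image starts again at HIGH integrity, can both be expressed as correlations over process and file events. The following is an added example, not ANY.RUN's own detection logic: it runs over a constructed Sysmon-style event stream that reproduces the process tree and dropped files from this report (PIDs, paths and the exit code are the report's; the Explorer PID 1520, the event schema and the two benign notepad events are assumptions for the example).

```python
"""Drop-and-execute and UAC-relaunch correlation over process/file events (added example)."""

# NTSTATUS 0xC000042C = 3221226540 decimal, the exit code of PID 2972 in the report.
STATUS_ELEVATION_REQUIRED = 0xC000042C

TEMP = r"C:\Users\admin\AppData\Local\Temp"
SAMPLE = "3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"   # parent of both installer instances


def in_temp(name: str) -> str:
    return TEMP + "\\" + name


# Constructed event stream (Sysmon-like fields). Explorer's PID and events 7-8 are invented noise.
EVENTS = [
    {"seq": 1, "event": "process_create", "pid": 2972, "ppid": 1520, "image": in_temp(SAMPLE),
     "parent_image": EXPLORER, "integrity": "MEDIUM"},
    {"seq": 2, "event": "process_exit", "pid": 2972, "image": in_temp(SAMPLE), "exit_code": 3221226540},
    {"seq": 3, "event": "process_create", "pid": 3532, "ppid": 1520, "image": in_temp(SAMPLE),
     "parent_image": EXPLORER, "integrity": "HIGH"},
    {"seq": 4, "event": "file_create", "pid": 3532, "image": in_temp(SAMPLE),
     "target": in_temp(r"DMR\vqkfnfnirlrzkfsp.dat")},
    {"seq": 5, "event": "file_create", "pid": 3532, "image": in_temp(SAMPLE),
     "target": in_temp(r"DMR\dmr_72.exe")},
    {"seq": 6, "event": "process_create", "pid": 2064, "ppid": 3532, "image": in_temp(r"DMR\dmr_72.exe"),
     "parent_image": in_temp(SAMPLE), "integrity": "HIGH"},
    {"seq": 7, "event": "file_create", "pid": 1520, "image": EXPLORER,
     "target": r"C:\Users\admin\Documents\notes.txt"},
    {"seq": 8, "event": "process_create", "pid": 4100, "ppid": 1520,
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": EXPLORER, "integrity": "MEDIUM"},
]


def dropped_and_executed(events: list) -> list:
    """Any image that was written by a monitored process earlier in the stream and is then
    started. Paths are compared case-insensitively because NTFS is; the writer need not be
    the parent, which matches the report's 'dropped or rewritten from another process'."""
    written = {}   # lower-cased path -> (writer pid, seq of the write)
    hits = []
    for ev in sorted(events, key=lambda e: e["seq"]):
        if ev["event"] == "file_create":
            written[ev["target"].lower()] = (ev["pid"], ev["seq"])
        elif ev["event"] == "process_create":
            hit = written.get(ev["image"].lower())
            if hit and hit[1] < ev["seq"]:
                hits.append({"dropper_pid": hit[0], "child_pid": ev["pid"],
                             "parent_pid": ev["ppid"], "path": ev["image"]})
    return hits


def elevation_relaunch(events: list) -> list:
    """A process exits with STATUS_ELEVATION_REQUIRED and the same image is then started
    at HIGH integrity: the UAC self-relaunch pattern seen with PIDs 2972 -> 3532."""
    pending = {}   # lower-cased image -> pid of the instance that failed to elevate
    hits = []
    for ev in sorted(events, key=lambda e: e["seq"]):
        if ev["event"] == "process_exit" and ev.get("exit_code") == STATUS_ELEVATION_REQUIRED:
            pending[ev["image"].lower()] = ev["pid"]
        elif ev["event"] == "process_create" and ev.get("integrity", "").upper() == "HIGH":
            first = pending.pop(ev["image"].lower(), None)
            if first is not None:
                hits.append({"first_pid": first, "elevated_pid": ev["pid"], "path": ev["image"]})
    return hits


if __name__ == "__main__":
    for h in elevation_relaunch(EVENTS):
        print(f"elevation relaunch: PID {h['first_pid']} -> PID {h['elevated_pid']} ({h['path']})")
    for h in dropped_and_executed(EVENTS):
        print(f"drop and start: PID {h['dropper_pid']} wrote {h['path']}, started as PID {h['child_pid']}")
```

The benign events are there to show the false-positive boundary: Explorer writing a document and launching notepad is not flagged, because the executed image was never written by a monitored process. In a real deployment the drop-and-execute rule should additionally weight the location (a user-writable Temp subdirectory, as here) and whether the executed file is signed, since legitimate installers also extract and run helpers.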
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2064 | dmr_72.exe | GET | 404 | 116.203.169.158:80 | http://api.chip-secured-download.de/geoip/geoip.php?ip=322e3234342e3130302e323535 | IN | xml | 341 b | unknown

The ip= query parameter is the hex encoding of the ASCII string 2.244.100.255, i.e. the installer sends an IP address to the vendor's geolocation endpoint over plain HTTP; the server answered 404, so the lookup did not succeed in this run and no further download was observed.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2064 | dmr_72.exe | 116.203.169.158:80 | api.chip-secured-download.de | Hetzner Online GmbH | DE | unknown

DNS requests

Domain | IP | Reputation
api.chip-secured-download.de | 116.203.169.158 | unknown

Threats

No threats detected
No debug info