analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PeriorFN_Loader_NEW.exe

Full analysis: https://app.any.run/tasks/39032f16-1849-4529-adac-902de00582c3
Verdict: Malicious activity
Analysis date: August 08, 2020, 16:26:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

C6E25A7C3B084CDDE7FBEF16BAB52CBF

SHA1:

E9B977F705F258AC3B18DE770E69311A6A1294F8

SHA256:

47A260546AA2652EE089BB2BC2ABEA351F296B6D6CCCC6FC475E03B0CFD29197

SSDEEP:

1536:wwV514BN1t6hv/GOdV3ApEMTYbYT1GhIegx:bV51+PovkD4fgx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • PeriorFN_Loader_NEW.exe (PID: 1452)
  • SUSPICIOUS

    • Starts Internet Explorer

      • PeriorFN_Loader_NEW.exe (PID: 1452)
    • Creates files in the Windows directory

      • PeriorFN_Loader_NEW.exe (PID: 1452)
    • Adds / modifies Windows certificates

      • PeriorFN_Loader_NEW.exe (PID: 1452)
    • Executable content was dropped or overwritten

      • PeriorFN_Loader_NEW.exe (PID: 1452)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2112)
      • iexplore.exe (PID: 3976)
    • Changes internet zones settings

      • iexplore.exe (PID: 2112)
    • Application launched itself

      • iexplore.exe (PID: 2112)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3976)
    • Creates files in the user directory

      • iexplore.exe (PID: 3976)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3976)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3976)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3976)
    • Manual execution by user

      • explorer.exe (PID: 2764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: PeriorFN_Loader_NEW
OriginalFileName: PeriorFN_Loader_NEW.exe
LegalTrademarks: -
LegalCopyright: Copyright © HP Inc. 2020
InternalName: PeriorFN_Loader_NEW.exe
FileVersion: 1.0.0.0
FileDescription: PeriorFN_Loader_NEW
CompanyName: HP Inc.
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows command line
SubsystemVersion: 6
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1325e
UninitializedDataSize: -
InitializedDataSize: 5120
CodeSize: 70656
LinkerVersion: 48
PEType: PE32
TimeStamp: 2102:08:28 05:29:26+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 21-Jul-1966 21:01:10
Debug artifacts:
  • PeriorFN_Loader_NEW.pdb
Comments: -
CompanyName: HP Inc.
FileDescription: PeriorFN_Loader_NEW
FileVersion: 1.0.0.0
InternalName: PeriorFN_Loader_NEW.exe
LegalCopyright: Copyright © HP Inc. 2020
LegalTrademarks: -
OriginalFilename: PeriorFN_Loader_NEW.exe
ProductName: PeriorFN_Loader_NEW
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 21-Jul-1966 21:01:10
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x00011264
0x00011400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.94438
.rsrc
0x00014000
0x00001154
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.0126
.reloc
0x00016000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.10191

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.06548
3372
UNKNOWN
UNKNOWN
RT_MANIFEST

Imports

mscoree.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
5
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start periorfn_loader_new.exe no specs periorfn_loader_new.exe iexplore.exe no specs iexplore.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2904"C:\Users\admin\AppData\Local\Temp\PeriorFN_Loader_NEW.exe" C:\Users\admin\AppData\Local\Temp\PeriorFN_Loader_NEW.exeexplorer.exe
User:
admin
Company:
HP Inc.
Integrity Level:
MEDIUM
Description:
PeriorFN_Loader_NEW
Exit code:
3221226540
Version:
1.0.0.0
1452"C:\Users\admin\AppData\Local\Temp\PeriorFN_Loader_NEW.exe" C:\Users\admin\AppData\Local\Temp\PeriorFN_Loader_NEW.exe
explorer.exe
User:
admin
Company:
HP Inc.
Integrity Level:
HIGH
Description:
PeriorFN_Loader_NEW
Version:
1.0.0.0
2112"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/Jp27aq3C:\Program Files\Internet Explorer\iexplore.exePeriorFN_Loader_NEW.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3976"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2112 CREDAT:275457 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2764"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
345
Read events
256
Write events
85
Delete events
4

Modification events

(PID) Process:(1452) PeriorFN_Loader_NEW.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF
Value:
0100000000000000E4F9F3B0A06DD601
(PID) Process:(2112) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
3269872986
(PID) Process:(2112) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30829984
(PID) Process:(2112) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2112) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2112) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2112) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2112) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2112) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000A3000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2112) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
2
Suspicious files
12
Text files
9
Unknown types
10

Dropped files

PID
Process
Filename
Type
3976iexplore.exeC:\Users\admin\AppData\Local\Temp\Cab1785.tmp
MD5:
SHA256:
3976iexplore.exeC:\Users\admin\AppData\Local\Temp\Tar1786.tmp
MD5:
SHA256:
3976iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9Fder
MD5:4942FCA47B956776CCEDED94C3616BC0
SHA256:F9F6BF37DE8F63BB653419B65855DC39B9F13890A22EF9BB4BAF26469AD60DB1
3976iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\83LZ4W8O.txttext
MD5:A4CBC51C14F4AB6A313FF0269E1EDF1F
SHA256:294E082A353D8AD5860BE977D5B9606A6A7CCC7FE8E1FE10244FDD9DB1FADEC2
2112iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFD76A1A359FC2EB67.TMP
MD5:
SHA256:
3976iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4binary
MD5:35BBEB4E9806A5F4E6812869FEF86413
SHA256:B456DDF1ABDAEA60441096268B3ED55C09B7FFCA4680A8EC752D206DBF6BA542
3976iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_920AF9260C528FAB1F15CA0957850F9Fbinary
MD5:207AA568E021E0721E53AAB2702E95E1
SHA256:B2A8D2C94C7A590E0B86D86E5845BBF9C99BD244B6ED940D5265B7F7E4F22702
3976iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9Fbinary
MD5:3DDAFC6FC577E5B4626435DF0FEC9DA6
SHA256:2390F0EDEA0C8A6CAE2AEAB9CD968C39CDFB89FC399EE3D3D76E8DB450C130EF
3976iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_920AF9260C528FAB1F15CA0957850F9Fder
MD5:8E5C40F130642EB5E61B15491D545007
SHA256:A60482308DC4017BB56C87835F8D67BB0470DFE5B679FEBA627891470ABDB541
3976iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\8e12fb4f14d9c4592eb8ec9f22337b04[1].woffwoff
MD5:8E12FB4F14D9C4592EB8EC9F22337B04
SHA256:5913345A9723FB09F8C8C478446348175A4F00C0E4DB0DB9E275444604650CD2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
12
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3976
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTOpjOEf6LG1z52jqAxwDlTxoaOCgQUQAlhZ%2FC8g3FP3hIILG%2FU1Ct2PZYCEDsJGKKiFxWJllawuNqPxXw%3D
US
der
279 b
whitelisted
3976
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca4.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTOpjOEf6LG1z52jqAxwDlTxoaOCgQUQAlhZ%2FC8g3FP3hIILG%2FU1Ct2PZYCEQCML6NXQdejdBJDG5j4aa9U
US
der
279 b
whitelisted
3976
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEBblhnjgcJQ5S9%2FbTvymO98%3D
US
der
471 b
whitelisted
3976
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D
US
der
314 b
whitelisted
3976
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca4.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTOpjOEf6LG1z52jqAxwDlTxoaOCgQUQAlhZ%2FC8g3FP3hIILG%2FU1Ct2PZYCEQCML6NXQdejdBJDG5j4aa9U
US
der
279 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3976
iexplore.exe
162.159.138.232:443
discord.com
Cloudflare Inc
malicious
1452
PeriorFN_Loader_NEW.exe
162.159.133.233:443
cdn.discordapp.com
Cloudflare Inc
shared
3976
iexplore.exe
151.139.128.14:80
ocsp.comodoca.com
Highwinds Network Group, Inc.
US
suspicious
3976
iexplore.exe
162.159.134.234:443
discord.gg
Cloudflare Inc
shared

DNS requests

Domain
IP
Reputation
discord.gg
  • 162.159.134.234
  • 162.159.130.234
  • 162.159.135.234
  • 162.159.136.234
  • 162.159.133.234
whitelisted
ocsp.comodoca.com
  • 151.139.128.14
whitelisted
ocsp.comodoca4.com
  • 151.139.128.14
whitelisted
discord.com
  • 162.159.138.232
  • 162.159.135.232
  • 162.159.128.233
  • 162.159.137.232
  • 162.159.136.232
whitelisted
cdn.discordapp.com
  • 162.159.133.233
  • 162.159.134.233
  • 162.159.135.233
  • 162.159.130.233
  • 162.159.129.233
shared

Threats

No threats detected
No debug info