File name: http://xemhang.vn/Website/iexplore.exe

Full analysis: https://app.any.run/tasks/8f65e730-5c6e-42fc-b510-46e7a46652e4
Verdict: Malicious activity
Analysis date: October 05, 2022, 07:07:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: F54C429A5A0B2BA6922417A181C89856
SHA1: 5EB52117D4F01C7CCDE053D780242959686DA355
SHA256: 47C20159BAB515DD809169D8339892BAC10FA8EDE4781FC1CD8B76978DBC3D47
SSDEEP: 1572864:xYmpnWwFRqWuRAqd4iiN+e6eu18GIw5LDwJy59oG7:xYmpnRFcPAqOiiWeu18G7wo59f7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 1284)
      • cmd.exe (PID: 2832)
      • unpro.exe (PID: 2236)
    • Application was dropped or rewritten from another process

      • screen.exe (PID: 1568)
      • screen.exe (PID: 2896)
      • RuntimeBroker.exe (PID: 2840)
      • RuntimeBroker.exe (PID: 3284)
      • RuntimeBroker.exe (PID: 3296)
      • RuntimeBroker.exe (PID: 3520)
      • RuntimeBroker.exe (PID: 3936)
      • RuntimeBroker.exe (PID: 1464)
      • unpro.exe (PID: 2108)
      • unpro.exe (PID: 2236)
      • RuntimeBroker.exe (PID: 3396)
      • IntelSvc.exe (PID: 708)
      • screen.exe (PID: 2568)
      • screen.exe (PID: 3692)
      • IntelSvc.exe (PID: 3632)
      • IntelSvc.exe (PID: 2192)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3960)
      • schtasks.exe (PID: 2180)
      • schtasks.exe (PID: 2108)
      • schtasks.exe (PID: 3504)
      • schtasks.exe (PID: 4000)
      • schtasks.exe (PID: 1264)
      • schtasks.exe (PID: 3712)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 2832)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 2832)
      • cmd.exe (PID: 3956)
    • Creates a writable file in the system directory

      • cmd.exe (PID: 2832)
  • SUSPICIOUS

    • Drops a file with too old compile date

      • iexplore.exe (PID: 1284)
      • cmd.exe (PID: 2832)
      • unpro.exe (PID: 2236)
    • Drops a file that was compiled in debug mode

      • iexplore.exe (PID: 1284)
      • cmd.exe (PID: 2832)
      • unpro.exe (PID: 2236)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 1284)
      • cmd.exe (PID: 2832)
      • unpro.exe (PID: 2236)
    • Application launched itself

      • cmd.exe (PID: 2032)
      • screen.exe (PID: 2896)
      • cmd.exe (PID: 2832)
      • cmd.exe (PID: 3956)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2032)
      • iexplore.exe (PID: 1284)
      • screen.exe (PID: 1568)
      • cmd.exe (PID: 2832)
      • cmd.exe (PID: 3956)
      • RuntimeBroker.exe (PID: 3396)
    • Reads Internet Settings

      • iexplore.exe (PID: 1284)
      • screen.exe (PID: 2896)
      • screen.exe (PID: 2568)
      • screen.exe (PID: 3692)
      • IntelSvc.exe (PID: 708)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2832)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2832)
    • Creates files in the Windows directory

      • cmd.exe (PID: 2832)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2832)
      • cmd.exe (PID: 3956)
    • Creates or modifies Windows services

      • reg.exe (PID: 1972)
      • reg.exe (PID: 2184)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2832)
    • Creates a directory in Program Files

      • unpro.exe (PID: 2236)
    • Executes as Windows Service

      • RuntimeBroker.exe (PID: 3396)
      • IntelSvc.exe (PID: 2192)
    • Reads the machine GUID from the registry

      • IntelSvc.exe (PID: 708)
    • Reads security settings of Internet Explorer

      • IntelSvc.exe (PID: 708)
    • Starts CHOICE.EXE to create a delay

      • cmd.exe (PID: 2832)
    • Checks Windows Trust Settings

      • IntelSvc.exe (PID: 708)
    • Executed via COM

      • DllHost.exe (PID: 2592)
    • Reads settings of System Certificates

      • IntelSvc.exe (PID: 708)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 1284)
      • screen.exe (PID: 2896)
      • screen.exe (PID: 1568)
      • RuntimeBroker.exe (PID: 2840)
      • RuntimeBroker.exe (PID: 3284)
      • RuntimeBroker.exe (PID: 3296)
      • RuntimeBroker.exe (PID: 3520)
      • RuntimeBroker.exe (PID: 3936)
      • RuntimeBroker.exe (PID: 1464)
      • unpro.exe (PID: 2108)
      • unpro.exe (PID: 2236)
      • RuntimeBroker.exe (PID: 3396)
      • IntelSvc.exe (PID: 708)
      • screen.exe (PID: 2568)
      • screen.exe (PID: 3692)
      • IntelSvc.exe (PID: 2192)
      • IntelSvc.exe (PID: 3632)
    • Creates a file in a temporary directory

      • iexplore.exe (PID: 1284)
    • Process checks LSA protection

      • iexplore.exe (PID: 1284)
      • screen.exe (PID: 2896)
      • screen.exe (PID: 2568)
      • IntelSvc.exe (PID: 708)
      • screen.exe (PID: 3692)
      • IntelSvc.exe (PID: 3632)
      • IntelSvc.exe (PID: 2192)
    • Reads the computer name

      • iexplore.exe (PID: 1284)
      • screen.exe (PID: 2896)
      • RuntimeBroker.exe (PID: 2840)
      • RuntimeBroker.exe (PID: 3284)
      • RuntimeBroker.exe (PID: 3296)
      • RuntimeBroker.exe (PID: 3520)
      • RuntimeBroker.exe (PID: 1464)
      • RuntimeBroker.exe (PID: 3936)
      • RuntimeBroker.exe (PID: 3396)
      • screen.exe (PID: 2568)
      • IntelSvc.exe (PID: 708)
      • screen.exe (PID: 3692)
      • IntelSvc.exe (PID: 2192)
      • IntelSvc.exe (PID: 3632)
    • Process checks whether UAC notifications are on

      • iexplore.exe (PID: 1284)
    • Creates files in the program directory

      • cmd.exe (PID: 2032)
      • cmd.exe (PID: 2832)
      • cmd.exe (PID: 3956)
      • unpro.exe (PID: 2236)
      • IntelSvc.exe (PID: 708)
    • Reads the machine GUID from the registry

      • WMIC.exe (PID: 3364)
      • taskkill.exe (PID: 2316)
      • taskkill.exe (PID: 4012)
      • WMIC.exe (PID: 3796)
      • taskkill.exe (PID: 3836)
      • WMIC.exe (PID: 2264)
      • WMIC.exe (PID: 3312)
      • taskkill.exe (PID: 652)
      • taskkill.exe (PID: 3172)
      • taskkill.exe (PID: 1996)
      • taskkill.exe (PID: 1368)
      • DllHost.exe (PID: 2592)
    • Process checks computer location settings

      • IntelSvc.exe (PID: 708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (83.4)
.exe | Win32 Executable (generic) (8.7)
.exe | Generic Win/DOS Executable (3.8)
.exe | DOS Executable Generic (3.8)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: -
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: 26
e_oemid: -
e_oeminfo: -
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE | 4096 | 77892 | 78336 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.43594
DATA | 86016 | 1548 | 2048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.51863
BSS | 90112 | 3237 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.idata | 94208 | 2640 | 3072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.26186
.tls | 98304 | 12 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.rdata | 102400 | 24 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.204488
.reloc | 106496 | 6328 | 6656 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.52837
.rsrc | 114688 | 52999344 | 52999680 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 7.87114

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.96797 | 1384 | Latin 1 / Western European | English - United States | RT_ICON
2 | 6.2503 | 2216 | Latin 1 / Western European | English - United States | RT_ICON
3 | 7.90976 | 708670 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
4 | 4.9657 | 392704 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
5 | 7.75028 | 45568 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
6 | 6.09357 | 1072593 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
7 | 6.45762 | 5128016 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
8 | 6.17976 | 167936 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
9 | 7.68694 | 181772 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
10 | 7.99858 | 41853697 | Latin 1 / Western European | UNKNOWN | RT_RCDATA

Imports

advapi32.dll
kernel32.dll
kernel32.dll (#2)
kernel32.dll (#3)
kernel32.dll (#4)
oleaut32.dll
oleaut32.dll (#2)
user32.dll
user32.dll (#2)
winmm.dll
No data.
All screenshots are available in the full report
Total processes: 249
Monitored processes: 208
Malicious processes: 12
Suspicious processes: 8

Behavior graph

[Interactive process graph not reproduced here; see the full report. Process nodes shown in the graph: runas.exe, iexplore.exe, cmd.exe, reg.exe, find.exe, findstr.exe, screen.exe, timeout.exe, wmic.exe, taskkill.exe, schtasks.exe, net.exe, net1.exe, sc.exe, whoami.exe, attrib.exe, runtimebroker.exe, unpro.exe, intelsvc.exe, DllHost.exe, choice.exe]

Process information

PID: 2188
CMD: "C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\AppData\Local\Temp\iexplore.exe
Path: C:\Windows\System32\runas.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Run As Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\runas.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\gdi32.dll
PID: 1284
CMD: C:\Users\admin\AppData\Local\Temp\iexplore.exe
Path: C:\Users\admin\AppData\Local\Temp\iexplore.exe
Parent process: runas.exe
User:
Administrator
Integrity Level:
HIGH
Exit code:
0
Modules (images):
c:\users\admin\appdata\local\temp\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2032
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\SetupSV.cmd" "
Path: C:\Windows\system32\cmd.exe
Parent process: iexplore.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2208
CMD: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin"
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1556
CMD: find "0x0"
Path: C:\Windows\system32\find.exe
Parent process: cmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3500
CMD: C:\Windows\system32\cmd.exe /c findstr -b -n "^_two181019_" "C:\Users\admin\AppData\Local\Temp\SetupSV.cmd" 2>nul
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2552
CMD: findstr -b -n "^_two181019_" "C:\Users\admin\AppData\Local\Temp\SetupSV.cmd"
Path: C:\Windows\system32\findstr.exe
Parent process: cmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
PID: 2724
CMD: C:\Windows\system32\cmd.exe /c type "C:\Users\admin\AppData\Local\Temp\SetupSV.cmd"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2896
CMD: "C:\Users\ADMINI~1\AppData\Local\Temp\screen.exe" elevate "C:\Users\ADMINI~1\AppData\Local\Temp\screen.exe" Exec Hide "C:\ProgramData\run.cmd"
Path: C:\Users\ADMINI~1\AppData\Local\Temp\screen.exe
Parent process: cmd.exe
User:
Administrator
Company:
NirSoft
Integrity Level:
HIGH
Description:
NirCmd
Exit code:
0
Version:
2.86
Modules (images):
c:\windows\system32\ntdll.dll
c:\users\administrator\appdata\local\temp\screen.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1568
CMD: "C:\Users\ADMINI~1\AppData\Local\Temp\screen.exe" Exec Hide "C:\ProgramData\run.cmd"
Path: C:\Users\ADMINI~1\AppData\Local\Temp\screen.exe
Parent process: screen.exe
User:
Administrator
Company:
NirSoft
Integrity Level:
HIGH
Description:
NirCmd
Exit code:
0
Version:
2.86
Modules (images):
c:\users\administrator\appdata\local\temp\screen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 7186
Read events: 7082
Write events: 100
Delete events: 4

Modification events

(PID) Process: (1284) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: delete value | Name: ProxyByPass | Value: 0
(PID) Process: (1284) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: delete value | Name: IntranetName | Value: 0
(PID) Process: (1284) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 0
(PID) Process: (1284) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 1
(PID) Process: (2896) screen.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 0
(PID) Process: (2896) screen.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 1
(PID) Process: (3036) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | Operation: write | Name: C:\Windows\SysWOW64\RuntimeBroker.exe | Value: ~ RUNASADMIN
(PID) Process: (1936) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | Operation: write | Name: C:\ProgramData\RuntimeBroker.exe | Value: ~ RUNASADMIN
(PID) Process: (3180) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | Operation: write | Name: C:\Windows\SysWOW64\screen.exe | Value: ~ RUNASADMIN
(PID) Process: (3296) reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | Operation: write | Name: C:\ProgramData\screen.exe | Value: ~ RUNASADMIN
Executable files: 87
Suspicious files: 30
Text files: 65
Unknown types: 17

Dropped files

PID | Process | Filename | Type
1284 | iexplore.exe | C:\Users\ADMINI~1\AppData\Local\Temp\palemoon.zip | -
  MD5: - | SHA256: -
2832 | cmd.exe | C:\Windows\System32\MicrosoftEdgeTaskMachineWS.xml | xml
  MD5: E0FA2E19D4FC3C2AB72B3982A09BADB8 | SHA256: DEA511C320B0D5CFCC95C45BEFE3653FA1B458C68F32552CAE3D513F6F936DE8
2832 | cmd.exe | C:\Program Files\palemoon.zip | -
  MD5: - | SHA256: -
1284 | iexplore.exe | C:\Users\ADMINI~1\AppData\Local\Temp\Unicod.cmd | text
  MD5: EB43C214E68D2201FB2A7236E8E0AA71 | SHA256: 40162E30C97238AFDD0D7B0178B2EB96DDECE98967B41C393F8232A126B9526A
2832 | cmd.exe | C:\ProgramData\MicrosoftEdgeTaskMachineWS.xml | xml
  MD5: E0FA2E19D4FC3C2AB72B3982A09BADB8 | SHA256: DEA511C320B0D5CFCC95C45BEFE3653FA1B458C68F32552CAE3D513F6F936DE8
2032 | cmd.exe | C:\Users\Public\Documents\pathcd.txt | text
  MD5: 91D838F2C457428DC003B90CFE2061E2 | SHA256: C3AC5952FE0D7061DE7DD8FC4DEF6386725C07FE56F24C9FB3414CF5254B933A
1284 | iexplore.exe | C:\Users\ADMINI~1\AppData\Local\Temp\IntelSvc.exe | executable
  MD5: A7CDE18F991E97037A7899B7669E2548 | SHA256: 8B9F1FA5F941C7F46B65BF8929CA80D132435151E1DCB3A5DE7693B70B254467
1284 | iexplore.exe | C:\Users\ADMINI~1\AppData\Local\Temp\netserver.exe | executable
  MD5: 483421FB3DA24E88AE3B3337967CF4A4 | SHA256: FAB3AB7FD5D49194EEAF4D88B487F4FA7E2388B81999031367521457AAD0A65B
2832 | cmd.exe | C:\Windows\System32\Unicod.cmd | text
  MD5: EB43C214E68D2201FB2A7236E8E0AA71 | SHA256: 40162E30C97238AFDD0D7B0178B2EB96DDECE98967B41C393F8232A126B9526A
2032 | cmd.exe | C:\ProgramData\run.cmd | text
  MD5: 9B5299B3005B35D550387B6D3F85278F | SHA256: ED4D54DFA21DBEC24F1BD9906C6028910F55F31FC411C8F17119863E16623696
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 4
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
708 | IntelSvc.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
708 | IntelSvc.exe | GET | 200 | 8.248.131.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5fce982482aa552d | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
708 | IntelSvc.exe | 188.114.97.3:443 | ulm.aeroadmin.com | CLOUDFLARENET | NL | malicious
708 | IntelSvc.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
708 | IntelSvc.exe | 8.248.131.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious
708 | IntelSvc.exe | 37.48.87.53:5665 | auth11.aeroadmin.com | LeaseWeb Netherlands B.V. | NL | suspicious

DNS requests

Domain | IP | Reputation
auth11.aeroadmin.com | 37.48.87.53 | malicious
ulm.aeroadmin.com | 188.114.97.3, 188.114.96.3 | malicious
ctldl.windowsupdate.com | 8.248.131.254, 8.248.115.254, 8.253.204.249, 8.241.11.126, 8.248.147.254 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted

Threats

PID | Process | Class | Message
708 | IntelSvc.exe | Generic Protocol Command Decode | SURICATA Applayer Wrong direction first Data

Debug output strings

Process | Message
IntelSvc.exe | Info: % 1106] mode: 0
IntelSvc.exe | Info: % 1123] Start
IntelSvc.exe | Info: % 1135] Environment language: "en"
IntelSvc.exe | Info: % 1138] Launch parameters: admin: 1, boot_mode: 0, mode: 0, restart: ""C:\Windows\Temp\IntelSvc.exe" a ", selected: 0, service: 0, as sessid: 1, is running updated: 0
IntelSvc.exe | Error: % 1274] registering tray window class
IntelSvc.exe | Info: % 1306] Running with no UI
IntelSvc.exe | Info: % 54] Adapter best: 1, name: "{4040CF00-1B3E-486A-B407-FA14C56B6FC0}", status: 1
IntelSvc.exe | Info: % 54] Adapter best: 0, name: "{E29AC6C2-7037-11DE-816D-806E6F6E6963}", status: 1
IntelSvc.exe | Info: % 274] Connecting to ip: "37.48.87.53", port: "5665"
IntelSvc.exe | Info: % 262] TCP connection established with socket: 632