| File name: | MM.exe |
| Full analysis: | https://app.any.run/tasks/646873dd-cca1-483c-8328-01a430af80d2 |
| Verdict: | Malicious activity |
| Analysis date: | November 11, 2023, 23:10:15 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | E88FF8F8F200F948BDB40E3FEC7A7787 |
| SHA1: | D692AC4ABCB5BA6FB5ECF223414629EC8A0B3906 |
| SHA256: | 47F0245970ECE06D3CAC88886273F310F586B317131C50285530A38AC4FCC005 |
| SSDEEP: | 1536:iqu5CERccfeD5U6erC/+tjmGoI8qNncv7QsWjcdn8PtQrM9ub7qoE9:nuMERcICW6erwmCG38qN+8lQrM9u3qz |
MALICIOUS
Unusual connection from system programs
- rundll32.exe (PID: 3644)
MYDOOM has been detected (SURICATA)
- MM.exe (PID: 3652)
Actions looks like stealing of personal data
- MM.exe (PID: 3652)
SUSPICIOUS
Reads the Internet Settings
- rundll32.exe (PID: 3644)
Connects to SMTP port
- MM.exe (PID: 3652)
INFO
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 3544)
Checks supported languages
- wmpnscfg.exe (PID: 3544)
- MM.exe (PID: 3652)
Manual execution by a user
- wmpnscfg.exe (PID: 3544)
- MM.exe (PID: 3652)
Reads the computer name
- wmpnscfg.exe (PID: 3544)
- MM.exe (PID: 3652)
Checks proxy server information
- rundll32.exe (PID: 3644)
Create files in a temporary directory
- MM.exe (PID: 3652)
Creates files or folders in the user directory
- rundll32.exe (PID: 3644)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:10:23 18:50:21+02:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 45568 |
| InitializedDataSize: | 77824 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x60af |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
44
Monitored processes
4
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3460 | "C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\Desktop\MM.exe | C:\Windows\System32\runas.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Run As Utility Exit code: 3221225786 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3544 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3644 | C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {29dfdaf6-2655-4d7d-9dae-112ce811cf33};C:\Users\admin\Desktop\MM.exe;3652 | C:\Windows\System32\rundll32.exe | MM.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3652 | "C:\Users\admin\Desktop\MM.exe" | C:\Users\admin\Desktop\MM.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 3221225477 Modules
| |||||||||||||||
Total events
820
Read events
817
Write events
0
Delete events
3
Modification events
| (PID) Process: | (3544) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{98D828C8-2FF2-446A-A254-F21B073A458A}\{E019CE60-936C-4908-8068-8C7E29EEB8A8} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3544) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{98D828C8-2FF2-446A-A254-F21B073A458A} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3544) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{B5087EC2-7F34-4BE9-9A4E-EA4982A942F8} |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
0
Suspicious files
18
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3652 | MM.exe | C:\Users\admin\AppData\Local\Temp\tmp7121.tmp | compressed | |
MD5:575B5AF7564CECB05194E214733C2F38 | SHA256:E37AE1B34333868DF8F360BE46C5FE0D7EC00AFF703B8277D68D021701922DD9 | |||
| 3652 | MM.exe | C:\Users\admin\AppData\Local\Temp\tmp5F46.tmp | compressed | |
MD5:672115B59A2A91034337F2172ECD9287 | SHA256:063222B25EB847D801C6C87B8531E520EB944AC548359365C50A514BA9C1A532 | |||
| 3652 | MM.exe | C:\Users\admin\AppData\Local\Temp\tmp667D.tmp | compressed | |
MD5:0597EAEF5104546848DB3742F3DC0295 | SHA256:3DEABAAF486412D844E4F24C2530F8EF040122CA5EA7F200A5B747169959CF5F | |||
| 3652 | MM.exe | C:\Users\admin\AppData\Local\Temp\tmp6788.tmp | compressed | |
MD5:A6F9B5F3E065278FA0B9EF2AFBA89DDC | SHA256:47A8E340C6D1F644B37304E09E5FD11E99F2F0497EBD25F3A19957D726947E5A | |||
| 3652 | MM.exe | C:\Users\admin\AppData\Local\Temp\tmp70E1.tmp | compressed | |
MD5:80EDEB9C1AEF5913E3305D60EB264571 | SHA256:8D4AA0B0DBE161071D2A7D530722AFDBDFA2B289C3FB723F8EF1C628C6F1A1BD | |||
| 3644 | rundll32.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games\Steam Dark Messiah Might and Magic Single Player™.lnk | binary | |
MD5:797902F867589E70D3B739EED95B8606 | SHA256:205AA055327AC97B6216AFC1409C50F8946692BDB655F4C3BF5743406FE367B5 | |||
| 3644 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\GameExplorer\{F40DFE5F-E6A0-4182-B741-FDC3936D2F33}\PlayTasks\0\Play.lnk | binary | |
MD5:54FC5E99B4CF47E780FAB4A6708CBBF0 | SHA256:6AE8FB8CC8488AC0ECD1155A340632D1B23E8C4F797E00A27D3E867DF0A469A6 | |||
| 3652 | MM.exe | C:\Users\admin\AppData\Local\Temp\tmp7054.tmp | compressed | |
MD5:B4370129AEC2BC7342348EEA9D5B8047 | SHA256:2FB7AB7A73FB9B8DF91268CF7763B7D283EAA8D40B046E95D01B4F2FDBB53FC6 | |||
| 3652 | MM.exe | C:\Users\admin\AppData\Local\Temp\tmp6256.tmp | compressed | |
MD5:49ED213F2D9E81BEA7A5481982D4488E | SHA256:2757E8BF85069155327E44B6DE71A1F6365482A0D41904EC198D725B87132B5E | |||
| 3652 | MM.exe | C:\Users\admin\AppData\Local\Temp\tmp74CD.tmp | compressed | |
MD5:05C931E3AB9D782D118A3EF5605AA77A | SHA256:C5367256A7C17FB8E85237B2BE32F8EA72BD17629857F804F8A069D4523D0F96 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
69
DNS requests
59
Threats
11
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3644 | rundll32.exe | GET | 302 | 2.18.97.227:80 | http://go.microsoft.com/fwlink?linkid=30219&locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2 | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
3644 | rundll32.exe | 2.18.97.227:80 | go.microsoft.com | Akamai International B.V. | FR | unknown |
3644 | rundll32.exe | 65.55.186.115:80 | movie.metaservices.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
3652 | MM.exe | 192.254.190.168:25 | onlineconnections.com.au | UNIFIEDLAYER-AS-1 | US | unknown |
3652 | MM.exe | 64.233.166.26:25 | gmail-smtp-in.l.google.com | GOOGLE | US | unknown |
3652 | MM.exe | 67.195.228.94:25 | mta6.am0.yahoodns.net | YAHOO-GQ1 | US | unknown |
3652 | MM.exe | 74.125.200.26:25 | alt4.gmail-smtp-in.l.google.com | GOOGLE | US | unknown |
3652 | MM.exe | 212.27.48.6:25 | mx1.free.fr | Free SAS | FR | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
go.microsoft.com |
| unknown |
movie.metaservices.microsoft.com |
| unknown |
onlineconnections.com.au |
| unknown |
openoffice.org |
| unknown |
mx1-lw-eu.apache.org |
| unknown |
bryson.demon.co.uk |
| unknown |
mx1-lw-us.apache.org |
| unknown |
mx2-lw-eu.apache.org |
| unknown |
mx2-lw-us.apache.org |
| unknown |
gmail.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | ET SMTP Sorbs.net Block Message |
— | — | Not Suspicious Traffic | ET SMTP Sorbs.net Block Message |
— | — | Generic Protocol Command Decode | SURICATA SMTP duplicate fields |
— | — | Generic Protocol Command Decode | SURICATA SMTP duplicate fields |
— | — | Generic Protocol Command Decode | SURICATA SMTP duplicate fields |
6 ETPRO signatures available at the full report