| Field | Value |
|---|---|
| Download | sa-mp-0.3.7-install.exe |
| Full analysis | https://app.any.run/tasks/a69b95f9-826e-4ccd-bc62-34cd01b283b5 |
| Verdict | Malicious activity |
| Analysis date | December 26, 2022, 01:07:05 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5 | 3D248CC47F0434C158DE30755FCF1506 |
| SHA1 | AA26E7B6FFA20A6AED6B417FBABB9F17E6010291 |
| SHA256 | 4BFE8B844A12DEF72D441FC27C9F155641ABE6D99216F1C00292BF0B3685A510 |
| SSDEEP | 393216:mhRPtmflaNtY7G8t+LdFyBV9DVimtbA9yRbABehQtAuGuSwcBn:mhRPtklUt3Nd2VvimtbeGbbhQtWBn |
| Extension | Type (score) |
|---|---|
| .exe | NSIS - Nullsoft Scriptable Install System (94.8) |
| .exe | Win32 Executable MS Visual C++ (generic) (3.4) |
| .dll | Win32 Dynamic Link Library (generic) (0.7) |
| .exe | Win32 Executable (generic) (0.5) |
| .exe | Generic Win/DOS Executable (0.2) |
| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2009-Dec-05 22:50:41 |
| Detected languages | |
| Field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 144 |
| e_cp | 3 |
| e_crlc | - |
| e_cparhdr | 4 |
| e_minalloc | - |
| e_maxalloc | 65535 |
| e_ss | - |
| e_sp | 184 |
| e_csum | - |
| e_ip | - |
| e_cs | - |
| e_ovno | - |
| e_oemid | - |
| e_oeminfo | - |
| e_lfanew | 216 |
| Field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberOfSections | 5 |
| TimeDateStamp | 2009-Dec-05 22:50:41 |
| PointerToSymbolTable | - |
| NumberOfSymbols | - |
| SizeOfOptionalHeader | 224 |
| Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 22738 | 23040 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.4331 |
.rdata | 28672 | 4496 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.17976 |
.data | 36864 | 110456 | 1024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.6178 |
.ndata | 147456 | 36864 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rsrc | 184320 | 16688 | 16896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.85878 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 6.26612 | 4264 | UNKNOWN | English - United States | RT_ICON |
2 | 5.9993 | 3752 | UNKNOWN | English - United States | RT_ICON |
3 | 6.24459 | 2216 | UNKNOWN | English - United States | RT_ICON |
4 | 5.01502 | 1384 | UNKNOWN | English - United States | RT_ICON |
5 | 6.16057 | 1128 | UNKNOWN | English - United States | RT_ICON |
6 | 3.34146 | 744 | UNKNOWN | English - United States | RT_ICON |
7 | 3.04232 | 296 | UNKNOWN | English - United States | RT_ICON |
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG |
103 | 2.56193 | 288 | UNKNOWN | English - United States | RT_DIALOG |
105 | 2.73893 | 514 | UNKNOWN | English - United States | RT_DIALOG |
| Imported DLL |
|---|
| ADVAPI32.dll |
| COMCTL32.dll |
| GDI32.dll |
| KERNEL32.dll |
| SHELL32.dll |
| USER32.dll |
| VERSION.dll |
| ole32.dll |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 120 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,17380042383088828284,16032718780213384623,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198 |
| 292 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1060,17380042383088828284,16032718780213384623,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198 |
| 560 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,17380042383088828284,16032718780213384623,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3040 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198 |
| 668 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,17380042383088828284,16032718780213384623,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198 |
| 752 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,17380042383088828284,16032718780213384623,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198 |
| 1028 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,17380042383088828284,16032718780213384623,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2480 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198 |
| 1244 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1284 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,17380042383088828284,16032718780213384623,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198 |
| 1328 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,17380042383088828284,16032718780213384623,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198 |
| 1400 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,17380042383088828284,16032718780213384623,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 2168 | sa-mp-0.3.7-install.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | LanguageList | en-US |
| 2168 | sa-mp-0.3.7-install.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | @C:\Windows\system32\NetworkExplorer.dll,-2 | Access the computers and devices that are on your network. |
| 2168 | sa-mp-0.3.7-install.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer | Browse For Folder Width | 318 |
| 2168 | sa-mp-0.3.7-install.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer | Browse For Folder Height | 288 |
| 2492 | SearchProtocolHost.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\16D\52C64B7E | LanguageList | en-US |
| 2492 | SearchProtocolHost.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\16D\52C64B7E | @C:\Windows\system32\notepad.exe,-469 | Text Document |
| 2492 | SearchProtocolHost.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\16D\52C64B7E | @C:\Windows\System32\isoburn.exe,-350 | Disc Image File |
| 2168 | sa-mp-0.3.7-install.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\samp | (default) | San Andreas Multiplayer |
| 2168 | sa-mp-0.3.7-install.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\samp | Url Protocol | |
| 2168 | sa-mp-0.3.7-install.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\samp\shell\open\command | (default) | "C:\Users\admin\Desktop\samp.exe" "%1" |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2168 | sa-mp-0.3.7-install.exe | C:\Users\admin\Desktop\SAMP\SAMP.img | — | — | — |
| 2168 | sa-mp-0.3.7-install.exe | C:\Users\admin\AppData\Local\Temp\nsyF87F.tmp\modern-wizard.bmp | image | CBE40FD2B1EC96DAEDC65DA172D90022 | 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2 |
| 2168 | sa-mp-0.3.7-install.exe | C:\Users\admin\Desktop\bass.dll | executable | 8F5B9B73D33E8C99202B5058CB6DCE51 | 3F04620D6627ABE5C3B4747FAF26603AB7A006C81B2021AB4689BDD7033BB4CD |
| 2168 | sa-mp-0.3.7-install.exe | C:\Users\admin\Desktop\samp.exe | executable | C1AEDD9F2DAC8A7F79ED40D264B4DF6D | F7C4372C8545121938230AE0C9F1D9BD297836E8AD37AFA710EE93F2C4791ADE |
| 2168 | sa-mp-0.3.7-install.exe | C:\Users\admin\Desktop\samp_debug.exe | executable | 2C00C60A5511C3A41A70296FD1879067 | F64D11680442CEA5940614177B5ECFF866E1E45C07A95CD5564327A94E8101D3 |
| 2168 | sa-mp-0.3.7-install.exe | C:\Users\admin\Desktop\SAMP\SAMPCOL.img | binary | EB690E98B644FA584BE6917D48EE6CBC | AA6DABFB4B38E3B79949BBB3AA4F90C7E4FD3909FEED37335B2D656E73089490 |
| 2168 | sa-mp-0.3.7-install.exe | C:\Users\admin\Desktop\SAMP\SAMP.ide | text | 9FC8A6769F18D3DACEABBBED8632C68E | DD66AA822943526DFFE0F80AF88547615672C9BB6E9F3FCFDE6D6F8B860F93F5 |
| 2168 | sa-mp-0.3.7-install.exe | C:\Users\admin\Desktop\rcon.exe | executable | 3F4821CDA1DE6D7D10654E5537B4DF6E | 19F0D6D844F6F14856E3EA88853202B6310EDC4726EB0C803710B67F641E596F |
| 2168 | sa-mp-0.3.7-install.exe | C:\Users\admin\Desktop\samp.saa | binary | 833AF65BC94EEA6F8503900EF597AD51 | 596895C61A70F558A9AD6B9B44CB5C9AC4B374E95EE2266AC9C88585898F8AE7 |
| 2168 | sa-mp-0.3.7-install.exe | C:\Users\admin\Desktop\sampgui.png | image | 1423C18DFA2064D967B397227960B93D | 8BD41399B3FF22B7D497F3F31D39CAA67A10E6B91D47BDFBE35E963894C22C4D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
868 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/YGkwa4MXjfWSuERyWQYP_A_4/aapLKTSZ439A-0g3nqJr3Q | US | — | — | whitelisted |
2184 | chrome.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | crx | 242 Kb | whitelisted |
868 | svchost.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/YGkwa4MXjfWSuERyWQYP_A_4/aapLKTSZ439A-0g3nqJr3Q | US | crx | 3.72 Kb | whitelisted |
2184 | chrome.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1f81ffcb767e0b74 | US | compressed | 61.4 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2184 | chrome.exe | 34.104.35.123:80 | edgedl.me.gvt1.com | GOOGLE | US | whitelisted |
2184 | chrome.exe | 142.251.39.78:443 | consent.google.com | GOOGLE | US | whitelisted |
2184 | chrome.exe | 188.114.97.12:443 | www.youtubethumbnaildownloader.com | CLOUDFLARENET | NL | malicious |
2184 | chrome.exe | 172.217.20.3:443 | id.google.com | GOOGLE | US | whitelisted |
2184 | chrome.exe | 142.250.180.194:443 | pagead2.googlesyndication.com | GOOGLE | US | unknown |
— | — | 142.250.201.196:443 | www.google.com | GOOGLE | US | whitelisted |
2184 | chrome.exe | 142.250.201.196:443 | www.google.com | GOOGLE | US | whitelisted |
2184 | chrome.exe | 142.250.180.238:443 | clients2.google.com | GOOGLE | US | whitelisted |
2184 | chrome.exe | 142.251.208.97:443 | clients2.googleusercontent.com | GOOGLE | US | unknown |
2184 | chrome.exe | 142.250.201.195:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| accounts.google.com | — | shared |
| www.google.com | — | malicious |
| clients2.google.com | — | whitelisted |
| clients2.googleusercontent.com | — | whitelisted |
| clientservices.googleapis.com | — | whitelisted |
| encrypted-tbn0.gstatic.com | — | whitelisted |
| update.googleapis.com | — | whitelisted |
| www.gstatic.com | — | whitelisted |
| fonts.gstatic.com | — | whitelisted |
| content-autofill.googleapis.com | — | whitelisted |