File name:

206ef01e49cf89cce3ae37b77147637b

Full analysis: https://app.any.run/tasks/d805adf6-2a49-429b-9e87-1371fa94b529
Verdict: Malicious activity
Analysis date: December 06, 2022, 06:21:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
tofsee
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

206EF01E49CF89CCE3AE37B77147637B

SHA1:

E3A610A77740F91B8085534BDF4EA530D9A8CA1C

SHA256:

50ED7FF89205B20B7AA7538438B2AF93BBF61BC9488F5EB7E3DC673B0579A2F2

SSDEEP:

6144:Df7ySH2VV6yOoxypbVchDauBsj92P2hdLP4WBfO:PjEV65kypbVEDkj8OhdP40f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • sezwdccq.exe (PID: 2888)
    • TOFSEE detected by memory dumps

      • svchost.exe (PID: 2800)
  • SUSPICIOUS

    • Connects to SMTP port

      • svchost.exe (PID: 2800)
  • INFO

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3804)
    • Drops a file that was compiled in debug mode

      • cmd.exe (PID: 3804)
    • Drops the executable file immediately after the start

      • cmd.exe (PID: 3804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Tofsee

(PID) Process(2800) svchost.exe
Encrypted Strings (59)c:\Windows
\system32\
ImagePath
.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSConfig
/r
.exe
cmd /C move /Y "%s" %s sc config %s binPath= "%s%s /d\"%s\"" sc start %s
svchost.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin
PromptOnSecureDesktop
MSConfig
:.repos
USERPROFILE
\Local Settings:.repos
USERPROFILE
\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.repos
USERPROFILE
\wincookie.repos
TMP
Config
Control Panel\Buses
Config
SOFTWARE\Microsoft\Buses
Config
Control Panel\Buses
Config
SOFTWARE\Microsoft\Buses
SYSTEM\CurrentControlSet\services
ImagePath
SYSTEM\CurrentControlSet\services
SYSTEM\CurrentControlSet\services
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.exe
qazwsxed
%s%i%i%i%i.bat
@echo off :next_try del "%s">nul if exist "%s" ( ping 127.0.0.1 >nul goto next_try ) del %%0
svchost.exe
.exe
/u
USERPROFILE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/d
/e
/d
/e
.exe
"%s" /u"%s"
USERPROFILE
.exe
USERPROFILE
USERPROFILE
ver=%d lid=%d win=%X/%d sid=%s rep=%s
C2 (2)defeatwax.ru
refabyd.info
No Malware configuration.

TRiD

.exe | InstallShield setup (26.8)
.exe | Win32 EXE PECompact compressed (generic) (25.8)
.exe | Win32 Executable MS Visual C++ (generic) (19.4)
.exe | Win64 Executable (generic) (17.2)
.dll | Win32 Dynamic Link Library (generic) (4)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2020-Oct-10 04:33:19
Detected languages:
  • Slovenian - Slovenia
Debug artifacts:
  • C:\jozelutemibize-cenusihejised posuv_dapate48\zodirubufez\kide.pdb

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 240

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 4
TimeDateStamp: 2020-Oct-10 04:33:19
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
112720
113152
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.54436
.rdata
118784
14072
14336
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.24671
.data
135168
30527464
9216
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.15201
.rsrc
30662656
128696
129024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.59894

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.18245
3752
UNKNOWN
Slovenian - Slovenia
RT_ICON
2
5.08434
2216
UNKNOWN
Slovenian - Slovenia
RT_ICON
3
4.75704
1384
UNKNOWN
Slovenian - Slovenia
RT_ICON
4
6.54384
9640
UNKNOWN
Slovenian - Slovenia
RT_ICON
5
6.57546
4264
UNKNOWN
Slovenian - Slovenia
RT_ICON
6
6.543
1128
UNKNOWN
Slovenian - Slovenia
RT_ICON
7
5.64504
3752
UNKNOWN
Slovenian - Slovenia
RT_ICON
8
5.54768
2216
UNKNOWN
Slovenian - Slovenia
RT_ICON
9
5.85457
1384
UNKNOWN
Slovenian - Slovenia
RT_ICON
10
6.48963
9640
UNKNOWN
Slovenian - Slovenia
RT_ICON

Imports

KERNEL32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
11
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 206ef01e49cf89cce3ae37b77147637b.exe no specs wusa.exe no specs wusa.exe cmd.exe cmd.exe sc.exe sc.exe sc.exe sezwdccq.exe no specs #TOFSEE svchost.exe netsh.exe

Process information

PID
CMD
Path
Indicators
Parent process
2436"C:\Users\admin\AppData\Local\Temp\206ef01e49cf89cce3ae37b77147637b.exe" C:\Users\admin\AppData\Local\Temp\206ef01e49cf89cce3ae37b77147637b.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\206ef01e49cf89cce3ae37b77147637b.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\user32.dll
2736"C:\Windows\System32\wusa.exe" C:\Windows\System32\wusa.exe206ef01e49cf89cce3ae37b77147637b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wusa.exe
c:\windows\system32\ntdll.dll
3344"C:\Windows\System32\wusa.exe" C:\Windows\System32\wusa.exe
206ef01e49cf89cce3ae37b77147637b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
3256cmd /C mkdir C:\Windows\system32\yaigjkvq\C:\Windows\system32\cmd.exe
206ef01e49cf89cce3ae37b77147637b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3804cmd /C move /Y "C:\Users\admin\AppData\Local\Temp\sezwdccq.exe" C:\Windows\system32\yaigjkvq\C:\Windows\system32\cmd.exe
206ef01e49cf89cce3ae37b77147637b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
2952sc create yaigjkvq binPath= "C:\Windows\system32\yaigjkvq\sezwdccq.exe /d\"C:\Users\admin\AppData\Local\Temp\206ef01e49cf89cce3ae37b77147637b.exe\"" type= own start= auto DisplayName= "wifi support"C:\Windows\system32\sc.exe
206ef01e49cf89cce3ae37b77147637b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2052sc description yaigjkvq "wifi internet conection"C:\Windows\system32\sc.exe
206ef01e49cf89cce3ae37b77147637b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sc.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
1980sc start yaigjkvqC:\Windows\system32\sc.exe
206ef01e49cf89cce3ae37b77147637b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2888C:\Windows\system32\yaigjkvq\sezwdccq.exe /d"C:\Users\admin\AppData\Local\Temp\206ef01e49cf89cce3ae37b77147637b.exe"C:\Windows\system32\yaigjkvq\sezwdccq.exeservices.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\windows\system32\yaigjkvq\sezwdccq.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\user32.dll
2800svchost.exeC:\Windows\system32\svchost.exe
sezwdccq.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\svchost.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\user32.dll
Tofsee
(PID) Process(2800) svchost.exe
Encrypted Strings (59)c:\Windows
\system32\
ImagePath
.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSConfig
/r
.exe
cmd /C move /Y "%s" %s sc config %s binPath= "%s%s /d\"%s\"" sc start %s
svchost.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin
PromptOnSecureDesktop
MSConfig
:.repos
USERPROFILE
\Local Settings:.repos
USERPROFILE
\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.repos
USERPROFILE
\wincookie.repos
TMP
Config
Control Panel\Buses
Config
SOFTWARE\Microsoft\Buses
Config
Control Panel\Buses
Config
SOFTWARE\Microsoft\Buses
SYSTEM\CurrentControlSet\services
ImagePath
SYSTEM\CurrentControlSet\services
SYSTEM\CurrentControlSet\services
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.exe
qazwsxed
%s%i%i%i%i.bat
@echo off :next_try del "%s">nul if exist "%s" ( ping 127.0.0.1 >nul goto next_try ) del %%0
svchost.exe
.exe
/u
USERPROFILE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/d
/e
/d
/e
.exe
"%s" /u"%s"
USERPROFILE
.exe
USERPROFILE
USERPROFILE
ver=%d lid=%d win=%X/%d sid=%s rep=%s
C2 (2)defeatwax.ru
refabyd.info
Total events
989
Read events
917
Write events
72
Delete events
0

Modification events

(PID) Process:(2436) 206ef01e49cf89cce3ae37b77147637b.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2436) 206ef01e49cf89cce3ae37b77147637b.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2436) 206ef01e49cf89cce3ae37b77147637b.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2436) 206ef01e49cf89cce3ae37b77147637b.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2984) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2984) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-100
Value:
DHCP Quarantine Enforcement Client
(PID) Process:(2984) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-101
Value:
Provides DHCP based enforcement for NAP
(PID) Process:(2984) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-103
Value:
1.0
(PID) Process:(2984) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-102
Value:
Microsoft Corporation
(PID) Process:(2984) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:@%SystemRoot%\system32\napipsec.dll,-1
Value:
IPsec Relying Party
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3804cmd.exeC:\Windows\System32\yaigjkvq\sezwdccq.exeexecutable
MD5:68AC7B55DE0DB58683E24AC673AE747D
SHA256:DED56FC25D80D58C8420816EE46490CD01763D4EFE08020DC9F2E63C4D7ADA57
2436206ef01e49cf89cce3ae37b77147637b.exeC:\Users\admin\AppData\Local\Temp\sezwdccq.exeexecutable
MD5:68AC7B55DE0DB58683E24AC673AE747D
SHA256:DED56FC25D80D58C8420816EE46490CD01763D4EFE08020DC9F2E63C4D7ADA57
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
14
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2800
svchost.exe
20.103.85.33:80
microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
suspicious
74.125.133.27:25
smtp.google.com
GOOGLE
US
whitelisted
2800
svchost.exe
67.195.228.106:25
mta7.am0.yahoodns.net
YAHOO-GQ1
US
unknown
2800
svchost.exe
104.47.54.36:25
microsoft-com.mail.protection.outlook.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2800
svchost.exe
45.9.20.250:443
refabyd.info
RU
unknown
2800
svchost.exe
217.69.139.150:25
mxs.mail.ru
LLC VK
RU
unknown

DNS requests

Domain
IP
Reputation
microsoft.com
  • 20.103.85.33
  • 20.84.181.62
  • 20.53.203.50
  • 20.112.52.29
  • 20.81.111.85
whitelisted
defeatwax.ru
malicious
microsoft-com.mail.protection.outlook.com
  • 104.47.54.36
  • 104.47.53.36
  • 40.93.207.0
  • 52.101.40.29
  • 40.93.207.2
  • 40.93.207.1
whitelisted
yahoo.com
whitelisted
mta7.am0.yahoodns.net
  • 67.195.228.106
  • 67.195.204.73
  • 67.195.204.74
  • 98.136.96.76
  • 67.195.228.111
  • 67.195.228.94
  • 98.136.96.75
  • 67.195.228.109
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
google.com
whitelisted
smtp.google.com
  • 74.125.133.27
  • 74.125.133.26
  • 74.125.140.26
  • 74.125.140.27
  • 108.177.15.26
whitelisted
mail.ru
whitelisted
mxs.mail.ru
  • 217.69.139.150
  • 94.100.180.31
shared

Threats

No threats detected
No debug info