analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 206ef01e49cf89cce3ae37b77147637b |
| Full analysis: | https://app.any.run/tasks/d805adf6-2a49-429b-9e87-1371fa94b529 |
| Verdict: | Malicious activity |
| Analysis date: | December 06, 2022, 06:21:03 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 206EF01E49CF89CCE3AE37B77147637B |
| SHA1: | E3A610A77740F91B8085534BDF4EA530D9A8CA1C |
| SHA256: | 50ED7FF89205B20B7AA7538438B2AF93BBF61BC9488F5EB7E3DC673B0579A2F2 |
| SSDEEP: | 6144:Df7ySH2VV6yOoxypbVchDauBsj92P2hdLP4WBfO:PjEV65kypbVEDkj8OhdP40f |
MALICIOUS
Application was dropped or rewritten from another process
- sezwdccq.exe (PID: 2888)
TOFSEE detected by memory dumps
- svchost.exe (PID: 2800)
SUSPICIOUS
Connects to SMTP port
- svchost.exe (PID: 2800)
INFO
Executable content was dropped or overwritten
- cmd.exe (PID: 3804)
Drops the executable file immediately after the start
- cmd.exe (PID: 3804)
Drops a file that was compiled in debug mode
- cmd.exe (PID: 3804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Tofsee
(PID) Process(2800) svchost.exe
Encrypted Strings (59)c:\Windows
\system32\
ImagePath
.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSConfig
/r
.exe
cmd /C move /Y "%s" %s
sc config %s binPath= "%s%s /d\"%s\""
sc start %s
svchost.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin
PromptOnSecureDesktop
MSConfig
:.repos
USERPROFILE
\Local Settings:.repos
USERPROFILE
\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.repos
USERPROFILE
\wincookie.repos
TMP
Config
Control Panel\Buses
Config
SOFTWARE\Microsoft\Buses
Config
Control Panel\Buses
Config
SOFTWARE\Microsoft\Buses
SYSTEM\CurrentControlSet\services
ImagePath
SYSTEM\CurrentControlSet\services
SYSTEM\CurrentControlSet\services
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.exe
qazwsxed
%s%i%i%i%i.bat
@echo off
:next_try
del "%s">nul
if exist "%s" (
ping 127.0.0.1 >nul
goto next_try
)
del %%0
svchost.exe
.exe
/u
USERPROFILE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/d
/e
/d
/e
.exe
"%s" /u"%s"
USERPROFILE
.exe
USERPROFILE
USERPROFILE
ver=%d lid=%d
win=%X/%d sid=%s
rep=%s
C2 (2)defeatwax.ru
refabyd.info
TRiD
| .exe | | | InstallShield setup (26.8) |
| .exe | | | Win32 EXE PECompact compressed (generic) (25.8) |
| .exe | | | Win32 Executable MS Visual C++ (generic) (19.4) |
| .exe | | | Win64 Executable (generic) (17.2) |
| .dll | | | Win32 Dynamic Link Library (generic) (4) |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 2020-Oct-10 04:33:19 |
| Detected languages: |
|
| Debug artifacts: |
|
DOS Header
| e_magic: | MZ |
| e_cblp: | 144 |
| e_cp: | 3 |
| e_crlc: | 0 |
| e_cparhdr: | 4 |
| e_minalloc: | 0 |
| e_maxalloc: | 65535 |
| e_ss: | 0 |
| e_sp: | 184 |
| e_csum: | 0 |
| e_ip: | 0 |
| e_cs: | 0 |
| e_ovno: | 0 |
| e_oemid: | 0 |
| e_oeminfo: | 0 |
| e_lfanew: | 240 |
PE Headers
| Signature: | PE |
| Machine: | IMAGE_FILE_MACHINE_I386 |
| NumberofSections: | 4 |
| TimeDateStamp: | 2020-Oct-10 04:33:19 |
| PointerToSymbolTable: | 0 |
| NumberOfSymbols: | 0 |
| SizeOfOptionalHeader: | 224 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 4096 | 112720 | 113152 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.54436 |
.rdata | 118784 | 14072 | 14336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.24671 |
.data | 135168 | 30527464 | 9216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.15201 |
.rsrc | 30662656 | 128696 | 129024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.59894 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 4.18245 | 3752 | UNKNOWN | Slovenian - Slovenia | RT_ICON |
2 | 5.08434 | 2216 | UNKNOWN | Slovenian - Slovenia | RT_ICON |
3 | 4.75704 | 1384 | UNKNOWN | Slovenian - Slovenia | RT_ICON |
4 | 6.54384 | 9640 | UNKNOWN | Slovenian - Slovenia | RT_ICON |
5 | 6.57546 | 4264 | UNKNOWN | Slovenian - Slovenia | RT_ICON |
6 | 6.543 | 1128 | UNKNOWN | Slovenian - Slovenia | RT_ICON |
7 | 5.64504 | 3752 | UNKNOWN | Slovenian - Slovenia | RT_ICON |
8 | 5.54768 | 2216 | UNKNOWN | Slovenian - Slovenia | RT_ICON |
9 | 5.85457 | 1384 | UNKNOWN | Slovenian - Slovenia | RT_ICON |
10 | 6.48963 | 9640 | UNKNOWN | Slovenian - Slovenia | RT_ICON |
Imports
KERNEL32.dll |
Total processes
52
Monitored processes
11
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2436 | "C:\Users\admin\AppData\Local\Temp\206ef01e49cf89cce3ae37b77147637b.exe" | C:\Users\admin\AppData\Local\Temp\206ef01e49cf89cce3ae37b77147637b.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2736 | "C:\Windows\System32\wusa.exe" | C:\Windows\System32\wusa.exe | — | 206ef01e49cf89cce3ae37b77147637b.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Update Standalone Installer Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3344 | "C:\Windows\System32\wusa.exe" | C:\Windows\System32\wusa.exe | 206ef01e49cf89cce3ae37b77147637b.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Update Standalone Installer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3256 | cmd /C mkdir C:\Windows\system32\yaigjkvq\ | C:\Windows\system32\cmd.exe | 206ef01e49cf89cce3ae37b77147637b.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3804 | cmd /C move /Y "C:\Users\admin\AppData\Local\Temp\sezwdccq.exe" C:\Windows\system32\yaigjkvq\ | C:\Windows\system32\cmd.exe | 206ef01e49cf89cce3ae37b77147637b.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2952 | sc create yaigjkvq binPath= "C:\Windows\system32\yaigjkvq\sezwdccq.exe /d\"C:\Users\admin\AppData\Local\Temp\206ef01e49cf89cce3ae37b77147637b.exe\"" type= own start= auto DisplayName= "wifi support" | C:\Windows\system32\sc.exe | 206ef01e49cf89cce3ae37b77147637b.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2052 | sc description yaigjkvq "wifi internet conection" | C:\Windows\system32\sc.exe | 206ef01e49cf89cce3ae37b77147637b.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1980 | sc start yaigjkvq | C:\Windows\system32\sc.exe | 206ef01e49cf89cce3ae37b77147637b.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2888 | C:\Windows\system32\yaigjkvq\sezwdccq.exe /d"C:\Users\admin\AppData\Local\Temp\206ef01e49cf89cce3ae37b77147637b.exe" | C:\Windows\system32\yaigjkvq\sezwdccq.exe | — | services.exe | |||||||||||
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 Modules
| |||||||||||||||
| 2800 | svchost.exe | C:\Windows\system32\svchost.exe | sezwdccq.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
Tofsee(PID) Process(2800) svchost.exe Encrypted Strings (59)c:\Windows \system32\ ImagePath .exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run SOFTWARE\Microsoft\Windows\CurrentVersion\Run MSConfig /r .exe cmd /C move /Y "%s" %s
sc config %s binPath= "%s%s /d\"%s\""
sc start %s svchost.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ConsentPromptBehaviorAdmin PromptOnSecureDesktop MSConfig :.repos USERPROFILE \Local Settings:.repos USERPROFILE \Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.repos USERPROFILE \wincookie.repos TMP Config Control Panel\Buses Config SOFTWARE\Microsoft\Buses Config Control Panel\Buses Config SOFTWARE\Microsoft\Buses SYSTEM\CurrentControlSet\services ImagePath SYSTEM\CurrentControlSet\services SYSTEM\CurrentControlSet\services SOFTWARE\Microsoft\Windows\CurrentVersion\Run SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths SOFTWARE\Microsoft\Windows\CurrentVersion\Run SOFTWARE\Microsoft\Windows\CurrentVersion\Run .exe qazwsxed %s%i%i%i%i.bat @echo off
:next_try
del "%s">nul
if exist "%s" (
ping 127.0.0.1 >nul
goto next_try
)
del %%0 svchost.exe .exe /u USERPROFILE SOFTWARE\Microsoft\Windows\CurrentVersion\Run /d /e /d /e .exe "%s" /u"%s" USERPROFILE .exe USERPROFILE USERPROFILE ver=%d lid=%d
win=%X/%d sid=%s
rep=%s C2 (2)defeatwax.ru refabyd.info | |||||||||||||||
Total events
989
Read events
917
Write events
72
Delete events
0
Modification events
| (PID) Process: | (2436) 206ef01e49cf89cce3ae37b77147637b.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2436) 206ef01e49cf89cce3ae37b77147637b.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2436) 206ef01e49cf89cce3ae37b77147637b.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2436) 206ef01e49cf89cce3ae37b77147637b.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2984) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2984) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\dhcpqec.dll,-100 |
Value: DHCP Quarantine Enforcement Client | |||
| (PID) Process: | (2984) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\dhcpqec.dll,-101 |
Value: Provides DHCP based enforcement for NAP | |||
| (PID) Process: | (2984) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\dhcpqec.dll,-103 |
Value: 1.0 | |||
| (PID) Process: | (2984) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\dhcpqec.dll,-102 |
Value: Microsoft Corporation | |||
| (PID) Process: | (2984) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\napipsec.dll,-1 |
Value: IPsec Relying Party | |||
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3804 | cmd.exe | C:\Windows\System32\yaigjkvq\sezwdccq.exe | executable | |
MD5:68AC7B55DE0DB58683E24AC673AE747D | SHA256:DED56FC25D80D58C8420816EE46490CD01763D4EFE08020DC9F2E63C4D7ADA57 | |||
| 2436 | 206ef01e49cf89cce3ae37b77147637b.exe | C:\Users\admin\AppData\Local\Temp\sezwdccq.exe | executable | |
MD5:68AC7B55DE0DB58683E24AC673AE747D | SHA256:DED56FC25D80D58C8420816EE46490CD01763D4EFE08020DC9F2E63C4D7ADA57 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
14
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2800 | svchost.exe | 45.9.20.250:443 | refabyd.info | — | RU | unknown |
2800 | svchost.exe | 217.69.139.150:25 | mxs.mail.ru | LLC VK | RU | unknown |
2800 | svchost.exe | 20.103.85.33:80 | microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | suspicious |
— | — | 74.125.133.27:25 | smtp.google.com | GOOGLE | US | whitelisted |
2800 | svchost.exe | 67.195.228.106:25 | mta7.am0.yahoodns.net | YAHOO-GQ1 | US | unknown |
2800 | svchost.exe | 104.47.54.36:25 | microsoft-com.mail.protection.outlook.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
microsoft.com |
| whitelisted |
defeatwax.ru |
| malicious |
microsoft-com.mail.protection.outlook.com |
| whitelisted |
yahoo.com |
| whitelisted |
mta7.am0.yahoodns.net |
| whitelisted |
dns.msftncsi.com |
| shared |
google.com |
| whitelisted |
smtp.google.com |
| whitelisted |
mail.ru |
| whitelisted |
mxs.mail.ru |
| shared |