| File name: | mal.exe |
| Full analysis: | https://app.any.run/tasks/bf7d487b-29a8-4259-a10d-27f187442917 |
| Verdict: | Malicious activity |
| Analysis date: | December 28, 2023, 09:11:35 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 34510CEB373808C65949CBBE111BF2E3 |
| SHA1: | A7BCF10B90014353744F43C010B27B764AF4D179 |
| SHA256: | 591BE7D2050CD4F7946B22B42575F108EA8B3299519774118FE4ABB8051C5CF5 |
| SSDEEP: | 3072:/caqyte61V77snHLLxtLyaXOqdPNbnhW4IxZx5kCZuubFrhU1wKKrONmI:/caBtT77snHRAY7PNNW4IxZ7zbC0rONR |
MALICIOUS
Scans artifacts that could help determine the target
- WinMail.exe (PID: 532)
Runs injected code in another process
- suzu.exe (PID: 392)
SUSPICIOUS
Detected use of alternative data streams (AltDS)
- WinMail.exe (PID: 532)
Reads Microsoft Outlook installation path
- WinMail.exe (PID: 532)
Reads Internet Explorer settings
- WinMail.exe (PID: 532)
Reads the Internet Settings
- WinMail.exe (PID: 532)
- mal.exe (PID: 2040)
- suzu.exe (PID: 392)
- cmd.exe (PID: 1656)
Checks Windows Trust Settings
- WinMail.exe (PID: 532)
Reads security settings of Internet Explorer
- WinMail.exe (PID: 532)
Reads settings of System Certificates
- WinMail.exe (PID: 532)
Executing commands from a ".bat" file
- mal.exe (PID: 2040)
Starts CMD.EXE for commands execution
- mal.exe (PID: 2040)
INFO
Drops the executable file immediately after the start
- mal.exe (PID: 2040)
- WinMail.exe (PID: 532)
Reads the computer name
- WinMail.exe (PID: 532)
- mal.exe (PID: 2040)
- suzu.exe (PID: 392)
Starts itself from another location
- mal.exe (PID: 2040)
Checks supported languages
- mal.exe (PID: 2040)
- suzu.exe (PID: 392)
- WinMail.exe (PID: 532)
Creates files or folders in the user directory
- mal.exe (PID: 2040)
- WinMail.exe (PID: 532)
Reads the Internet Settings
- explorer.exe (PID: 1164)
- ctfmon.exe (PID: 1564)
Reads the machine GUID from the registry
- WinMail.exe (PID: 532)
Checks proxy server information
- WinMail.exe (PID: 532)
Create files in a temporary directory
- WinMail.exe (PID: 532)
- mal.exe (PID: 2040)
Application was injected by another process
- explorer.exe (PID: 1164)
- ctfmon.exe (PID: 1564)
Drops a self-deleting batch file
- mal.exe (PID: 2040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (42.5) |
|---|---|---|
| .exe | | | DOS Executable Borland Pascal 7.0x (19.2) |
| .exe | | | Generic Win/DOS Executable (18.8) |
| .exe | | | DOS Executable Generic (18.8) |
| .vxd | | | VXD Driver (0.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2011:04:14 17:07:12+02:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 132608 |
| InitializedDataSize: | 14848 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1d470 |
| OSVersion: | 5.1 |
| ImageVersion: | 1 |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
39
Monitored processes
6
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 392 | "C:\Users\admin\AppData\Roaming\Tyysoz\suzu.exe" | C:\Users\admin\AppData\Roaming\Tyysoz\suzu.exe | — | mal.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 532 | "C:\Program Files\Windows Mail\WinMail.exe" -Embedding | C:\Program Files\Windows Mail\WinMail.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Mail Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1164 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1564 | C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CTF Loader Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1656 | "C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\tmpaf858934.bat" | C:\Windows\System32\cmd.exe | — | mal.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2040 | "C:\Users\admin\Desktop\mal.exe" | C:\Users\admin\Desktop\mal.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
6 095
Read events
6 050
Write events
39
Delete events
6
Modification events
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000DBDD10622BD67741A42163F361389C4700000000020000000000106600000001000020000000714C0B985B0540658F4A2080B484A48FEA0193B4945278E76DEADC9EF300F178000000000E80000000020000200000002B477AD6A48910EDA2BF44A8E4FAAFB7E2EDF3EE6F87B8965B303D8016BD90EA30000000CB02147CAA96DADF9F5A3BD08AC8A954F632048A3EC443FAA534C64E43A96953CAB4A202A2BC0443ADBC5B693897DBB44000000078BCD17E1DCD91E99A86D38616C049FA8C5E2A7C07BB269B76B0709DC8A01ABF25866BF6638D5C4422D1151CE173748901F5A2433E1BD07914E254B07BB130FD | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail |
| Operation: | write | Name: | StoreMigratedV5 |
Value: 1 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail |
| Operation: | write | Name: | Settings Upgraded |
Value: 10 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\IAM |
| Operation: | write | Name: | Server ID |
Value: 2 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Identities |
| Operation: | write | Name: | Identity Ordinal |
Value: 2 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail |
| Operation: | write | Name: | LastBackup |
Value: E1070A0004000500090014000400CA01 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\IAM |
| Operation: | write | Name: | Default News Account |
Value: account{30CE7C98-AA27-4327-91CA-78FA20FFA850}.oeaccount | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\WAB |
| Operation: | delete value | Name: | NamedProps |
Value: 0420060000000000C00000000000004604000000000000800E0000000100330032003800350034000000000001800E0000000100330032003800350035000000000002800E0000000100330032003800350036000000000003800E0000000100330032003800350037000000 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\WAB |
| Operation: | delete value | Name: | NamedPropCount |
Value: 1 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\WAB |
| Operation: | delete value | Name: | NamedProps |
Value: 0420060000000000C00000000000004604000000000000800E0000000100330032003800350034000000000001800E0000000100330032003800350035000000000002800E0000000100330032003800350036000000000003800E0000000100330032003800350037000000813284C18505D011B29000AA003CF6760B000000000004800E0000000100330032003700360039000000000005800E0000000100330032003700370030000000000006800E0000000100330032003700370031000000000007800E0000000100330032003700370032000000000008800E0000000100330032003700370033000000000009800E000000010033003200370037003400000000000A800E000000010033003200370037003500000000000B800E000000010033003200370037003600000000000C800E000000010033003200370037003700000000000D800E000000010033003200370037003800000000000E800E0000000100330032003700370039000000 | |||
Executable files
2
Suspicious files
19
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat | binary | |
MD5:7BCE17770CFA251151D3BC5E7F33504E | SHA256:F3EBD7A2B98427D302864323CFB22165AB8DF25A74983EEE5CADDC6041271AC1 | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log | binary | |
MD5:09F9EC30C43F61C1B4E3CF574CEF1740 | SHA256:3A2C8485989DE3437B107D5459308E6984CC2D0F029B25CA74DFA0BC4B754054 | |||
| 2040 | mal.exe | C:\Users\admin\AppData\Roaming\Tyysoz\suzu.exe | executable | |
MD5:C0F2E5484EC7B35F45830F08E4C9359F | SHA256:B03140A85D3AF3E839852E5DF5495CE78259553C14EC2CA75E1C353C5F47F2CD | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore | binary | |
MD5:B1A0555C7A4C2DEF7307B024F47851AC | SHA256:B30DF99C5A63BF0AC8A256FA03C4CD787B503942360D1B0A62633A181E3038B8 | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore | binary | |
MD5:12D22E407831BC4112FCA83C01A3506F | SHA256:D02484C62782FF74A7EB4D39B8858B009680DD5E5246D2059819BF0AFFF99F2E | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edbtmp.log | binary | |
MD5:8CA8FC7DCA2CE110E9297E3A81859E03 | SHA256:51356EFAAF12921F1B3C43F710E95546E36906350623ED8ADEE40772BE370FCB | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log | binary | |
MD5:C91F5B8910A328E932A8B7DC2DD83129 | SHA256:0A9B71FC98C54742E9E5C3D95879FBEAC80A366654A0540389B9D6F6449F4D0A | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol | binary | |
MD5:60A3B6592DE01A4CB2E07DA218C9F34B | SHA256:8AD29C309236F0210E3AE7AF8ADEDF1642A9E561498F9320B50CEC8938EE8B83 | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol | binary | |
MD5:639576DAA0EC432482ADC290DB5DA4CC | SHA256:B56D2C191A46CB8E816BA1B23DAED89947628DBAEFE28B430412B1E507AD9161 | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Microsoft Communities\account{30CE7C98-AA27-4327-91CA-78FA20FFA850}.oeaccount | xml | |
MD5:55E3E8579DB5F3CE6A7355D8AD8B84B9 | SHA256:5EA5B63A0EEB81C9EE0A52213D43125C2E3CEBAC97CFAD811EEF9F45A282E6BE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
13
DNS requests
7
Threats
24
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | DE | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | DE | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | DE | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | DE | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | DE | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | DE | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | DE | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | DE | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | DE | xml | 341 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
276 | taskhost.exe | 49.13.77.253:80 | root-me-dans-ton.onion | Hetzner Online GmbH | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
root-me-dans-ton.onion |
| unknown |
dns.msftncsi.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
276 | taskhost.exe | A Network Trojan was detected | ET MALWARE Zbot Generic URI/Header Struct .bin |
276 | taskhost.exe | A Network Trojan was detected | ET MALWARE Possible Zbot Activity Common Download Struct |
276 | taskhost.exe | A Network Trojan was detected | ET MALWARE Possible Zbot Activity Common Download Struct |
276 | taskhost.exe | A Network Trojan was detected | ET MALWARE Zbot Generic URI/Header Struct .bin |