| File name: | mal.exe |
| Full analysis: | https://app.any.run/tasks/bf7d487b-29a8-4259-a10d-27f187442917 |
| Verdict: | Malicious activity |
| Analysis date: | December 28, 2023, 09:11:35 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 34510CEB373808C65949CBBE111BF2E3 |
| SHA1: | A7BCF10B90014353744F43C010B27B764AF4D179 |
| SHA256: | 591BE7D2050CD4F7946B22B42575F108EA8B3299519774118FE4ABB8051C5CF5 |
| SSDEEP: | 3072:/caqyte61V77snHLLxtLyaXOqdPNbnhW4IxZx5kCZuubFrhU1wKKrONmI:/caBtT77snHRAY7PNNW4IxZ7zbC0rONR |
MALICIOUS
Runs injected code in another process
- suzu.exe (PID: 392)
Scans artifacts that could help determine the target
- WinMail.exe (PID: 532)
SUSPICIOUS
Reads security settings of Internet Explorer
- WinMail.exe (PID: 532)
Reads Internet Explorer settings
- WinMail.exe (PID: 532)
Reads settings of System Certificates
- WinMail.exe (PID: 532)
Executing commands from a ".bat" file
- mal.exe (PID: 2040)
Reads the Internet Settings
- mal.exe (PID: 2040)
- suzu.exe (PID: 392)
- cmd.exe (PID: 1656)
- WinMail.exe (PID: 532)
Starts CMD.EXE for commands execution
- mal.exe (PID: 2040)
Reads Microsoft Outlook installation path
- WinMail.exe (PID: 532)
Detected use of alternative data streams (AltDS)
- WinMail.exe (PID: 532)
Checks Windows Trust Settings
- WinMail.exe (PID: 532)
INFO
Drops the executable file immediately after the start
- mal.exe (PID: 2040)
- WinMail.exe (PID: 532)
Reads the computer name
- mal.exe (PID: 2040)
- suzu.exe (PID: 392)
- WinMail.exe (PID: 532)
Checks supported languages
- mal.exe (PID: 2040)
- suzu.exe (PID: 392)
- WinMail.exe (PID: 532)
Starts itself from another location
- mal.exe (PID: 2040)
Creates files or folders in the user directory
- mal.exe (PID: 2040)
- WinMail.exe (PID: 532)
Reads the Internet Settings
- explorer.exe (PID: 1164)
- ctfmon.exe (PID: 1564)
Reads the machine GUID from the registry
- WinMail.exe (PID: 532)
Application was injected by another process
- ctfmon.exe (PID: 1564)
- explorer.exe (PID: 1164)
Drops a self-deleting batch file
- mal.exe (PID: 2040)
Create files in a temporary directory
- WinMail.exe (PID: 532)
- mal.exe (PID: 2040)
Checks proxy server information
- WinMail.exe (PID: 532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (42.5) |
|---|---|---|
| .exe | | | DOS Executable Borland Pascal 7.0x (19.2) |
| .exe | | | Generic Win/DOS Executable (18.8) |
| .exe | | | DOS Executable Generic (18.8) |
| .vxd | | | VXD Driver (0.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2011:04:14 17:07:12+02:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 132608 |
| InitializedDataSize: | 14848 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1d470 |
| OSVersion: | 5.1 |
| ImageVersion: | 1 |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
39
Monitored processes
6
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 392 | "C:\Users\admin\AppData\Roaming\Tyysoz\suzu.exe" | C:\Users\admin\AppData\Roaming\Tyysoz\suzu.exe | — | mal.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 532 | "C:\Program Files\Windows Mail\WinMail.exe" -Embedding | C:\Program Files\Windows Mail\WinMail.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Mail Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1164 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1564 | C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CTF Loader Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1656 | "C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\tmpaf858934.bat" | C:\Windows\System32\cmd.exe | — | mal.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2040 | "C:\Users\admin\Desktop\mal.exe" | C:\Users\admin\Desktop\mal.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
6 095
Read events
6 050
Write events
39
Delete events
6
Modification events
| (PID) Process: | (1164) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000DBDD10622BD67741A42163F361389C4700000000020000000000106600000001000020000000714C0B985B0540658F4A2080B484A48FEA0193B4945278E76DEADC9EF300F178000000000E80000000020000200000002B477AD6A48910EDA2BF44A8E4FAAFB7E2EDF3EE6F87B8965B303D8016BD90EA30000000CB02147CAA96DADF9F5A3BD08AC8A954F632048A3EC443FAA534C64E43A96953CAB4A202A2BC0443ADBC5B693897DBB44000000078BCD17E1DCD91E99A86D38616C049FA8C5E2A7C07BB269B76B0709DC8A01ABF25866BF6638D5C4422D1151CE173748901F5A2433E1BD07914E254B07BB130FD | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail |
| Operation: | write | Name: | StoreMigratedV5 |
Value: 1 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail |
| Operation: | write | Name: | Settings Upgraded |
Value: 10 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\IAM |
| Operation: | write | Name: | Server ID |
Value: 2 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Identities |
| Operation: | write | Name: | Identity Ordinal |
Value: 2 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail |
| Operation: | write | Name: | LastBackup |
Value: E1070A0004000500090014000400CA01 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\IAM |
| Operation: | write | Name: | Default News Account |
Value: account{30CE7C98-AA27-4327-91CA-78FA20FFA850}.oeaccount | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\WAB |
| Operation: | delete value | Name: | NamedProps |
Value: 0420060000000000C00000000000004604000000000000800E0000000100330032003800350034000000000001800E0000000100330032003800350035000000000002800E0000000100330032003800350036000000000003800E0000000100330032003800350037000000 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\WAB |
| Operation: | delete value | Name: | NamedPropCount |
Value: 1 | |||
| (PID) Process: | (532) WinMail.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\WAB |
| Operation: | delete value | Name: | NamedProps |
Value: 0420060000000000C00000000000004604000000000000800E0000000100330032003800350034000000000001800E0000000100330032003800350035000000000002800E0000000100330032003800350036000000000003800E0000000100330032003800350037000000813284C18505D011B29000AA003CF6760B000000000004800E0000000100330032003700360039000000000005800E0000000100330032003700370030000000000006800E0000000100330032003700370031000000000007800E0000000100330032003700370032000000000008800E0000000100330032003700370033000000000009800E000000010033003200370037003400000000000A800E000000010033003200370037003500000000000B800E000000010033003200370037003600000000000C800E000000010033003200370037003700000000000D800E000000010033003200370037003800000000000E800E0000000100330032003700370039000000 | |||
Executable files
2
Suspicious files
19
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat | binary | |
MD5:7BCE17770CFA251151D3BC5E7F33504E | SHA256:F3EBD7A2B98427D302864323CFB22165AB8DF25A74983EEE5CADDC6041271AC1 | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol | binary | |
MD5:1D1A60631EFCF505795FB06471CB6A48 | SHA256:87EED194D869F1DEC6EBF639E985101ABAD37F6E5A347237A1B056B2DCBFC481 | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edbtmp.log | binary | |
MD5:8CA8FC7DCA2CE110E9297E3A81859E03 | SHA256:51356EFAAF12921F1B3C43F710E95546E36906350623ED8ADEE40772BE370FCB | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol | binary | |
MD5:9EF0149FAEFF67AA41DA62C9A4B3226C | SHA256:4B8D7DCC16F962586F50184B40E8AD4D2B6E1980ECCACE178BC4B4D645751E49 | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol | binary | |
MD5:639576DAA0EC432482ADC290DB5DA4CC | SHA256:B56D2C191A46CB8E816BA1B23DAED89947628DBAEFE28B430412B1E507AD9161 | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4D490432-00000001.eml | binary | |
MD5:F6BFBFFE3D0E0BFA377776B403B1E747 | SHA256:2170F3A13CC168298752E1D23674F8C590A73844281B709225EB989A8B02DBE9 | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol | binary | |
MD5:4BCBF3AE2DB0F8AEE8E792FD9BA8DA7F | SHA256:1A17F24F9D36E0ABE7E2C7C1AD06E30E9EBE674ED2E2E2E0FB9FD451C4D64B51 | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Microsoft Communities\account{30CE7C98-AA27-4327-91CA-78FA20FFA850}.oeaccount | xml | |
MD5:55E3E8579DB5F3CE6A7355D8AD8B84B9 | SHA256:5EA5B63A0EEB81C9EE0A52213D43125C2E3CEBAC97CFAD811EEF9F45A282E6BE | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log | binary | |
MD5:C91F5B8910A328E932A8B7DC2DD83129 | SHA256:0A9B71FC98C54742E9E5C3D95879FBEAC80A366654A0540389B9D6F6449F4D0A | |||
| 532 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat | binary | |
MD5:7BCE17770CFA251151D3BC5E7F33504E | SHA256:F3EBD7A2B98427D302864323CFB22165AB8DF25A74983EEE5CADDC6041271AC1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
13
DNS requests
7
Threats
24
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | unknown | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | unknown | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | unknown | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | unknown | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | unknown | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | unknown | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | unknown | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | unknown | xml | 341 b | unknown |
276 | taskhost.exe | GET | 404 | 49.13.77.253:80 | http://root-me-dans-ton.onion/zeus/config.bin | unknown | xml | 341 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
276 | taskhost.exe | 49.13.77.253:80 | root-me-dans-ton.onion | Hetzner Online GmbH | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
root-me-dans-ton.onion |
| unknown |
dns.msftncsi.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
1080 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR |
276 | taskhost.exe | A Network Trojan was detected | ET MALWARE Zbot Generic URI/Header Struct .bin |
276 | taskhost.exe | A Network Trojan was detected | ET MALWARE Possible Zbot Activity Common Download Struct |
276 | taskhost.exe | A Network Trojan was detected | ET MALWARE Possible Zbot Activity Common Download Struct |
276 | taskhost.exe | A Network Trojan was detected | ET MALWARE Zbot Generic URI/Header Struct .bin |