File name: SpySheriff.exe
Full analysis: https://app.any.run/tasks/7cbe5cb2-29ce-4e2d-88d1-cf60e0e8ae87
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: April 24, 2024, 09:27:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rogue, trojan, spysheriff

Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C899F93E8B753FEDD068EF3FE2EDB0FD
SHA1: 144B1F18D0E307D14937C21CA1D7CBFC91828A10
SHA256: 5C2A85FB56DE2E0A1A1D260EF2177E0209477586C8A6740494BBAF40A9785F47
SSDEEP: 12288:eBMDMf+ztV53y2k9I68iXDycz+rYIYsVRSHsDrL:eS4S53h68eIZjDP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • SpySheriff.exe (PID: 324)
    • Drops an executable file immediately after start
      • SpySheriff.exe (PID: 324)
    • Scans artifacts that could help determine the target
      • SpySheriff.exe (PID: 324)
  • SUSPICIOUS
    • Creates a file in the system drive root
      • SpySheriff.exe (PID: 324)
    • Reads security settings of Internet Explorer
      • SpySheriff.exe (PID: 324)
    • Checks whether Java is installed
      • SpySheriff.exe (PID: 324)
    • Reads Internet Explorer settings
      • SpySheriff.exe (PID: 324)
    • Reads settings of System Certificates
      • SpySheriff.exe (PID: 324)
    • Checks Windows Trust Settings
      • SpySheriff.exe (PID: 324)
    • Checks whether .NET is installed
      • SpySheriff.exe (PID: 324)
    • Reads Microsoft Outlook installation path
      • SpySheriff.exe (PID: 324)
    • Reads the history of recent RDP connections
      • SpySheriff.exe (PID: 324)
    • Reads the Internet Settings
      • SpySheriff.exe (PID: 324)
    • Checks the default browser
      • SpySheriff.exe (PID: 324)
    • Reads startup parameters
      • SpySheriff.exe (PID: 324)
    • Accesses Microsoft Outlook profiles
      • SpySheriff.exe (PID: 324)
  • INFO
    • Manual execution by a user
      • iexplore.exe (PID: 2740)
    • Checks supported languages
      • SpySheriff.exe (PID: 324)
    • Process checks computer location settings
      • SpySheriff.exe (PID: 324)
    • Reads the computer name
      • SpySheriff.exe (PID: 324)
    • Reads mouse settings
      • SpySheriff.exe (PID: 324)
    • Process checks Internet Explorer phishing filters
      • SpySheriff.exe (PID: 324)
    • Reads Microsoft Office registry keys
      • SpySheriff.exe (PID: 324)
    • Checks proxy server information
      • SpySheriff.exe (PID: 324)
    • Application launched itself
      • iexplore.exe (PID: 2740)
    • Checks transactions between Windows and Oracle databases
      • SpySheriff.exe (PID: 324)
    • Reads the machine GUID from the registry
      • SpySheriff.exe (PID: 324)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) | 52.9%
.exe | Generic Win/DOS Executable | 23.5%
.exe | DOS Executable Generic | 23.5%

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:02:24 11:33:55+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 698368
InitializedDataSize: 420290560
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process tree, from the parent-process column below)

start (explorer.exe) -> spysheriff.exe (PID 324)
start (explorer.exe) -> iexplore.exe (PID 2740) -> iexplore.exe (PID 3084)

Process information

PID: 324
CMD: "C:\Users\admin\Desktop\SpySheriff.exe"
Path: C:\Users\admin\Desktop\SpySheriff.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\desktop\spysheriff.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll

PID: 2740
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\iertutil.dll

PID: 3084
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2740 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\iertutil.dll
Total events: 216 865
Read events: 216 684
Write events: 138
Delete events: 43

Modification events

PID | Process | Key | Operation | Name | Value
324 | SpySheriff.exe | HKEY_CURRENT_USER\Software\SpySheriff | write | ScanOnStartup | 1
324 | SpySheriff.exe | HKEY_CURRENT_USER\Software\SpySheriff | write | PlaySounds | 1
324 | SpySheriff.exe | HKEY_CURRENT_USER\Software\SpySheriff | write | ScheduledScan | 0
324 | SpySheriff.exe | HKEY_CURRENT_USER\Software\SpySheriff | write | ScheduledScanHour | 0
324 | SpySheriff.exe | HKEY_CURRENT_USER\Software\SpySheriff | write | ScheduledScanMin | 0
324 | SpySheriff.exe | HKEY_CURRENT_USER\Software\SpySheriff | write | SecurityLevel | 2
324 | SpySheriff.exe | HKEY_CURRENT_USER\Software\SpySheriff | write | Uninstall | C:\Users\admin\Desktop
324 | SpySheriff.exe | HKEY_CURRENT_USER\Software\SpySheriff\IE Security | write | BlockIframeTags | 0
324 | SpySheriff.exe | HKEY_CURRENT_USER\Software\SpySheriff\IE Security | write | BlockJavascripts | 0
324 | SpySheriff.exe | HKEY_CURRENT_USER\Software\SpySheriff\IE Security | write | BlockLocations | 0
Executable files: 0
Suspicious files: 5
Text files: 145
Unknown types: 3

Dropped files (cells the report left empty are shown as "-")

PID | Process | Filename | Type | MD5 | SHA256
3084 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\qsml[1].xml | - | - | -
3084 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\qsml[1].xml | - | - | -
2740 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[2].ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3084 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\qsml[1].xml | - | - | -
3084 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53 | der | 5E1C044361FEC457024FCE1E5A978609 | 9B5CFC0578603365E6CA2804E112CBD825AAE6983C7FB344CCB936AE20C0D8E3
2740 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A | binary | FBE88987346BF076209D26AF70873CB0 | 8C4621DFF67646504EB2160B2D1322267EF8E32F308578379726CF231E98BF8A
2740 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A | der | EB6AC869DB45FDCAC124B22AC7128B56 | BFB060F60268B5AD7FBB0D4F234465F949C9AEA069B24AE6E22C7FB3FCF037DA
2740 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
2740 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3084 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\qsml[1].xml | - | - | -
HTTP(S) requests: 7
TCP/UDP connections: 41
DNS requests: 10
Threats: 0

HTTP requests (the Type and Size columns were empty for every row)

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2740 | iexplore.exe | GET | 304 | 173.222.108.115:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?43b18d99c1a9a1db | unknown | unknown
2740 | iexplore.exe | GET | 304 | 173.222.108.115:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e4be019b4f150fcf | unknown | unknown
3084 | iexplore.exe | GET | 304 | 173.222.108.115:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?37f4e5b01d909904 | unknown | unknown
3084 | iexplore.exe | GET | 304 | 173.222.108.115:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?996dbed5eb9efbe9 | unknown | unknown
2740 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | unknown
3084 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | unknown
3084 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown

Connections (cells the report left empty are shown as "-")

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
324 | SpySheriff.exe | 69.50.167.171:80 | - | SOHOSKYWAY1 | CA | unknown
2740 | iexplore.exe | 173.222.108.41:443 | www.bing.com | Akamai International B.V. | CH | unknown
3084 | iexplore.exe | 13.107.5.80:443 | api.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2740 | iexplore.exe | 173.222.108.115:80 | ctldl.windowsupdate.com | Akamai International B.V. | CH | unknown
3084 | iexplore.exe | 173.222.108.115:80 | ctldl.windowsupdate.com | Akamai International B.V. | CH | unknown
2740 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 173.222.108.41, 173.222.108.57, 173.222.108.50 | whitelisted
ctldl.windowsupdate.com | 173.222.108.115, 80.67.82.73 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
r.bing.com | 173.222.108.50, 173.222.108.57, 173.222.108.41 | whitelisted
th.bing.com | 173.222.108.57, 173.222.108.50, 173.222.108.41 | whitelisted
login.microsoftonline.com | 40.126.32.133, 40.126.32.136, 20.190.160.22, 40.126.32.140, 20.190.160.17, 40.126.32.74, 40.126.32.134, 40.126.32.138 | whitelisted

Threats

No threats detected
No debug info