File name: z.exe

Full analysis: https://app.any.run/tasks/73e0acbb-458f-4b8b-b0c8-5e58a8ce87a5
Verdict: Malicious activity
Analysis date: November 16, 2023, 15:54:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5: 731ED24011DF3A33FE5D3765BF424B0C
SHA1: 104DAF0B26D10FF8A79F77116C0532F0EC3C3320
SHA256: 5C737E8E5E7CEDF0C061E62F4FB7CC2FDF06CE0E79877CC0A6563395FD37CE57
SSDEEP: 24576:ovWcnspIzGr8fbPRnAr2Du37vuYX7ubaZWqbaX2T2qsm5oTFM6wwtPQV2LWgyjYO:oEnAf9Ar2i37uILZQGqTFMC6V2LPUYvG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • z.exe (PID: 3436)
  • SUSPICIOUS

    • Checks for external IP

      • z.exe (PID: 3436)
  • INFO

    • Checks supported languages

      • wmpnscfg.exe (PID: 3164)
      • z.exe (PID: 3436)
      • wmpnscfg.exe (PID: 3880)
    • Reads the computer name

      • z.exe (PID: 3436)
      • wmpnscfg.exe (PID: 3164)
      • wmpnscfg.exe (PID: 3880)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3164)
      • wmpnscfg.exe (PID: 3880)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3164)
      • wmpnscfg.exe (PID: 3880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 3
CodeSize: 1527808
InitializedDataSize: 4096
UninitializedDataSize: 3452928
EntryPoint: 0x4c0cb0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 43
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start: z.exe, systeminfo.exe (no specs), wmpnscfg.exe (no specs), wmpnscfg.exe (no specs)

Process information

PID: 3164
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll

PID: 3436
CMD: "C:\Users\admin\AppData\Local\Temp\z.exe"
Path: C:\Users\admin\AppData\Local\Temp\z.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 2
Modules (Images):
c:\users\admin\appdata\local\temp\z.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll

PID: 3456
CMD: systeminfo
Path: C:\Windows\System32\systeminfo.exe
Parent process: z.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Displays system information
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\systeminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3880
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events: 274
Read events: 266
Write events: 2
Delete events: 6

Modification events

(PID) Process | Key | Operation | Name | Value
(3164) wmpnscfg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{1DA43DF7-74B1-45B0-BB54-709BDF1A1DD8}\{F7D0F2CC-43B6-4A2F-B6AD-D71B073A458A} | delete key | (default) |
(3164) wmpnscfg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{1DA43DF7-74B1-45B0-BB54-709BDF1A1DD8} | delete key | (default) |
(3164) wmpnscfg.exe | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{F09D73D6-0856-4516-AA86-4051024D5FE6} | delete key | (default) |
(3456) systeminfo.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E | write | LanguageList | en-US
(3880) wmpnscfg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{4101BD30-9A5F-4F6A-A131-C9870C8EA8A0}\{7F1CE974-C170-4DB0-919F-449E5443A6C5} | delete key | (default) |
(3880) wmpnscfg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{4101BD30-9A5F-4F6A-A131-C9870C8EA8A0} | delete key | (default) |
(3880) wmpnscfg.exe | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{0D6535D3-1EA8-4A1F-841F-C55EFEE4C550} | delete key | (default) |
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 7
DNS requests: 2
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3436 | z.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | binary | 293 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3436 | z.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
3436 | z.exe | 185.106.93.137:443 | | Galaxy LLC | RU | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
868 | svchost.exe | 95.101.148.135:80 | armmf.adobe.com | Akamai International B.V. | NL | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted

DNS requests

Domain | IP | Reputation
ip-api.com | 208.95.112.1 | shared
armmf.adobe.com | 95.101.148.135 | whitelisted

Threats

PID | Process | Class | Message
3436 | z.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3436 | z.exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
3436 | z.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com