analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

WinD64.exe

Full analysis: https://app.any.run/tasks/d3fb381e-5b12-4484-a190-9adc56f59272
Verdict: Malicious activity
Analysis date: December 05, 2022, 20:33:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

3E025BD7E2968C1CF83BF7E49E802546

SHA1:

86931E1A76A6DC3D35CB2FD863850E34F1F6EBF7

SHA256:

5F60C63595D91843A3A1A5633855E4AD6121A248D0BF0DAD57E2289090035863

SSDEEP:

49152:wJKouUHPVz9wSNSDjyWKS3m/UX0asMsFMvci:eWUvJ9wSUD2WL3mcLsJFMvV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • WinD64.exe (PID: 1152)
    • Drops the executable file immediately after the start

      • WinD64.exe (PID: 1152)
    • Changes firewall settings

      • WinD64.exe (PID: 2952)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinD64.exe (PID: 1152)
    • Uses NETSH.EXE for network configuration

      • WinD64.exe (PID: 2952)
    • Application launched itself

      • WinD64.exe (PID: 1152)
    • Connects to unusual port

      • WinD64.exe (PID: 2952)
  • INFO

    • Checks supported languages

      • WinD64.exe (PID: 1152)
      • WinD64.exe (PID: 2952)
    • Reads the computer name

      • WinD64.exe (PID: 1152)
      • WinD64.exe (PID: 2952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2022-Nov-09 09:12:24
FileDescription: -
FileVersion: 1.0.0.0
InternalName: Pdmzced.exe
LegalCopyright: -
OriginalFilename: Pdmzced.exe
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 2022-Nov-09 09:12:24
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
8192
2138132
2138624
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.9998
.rsrc
2154496
2048
2048
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.86655
.reloc
2162688
12
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.10191

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.22461
580
UNKNOWN
UNKNOWN
RT_VERSION
1 (#2)
5.07301
801
UNKNOWN
UNKNOWN
RT_MANIFEST

Imports

mscoree.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start wind64.exe wind64.exe netsh.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1152"C:\Users\admin\AppData\Local\Temp\WinD64.exe" C:\Users\admin\AppData\Local\Temp\WinD64.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
2952C:\Users\admin\AppData\Local\Temp\WinD64.exeC:\Users\admin\AppData\Local\Temp\WinD64.exe
WinD64.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
2504netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\WinD64.exe" "WinD64.exe" ENABLEC:\Windows\system32\netsh.exeWinD64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
876
Read events
812
Write events
64
Delete events
0

Modification events

(PID) Process:(1152) WinD64.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Cogjggcbzm
Value:
"C:\Users\admin\AppData\Roaming\Bsjmi\Cogjggcbzm.exe"
(PID) Process:(2952) WinD64.exeKey:HKEY_CURRENT_USER
Operation:writeName:di
Value:
!
(PID) Process:Key:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:Key:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-100
Value:
DHCP Quarantine Enforcement Client
(PID) Process:Key:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-101
Value:
Provides DHCP based enforcement for NAP
(PID) Process:Key:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-103
Value:
1.0
(PID) Process:Key:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-102
Value:
Microsoft Corporation
(PID) Process:Key:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:@%SystemRoot%\system32\napipsec.dll,-1
Value:
IPsec Relying Party
(PID) Process:Key:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:@%SystemRoot%\system32\napipsec.dll,-2
Value:
Provides IPsec based enforcement for Network Access Protection
(PID) Process:Key:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:@%SystemRoot%\system32\napipsec.dll,-4
Value:
1.0
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1152WinD64.exeC:\Users\admin\AppData\Roaming\Bsjmi\Cogjggcbzm.exeexecutable
MD5:3E025BD7E2968C1CF83BF7E49E802546
SHA256:5F60C63595D91843A3A1A5633855E4AD6121A248D0BF0DAD57E2289090035863
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
95
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
89.208.103.75:5552
point.chxv8ybuh2ytmfvfwrulcdqtywlooiybaevwsa2b.org
AEZA GROUP Ltd
DE
suspicious
2952
WinD64.exe
89.208.103.75:5552
point.chxv8ybuh2ytmfvfwrulcdqtywlooiybaevwsa2b.org
AEZA GROUP Ltd
DE
suspicious

DNS requests

Domain
IP
Reputation
point.chxv8ybuh2ytmfvfwrulcdqtywlooiybaevwsa2b.org
  • 89.208.103.75
suspicious

Threats

No threats detected
No debug info