File name: DOWNLOAD-100.exe

Full analysis: https://app.any.run/tasks/0ac4ef00-9676-44b8-b32e-ac8dc89cf4bc
Verdict: Malicious activity
Analysis date: August 12, 2022, 20:43:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 95801AF084F016C65FE03CA79EB1B996
SHA1: C96B671849012D1ED878E4FFEE083D38CC575FA1
SHA256: 603488E403F45E7EECC5B738057C255533AE704450B00F94CCB03F6C714042BF
SSDEEP: 192:vS3PW6LBS3As+45WDG8AxHwCMrpY7Y8LqPZo5LdCfffnMO3UlzuEnrtDINynT+vy:vS3TBS3bWDG8AxHr6+Y9PffPzouqlt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • DOWNLOAD-100.exe (PID: 2452)
  • SUSPICIOUS

    • Checks supported languages

      • DOWNLOAD-100.exe (PID: 2452)
    • Reads the computer name

      • DOWNLOAD-100.exe (PID: 2452)
    • Adds / modifies Windows certificates

      • DOWNLOAD-100.exe (PID: 2452)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3660)
  • INFO

    • Reads settings of System Certificates

      • DOWNLOAD-100.exe (PID: 2452)
      • iexplore.exe (PID: 3112)
    • Checks Windows Trust Settings

      • DOWNLOAD-100.exe (PID: 2452)
      • iexplore.exe (PID: 3112)
    • Checks supported languages

      • iexplore.exe (PID: 3112)
      • iexplore.exe (PID: 3660)
      • iexplore.exe (PID: 1188)
    • Changes internet zones settings

      • iexplore.exe (PID: 3112)
    • Reads the computer name

      • iexplore.exe (PID: 3112)
      • iexplore.exe (PID: 1188)
      • iexplore.exe (PID: 3660)
    • Application launched itself

      • iexplore.exe (PID: 3112)
      • iexplore.exe (PID: 3660)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3660)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

OriginalFileName: PoC-BootCamp
InternalName: PoC-BootCamp
ProductVersion: 1
FileVersion: 1
ProductName: PoC-BootCamp
CompanyName: PoC-BootCamp
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 3.1.0.0
FileVersionNumber: 3.1.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 3.1
OSVersion: 4
EntryPoint: 0x5001
UninitializedDataSize: -
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
TimeStamp: 2019:08:16 02:11:11+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Aug-2019 00:11:11
Detected languages:
  • English - United States
CompanyName: PoC-BootCamp
ProductName: PoC-BootCamp
FileVersion: 1
ProductVersion: 1
InternalName: PoC-BootCamp
OriginalFilename: PoC-BootCamp

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 16-Aug-2019 00:11:11
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00002000 | 0x00000A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.53059
.data | 0x00003000 | 0x0000036C | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00004000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.91126
.000000 | 0x00005000 | 0x00002000 | 0x00001800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.82914
.adata | 0x00007000 | 0x00001000 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.15472 | 544 | Latin 1 / Western European | English - United States | RT_VERSION

Imports

kernel32.dll
msvbvm60.dll
No data.
Total processes: 39
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start download-100.exe iexplore.exe iexplore.exe no specs iexplore.exe no specs

Process information

PID: 2452
CMD: "C:\Users\admin\AppData\Local\Temp\DOWNLOAD-100.exe"
Path: C:\Users\admin\AppData\Local\Temp\DOWNLOAD-100.exe
Parent process: Explorer.EXE
User: admin
Company: PoC-BootCamp
Integrity Level: MEDIUM
Exit code: 0
Version: 1
Modules (images):
  • c:\users\admin\appdata\local\temp\download-100.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvbvm60.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll

PID: 3112
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\sena-dfir.gif
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: DOWNLOAD-100.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 3660
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3112 CREDAT:144385 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 1188
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3112 CREDAT:333057 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

Total events: 13 521
Read events: 13 316
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 9
Text files: 6
Unknown types: 6

Dropped files

PID | Process | Filename | Type
2452 | DOWNLOAD-100.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\hacker-meme[1].gif |
MD5:
SHA256:
2452 | DOWNLOAD-100.exe | C:\Users\admin\AppData\Local\Temp\sena-dfir.gif |
MD5:
SHA256:
2452 | DOWNLOAD-100.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | der
MD5:5A11C6099B9E5808DFB08C5C9570C92F
SHA256:91291A5EDC4E10A225D3C23265D236ECC74473D9893BE5BD07E202D95B3FB172
2452 | DOWNLOAD-100.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_16BC07929C59A36AC8D9861B1F0E63C2 | binary
MD5:7B037D2F4743C4DF082E8FCA631D8F60
SHA256:C3BC9D8A737A0BE71C3110DA6C5D65E28AC23354CA1D3BFCA717F62D1BC36EBA
2452 | DOWNLOAD-100.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\dfirsena[1].htm | html
MD5:41AD004A88D8E3BCA44B4087B29937CD
SHA256:F2F77FAA891FF110D4F268887E09AC09464482E622D3F1E17714F0BF791A7CDD
2452 | DOWNLOAD-100.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der
MD5:953BBBF2C62EB6DFC48AAC1AA78AA47F
SHA256:FB2030E7F3083D281DA52246BD5AD19971B1A2A7B9FA91F8ACDD1C4E0F43AF3C
3112 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der
MD5:290A85BD3E7285CDEDA1602A9E12A7DF
SHA256:17AE86541BE373B2DB8A4B77D7E7626966637E5A6052F290A3B598A56F5123C9
2452 | DOWNLOAD-100.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
MD5:5ED61BC4DF65A902A8F31A1C264F600C
SHA256:A3B77E55F8FCE68BC569F7E2DC9FC88A20B56B407FDDE54D3A3A80459E6D464D
3112 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary
MD5:3802F5C47AABAF814CFABCB87E23F86F
SHA256:39233EEAEA9607FCD7E2FB215B0EFD9D14DB710F292A05A4EED3474D467D1025
2452 | DOWNLOAD-100.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_16BC07929C59A36AC8D9861B1F0E63C2 | der
MD5:12F9887EE70057193DDCC17D7665BCA6
SHA256:E5B2774024918634BA27C660B475E1FF0A18FE3B0020D31DC3A52610EF47AF62
HTTP(S) requests: 7
TCP/UDP connections: 14
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2452 | DOWNLOAD-100.exe | GET | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted
2452 | DOWNLOAD-100.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
2452 | DOWNLOAD-100.exe | GET | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted
2452 | DOWNLOAD-100.exe | GET | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCJ0LMUWb9%2FFgo%2FwIbO2Mkq | US | der | 472 b | whitelisted
2452 | DOWNLOAD-100.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9a29b1638721273e | US | compressed | 4.70 Kb | whitelisted
3112 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
3112 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2452 | DOWNLOAD-100.exe | 172.67.1.225:443 | tinyurl.com | | US | malicious
2452 | DOWNLOAD-100.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious
2452 | DOWNLOAD-100.exe | 142.250.185.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
2452 | DOWNLOAD-100.exe | 172.217.18.1:443 | c.tenor.com | Google Inc. | US | whitelisted
2452 | DOWNLOAD-100.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3112 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3112 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3112 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
tinyurl.com | 172.67.1.225, 104.20.138.65, 104.20.139.65 | shared
ctldl.windowsupdate.com | 23.216.77.80, 23.216.77.69 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
c.tenor.com | 172.217.18.1 | whitelisted
ocsp.pki.goog | 142.250.185.131 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted

Threats

No threats detected
No debug info