analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DOWNLOAD-100.exe

Full analysis: https://app.any.run/tasks/7ab486d2-04b7-4ba8-900c-2b9fbbf575dc
Verdict: Malicious activity
Analysis date: August 12, 2022, 20:13:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

95801AF084F016C65FE03CA79EB1B996

SHA1:

C96B671849012D1ED878E4FFEE083D38CC575FA1

SHA256:

603488E403F45E7EECC5B738057C255533AE704450B00F94CCB03F6C714042BF

SSDEEP:

192:vS3PW6LBS3As+45WDG8AxHwCMrpY7Y8LqPZo5LdCfffnMO3UlzuEnrtDINynT+vy:vS3TBS3bWDG8AxHr6+Y9PffPzouqlt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • DOWNLOAD-100.exe (PID: 3068)
  • SUSPICIOUS

    • Reads the computer name

      • DOWNLOAD-100.exe (PID: 3068)
    • Checks supported languages

      • DOWNLOAD-100.exe (PID: 3068)
    • Adds / modifies Windows certificates

      • DOWNLOAD-100.exe (PID: 3068)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2800)
  • INFO

    • Reads settings of System Certificates

      • DOWNLOAD-100.exe (PID: 3068)
      • iexplore.exe (PID: 1880)
    • Checks Windows Trust Settings

      • DOWNLOAD-100.exe (PID: 3068)
      • iexplore.exe (PID: 1880)
    • Reads the computer name

      • iexplore.exe (PID: 2800)
      • iexplore.exe (PID: 1880)
      • iexplore.exe (PID: 3120)
    • Checks supported languages

      • iexplore.exe (PID: 1880)
      • iexplore.exe (PID: 2800)
      • iexplore.exe (PID: 3120)
    • Application launched itself

      • iexplore.exe (PID: 1880)
      • iexplore.exe (PID: 2800)
    • Changes internet zones settings

      • iexplore.exe (PID: 1880)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

OriginalFileName: PoC-BootCamp
InternalName: PoC-BootCamp
ProductVersion: 1
FileVersion: 1
ProductName: PoC-BootCamp
CompanyName: PoC-BootCamp
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 3.1.0.0
FileVersionNumber: 3.1.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 3.1
OSVersion: 4
EntryPoint: 0x5001
UninitializedDataSize: -
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
TimeStamp: 2019:08:16 02:11:11+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Aug-2019 00:11:11
Detected languages:
  • English - United States
CompanyName: PoC-BootCamp
ProductName: PoC-BootCamp
FileVersion: 1
ProductVersion: 1
InternalName: PoC-BootCamp
OriginalFilename: PoC-BootCamp

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 16-Aug-2019 00:11:11
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00002000
0x00000A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.53059
.data
0x00003000
0x0000036C
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00004000
0x00001000
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.91126
.000000
0x00005000
0x00002000
0x00001800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.82914
.adata
0x00007000
0x00001000
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.15472
544
Latin 1 / Western European
English - United States
RT_VERSION

Imports

kernel32.dll
msvbvm60.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start download-100.exe iexplore.exe iexplore.exe no specs iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3068"C:\Users\admin\AppData\Local\Temp\DOWNLOAD-100.exe" C:\Users\admin\AppData\Local\Temp\DOWNLOAD-100.exe
Explorer.EXE
User:
admin
Company:
PoC-BootCamp
Integrity Level:
MEDIUM
Exit code:
0
Version:
1
1880"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\sena-dfir.gifC:\Program Files\Internet Explorer\iexplore.exe
DOWNLOAD-100.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2800"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1880 CREDAT:144385 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3120"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1880 CREDAT:333057 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
12 955
Read events
12 772
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
7
Text files
4
Unknown types
5

Dropped files

PID
Process
Filename
Type
3068DOWNLOAD-100.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\hacker-meme[1].gif
MD5:
SHA256:
3068DOWNLOAD-100.exeC:\Users\admin\AppData\Local\Temp\sena-dfir.gif
MD5:
SHA256:
3068DOWNLOAD-100.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:953BBBF2C62EB6DFC48AAC1AA78AA47F
SHA256:FB2030E7F3083D281DA52246BD5AD19971B1A2A7B9FA91F8ACDD1C4E0F43AF3C
3068DOWNLOAD-100.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\dfirsena[1].htmhtml
MD5:41AD004A88D8E3BCA44B4087B29937CD
SHA256:F2F77FAA891FF110D4F268887E09AC09464482E622D3F1E17714F0BF791A7CDD
3068DOWNLOAD-100.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAbinary
MD5:D7D6900B1865EB6FACCA7FBAAF06D102
SHA256:29F759839BE390F8C71E7AD13B958C3714AFE3905E4491008BF38B288933EFE6
3068DOWNLOAD-100.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:F6B8771B2E2857D37F5906F1E05B14DE
SHA256:03DA6C193B91D5EF46E65EA7D28BFC00062811BB3C8F312EBB02A821E6A39707
3068DOWNLOAD-100.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_16BC07929C59A36AC8D9861B1F0E63C2binary
MD5:1710EC55EBB99B49E314F8C59DC38BE3
SHA256:FC4E0C351CA95D110D8AD90623E7D59B221E0EF55B8CE2EF5AA779348AFA8A57
3068DOWNLOAD-100.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\646C991C2A28825F3CC56E0A1D1E3FA9binary
MD5:1E300CB36508A47491E21E3F97B47DB3
SHA256:6A6E396D5CD8996DB9041697AE4FCB6F015A0158A17230431E6AE728CA9BB792
3068DOWNLOAD-100.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:D1B4E697E9086A78D1C4FD3488C2DB44
SHA256:32EB6B06B3B2CFA59C861AE2C94EEE03C1D84A379557626D2D91351E9F270BCB
1880iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:691CFE47616BA3CA3CBFDAD4DA5D538D
SHA256:E515E113E67D65DAC9D3937419474466A5E4B53FF8DFEA3A44D670379CE7D61A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
12
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3068
DOWNLOAD-100.exe
GET
142.250.185.195:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
whitelisted
3068
DOWNLOAD-100.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
3068
DOWNLOAD-100.exe
GET
200
142.250.185.195:80
http://crl.pki.goog/gsr1/gsr1.crl
US
der
1.70 Kb
whitelisted
3068
DOWNLOAD-100.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCJ0LMUWb9%2FFgo%2FwIbO2Mkq
US
der
472 b
whitelisted
3068
DOWNLOAD-100.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
1880
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3068
DOWNLOAD-100.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8898608dd73ed055
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3068
DOWNLOAD-100.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3068
DOWNLOAD-100.exe
104.20.138.65:443
tinyurl.com
Cloudflare Inc
US
suspicious
3068
DOWNLOAD-100.exe
142.250.185.161:443
c.tenor.com
Google Inc.
US
whitelisted
3068
DOWNLOAD-100.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3068
DOWNLOAD-100.exe
142.250.185.195:80
ocsp.pki.goog
Google Inc.
US
whitelisted
1880
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1880
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
tinyurl.com
  • 104.20.138.65
  • 104.20.139.65
  • 172.67.1.225
shared
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
c.tenor.com
  • 142.250.185.161
whitelisted
ocsp.pki.goog
  • 142.250.185.195
whitelisted
crl.pki.goog
  • 142.250.185.195
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
No debug info