File name:

Trojan.Win32.Gentee.a.exe

Full analysis: https://app.any.run/tasks/17047cc3-e15b-4e9a-8b2b-3c6bc7eae293
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: August 23, 2024, 22:18:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

6CD3FF8858E8A695463722FFBC4A0788

SHA1:

5A292640313B7765AE4AFAECFD372100BF4E3BB4

SHA256:

6035AB6EA3D863EDC3F9351DD45E567BC7836F0755A46DD680811B7B27231E65

SSDEEP:

3072:IV3VHV4tkqwVQYGO0gxx4hksfh5132X+y/bSLDGMG:IV3VHV4j8MO0gxGkubGOQbSLDI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the login/logoff helper path in the registry

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Changes the autorun value in the registry

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Disables the Find the Start menu

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Changes the Windows auto-update feature

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Change Internet Settings

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Actions looks like stealing of personal data

      • xp.exe (PID: 2188)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • Trojan.Win32.Gentee.a.exe (PID: 3644)
      • xp.exe (PID: 2188)

    • Creates file in the systems drive root

      • Trojan.Win32.Gentee.a.exe (PID: 3644)
      • xp.exe (PID: 2188)

    • Executable content was dropped or overwritten

      • Trojan.Win32.Gentee.a.exe (PID: 3644)
      • xp.exe (PID: 2188)

    • Changes the desktop background image

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • The process verifies whether the antivirus software is installed

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Read startup parameters

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Modifies the phishing filter of IE

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Changes Internet Explorer settings (feature browser emulation)

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Process changes security settings for the VBA macro

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Reads Internet Explorer settings

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Reads the Internet Settings

      • sipnotify.exe (PID: 340)

    • The process executes via Task Scheduler

      • ctfmon.exe (PID: 1556)
      • sipnotify.exe (PID: 340)

    • Reads settings of System Certificates

      • sipnotify.exe (PID: 340)

    • Checks Windows Trust Settings

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Changes internet zones settings

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Creates/Modifies COM task schedule object

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

  • INFO

    • Create files in a temporary directory

      • Trojan.Win32.Gentee.a.exe (PID: 3644)
      • xp.exe (PID: 2188)

    • Checks supported languages

      • Trojan.Win32.Gentee.a.exe (PID: 3644)
      • xp.exe (PID: 2188)

    • Reads the computer name

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Reads Microsoft Office registry keys

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Reads the software policy settings

      • sipnotify.exe (PID: 340)

    • Manual execution by a user

      • xp.exe (PID: 2064)
      • xp.exe (PID: 2188)

    • Reads security settings of Internet Explorer

      • sipnotify.exe (PID: 340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.3)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2002:02:27 09:51:35+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 3
CodeSize: 2560
InitializedDataSize: 4608
UninitializedDataSize: -
EntryPoint: 0x1001
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
93
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start trojan.win32.gentee.a.exe ctfmon.exe no specs sipnotify.exe xp.exe no specs xp.exe trojan.win32.gentee.a.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
340C:\Windows\system32\sipnotify.exe -LogonOrUnlockC:\Windows\System32\sipnotify.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
sipnotify
Exit code:
0
Version:
6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules
Images
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1556C:\Windows\System32\ctfmon.exe C:\Windows\System32\ctfmon.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
2064"C:\Windows\xp.exe" C:\Windows\xp.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\windows\xp.exe
c:\windows\system32\ntdll.dll
2188"C:\Windows\xp.exe" C:\Windows\xp.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\xp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
2484"C:\Users\admin\Desktop\Trojan.Win32.Gentee.a.exe" C:\Users\admin\Desktop\Trojan.Win32.Gentee.a.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\trojan.win32.gentee.a.exe
c:\windows\system32\ntdll.dll
3644"C:\Users\admin\Desktop\Trojan.Win32.Gentee.a.exe" C:\Users\admin\Desktop\Trojan.Win32.Gentee.a.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\trojan.win32.gentee.a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
Total events
39 192
Read events
21 783
Write events
17 408
Delete events
1

Modification events

(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoSMHelp
Value:
1
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoRun
Value:
01
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoClose
Value:
01
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoLogOff
Value:
01
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoDrives
Value:
67108863
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableRegistryTools
Value:
1
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoDesktop
Value:
1
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Operation:writeName:Disabled
Value:
1
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Operation:writeName:NoRealMode
Value:
1
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
Operation:writeName:LegalNoticeCaption
Value:
¡ïÌìħ½µÊÀ ÃðÊÀ´ÓÉú¡ï
Executable files
6
Suspicious files
2
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
3644Trojan.Win32.Gentee.a.exeC:\Users\admin\AppData\Local\Temp\ginst0.dllexecutable
MD5:B2736E243082F430D981DBE1D395458A
SHA256:00E55F021A482C54E387A2C5357822ABE873067FA1477B5A0D1B158BD07FB416
340sipnotify.exeC:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\en-us.htmlhtml
MD5:9752942B57692148B9F614CF4C119A36
SHA256:E31B834DD53FA6815F396FC09C726636ABF98F3367F0CF1590EF5EB3801C75D1
340sipnotify.exeC:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\metadata.jsonbinary
MD5:E8A970BA6CE386EED9A5E724F26212A6
SHA256:7E06107D585D8FC7870998F3856DCC3E35800AA97E4406AAB83BC8444B6CBDE3
3644Trojan.Win32.Gentee.a.exeC:\Windows\winnt\xp.exeexecutable
MD5:4FA29A1AD0744D79CDD485B6EC7E76CF
SHA256:73FA95BB57B65F911397B6984A0B0176E565CEA94B76A4DB3056277DD74E0C7F
3644Trojan.Win32.Gentee.a.exeC:\xp.exeexecutable
MD5:4FA29A1AD0744D79CDD485B6EC7E76CF
SHA256:73FA95BB57B65F911397B6984A0B0176E565CEA94B76A4DB3056277DD74E0C7F
340sipnotify.exeC:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\script.jstext
MD5:A2682382967C351F7ED21762F9E5DE9E
SHA256:36B1D26F1EC69685648C0528C2FCE95A3C2DBECF828CDFA4A8B4239A15B644A2
3644Trojan.Win32.Gentee.a.exeC:\Windows\xp.exeexecutable
MD5:4FA29A1AD0744D79CDD485B6EC7E76CF
SHA256:73FA95BB57B65F911397B6984A0B0176E565CEA94B76A4DB3056277DD74E0C7F
340sipnotify.exeC:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\microsoft-logo.pngimage
MD5:B7C73A0CFBA68CC70C35EF9C63703CE4
SHA256:1D8B27A0266FF526CF95447F3701592A908848467D37C09A00A2516C1F29A013
340sipnotify.exeC:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\main.jpgimage
MD5:B342ACE63F77961249A084C61EABC884
SHA256:E5067BBA2095B5DA7C3171EC116E9A92337E24E471339B0860A160076EFE49B9
340sipnotify.exeC:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\styles.csstext
MD5:3383EEF350240253D7C2C2564381B3CB
SHA256:85443493D86D6D7FB0E07BC9705DFC9C858086FBA1B0E508092AB328D5F145E8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
340
sipnotify.exe
HEAD
200
23.197.138.118:80
http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133689287525310000
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1060
svchost.exe
224.0.0.252:5355
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
239.255.255.250:3702
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.74.206
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
query.prod.cms.rt.microsoft.com
  • 23.197.138.118
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Trojan.Win32.Gentee.a.exe