File name:

Trojan.Win32.Gentee.a.exe

Full analysis: https://app.any.run/tasks/17047cc3-e15b-4e9a-8b2b-3c6bc7eae293
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: August 23, 2024, 22:18:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

6CD3FF8858E8A695463722FFBC4A0788

SHA1:

5A292640313B7765AE4AFAECFD372100BF4E3BB4

SHA256:

6035AB6EA3D863EDC3F9351DD45E567BC7836F0755A46DD680811B7B27231E65

SSDEEP:

3072:IV3VHV4tkqwVQYGO0gxx4hksfh5132X+y/bSLDGMG:IV3VHV4j8MO0gxGkubGOQbSLDI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Changes the login/logoff helper path in the registry

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Disables the Find the Start menu

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Changes the Windows auto-update feature

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Change Internet Settings

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Actions looks like stealing of personal data

      • xp.exe (PID: 2188)

  • SUSPICIOUS

    • The process verifies whether the antivirus software is installed

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Changes the desktop background image

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Creates file in the systems drive root

      • Trojan.Win32.Gentee.a.exe (PID: 3644)
      • xp.exe (PID: 2188)

    • Read startup parameters

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Modifies the phishing filter of IE

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Reads Internet Explorer settings

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Process changes security settings for the VBA macro

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Changes Internet Explorer settings (feature browser emulation)

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Drops the executable file immediately after the start

      • Trojan.Win32.Gentee.a.exe (PID: 3644)
      • xp.exe (PID: 2188)

    • Executable content was dropped or overwritten

      • Trojan.Win32.Gentee.a.exe (PID: 3644)
      • xp.exe (PID: 2188)

    • The process executes via Task Scheduler

      • ctfmon.exe (PID: 1556)
      • sipnotify.exe (PID: 340)

    • Reads the Internet Settings

      • sipnotify.exe (PID: 340)

    • Reads settings of System Certificates

      • sipnotify.exe (PID: 340)

    • Checks Windows Trust Settings

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Changes internet zones settings

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Creates/Modifies COM task schedule object

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

  • INFO

    • Checks supported languages

      • Trojan.Win32.Gentee.a.exe (PID: 3644)
      • xp.exe (PID: 2188)

    • Reads the computer name

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Reads Microsoft Office registry keys

      • Trojan.Win32.Gentee.a.exe (PID: 3644)

    • Create files in a temporary directory

      • Trojan.Win32.Gentee.a.exe (PID: 3644)
      • xp.exe (PID: 2188)

    • Reads the software policy settings

      • sipnotify.exe (PID: 340)

    • Manual execution by a user

      • xp.exe (PID: 2064)
      • xp.exe (PID: 2188)

    • Reads security settings of Internet Explorer

      • sipnotify.exe (PID: 340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.3)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2002:02:27 09:51:35+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 3
CodeSize: 2560
InitializedDataSize: 4608
UninitializedDataSize: -
EntryPoint: 0x1001
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
93
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start trojan.win32.gentee.a.exe ctfmon.exe no specs sipnotify.exe xp.exe no specs xp.exe trojan.win32.gentee.a.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
340C:\Windows\system32\sipnotify.exe -LogonOrUnlockC:\Windows\System32\sipnotify.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
sipnotify
Exit code:
0
Version:
6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules
Images
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1556C:\Windows\System32\ctfmon.exe C:\Windows\System32\ctfmon.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
2064"C:\Windows\xp.exe" C:\Windows\xp.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\windows\xp.exe
c:\windows\system32\ntdll.dll
2188"C:\Windows\xp.exe" C:\Windows\xp.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\xp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
2484"C:\Users\admin\Desktop\Trojan.Win32.Gentee.a.exe" C:\Users\admin\Desktop\Trojan.Win32.Gentee.a.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\trojan.win32.gentee.a.exe
c:\windows\system32\ntdll.dll
3644"C:\Users\admin\Desktop\Trojan.Win32.Gentee.a.exe" C:\Users\admin\Desktop\Trojan.Win32.Gentee.a.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\trojan.win32.gentee.a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
Total events
39 192
Read events
21 783
Write events
17 408
Delete events
1

Modification events

(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoSMHelp
Value:
1
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoRun
Value:
01
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoClose
Value:
01
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoLogOff
Value:
01
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoDrives
Value:
67108863
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableRegistryTools
Value:
1
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoDesktop
Value:
1
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Operation:writeName:Disabled
Value:
1
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Operation:writeName:NoRealMode
Value:
1
(PID) Process:(3644) Trojan.Win32.Gentee.a.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
Operation:writeName:LegalNoticeCaption
Value:
¡ïÌìħ½µÊÀ ÃðÊÀ´ÓÉú¡ï
Executable files
6
Suspicious files
2
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
3644Trojan.Win32.Gentee.a.exeC:\Users\admin\AppData\Local\Temp\ginst0.dllexecutable
MD5:B2736E243082F430D981DBE1D395458A
SHA256:00E55F021A482C54E387A2C5357822ABE873067FA1477B5A0D1B158BD07FB416
340sipnotify.exeC:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\microsoft-logo.pngimage
MD5:B7C73A0CFBA68CC70C35EF9C63703CE4
SHA256:1D8B27A0266FF526CF95447F3701592A908848467D37C09A00A2516C1F29A013
3644Trojan.Win32.Gentee.a.exeC:\Windows\winnt\xp.exeexecutable
MD5:4FA29A1AD0744D79CDD485B6EC7E76CF
SHA256:73FA95BB57B65F911397B6984A0B0176E565CEA94B76A4DB3056277DD74E0C7F
340sipnotify.exeC:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\script.jstext
MD5:A2682382967C351F7ED21762F9E5DE9E
SHA256:36B1D26F1EC69685648C0528C2FCE95A3C2DBECF828CDFA4A8B4239A15B644A2
3644Trojan.Win32.Gentee.a.exeC:\Windows\wininit.initext
MD5:066909F6C6DDFEB7E77D6A0D816B7955
SHA256:A20A3517B458C3E44B6FA84C7DD487ABB9CFFD9BB6BD686880843DD58BBD4E62
340sipnotify.exeC:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\main.jpgimage
MD5:B342ACE63F77961249A084C61EABC884
SHA256:E5067BBA2095B5DA7C3171EC116E9A92337E24E471339B0860A160076EFE49B9
3644Trojan.Win32.Gentee.a.exeC:\xp.exeexecutable
MD5:4FA29A1AD0744D79CDD485B6EC7E76CF
SHA256:73FA95BB57B65F911397B6984A0B0176E565CEA94B76A4DB3056277DD74E0C7F
2188xp.exeC:\Users\admin\AppData\Local\Temp\ginst0.dllexecutable
MD5:B2736E243082F430D981DBE1D395458A
SHA256:00E55F021A482C54E387A2C5357822ABE873067FA1477B5A0D1B158BD07FB416
340sipnotify.exeC:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\en-us.htmlhtml
MD5:9752942B57692148B9F614CF4C119A36
SHA256:E31B834DD53FA6815F396FC09C726636ABF98F3367F0CF1590EF5EB3801C75D1
3644Trojan.Win32.Gentee.a.exeC:\winnt\xp.BMPimage
MD5:1750F9428EF032632F58F4272EF4A9B0
SHA256:3CEF49701052991C868EF2991AB5F73D4511DA8980B0254897D643B4A0B52519
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
340
sipnotify.exe
HEAD
200
23.197.138.118:80
http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133689287525310000
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1060
svchost.exe
224.0.0.252:5355
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
239.255.255.250:3702
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.74.206
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
query.prod.cms.rt.microsoft.com
  • 23.197.138.118
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Trojan.Win32.Gentee.a.exe