File name: dqhj_eqqw.exe

Full analysis: https://app.any.run/tasks/4ca77319-1ae4-401d-b747-b3df369bfb9a
Verdict: Malicious activity
Analysis date: December 06, 2022, 04:06:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: AD01EC1430C0B7FCBA0FC5D0B419D2ED
SHA1: 49E90ABAAE6AA26FBBCCE958CA24044D0C17F329
SHA256: 62018FB4CAF35E5849EC75A3797008F678E5DAF48B486031AFC59B88D91E09A9
SSDEEP: 49152:2l/NEdAGDAfnSwglT5htj5a35mAwqDgPU:U8AGDMzglT5njMc4j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • dqhj_eqqwd.exe (PID: 3056)
      • dqhj_eqqwd.exe (PID: 1528)
    • Loads dropped or rewritten executable

      • dqhj_eqqw.exe (PID: 3140)
      • dqhj_eqqwd.exe (PID: 3056)
      • dqhj_eqqwd.exe (PID: 1528)
    • Connects to the CnC server

      • dqhj_eqqwd.exe (PID: 3056)
  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • dqhj_eqqwd.exe (PID: 1528)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • dqhj_eqqw.exe (PID: 3140)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2016-Apr-02 03:20:09
Detected languages:
  • Chinese - PRC
  • English - United States
CompanyName: 上海三七玩网络科技有限公司
FileDescription: 灭神 install
FileVersion: 3.0.0.0
LegalCopyright: 上海三七玩网络科技有限公司
ProductName: 灭神
ProductVersion: 3.0.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 200

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2016-Apr-02 03:20:09
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 23668 | 24064 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.41039
.rdata | 28672 | 4502 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.20374
.data | 36864 | 110680 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.13053
.ndata | 151552 | 65536 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 217088 | 189728 | 189952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.89167

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 7.99215 | 156644 | UNKNOWN | English - United States | RT_ICON
2 | 6.65828 | 16936 | UNKNOWN | English - United States | RT_ICON
3 | 6.87943 | 9640 | UNKNOWN | English - United States | RT_ICON
4 | 6.44871 | 1128 | UNKNOWN | English - United States | RT_ICON
102 | 2.63447 | 160 | UNKNOWN | English - United States | RT_DIALOG
103 | 2.68436 | 62 | UNKNOWN | English - United States | RT_GROUP_ICON
104 | 2.60821 | 260 | UNKNOWN | English - United States | RT_DIALOG
105 | 2.62576 | 492 | UNKNOWN | English - United States | RT_DIALOG
106 | 2.86626 | 228 | UNKNOWN | English - United States | RT_DIALOG
110 | 2.82633 | 1638 | UNKNOWN | English - United States | RT_BITMAP

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 1

Behavior graph

[interactive graph not reproduced; nodes: dqhj_eqqw.exe (no specs), dqhj_eqqw.exe, dqhj_eqqwd.exe, dqhj_eqqwd.exe; edges: drop and start, drop and start, start]

Process information

PID | CMD | Path | Indicators | Parent process
1580 | "C:\Users\admin\AppData\Local\Temp\dqhj_eqqw.exe" | C:\Users\admin\AppData\Local\Temp\dqhj_eqqw.exe | | Explorer.EXE
  User: admin
  Company: 上海三七玩网络科技有限公司
  Integrity Level: MEDIUM
  Description: 灭神 install
  Exit code: 3221226540
  Version: 3.0.0.0
  Modules (Images):
    c:\windows\system32\ntdll.dll
    c:\users\admin\appdata\local\temp\dqhj_eqqw.exe
3140 | "C:\Users\admin\AppData\Local\Temp\dqhj_eqqw.exe" | C:\Users\admin\AppData\Local\Temp\dqhj_eqqw.exe | | Explorer.EXE
  User: admin
  Company: 上海三七玩网络科技有限公司
  Integrity Level: HIGH
  Description: 灭神 install
  Exit code: 0
  Version: 3.0.0.0
  Modules (Images):
    c:\users\admin\appdata\local\temp\dqhj_eqqw.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\shlwapi.dll
    c:\windows\system32\msvcrt.dll
3056 | "C:\Users\admin\AppData\Roaming\syol\dqhj_eqqwd.exe" /setupsucc | C:\Users\admin\AppData\Roaming\syol\dqhj_eqqwd.exe | | dqhj_eqqw.exe
  User: admin
  Integrity Level: HIGH
  Exit code: 0
  Modules (Images):
    c:\users\admin\appdata\roaming\syol\dqhj_eqqwd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
1528 | "C:\Users\admin\AppData\Roaming\syol\dqhj_eqqwd.exe" /autorun /setuprun | C:\Users\admin\AppData\Roaming\syol\dqhj_eqqwd.exe | | dqhj_eqqw.exe
  User: admin
  Integrity Level: HIGH
  Modules (Images):
    c:\users\admin\appdata\roaming\syol\dqhj_eqqwd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
Total events: 6 194
Read events: 6 108
Write events: 85
Delete events: 1

Modification events

(PID) Process | Operation | Key | Name | Value
(3140) dqhj_eqqw.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\灭神 | DisplayName | 灭神
(3140) dqhj_eqqw.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\灭神 | UninstallString | C:\Users\admin\AppData\Roaming\syol\uninst.exe
(3140) dqhj_eqqw.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\灭神 | DisplayIcon | C:\Users\admin\AppData\Roaming\syol\dqhj_eqqwd.exe
(3140) dqhj_eqqw.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\灭神 | DisplayVersion | 3.0.0.0
(3140) dqhj_eqqw.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\灭神 | URLInfoAbout | http://www.37.com/
(3140) dqhj_eqqw.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\灭神 | Publisher | 上海三七玩网络科技有限公司
(3056) dqhj_eqqwd.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |
(3056) dqhj_eqqwd.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
(3056) dqhj_eqqwd.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
(3056) dqhj_eqqwd.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
Executable files: 5
Suspicious files: 10
Text files: 51
Unknown types: 5

Dropped files

PID | Process | Filename | Type
3140 | dqhj_eqqw.exe | C:\Users\admin\AppData\Local\Temp\nslFD53.tmp\FindProcDLL.dll | executable
  MD5: 8614C450637267AFACAD1645E23BA24A
  SHA256: 0FA04F06A6DE18D316832086891E9C23AE606D7784D5D5676385839B21CA2758
3140 | dqhj_eqqw.exe | C:\Users\admin\AppData\Local\Temp\nslFD53.tmp\System.dll | executable
  MD5: 56A321BD011112EC5D8A32B2F6FD3231
  SHA256: BB6DF93369B498EAA638B0BCDC4BB89F45E9B02CA12D28BCEDF4629EA7F5E0F1
3140 | dqhj_eqqw.exe | C:\Users\admin\AppData\Roaming\syol\config.ini | ini
  MD5: D2DA9A221E32623FB1D903598D2010A0
  SHA256: F4DD96A9287D285B825F82C547DD8536EB97D795B2561C7945DCF018F2129F6C
3140 | dqhj_eqqw.exe | C:\Users\admin\AppData\Roaming\syol\dqhj_eqqwd.exe | executable
  MD5: BFB792FA68FAA37E1C45ED915CE20244
  SHA256: 6740512BB022A009346990CBADB3A59B5B60EA565FD299F60FCEFF6AEC0C0CF0
3140 | dqhj_eqqw.exe | C:\Users\admin\Desktop\灭神.lnk | lnk
  MD5: F5B3E3C9B63E8FA3007228435670BA92
  SHA256: B9DA9EBABFF955B4887E52E63C4ECAD0CDC4C6E91845F6FE946E58FD282EA047
3056 | dqhj_eqqwd.exe | C:\Users\admin\AppData\Local\Temp\InstallStat.tmp | binary
  MD5: DBB6F23686ECB4F3874719CEE71C11F7
  SHA256: A4E0BE6E7905A298130A048AE83B3D979425244387D27B6427F4B46F979BE2DF
3140 | dqhj_eqqw.exe | C:\Users\admin\AppData\Roaming\syol\uninst.exe | executable
  MD5: ED1353CB86B2D1B0F66D93A7B745D652
  SHA256: 3EAB70A40492C842BE6A0A084991C111951D095E507DA36031DE1753AE143F04
3140 | dqhj_eqqw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\37游戏中心\灭神\灭神.lnk | lnk
  MD5: B6900382BEBCE170BE2150556135603D
  SHA256: 4B46CF44D8075F38A634796FB5683E5C4BF4BFA70C244DB4A4F3A2DAD54B16D9
1528 | dqhj_eqqwd.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\game[1].js | html
  MD5: B1D6D4711536FD2220B8F55757A4759C
  SHA256: BE711B079D1F3BBD207914838515FE28C55F16FEC4F5FFBA0ADE2F2321E51C54
1528 | dqhj_eqqwd.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\client[1].htm | html
  MD5: BEE831B1E3F9984E70165E657CF98E34
  SHA256: EEAA256956313D53D7416E6C87191DF1AACBA475383C2061310DC42C4F9E3C34
HTTP(S) requests: 47
TCP/UDP connections: 29
DNS requests: 14
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1528 | dqhj_eqqwd.exe | GET | 200 | 120.77.146.101:80 | http://gameapp.37.com/controller/client.php?game_id=537&tpl_type=game&refer=wd_feitian&uid=913449&version=3000&installtime=20221206&runcount=1&curtime=20221206040657&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 | CN | html | 3.38 Kb | unknown
1528 | dqhj_eqqwd.exe | GET | 200 | 163.171.132.119:80 | http://img1.37wanimg.com/syol/js/client/game.js?t=1670299621 | US | html | 2.08 Kb | malicious
3056 | dqhj_eqqwd.exe | GET | 200 | 159.75.141.43:80 | http://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=537&ext_1=2&ext_2=wd_feitian&ext_3=913449&ext_4=39E4C723C4854FAAB3027BFA7E85299C&ext_5=2a41613a3db831e4d15842ae94d8d097&ext_6=2&browser_type=3000 | CN | binary | 38 b | malicious
1528 | dqhj_eqqwd.exe | GET | 404 | 163.171.128.148:80 | http://d.wanyouxi7.com/yx/syol/wd_feitian/913449/app.ini | US | html | 168 b | malicious
1528 | dqhj_eqqwd.exe | GET | 200 | 163.171.128.148:80 | http://img2.37wanimg.com/2019/04/16181600wKssp.jpg | US | image | 58.8 Kb | malicious
1528 | dqhj_eqqwd.exe | GET | 200 | 163.171.132.119:80 | http://img1.37wanimg.com/syol/css/client/game.css?t=1670299621 | US | text | 4.59 Kb | malicious
1528 | dqhj_eqqwd.exe | GET | 200 | 163.171.132.119:80 | http://ptres.37.com/js/sq/lib/sq.core.js?t=20140304 | US | html | 37.2 Kb | whitelisted
1528 | dqhj_eqqwd.exe | GET | 200 | 163.171.132.119:80 | http://ptres.37.com/js/sq/widget/sq.login.js?t=20211123172316 | US | html | 12.5 Kb | whitelisted
1528 | dqhj_eqqwd.exe | GET | 200 | 163.171.132.119:80 | http://ptres.37.com/js/sq/widget/sq.tab.js | US | text | 1.64 Kb | whitelisted
1528 | dqhj_eqqwd.exe | GET | 200 | 163.171.132.119:80 | http://img1.37wanimg.com/syol/css/client/game/check-on.png | US | image | 1.32 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1528 | dqhj_eqqwd.exe | 163.171.132.119:80 | img1.37wanimg.com | QUANTILNETWORKS | DE | malicious
1528 | dqhj_eqqwd.exe | 120.77.146.101:80 | gameapp.37.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
3056 | dqhj_eqqwd.exe | 159.75.141.43:80 | a.clickdata.37wan.com | Shenzhen Tencent Computer Systems Company Limited | CN | malicious
1528 | dqhj_eqqwd.exe | 39.108.132.57:443 | my.37.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
1528 | dqhj_eqqwd.exe | 159.75.141.43:80 | a.clickdata.37wan.com | Shenzhen Tencent Computer Systems Company Limited | CN | malicious
1528 | dqhj_eqqwd.exe | 163.171.128.148:80 | img1.37wanimg.com | QUANTILNETWORKS | DE | malicious
1528 | dqhj_eqqwd.exe | 193.112.116.230:80 | cm.he2d.com | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
1528 | dqhj_eqqwd.exe | 106.55.175.231:80 | regapi.37.com | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
1528 | dqhj_eqqwd.exe | 106.55.175.231:443 | regapi.37.com | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
1528 | dqhj_eqqwd.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | suspicious

DNS requests

Domain | IP | Reputation
a.clickdata.37wan.com | 159.75.141.43, 106.55.79.146 | malicious
gameapp.37.com | 120.77.146.101, 81.71.82.218, 106.53.131.76 | unknown
img1.37wanimg.com | 163.171.132.119, 163.171.128.148 | malicious
img2.37wanimg.com | 163.171.128.148, 163.171.132.119 | malicious
ptres.37.com | 163.171.132.119, 163.171.128.148 | whitelisted
d.wanyouxi7.com | 163.171.128.148, 163.171.132.119 | malicious
regapi.37.com | 106.55.175.231, 39.108.147.122, 81.71.21.194 | unknown
my.37.com | 39.108.132.57, 42.194.153.154, 81.71.10.131 | suspicious
cm.he2d.com | 193.112.116.230, 139.9.125.189 | suspicious
cookiem.37.com | 139.9.125.189, 193.112.116.230 | suspicious

Threats

8 ETPRO signatures available at the full report
No debug info