File name: 2.bin

Full analysis: https://app.any.run/tasks/61fff45e-9736-4078-83f5-bfeccaec7556
Verdict: Malicious activity
Analysis date: December 02, 2023, 18:51:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0511A0C819ADE47392A2F3A51EAF1F0B
SHA1: 39B0471E8D501702179BFCB744728C00DCCED7BA
SHA256: 635A73433A258FA5A9B3B015F57CA84E1C296E9B65888FB64EBB602213A9D49D
SSDEEP: 24576:Uu6Z8dgdmi9NgdHwtFRfDWm98krcfWKRMkUxV9RikIjfo1syl4Ik5uv47c:Uu6Z8dgdtvgdKFRrWm98krcfWKRMkUpn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 2.bin.exe (PID: 3476)
  • SUSPICIOUS

    • Application launched itself

      • 2.bin.exe (PID: 2412)
      • 2.bin.exe (PID: 1036)
      • 2.bin.exe (PID: 3476)
    • Reads the Internet Settings

      • 2.bin.exe (PID: 3476)
      • 2.bin.exe (PID: 684)
    • Uses ICACLS.EXE to modify access control lists

      • 2.bin.exe (PID: 3476)
  • INFO

    • Checks supported languages

      • 2.bin.exe (PID: 2412)
      • 2.bin.exe (PID: 3476)
      • 2.bin.exe (PID: 1036)
      • 2.bin.exe (PID: 684)
    • Reads the computer name

      • 2.bin.exe (PID: 3476)
      • 2.bin.exe (PID: 684)
    • Checks proxy server information

      • 2.bin.exe (PID: 3476)
      • 2.bin.exe (PID: 684)
    • Reads the machine GUID from the registry

      • 2.bin.exe (PID: 3476)
      • 2.bin.exe (PID: 684)
    • Creates files or folders in the user directory

      • 2.bin.exe (PID: 3476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:10:29 01:17:51+02:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 760320
InitializedDataSize: 35047424
UninitializedDataSize: -
EntryPoint: 0x54bd
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 91.0.0.0
ProductVersionNumber: 98.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (0294)
CharacterSet: Unknown (85B3)
FileVersions: 64.5.34.31
InternalName: Astronomy.exe
OriginalFileName: Hugidfgy.exe
ProductName: Hdfgodifjg
ProductVersion: 2.8.47.63
All screenshots are available in the full report
Total processes: 45
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph (process chain): start > 2.bin.exe (no specs) > 2.bin.exe > icacls.exe (no specs), 2.bin.exe, 2.bin.exe

Process information

PID: 684
CMD: "C:\Users\admin\AppData\Local\Temp\2.bin.exe" --Admin IsNotAutoStart IsNotTask
Path: C:\Users\admin\AppData\Local\Temp\2.bin.exe
Parent process: 2.bin.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\2.bin.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\mpr.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
  c:\windows\system32\user32.dll

PID: 1036
CMD: "C:\Users\admin\AppData\Local\Temp\2.bin.exe" --Admin IsNotAutoStart IsNotTask
Path: C:\Users\admin\AppData\Local\Temp\2.bin.exe
Parent process: 2.bin.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\2.bin.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll

PID: 1852
CMD: icacls "C:\Users\admin\AppData\Local\08deface-da6d-4d42-91e0-a763f249fed1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Path: C:\Windows\System32\icacls.exe
Parent process: 2.bin.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\icacls.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\ntmarta.dll
  c:\windows\system32\wldap32.dll

PID: 2412
CMD: "C:\Users\admin\AppData\Local\Temp\2.bin.exe"
Path: C:\Users\admin\AppData\Local\Temp\2.bin.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\2.bin.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll

PID: 3476
CMD: "C:\Users\admin\AppData\Local\Temp\2.bin.exe"
Path: C:\Users\admin\AppData\Local\Temp\2.bin.exe
Parent process: 2.bin.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\2.bin.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\mpr.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
  c:\windows\system32\user32.dll
Total events: 1 289
Read events: 1 232
Write events: 57
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name | Value
(3476) 2.bin.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
(3476) 2.bin.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 460000005A010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(3476) 2.bin.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
(3476) 2.bin.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
(3476) 2.bin.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
(3476) 2.bin.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
(3476) 2.bin.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
(3476) 2.bin.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
(3476) 2.bin.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} | WpadDecisionReason | 1
(3476) 2.bin.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} | WpadDecisionTime | 808ED1875025DA01
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3476 | 2.bin.exe | C:\Users\admin\AppData\Local\08deface-da6d-4d42-91e0-a763f249fed1\2.bin.exe | executable
MD5: 0511A0C819ADE47392A2F3A51EAF1F0B
SHA256: 635A73433A258FA5A9B3B015F57CA84E1C296E9B65888FB64EBB602213A9D49D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 3
Threats: 4

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3476 | 2.bin.exe | 188.114.97.3:443 | api.2ip.ua | CLOUDFLARENET | NL | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3476 | 2.bin.exe | 188.114.96.3:443 | api.2ip.ua | CLOUDFLARENET | NL | unknown
684 | 2.bin.exe | 188.114.96.3:443 | api.2ip.ua | CLOUDFLARENET | NL | unknown

DNS requests

Domain | IP | Reputation
api.2ip.ua | 188.114.97.3, 188.114.96.3 | shared
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
1080 | svchost.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Address Lookup DNS Query (2ip .ua)
1080 | svchost.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Address Lookup DNS Query (2ip .ua)
2 ETPRO signatures available at the full report
No debug info