File name:

rr(.)exe

Full analysis: https://app.any.run/tasks/b6eab6d4-0017-43df-a414-66fed85b1c32
Verdict: Malicious activity
Analysis date: October 30, 2023, 21:46:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

64D333DC747D7001925E1CB1BEBE5E80

SHA1:

19AC273B294879AC913CF48A1EBB0E170655401A

SHA256:

67C053B22CDC61D65F806B8A29C4D44F48D05E7800F52B7D6529BE67310FEA1D

SSDEEP:

24576:0gEeFTIov2XmrLyLlIXZFZ/SNKqzptMqKAU:0gEeFTI8drLyLlIXZFNSNKqzptMqKAU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • rr(.)exe.exe (PID: 3112)
      • rr(.)exe.exe (PID: 3852)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • rr(.)exe.exe (PID: 3980)
      • rr(.)exe.exe (PID: 2064)
      • rr(.)exe.exe (PID: 1488)

    • Detected use of alternative data streams (AltDS)

      • rr(.)exe.exe (PID: 3852)

  • INFO

    • Reads the machine GUID from the registry

      • rr(.)exe.exe (PID: 3852)

    • Checks supported languages

      • rr(.)exe.exe (PID: 3852)

    • Manual execution by a user

      • rr(.)exe.exe (PID: 3980)
      • rr(.)exe.exe (PID: 1488)
      • rr(.)exe.exe (PID: 3112)
      • rr(.)exe.exe (PID: 2064)
      • notepad++.exe (PID: 3432)

    • Creates files or folders in the user directory

      • rr(.)exe.exe (PID: 3852)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:08:26 12:08:27+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 700416
InitializedDataSize: 255488
UninitializedDataSize: -
EntryPoint: 0x62b83
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
9
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rr(.)exe.exe no specs rr(.)exe.exe no specs cmd.exe no specs rr(.)exe.exe no specs cmd.exe no specs rr(.)exe.exe no specs notepad++.exe no specs rr(.)exe.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1484C:\Windows\system32\cmd.exe /c pauseC:\Windows\System32\cmd.exerr(.)exe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1488"C:\Users\admin\Desktop\rr(.)exe.exe" C:\Users\admin\Desktop\rr(.)exe.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2064"C:\Users\admin\Desktop\rr(.)exe.exe" C:\Users\admin\Desktop\rr(.)exe.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3112"C:\Users\admin\Desktop\rr(.)exe.exe" C:\Users\admin\Desktop\rr(.)exe.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3200C:\Windows\system32\cmd.exe /c pauseC:\Windows\System32\cmd.exerr(.)exe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3432"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\rr(.)exe.exe"C:\Program Files\Notepad++\notepad++.exeexplorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
3852"C:\Users\admin\Desktop\rr(.)exe.exe" C:\Users\admin\Desktop\rr(.)exe.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\rr(.)exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
3980"C:\Users\admin\Desktop\rr(.)exe.exe" C:\Users\admin\Desktop\rr(.)exe.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
4036C:\Windows\system32\cmd.exe /c pauseC:\Windows\System32\cmd.exerr(.)exe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
14 462
Read events
14 462
Write events
0
Delete events
0

Modification events

No data
Executable files
27
Suspicious files
4 032
Text files
12
Unknown types
1

Dropped files

PID
Process
Filename
Type
3852rr(.)exe.exeC:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccLR.cab
MD5:
SHA256:
3852rr(.)exe.exeC:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.msibinary
MD5:A17BE53D2BE0206EC9AE401566DEF62F
SHA256:EF1511E6A1ACD325476F8CA77BE230CCD0C54744462F51512A9B695B6AE31487
3852rr(.)exe.exeC:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\eRnLXWjwrmbJkaT-Mail[tylerdecsec@gmail.com]ID-[82643855711973].VJDX0
MD5:
SHA256:
3852rr(.)exe.exeC:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\JKgNHMISqsuew0p-Mail[tylerdecsec@gmail.com]ID-[82643855711973].UWLAQbinary
MD5:CA0B600F4EA2D1147DC11BE0F2B4BF9C
SHA256:B8E513154E8F5BC7A1B0D5649A778A2FF788A9AEEFB2BB3E67235199EC5634AF
3852rr(.)exe.exeC:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\Setup.xmlbinary
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
3852rr(.)exe.exeC:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\iYUckRHsXLpnMDq-Mail[tylerdecsec@gmail.com]ID-[82643855711973].S0KDUbinary
MD5:DDFBF07DA296226BE40C5F623EF47463
SHA256:6CE0297BB1C266BD268CCC915326708E8817290353AB34F6052118C86C0F686F
3852rr(.)exe.exeC:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\branding.xmlbinary
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
3852rr(.)exe.exeC:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccessMUI.xmlbinary
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
3852rr(.)exe.exeC:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\Setup.xmlbinary
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
3852rr(.)exe.exeC:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\lcrvxQbjtEakfVK-Mail[tylerdecsec@gmail.com]ID-[82643855711973].BVOWRbinary
MD5:6678D76DB499A67146E83514DAAA7C1F
SHA256:77B62DE6FFD1E994E0298CBA3BB95A93E80A9887CF1069BC7687C9EA010BECB3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1088
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2656
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rr(.)exe