| File name: | file |
| Full analysis: | https://app.any.run/tasks/c0157d3d-feff-46cc-88ef-bbddfb5f7d84 |
| Verdict: | Malicious activity |
| Analysis date: | December 05, 2022, 19:05:15 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 44085873D2D9AD0A6126F752AD80C4E3 |
| SHA1: | A1B8302E4B7A65C4FD62F5F883B4884BB7AB20F9 |
| SHA256: | 6B6EB4B5978054AC9EEE21AF78C11667E65AB78E5533D72DBFA420A42DDC7B40 |
| SSDEEP: | 196608:91Osam/50vvgbW+iD3IBKI4pZHbzaO+in0g:3OZmh6vyWR35FZHaY0g |
MALICIOUS
Application was dropped or rewritten from another process
- Install.exe (PID: 3416)
- HqbAWMO.exe (PID: 2776)
- gyDVofW.exe (PID: 2452)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 3144)
- schtasks.exe (PID: 1108)
- schtasks.exe (PID: 1280)
- schtasks.exe (PID: 3384)
- schtasks.exe (PID: 3624)
- schtasks.exe (PID: 2404)
- schtasks.exe (PID: 1500)
- schtasks.exe (PID: 1084)
- schtasks.exe (PID: 2580)
- schtasks.exe (PID: 3812)
- schtasks.exe (PID: 852)
- schtasks.exe (PID: 3704)
- schtasks.exe (PID: 592)
- schtasks.exe (PID: 1044)
- schtasks.exe (PID: 2176)
- schtasks.exe (PID: 3404)
- schtasks.exe (PID: 1336)
- schtasks.exe (PID: 2628)
Uses Task Scheduler to run other applications
- Install.exe (PID: 3416)
- HqbAWMO.exe (PID: 2776)
- gyDVofW.exe (PID: 2452)
- gyDVofW.exe (PID: 2452)
- rundll32.EXE (PID: 1500)
Loads the Task Scheduler DLL interface
- schtasks.exe (PID: 3924)
- schtasks.exe (PID: 408)
- schtasks.exe (PID: 488)
- schtasks.exe (PID: 2520)
Modifies exclusions in Windows Defender
- reg.exe (PID: 2004)
- reg.exe (PID: 1032)
- reg.exe (PID: 3512)
- reg.exe (PID: 3024)
- reg.exe (PID: 3388)
- reg.exe (PID: 3016)
- reg.exe (PID: 2208)
- reg.exe (PID: 3348)
- reg.exe (PID: 336)
Steals credentials from Web Browsers
- gyDVofW.exe (PID: 2452)
Creates a writable file the system directory
- gyDVofW.exe (PID: 2452)
Modifies files in the Chrome extension folder
- gyDVofW.exe (PID: 2452)
Drops the executable file immediately after the start
- gyDVofW.exe (PID: 2452)
Loads dropped or rewritten executable
- rundll32.EXE (PID: 1500)
SUSPICIOUS
Starts itself from another location
- file.exe (PID: 2104)
Reads the BIOS version
- Install.exe (PID: 3416)
Reads the Internet Settings
- Install.exe (PID: 3416)
- gyDVofW.exe (PID: 2452)
Starts CMD.EXE for commands execution
- forfiles.exe (PID: 3396)
- forfiles.exe (PID: 1120)
- HqbAWMO.exe (PID: 2776)
- gyDVofW.exe (PID: 2452)
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 3360)
- cmd.exe (PID: 1936)
- cmd.exe (PID: 2884)
- cmd.exe (PID: 1708)
- cmd.exe (PID: 3444)
- cmd.exe (PID: 3092)
- cmd.exe (PID: 3124)
- cmd.exe (PID: 2668)
Executes via Task Scheduler
- powershell.EXE (PID: 2752)
- HqbAWMO.exe (PID: 2776)
- powershell.EXE (PID: 1408)
- gyDVofW.exe (PID: 2452)
- rundll32.EXE (PID: 1500)
Starts application from unusual location
- schtasks.exe (PID: 3924)
- schtasks.exe (PID: 408)
- schtasks.exe (PID: 488)
- schtasks.exe (PID: 2520)
Executes scripts
- HqbAWMO.exe (PID: 2776)
Creates a directory in Program Files
- gyDVofW.exe (PID: 2452)
Reads settings of System Certificates
- gyDVofW.exe (PID: 2452)
Checks Windows Trust Settings
- gyDVofW.exe (PID: 2452)
Creates files in the Windows directory
- gyDVofW.exe (PID: 2452)
Adds/modifies Windows certificates
- gyDVofW.exe (PID: 2452)
Creates a software uninstall entry
- gyDVofW.exe (PID: 2452)
Executable content was dropped or overwritten
- gyDVofW.exe (PID: 2452)
INFO
Checks supported languages
- Install.exe (PID: 1988)
- file.exe (PID: 2104)
- Install.exe (PID: 3416)
- HqbAWMO.exe (PID: 2776)
- gyDVofW.exe (PID: 2452)
Creates a file in a temporary directory
- Install.exe (PID: 1988)
- file.exe (PID: 2104)
- powershell.EXE (PID: 2752)
- Install.exe (PID: 3416)
- powershell.EXE (PID: 1408)
Reads the computer name
- Install.exe (PID: 3416)
- gyDVofW.exe (PID: 2452)
Reads security settings of Internet Explorer
- powershell.EXE (PID: 2752)
- powershell.EXE (PID: 1408)
Creates files in the Windows directory
- schtasks.exe (PID: 3924)
- schtasks.exe (PID: 408)
- schtasks.exe (PID: 488)
- schtasks.exe (PID: 2520)
Process checks SAM and SYSTEM backups
- gyDVofW.exe (PID: 2452)
Creates files in the program directory
- gyDVofW.exe (PID: 2452)
Process checks computer location settings
- gyDVofW.exe (PID: 2452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 2010-Nov-18 16:27:35 |
| Detected languages: |
|
| CompanyName: | Igor Pavlov |
| FileDescription: | 7z Setup SFX |
| FileVersion: | 9.20 |
| InternalName: | 7zS.sfx |
| LegalCopyright: | Copyright (c) 1999-2010 Igor Pavlov |
| OriginalFilename: | 7zS.sfx.exe |
| ProductName: | 7-Zip |
| ProductVersion: | 9.20 |
DOS Header
| e_magic: | MZ |
| e_cblp: | 144 |
| e_cp: | 3 |
| e_crlc: | 0 |
| e_cparhdr: | 4 |
| e_minalloc: | 0 |
| e_maxalloc: | 65535 |
| e_ss: | 0 |
| e_sp: | 184 |
| e_csum: | 0 |
| e_ip: | 0 |
| e_cs: | 0 |
| e_ovno: | 0 |
| e_oemid: | 0 |
| e_oeminfo: | 0 |
| e_lfanew: | 232 |
PE Headers
| Signature: | PE |
| Machine: | IMAGE_FILE_MACHINE_I386 |
| NumberofSections: | 5 |
| TimeDateStamp: | 2010-Nov-18 16:27:35 |
| PointerToSymbolTable: | 0 |
| NumberOfSymbols: | 0 |
| SizeOfOptionalHeader: | 224 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 4096 | 104938 | 104960 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60849 |
.rdata | 110592 | 17556 | 17920 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.36802 |
.data | 131072 | 23112 | 12800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.37054 |
.sxdata | 155648 | 4 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.rsrc | 159744 | 2656 | 3072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.30196 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 3.75404 | 744 | UNKNOWN | English - United States | RT_ICON |
2 | 3.18403 | 296 | UNKNOWN | English - United States | RT_ICON |
5 | 1.43775 | 52 | UNKNOWN | English - United States | RT_STRING |
500 | 3.09294 | 184 | UNKNOWN | English - United States | RT_DIALOG |
1 (#2) | 2.78284 | 148 | UNKNOWN | English - United States | RT_STRING |
1 (#3) | 2.37086 | 34 | UNKNOWN | English - United States | RT_GROUP_ICON |
1 (#4) | 3.44049 | 700 | UNKNOWN | English - United States | RT_VERSION |
Imports
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
USER32.dll |
Total processes
164
Monitored processes
69
Malicious processes
10
Suspicious processes
10
Behavior graph
Click at the process to see the details