analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

bt-ddl.exe

Full analysis: https://app.any.run/tasks/a8f75484-0e0f-4da9-bab7-b088692105ce
Verdict: Malicious activity
Analysis date: November 30, 2020, 00:15:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable, MZ for MS-DOS
MD5:

0CCA673D5DDB45871D05F6A733059E56

SHA1:

77F250C949E5F7D3E7BA33968C74428740FA1031

SHA256:

6C121282C56F9C651FA0C56C9B495B55CD56F7A9F02E4E6F7324735C230DBD71

SSDEEP:

24576:XhQMSJvM7f824wEvwLAj1TXt3l9L4Qy44Dx+fGjNE938:N/hU1BlqVRNE9M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • bt-ddl.exe (PID: 2992)

    • Loads dropped or rewritten executable

      • bt-ddl.exe (PID: 2992)

  • SUSPICIOUS

    • Application launched itself

      • bt-ddl.exe (PID: 2180)

    • Executable content was dropped or overwritten

      • bt-ddl.exe (PID: 2992)

    • Reads internet explorer settings

      • bt-ddl.exe (PID: 2992)

    • Adds / modifies Windows certificates

      • bt-ddl.exe (PID: 2992)

    • Drops a file that was compiled in debug mode

      • bt-ddl.exe (PID: 2992)

    • Starts Internet Explorer

      • bt-ddl.exe (PID: 2992)

    • Creates files in the user directory

      • bt-ddl.exe (PID: 2992)

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 560)

  • INFO

    • Reads settings of System Certificates

      • bt-ddl.exe (PID: 2992)
      • iexplore.exe (PID: 3264)

    • Changes internet zones settings

      • iexplore.exe (PID: 3264)

    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 560)
      • iexplore.exe (PID: 2916)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2916)

    • Application launched itself

      • iexplore.exe (PID: 3264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:07:26 18:04:19+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 477696
InitializedDataSize: 272384
UninitializedDataSize: 670720
EntryPoint: 0xa4071
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 3.5.4.26
ProductVersionNumber: 2.0.2.13
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Adobe
FileDescription: Adobe Installation Helper
FileVersion: 3.5.4.26
InternalName: host.exe
LegalCopyright: Copyright © Adobe Systems Incorporated
OriginalFileName: host.exe
ProductName: Adobe Installation Helper
ProductVersion: 2.0.2.13

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 26-Jul-2014 16:04:19
Detected languages:
  • English - United States
CompanyName: Adobe
FileDescription: Adobe Installation Helper
FileVersion: 3.5.4.26
InternalName: host.exe
LegalCopyright: Copyright © Adobe Systems Incorporated
OriginalFilename: host.exe
ProductName: Adobe Installation Helper
ProductVersion: 2.0.2.13

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0040
Pages in file: 0x0001
Relocations: 0x0000
Size of header: 0x0002
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0xB400
OEM information: 0xCD09
Address of NE header: 0x00000040

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 26-Jul-2014 16:04:19
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.MPRESS1
0x00001000
0x000A3000
0x00033400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99914
.MPRESS2\xdb\x0b
0x000A4000
0x00000BDB
0x00000C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.99777
.rsrc
0x000A5000
0x0000E75C
0x0000E800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.15781

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.18054
1167
Latin 1 / Western European
English - United States
RT_MANIFEST
2
3.96398
2216
Latin 1 / Western European
English - United States
RT_ICON
3
4.24411
1384
Latin 1 / Western European
English - United States
RT_ICON
4
2.1281
7336
Latin 1 / Western European
English - United States
RT_ICON
5
2.14203
3240
Latin 1 / Western European
English - United States
RT_ICON
6
2.36423
872
Latin 1 / Western European
English - United States
RT_ICON
7
2.23335
9640
Latin 1 / Western European
English - United States
RT_ICON
8
2.30773
4264
Latin 1 / Western European
English - United States
RT_ICON
9
2.67423
1128
Latin 1 / Western European
English - United States
RT_ICON
10
4.87994
3752
UNKNOWN
English - United States
RT_ICON

Imports

KERNEL32.DLL
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start bt-ddl.exe no specs bt-ddl.exe iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2180"C:\Users\admin\AppData\Local\Temp\bt-ddl.exe" C:\Users\admin\AppData\Local\Temp\bt-ddl.exeexplorer.exe
User:
admin
Company:
Adobe
Integrity Level:
MEDIUM
Description:
Adobe Installation Helper
Exit code:
0
Version:
3.5.4.26
2992"C:\Users\admin\AppData\Local\Temp\bt-ddl.exe" -ElevatedC:\Users\admin\AppData\Local\Temp\bt-ddl.exe
bt-ddl.exe
User:
admin
Company:
Adobe
Integrity Level:
HIGH
Description:
Adobe Installation Helper
Version:
3.5.4.26
3264"C:\Program Files\Internet Explorer\iexplore.exe" https://get.adobe.com/flashplayer/completion/aih/?exitcode=-1C:\Program Files\Internet Explorer\iexplore.exe
bt-ddl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2916"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3264 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
560C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
Total events
1 168
Read events
1 070
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
25
Text files
63
Unknown types
15

Dropped files

PID
Process
Filename
Type
2992bt-ddl.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\E8BN7OJ1.txt
MD5:
SHA256:
2992bt-ddl.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\1XFSFNSN.txt
MD5:
SHA256:
2992bt-ddl.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\1RFY276D.txt
MD5:
SHA256:
2992bt-ddl.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\C0ISBZJS.txt
MD5:
SHA256:
2992bt-ddl.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\11LKZ0D5.txttext
MD5:9875F6DCD3D5048EBA34FB3004B702E9
SHA256:E70DBCCA2C2D0A0B079B548689A7879DADA64A0EA79FDF4BBB870F29278055DE
2992bt-ddl.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\YE35GAR4.txttext
MD5:4C5C61F8952C1BB1CE665313348F2281
SHA256:2DA38972FC49D126EF7B7DE9384B1D95A94F14F574E35084283784C529C89F81
2992bt-ddl.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\icon-blank[1].gifimage
MD5:047722E6940449B36DC7507352170004
SHA256:E749A443EF9436DB67B0FF16DBB3BBBF4CC7E3BA3424EA83F1EE9181B74DCFAA
2916iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6der
MD5:F35594720BDB12D02C777B50A40996C7
SHA256:7C7C3BB58FDF08A0BF4C74CAF57034C7F8DCF3CC4D587E3F90A38B17ECDDB9EB
2992bt-ddl.exeC:\Users\admin\AppData\Local\Temp\bt-ddl_1.exeexecutable
MD5:0CCA673D5DDB45871D05F6A733059E56
SHA256:6C121282C56F9C651FA0C56C9B495B55CD56F7A9F02E4E6F7324735C230DBD71
2992bt-ddl.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\logo-adobe[1].gifimage
MD5:2D32D489B011C582232B70FEBFC866B0
SHA256:3829F33115FF4CD0FC3EC2505FB4603578F040FEBEABAFFF16C9446D53E68A3B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
33
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2992
bt-ddl.exe
GET
302
54.72.205.114:80
http://stats.adobe.com/b/ss/adbacdcprod/1/H.25.4/s8252581608748?AQB=1&ndh=1&t=30%2F10%2F2020%200%3A16%3A9%201%200&fid=3DE7416053BAF34B-182565CBCD9C29F1&ce=UTF-8&ns=adobecorp&pageName=acdc_fp_aih_launched&g=http%3A%2F%2F127.0.0.1%3A49181%2Fmainwindow.html&ch=acdc_flashplayer&events=event96%2Cevent19&products=%3Bflashplayer_aih&c1=aih&c2=acdc%20downloads&c3=get.adobe.com&c4=en&c5=en%3Aacdc_fp_aih_launched&v18=new&v22=sunday%20-%205%3A00pm&v73=acdc_flashplayer&s=1280x720&c=32&j=1.6&v=Y&k=Y&bw=728&bh=248&ct=lan&hp=N&AQE=1
IE
whitelisted
2916
iexplore.exe
GET
200
72.21.91.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
2916
iexplore.exe
GET
200
72.21.91.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
2916
iexplore.exe
GET
200
72.21.91.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEAZ2JfwMCbGcYKxKdYCjCAA%3D
US
der
471 b
whitelisted
2916
iexplore.exe
GET
200
72.21.91.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
2916
iexplore.exe
GET
200
72.21.91.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEAZ2JfwMCbGcYKxKdYCjCAA%3D
US
der
471 b
whitelisted
2916
iexplore.exe
GET
200
72.21.91.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
2916
iexplore.exe
GET
200
72.21.91.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAza5nSVYZrPeIlAtSf0Rcs%3D
US
der
471 b
whitelisted
2916
iexplore.exe
GET
200
72.21.91.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
2916
iexplore.exe
GET
200
72.21.91.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAlARbj%2FknDlKb7yqTuYQmg%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2916
iexplore.exe
72.21.91.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2916
iexplore.exe
23.46.165.49:443
wwwimages2.adobe.com
Cox Communications Inc.
US
unknown
2992
bt-ddl.exe
193.104.215.66:443
get.adobe.com
Level 3 Communications, Inc.
malicious
2916
iexplore.exe
193.104.215.66:443
get.adobe.com
Level 3 Communications, Inc.
malicious
2916
iexplore.exe
2.20.242.24:443
www.adobe.com
Akamai International B.V.
suspicious
2992
bt-ddl.exe
54.72.205.114:80
stats.adobe.com
Amazon.com, Inc.
IE
unknown
2916
iexplore.exe
104.16.149.64:443
cdn.cookielaw.org
Cloudflare Inc
US
unknown
2916
iexplore.exe
2.20.242.16:443
use.typekit.net
Akamai International B.V.
whitelisted
3264
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2916
iexplore.exe
18.202.158.78:443
sstats.adobe.com
US
unknown

DNS requests

Domain
IP
Reputation
get.adobe.com
  • 193.104.215.66
whitelisted
stats.adobe.com
  • 54.72.205.114
whitelisted
ocsp.digicert.com
  • 72.21.91.29
whitelisted
wwwimages2.adobe.com
  • 23.46.165.49
whitelisted
www.adobe.com
  • 2.20.242.24
whitelisted
use.typekit.net
  • 2.20.242.16
whitelisted
cdn.cookielaw.org
  • 104.16.149.64
whitelisted
assets.adobedtm.com
  • 23.46.165.38
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
bt-ddl.exe