analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1171.tmp.exe

Full analysis: https://app.any.run/tasks/ee67ae3f-7ed5-4d3c-a9eb-93183f2932b5
Verdict: Malicious activity
Analysis date: July 13, 2020, 05:59:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

07566FB66073ABAFBD438F08FA1C7245

SHA1:

E73EED815412A3CB1929ADD64B3BA7639006EB2E

SHA256:

6EB60AF3C1F6688FEE7286B384FD107552BDF95DC951101DF4A1D4F861623134

SSDEEP:

12288:GowoJUvqu4QyxhX3dEclUYbxNVh/hSu62:twtqu4QyjXtDUYbRNQu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads the Task Scheduler COM API

      • 1171.tmp.exe (PID: 1032)

    • Changes the autorun value in the registry

      • 1171.tmp.exe (PID: 1032)

    • Changes settings of System certificates

      • 1171.tmp.exe (PID: 3064)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • 1171.tmp.exe (PID: 3064)
      • 1171.tmp.exe (PID: 1032)

    • Executable content was dropped or overwritten

      • 1171.tmp.exe (PID: 1032)

    • Application launched itself

      • 1171.tmp.exe (PID: 1032)

    • Uses ICACLS.EXE to modify access control list

      • 1171.tmp.exe (PID: 1032)

    • Adds / modifies Windows certificates

      • 1171.tmp.exe (PID: 3064)

  • INFO

    • Reads settings of System Certificates

      • 1171.tmp.exe (PID: 3064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductionVersion: 1.0.4.8
Copyright: Copyrighd (C) 2020, odhsjv
InternalSurnames: dhrj.uxe
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Static library
FileOS: Unknown (0x40304)
FileFlags: Pre-release, Patched
FileFlagsMask: 0x006f
ProductVersionNumber: 1.0.0.1
FileVersionNumber: 1.0.0.1
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x436d
UninitializedDataSize: -
InitializedDataSize: 9329664
CodeSize: 48128
LinkerVersion: 9
PEType: PE32
TimeStamp: 2019:07:18 16:45:21+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Jul-2019 14:45:21
Detected languages:
  • Chinese - PRC
InternalSurnames: dhrj.uxe
Copyright: Copyrighd (C) 2020, odhsjv
ProductionVersion: 1.0.4.8

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 18-Jul-2019 14:45:21
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000BA69
0x0000BC00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.63998
.rdata
0x0000D000
0x00002DD8
0x00002E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.28825
.data
0x00010000
0x008D8618
0x00095E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.93219
.rsrc
0x008E9000
0x000043A8
0x00004400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.6043

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.35514
428
UNKNOWN
UNKNOWN
RT_VERSION
2
4.3849
1384
UNKNOWN
UNKNOWN
RT_ICON
3
5.7053
9640
UNKNOWN
UNKNOWN
RT_ICON
4
7.04549
1128
UNKNOWN
UNKNOWN
RT_ICON
23
3.29005
1426
UNKNOWN
UNKNOWN
RT_STRING
24
3.15503
478
UNKNOWN
UNKNOWN
RT_STRING
25
3.11399
476
UNKNOWN
UNKNOWN
RT_STRING
121
2.75638
62
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

KERNEL32.dll
WINHTTP.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start 1171.tmp.exe icacls.exe no specs 1171.tmp.exe

Process information

PID
CMD
Path
Indicators
Parent process
1032"C:\Users\admin\AppData\Local\Temp\1171.tmp.exe" C:\Users\admin\AppData\Local\Temp\1171.tmp.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2088icacls "C:\Users\admin\AppData\Local\527fb0a9-3658-4387-bc5b-a8797c48da3e" /deny *S-1-1-0:(OI)(CI)(DE,DC)C:\Windows\system32\icacls.exe1171.tmp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3064"C:\Users\admin\AppData\Local\Temp\1171.tmp.exe" --Admin IsNotAutoStart IsNotTaskC:\Users\admin\AppData\Local\Temp\1171.tmp.exe
1171.tmp.exe
User:
admin
Integrity Level:
HIGH
Total events
1 615
Read events
411
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
2
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
30641171.tmp.exeC:\Users\admin\AppData\Local\Temp\Cab78BF.tmp
MD5:
SHA256:
30641171.tmp.exeC:\Users\admin\AppData\Local\Temp\Tar78C0.tmp
MD5:
SHA256:
30641171.tmp.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850Dder
MD5:2D60A05B2F404217FDE5C78188660182
SHA256:EC684AC47217D97F71C4B509F7B0D41E2CF751802ACFF6E3051B481EF6E422C8
10321171.tmp.exeC:\Users\admin\AppData\Local\527fb0a9-3658-4387-bc5b-a8797c48da3e\1171.tmp.exeexecutable
MD5:07566FB66073ABAFBD438F08FA1C7245
SHA256:6EB60AF3C1F6688FEE7286B384FD107552BDF95DC951101DF4A1D4F861623134
30641171.tmp.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850Dbinary
MD5:9D4FD53EA2B563071712A63CF64E9DDC
SHA256:A2F2041E264259EA69067A063A37097F580444CCCD01FF4AF045F184EAC1F17E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3064
1171.tmp.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3064
1171.tmp.exe
151.139.128.14:80
ocsp.usertrust.com
Highwinds Network Group, Inc.
US
suspicious
3064
1171.tmp.exe
77.123.139.189:443
api.2ip.ua
Volia
UA
unknown
1032
1171.tmp.exe
77.123.139.189:443
api.2ip.ua
Volia
UA
unknown

DNS requests

Domain
IP
Reputation
api.2ip.ua
  • 77.123.139.189
shared
ocsp.usertrust.com
  • 151.139.128.14
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET POLICY External IP Address Lookup DNS Query
A Network Trojan was detected
ET POLICY External IP Address Lookup DNS Query
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
1171.tmp.exe