
configTools.exe

Full analysis: https://app.any.run/tasks/1a70a083-b8c0-4ee0-854d-1d341e0434bf
Verdict: Malicious activity
Analysis date: August 13, 2019, 18:09:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 6D1F417417A3F8817D83483E12EA04BF
SHA1: B00FE7D6C4360843BD56F94DEDEB4512111A8D78
SHA256: 7096A510CD0446403AD49AFA6C4F2940B4EAF93EDEDFFEFA9DF5860960DE830E
SSDEEP: 49152:87Ol8d3tcmbgEkbcCkW2CBNXbQ2oes2o5BQyIoaRwXPzDYPr:876

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes settings of System certificates
      • configTools.exe (PID: 252)
    • Loads dropped or rewritten executable
      • configTools.exe (PID: 252)
    • Changes internet zones settings
      • configTools.exe (PID: 252)
  • SUSPICIOUS
    • Creates files in the user directory
      • configTools.exe (PID: 252)
    • Creates COM task schedule object
      • configTools.exe (PID: 252)
    • Executable content was dropped or overwritten
      • configTools.exe (PID: 252)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (35.9)
.exe | Win32 Executable MS Visual C++ (generic) (27)
.exe | Win64 Executable (generic) (23.9)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.9)

EXIF

EXE

SpecialBuild: 104
ProductVersion: 0, 9, 8, 1
ProductName: ConfigTools 应用程序
PrivateBuild: -
OriginalFileName: ConfigTools.EXE
LegalTrademarks: -
LegalCopyright: 上海格尔软件股份公司 版权所有 (C) 1998~2014
InternalName: ConfigTools
FileVersion: 0, 9, 8, 1
FileDescription: 格尔证书客户端配置工具 v0.9.8
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: Special build
FileFlagsMask: 0x003f
ProductVersionNumber: 0.9.8.1
FileVersionNumber: 0.9.8.1
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x177f6
UninitializedDataSize: -
InitializedDataSize: 102400
CodeSize: 208896
LinkerVersion: 6
PEType: PE32
TimeStamp: 2014:09:30 05:07:36+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Sep-2014 03:07:36
Detected languages:
  • Chinese - PRC
Comments: -
CompanyName: -
FileDescription: 格尔证书客户端配置工具 v0.9.8
FileVersion: 0, 9, 8, 1
InternalName: ConfigTools
LegalCopyright: 上海格尔软件股份公司 版权所有 (C) 1998~2014
LegalTrademarks: -
OriginalFilename: ConfigTools.EXE
PrivateBuild: -
ProductName: ConfigTools 应用程序
ProductVersion: 0, 9, 8, 1
SpecialBuild: 104

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 30-Sep-2014 03:07:36
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000321DE | 0x00033000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.5351
.rdata | 0x00034000 | 0x0000B340 | 0x0000C000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.59086
.data | 0x00040000 | 0x000093A8 | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.32199
.rsrc | 0x0004A000 | 0x00002E10 | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.78554

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.89924 | 521 | UNKNOWN | Chinese - PRC | RT_MANIFEST
2 | 2.55844 | 296 | UNKNOWN | Chinese - PRC | RT_ICON
3 | 3.02695 | 308 | UNKNOWN | Chinese - PRC | RT_CURSOR
4 | 2.74274 | 180 | UNKNOWN | Chinese - PRC | RT_CURSOR
7 | 2.85273 | 120 | UNKNOWN | Chinese - PRC | RT_STRING
100 | 3.98944 | 234 | UNKNOWN | Chinese - PRC | RT_DIALOG
102 | 3.84018 | 360 | UNKNOWN | Chinese - PRC | RT_DIALOG
128 | 2.37086 | 34 | UNKNOWN | Chinese - PRC | RT_GROUP_ICON
129 | 3.65093 | 132 | UNKNOWN | Chinese - PRC | RT_DIALOG
130 | 3.70834 | 134 | UNKNOWN | Chinese - PRC | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
OLEPRO32.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
No data.
Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0


Process information

PID | CMD | Path | Indicators | Parent process
680 | "C:\Users\admin\AppData\Local\Temp\configTools.exe" | C:\Users\admin\AppData\Local\Temp\configTools.exe | | explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: 格尔证书客户端配置工具 v0.9.8
  Exit code: 3221226540
  Version: 0, 9, 8, 1
252 | "C:\Users\admin\AppData\Local\Temp\configTools.exe" | C:\Users\admin\AppData\Local\Temp\configTools.exe | | explorer.exe
  User: admin
  Integrity Level: HIGH
  Description: 格尔证书客户端配置工具 v0.9.8
  Version: 0, 9, 8, 1
Total events: 716
Read events: 15
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 4
Suspicious files: 0
Text files: 12
Unknown types: 0

Dropped files

PID | Process | Filename | Type
252 | configTools.exe | C:\Users\admin\AppData\Roaming\configtools.log | text
  MD5: 6C4E6ED62455F6F19ABC19BBF37B3F85
  SHA256: 171B655EDB8B7C5D240FB6401DEDE387CC3F4B1E720A90C7245563A3F3C3171B
252 | configTools.exe | C:\Users\admin\AppData\Local\KOAL\ConfigTools\V0.9.8.1\KoalCertCtl.ocx | executable
  MD5: EC1B80BFEF8BEE9265D23E2EFB9A1715
  SHA256: DCF74CDB1757F7D8BFD5D64B9960AFA61EA0427A15B40D87F82896C32B0FBE55
252 | configTools.exe | C:\Users\admin\AppData\Local\KOAL\ConfigTools\V0.9.8.1\KoalSkfDevice.ocx | executable
  MD5: EEF5531259B245BAF829F48D889E7EE6
  SHA256: 58A33CA6459CC4EC10B4A491DF3C1708337E034B5E1EE9215686823F6D0E0AFF
252 | configTools.exe | C:\Users\admin\AppData\Local\KOAL\ConfigTools\V0.9.8.1\configtools.dat | text
  MD5: 4A3BDC46E016B6E85D42926F0694F62D
  SHA256: A57E42FC7D38A194B192CDC8367B200CE1576C79D421AB28FE047DB88B66691C
252 | configTools.exe | C:\Users\admin\AppData\Local\KOAL\ConfigTools\V0.9.8.1\klFileRW.dll | executable
  MD5: 488175E9AE4C1EE6FBB0E75F2F2BB709
  SHA256: 16C5015CD3D1CDD24A669320EEB431DE7166033892A26100AE1B38C30AF3EA8D
252 | configTools.exe | C:\Users\admin\AppData\Local\KOAL\ConfigTools\V0.9.8.1\capicom.dll | executable
  MD5: 9130CCE19B5DB3D2E31F9F789263FC4A
  SHA256: 61450BD6BC6590236B1DF56E1594B12AE174496357A49B5963C41D0D1465D66F
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
Debug output

Process | Message
configTools.exe | 'C:\Users\admin\AppData\Local\Temp\configTools.exe' size is 2217238byte
configTools.exe | Register ocx 'C:\Users\admin\AppData\Local\KOAL\ConfigTools\V0.9.8.1\KoalCertCtl.ocx' successfully.
configTools.exe | Register ocx 'C:\Users\admin\AppData\Local\KOAL\ConfigTools\V0.9.8.1\KoalSkfDevice.ocx' successfully.
configTools.exe | Register ocx 'C:\Users\admin\AppData\Local\KOAL\ConfigTools\V0.9.8.1\capicom.dll' successfully.
configTools.exe | Register ocx 'C:\Users\admin\AppData\Local\KOAL\ConfigTools\V0.9.8.1\klFileRW.dll' successfully.
configTools.exe | RegOpenKeyEx出错: The operation completed successfully. (0)(CertUtil.cpp:502)
configTools.exe | Add 'JSCA' to TrustCA Zone successfully.
configTools.exe | RegOpenKeyEx出错: The operation completed successfully. (0)(CertUtil.cpp:502)
configTools.exe | Add 'NBSROOT' to TrustCA Zone successfully.
configTools.exe | Add 'http://ca.jsstjj.cn/nbsonline/issue.jsp ' to TrustSite Zone successfully.