URL: http://powertec-sy.com/a/a.exe
Full analysis: https://app.any.run/tasks/2816c764-0489-42f6-93d5-ad0bfa8c3d91
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 10, 2019, 21:41:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, opendir, loader
Indicators:
MD5: 3FC43DA705DC1828B51E84650999AF13
SHA1: 96B540AE991CFE9E9F45D8D164BA45B2C690133D
SHA256: 73345FF8373C37A00F55EB33159B97B8E598B401689FFEDA13E2B8D37515E5FD
SSDEEP: 3:N1KOK9c9A:COAmA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • a[1].exe (PID: 2688)
    • Downloads executable files from the Internet
      • iexplore.exe (PID: 3248)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • iexplore.exe (PID: 3248)
      • iexplore.exe (PID: 2964)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 2964)
    • Application launched itself
      • iexplore.exe (PID: 2964)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3248)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 32
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph (image available in the full report): iexplore.exe → iexplore.exe → a[1].exe (drop and start; no specs)

Process information

PID 2964
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3248
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2964 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2688
  CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\a[1].exe"
  Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\a[1].exe
  Parent process: iexplore.exe
  User: admin
  Company: Tracepurcel2
  Integrity Level: MEDIUM
  Description: Thymelici3
  Version: 1.04.0004
Total events: 619
Read events: 567
Write events: 48
Delete events: 4

Modification events

| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 2964 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0 |
| 2964 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
| 2964 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
| 2964 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1 |
| 2964 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0 |
| 2964 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (value omitted) |
| 2964 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {B8ED524D-2D7C-11E9-AA93-5254004A04AF} | 0 |
| 2964 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Type | 4 |
| 2964 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Count | 3 |
| 2964 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Time | E307020000000A0015002A000C004A03 |
Executable files: 2
Suspicious files: 1
Text files: 5
Unknown types: 2

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2964 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | | | |
| 2964 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF70C5AEF81AB1D275.TMP | | | |
| 2964 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF9228F0EC8A5252F4.TMP | | | |
| 2964 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B8ED524D-2D7C-11E9-AA93-5254004A04AF}.dat | | | |
| 2964 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B8ED524E-2D7C-11E9-AA93-5254004A04AF}.dat | binary | D9795B05EBC50222FD1E7DED7659737B | 739E8899736EBE374BD48D7F05C9B377E2FBDF6C1D3D123CECCBC40887069BFB |
| 3248 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019021020190211\index.dat | dat | 5D5BB764F0AAD3663375B710E8D95040 | 778E501DFE0F1B84E297E4A8C0099B64BD4BD94E244B89DC14112D921115E9B2 |
| 2964 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019021020190211\index.dat | dat | C44E1C3B83E5146B9D890BD1A2A7058D | 87675EE2FE0AD42DB72570FDE17508333EE3C269F01272FB89553C3434CEE503 |
| 3248 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\a[1].exe | executable | A4E49AAD602CD5831B920C880F882D8B | 6179143A0F2B792DB294AAC373E19028BBD4B8797DDEAB9833753A3680558E63 |
| 3248 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log | text | 1ABBC758DDF62EEBE07C76C698E95BD6 | 13E410080D85228CCF73A0C7D0AF819F4B4F5EC9886791FD00A1C273D8193470 |
| 2964 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\a[1].exe | executable | A4E49AAD602CD5831B920C880F882D8B | 6179143A0F2B792DB294AAC373E19028BBD4B8797DDEAB9833753A3680558E63 |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3248 | iexplore.exe | GET | 200 | 170.10.162.202:80 | http://powertec-sy.com/a/a.exe | US | executable | 476 Kb | malicious |
| 2964 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2964 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 3248 | iexplore.exe | 170.10.162.202:80 | powertec-sy.com | Steadfast | US | malicious |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted |
| powertec-sy.com | 170.10.162.202 | malicious |

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| 3248 | iexplore.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
| 3248 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
| 3248 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
No debug info