Malware analysis OOSU10.exe Malicious activity | ANY.RUN

Add for printing

File name:	OOSU10.exe
Full analysis:	https://app.any.run/tasks/cf33a000-e52d-4e59-b77a-4c0df2f3d76b
Verdict:	Malicious activity
Analysis date:	February 28, 2024, 16:45:56
OS:	Ubuntu 22.04.2
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	3FE356FF0E52F84ABDDF53238EEC0FE6
SHA1:	874864626861A178F02116228E176F2A41620583
SHA256:	7335914D30D8EDE5431C4BA32F56A79A397A6F38BFD44E90F62324F63AFEDA65
SSDEEP:	49152:n9Euv6E2O8pKnJjJwJNJi1YQy/AiWHh6rAoUT4oF4s3/xcKOJEN+q+62/xgw+SfB:nt3B6rtUMoqGxfOJ6+62/frorZb7GH/d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Checks DMI information (probably VM detection)
  - systemd-hostnamed (PID: 9293)
- Reads /proc/mounts (likely used to find writable filesystems)
  - firefox (PID: 9351)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (49.4)
.scr	\|	Windows screen saver (23.4)
.dll	\|	Win32 Dynamic Link Library (generic) (11.7)
.exe	\|	Win32 Executable (generic) (8)
.exe	\|	Generic Win/DOS Executable (3.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:10:17 10:38:29+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	48
CodeSize:	1875456
InitializedDataSize:	36864
UninitializedDataSize:	-
EntryPoint:	0x1cbd3e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.9.1436.400
ProductVersionNumber:	1.9.1436.400
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	O&O ShutUp10++
CompanyName:	O&O Software GmbH
FileDescription:	O&O ShutUp10++
FileVersion:	1.9.1436.400
InternalName:	OOSU10.exe
LegalCopyright:	© 2015-2023 O&O Software GmbH, Berlin.
LegalTrademarks:	-
OriginalFileName:	OOSU10.exe
ProductName:	O&O ShutUp10++
ProductVersion:	1.9.1436.400
AssemblyVersion:	1.9.1436.400

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

401

Monitored processes

176

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
9276	/bin/sh -c "DISPLAY=:0 sudo -iu user nautilus \"/home/user/Desktop/OOSU10\.exe\" "	/bin/sh	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 9746
9277	sudo -iu user nautilus /home/user/Desktop/OOSU10.exe	/usr/bin/sudo	—	sh
User: root Integrity Level: UNKNOWN Exit code: 9746
9278	nautilus /home/user/Desktop/OOSU10.exe	/usr/bin/nautilus	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 9746
9279	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	nautilus
User: user Integrity Level: UNKNOWN Exit code: 0
9293	/lib/systemd/systemd-hostnamed	/lib/systemd/systemd-hostnamed	—	systemd
User: root Integrity Level: UNKNOWN Exit code: 9278
9298	nautilus /home/user/Desktop/OOSU10.exe	/usr/bin/nautilus	—	nautilus
User: user Integrity Level: UNKNOWN Exit code: 9278
9299	file-roller /home/user/Desktop/OOSU10.exe	/usr/bin/file-roller	—	nautilus
User: user Integrity Level: UNKNOWN Exit code: 496
9314	/usr/lib/p7zip/7z l -slt -bd -y -- /home/user/Desktop/OOSU10.exe	/usr/lib/p7zip/7z	—	file-roller
User: user Integrity Level: UNKNOWN Exit code: 496
9325	nautilus /home/user/Desktop/OOSU10.exe	/usr/bin/nautilus	—	nautilus
User: user Integrity Level: UNKNOWN Exit code: 496
9326	file-roller /home/user/Desktop/OOSU10.exe	/usr/bin/file-roller	—	nautilus
User: user Integrity Level: UNKNOWN Exit code: 9299

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
9278	nautilus	/home/user/.local/share/nautilus/tags/meta.db-wal		—
		MD5:—	SHA256:—
9278	nautilus	/home/user/.local/share/nautilus/tags/meta.db-shm		—
		MD5:—	SHA256:—
9278	nautilus	/home/user/.local/share/nautilus/tags/.meta.isrunning		—
		MD5:—	SHA256:—
9299	file-roller	/dconf/user		—
		MD5:—	SHA256:—
9278	nautilus	/home/user/.local/share/recently-used.xbel.19LTJ2		—
		MD5:—	SHA256:—
9299	file-roller	/home/user/.local/share/recently-used.xbel.KIUOJ2		—
		MD5:—	SHA256:—
9299	file-roller	/home/user/.local/share/recently-used.xbel.ZVZHJ2		—
		MD5:—	SHA256:—
9278	nautilus	/home/user/.config/mimeapps.list.L14KJ2		—
		MD5:—	SHA256:—
9278	nautilus	/home/user/.local/share/recently-used.xbel.O6GFJ2		—
		MD5:—	SHA256:—
9326	file-roller	/home/user/.local/share/recently-used.xbel.5S4RJ2		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

36

TCP/UDP connections

48

DNS requests

76

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	text	90 b	unknown
—	—	POST	200	184.24.77.70:80	http://r3.o.lencr.org/	unknown	binary	503 b	unknown
—	—	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	text	8 b	unknown
—	—	POST	200	172.217.23.99:80	http://ocsp.pki.goog/gts1c3	unknown	binary	472 b	unknown
—	—	POST	200	184.24.77.70:80	http://r3.o.lencr.org/	unknown	binary	503 b	unknown
—	—	POST	200	184.24.77.70:80	http://r3.o.lencr.org/	unknown	binary	503 b	unknown
—	—	POST	200	184.24.77.70:80	http://r3.o.lencr.org/	unknown	binary	503 b	unknown
—	—	POST	200	172.217.23.99:80	http://ocsp.pki.goog/gts1c3	unknown	binary	472 b	unknown
—	—	POST	—	184.24.77.70:80	http://r3.o.lencr.org/	unknown	—	—	unknown
—	—	POST	200	184.24.77.70:80	http://r3.o.lencr.org/	unknown	binary	503 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	185.125.188.55:443	—	Canonical Group Limited	GB	malicious
—	—	224.0.0.251:5353	—	—	—	unknown
—	—	142.250.185.170:443	safebrowsing.googleapis.com	—	—	unknown
—	—	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	unknown
—	—	34.117.188.166:443	spocs.getpocket.com	—	—	unknown
—	—	172.217.23.99:80	ocsp.pki.goog	GOOGLE	US	unknown
—	—	34.117.237.239:443	contile.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	unknown
—	—	34.107.243.93:443	push.services.mozilla.com	GOOGLE	US	unknown
—	—	184.24.77.70:80	r3.o.lencr.org	Akamai International B.V.	DE	unknown
—	—	34.160.144.191:443	content-signature-2.cdn.mozilla.net	GOOGLE	US	unknown

DNS requests

Domain	IP	Reputation
api.snapcraft.io	—	unknown
137.100.168.192.in-addr.arpa	—	unknown
detectportal.firefox.com	34.107.221.82 2600:1901:0:38d7::	whitelisted
example.org	93.184.216.34 2606:2800:220:1:248:1893:25c8:1946	whitelisted
ipv4only.arpa	192.0.0.171 192.0.0.170	whitelisted
contile.services.mozilla.com	34.117.237.239	whitelisted
spocs.getpocket.com	34.117.188.166	shared
gkegw.prod.ads.prod.webservices.mozgcp.net	—	unknown
r3.o.lencr.org	184.24.77.70 184.24.77.61 184.24.77.52 184.24.77.76 184.24.77.54 184.24.77.58 184.24.77.51 2a01:4a0:1338:28::c38a:ff12 2a01:4a0:1338:28::c38a:ff13	shared
content-signature-2.cdn.mozilla.net	34.160.144.191 2600:1901:0:92a9::	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

OOSU10.exe

3FE356FF0E52F84ABDDF53238EEC0FE6

874864626861A178F02116228E176F2A41620583

7335914D30D8EDE5431C4BA32F56A79A397A6F38BFD44E90F62324F63AFEDA65

49152:n9Euv6E2O8pKnJjJwJNJi1YQy/AiWHh6rAoUT4oF4s3/xcKOJEN+q+62/xgw+SfB:nt3B6rtUMoqGxfOJ6+62/frorZb7GH/d

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Checks DMI information (probably VM detection)

Reads /proc/mounts (likely used to find writable filesystems)

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings