| File name: | ShutUp10.exe |
|---|---|
| Full analysis: | https://app.any.run/tasks/febf0c94-761c-486e-b730-3a42d44b03d6 |
| Verdict: | Malicious activity |
| Analysis date: | February 17, 2024, 19:13:56 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 3FE356FF0E52F84ABDDF53238EEC0FE6 |
| SHA1: | 874864626861A178F02116228E176F2A41620583 |
| SHA256: | 7335914D30D8EDE5431C4BA32F56A79A397A6F38BFD44E90F62324F63AFEDA65 |
| SSDEEP: | 49152:n9Euv6E2O8pKnJjJwJNJi1YQy/AiWHh6rAoUT4oF4s3/xcKOJEN+q+62/xgw+SfB:nt3B6rtUMoqGxfOJ6+62/frorZb7GH/d |

| Extension | File type guess | Match (%) |
|---|---|---|
| .exe | Win64 Executable (generic) | 49.4 |
| .scr | Windows screen saver | 23.4 |
| .dll | Win32 Dynamic Link Library (generic) | 11.7 |
| .exe | Win32 Executable (generic) | 8 |
| .exe | Generic Win/DOS Executable | 3.5 |

| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:10:17 10:38:29+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 1875456 |
| InitializedDataSize: | 36864 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1cbd3e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.9.1436.400 |
| ProductVersionNumber: | 1.9.1436.400 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | O&O ShutUp10++ |
| CompanyName: | O&O Software GmbH |
| FileDescription: | O&O ShutUp10++ |
| FileVersion: | 1.9.1436.400 |
| InternalName: | OOSU10.exe |
| LegalCopyright: | © 2015-2023 O&O Software GmbH, Berlin. |
| LegalTrademarks: | - |
| OriginalFileName: | OOSU10.exe |
| ProductName: | O&O ShutUp10++ |
| ProductVersion: | 1.9.1436.400 |
| AssemblyVersion: | 1.9.1436.400 |
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code | Company | Description | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 2472 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | admin | MEDIUM | 0 | Microsoft Corporation | Windows Media Player Network Sharing Service Configuration Application | 12.0.7600.16385 (win7_rtm.090713-1255) |
| 2964 | "C:\Users\admin\AppData\Local\Temp\ShutUp10.exe" | C:\Users\admin\AppData\Local\Temp\ShutUp10.exe | | explorer.exe | admin | HIGH | 0 | O&O Software GmbH | O&O ShutUp10++ | 1.9.1436.400 |
| 3212 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\System32\dllhost.exe | — | svchost.exe | admin | MEDIUM | 0 | Microsoft Corporation | COM Surrogate | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3656 | "C:\Users\admin\AppData\Local\Temp\ShutUp10.exe" | C:\Users\admin\AppData\Local\Temp\ShutUp10.exe | — | explorer.exe | admin | MEDIUM | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | O&O Software GmbH | O&O ShutUp10++ | 1.9.1436.400 |
| 4000 | "C:\Program Files\FileZilla FTP Client\filezilla.exe" "C:\Users\Public\Desktop\Microsoft Edge.lnk" | C:\Program Files\FileZilla FTP Client\filezilla.exe | — | explorer.exe | admin | MEDIUM | 0 | FileZilla Project | FileZilla FTP Client | 3, 65, 0, 0 |

| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 2964 | ShutUp10.exe | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name | write | ShutUp10.exe |
| 2964 | ShutUp10.exe | HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow | Left | write | 0 |
| 2964 | ShutUp10.exe | HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow | Top | write | 0 |
| 3212 | dllhost.exe | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name | write | DllHost.exe |
| 3212 | dllhost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids | pngfile | write | |
| 3212 | dllhost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Windows Photo Viewer\PhotoViewer.dll | write | Windows Photo Viewer |
| 3212 | dllhost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\system32\mspaint.exe | write | Paint |
| 3212 | dllhost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\eHome\ehshell.exe | write | Windows Media Center |
| 3212 | dllhost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\PROGRA~1\MICROS~1\Office14\OIS.EXE | write | Microsoft Office 2010 |
| 3212 | dllhost.exe | HKEY_CURRENT_USER\Control Panel\Desktop | TileWallpaper | write | 0 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3212 | dllhost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg | image | 26BFEE11E339788AF530A1DE7C6F3151 | 6D6EE6DAA6D593E83F6C11BD7D6FC97DA376B058228690D34432E424E26EE23C |
| 4000 | filezilla.exe | C:\Users\admin\AppData\Local\FileZilla\default_speedlimits16x16.png | image | EF56A56C6385B8E73B8DF483FB2B7286 | 8C31386474FBFEC93A303DF0ED1B2D6029CFFD648604A1FB91A9969107D2186F |
| 4000 | filezilla.exe | C:\Users\admin\AppData\Local\FileZilla\default_leds24x24.png | image | 3CDB1F496431271DB6C442BC0DFA4C87 | E9DB40BC4ACAF1B3D7C9262B6EB616C8C29DB3E34D4006443D36F1794553330E |
| 4000 | filezilla.exe | C:\Users\admin\AppData\Roaming\FileZilla\layout.xml~ | xml | 2C67357412FE5428D2EB67E2178925FA | 6E8BEE236C7BB6E2CD249AF7449B0F08AFCEBEBE4140CF818750E4489D570B69 |
| 4000 | filezilla.exe | C:\Users\admin\AppData\Local\FileZilla\default_localtreeview20x20.png | image | 6F1521A05994C29F5DB6711A2A56E25A | C0B2F0998B11BFBC0D5EE0FBCA3320CC79A5AF5DF16800F7EDAAB99C7AF0949F |
| 3212 | dllhost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows Photo Viewer\Windows Photo Viewer Wallpaper.jpg | image | 26BFEE11E339788AF530A1DE7C6F3151 | 6D6EE6DAA6D593E83F6C11BD7D6FC97DA376B058228690D34432E424E26EE23C |
| 4000 | filezilla.exe | C:\Users\admin\AppData\Roaming\FileZilla\layout.xml | xml | 2C67357412FE5428D2EB67E2178925FA | 6E8BEE236C7BB6E2CD249AF7449B0F08AFCEBEBE4140CF818750E4489D570B69 |
| 4000 | filezilla.exe | C:\Users\admin\AppData\Local\FileZilla\default_logview20x20.png | image | 7CDD1BBF7FF3DDABA37B94B3A8844EFA | 682ADA4732A0D9282BA25B65C17D5C487DEA484A95E04E5C50E5C3FB2550F0F6 |
| 4000 | filezilla.exe | C:\Users\admin\AppData\Local\FileZilla\default_sitemanager20x20.png | image | 0DA3E808ABE002C20B4451F5D0F2990F | 6B2CE84C384134C13BCDBF03F3163EBD9B59E6E40D5A881DF02A2B671F8F12A1 |
| 3212 | dllhost.exe | C:\Users\admin\AppData\Local\Temp\~PI5AD2.tmp | image | 26BFEE11E339788AF530A1DE7C6F3151 | 6D6EE6DAA6D593E83F6C11BD7D6FC97DA376B058228690D34432E424E26EE23C |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |