analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

HIRE INV. NO.014.exe

Full analysis: https://app.any.run/tasks/80f24d51-a373-4df7-922b-fe65674d5656
Verdict: Malicious activity
Analysis date: April 25, 2019, 08:38:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3A0E4FE49FBB9FF38E2151929EFBE1C6

SHA1:

A95521AEC051CAC0E1371FCE10D21BE96979276A

SHA256:

73AADE7DF37A8EA24D5892E714F1DCBCA17ED4FA3ACBBFE75786049CD94A4C10

SSDEEP:

12288:b/EuWhdZ8R6FjA7OUQRpmcj37YWBfnA3Zd8cW8c+P:b5NkQSvD+P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • HIRE INV. NO.014.exe (PID: 1360)

    • Actions looks like stealing of personal data

      • HIRE INV. NO.014.exe (PID: 1360)

    • Changes settings of System certificates

      • HIRE INV. NO.014.exe (PID: 1360)

  • SUSPICIOUS

    • Reads the cookies of Mozilla Firefox

      • HIRE INV. NO.014.exe (PID: 1360)

    • Reads the cookies of Google Chrome

      • HIRE INV. NO.014.exe (PID: 1360)

    • Creates files in the user directory

      • HIRE INV. NO.014.exe (PID: 1360)

    • Starts CMD.EXE for commands execution

      • HIRE INV. NO.014.exe (PID: 1360)

    • Application launched itself

      • HIRE INV. NO.014.exe (PID: 2596)

    • Adds / modifies Windows certificates

      • HIRE INV. NO.014.exe (PID: 1360)

    • Executable content was dropped or overwritten

      • HIRE INV. NO.014.exe (PID: 1360)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (84.4)
.dll | Win32 Dynamic Link Library (generic) (6.7)
.exe | Win32 Executable (generic) (4.6)
.exe | Generic Win/DOS Executable (2)
.exe | DOS Executable Generic (2)

EXIF

EXE

OriginalFileName: MYTHOPOET10.exe
InternalName: MYTHOPOET10
ProductVersion: 1.03.0008
FileVersion: 1.03.0008
ProductName: coracomorphic2
LegalTrademarks: Misarray
LegalCopyright: HANDTOHAND10
FileDescription: fafaronade10
CompanyName: Clipped6
Comments: intervarsity
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 1.3.0.8
FileVersionNumber: 1.3.0.8
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 1.3
OSVersion: 4
EntryPoint: 0x109c
UninitializedDataSize: -
InitializedDataSize: 40960
CodeSize: 520192
LinkerVersion: 6
PEType: PE32
TimeStamp: 1993:02:11 11:41:47+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 11-Feb-1993 10:41:47
Detected languages:
  • English - United States
Comments: intervarsity
CompanyName: Clipped6
FileDescription: fafaronade10
LegalCopyright: HANDTOHAND10
LegalTrademarks: Misarray
ProductName: coracomorphic2
FileVersion: 1.03.0008
ProductVersion: 1.03.0008
InternalName: MYTHOPOET10
OriginalFilename: MYTHOPOET10.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 11-Feb-1993 10:41:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0007E9F8
0x0007F000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.41078
.data
0x00080000
0x00001160
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00082000
0x000075CE
0x00008000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.83202

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.36964
816
Unicode (UTF 16LE)
English - United States
RT_VERSION
30001
4.96255
16456
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30002
5.14593
7336
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30003
5.03019
3240
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30004
5.56963
1864
Unicode (UTF 16LE)
UNKNOWN
RT_ICON

Imports

MSVBVM60.DLL
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start hire inv. no.014.exe no specs hire inv. no.014.exe cmd.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2596"C:\Users\admin\AppData\Local\Temp\HIRE INV. NO.014.exe" C:\Users\admin\AppData\Local\Temp\HIRE INV. NO.014.exeexplorer.exe
User:
admin
Company:
Clipped6
Integrity Level:
MEDIUM
Description:
fafaronade10
Exit code:
0
Version:
1.03.0008
1360C:\Users\admin\AppData\Local\Temp\HIRE INV. NO.014.exe" C:\Users\admin\AppData\Local\Temp\HIRE INV. NO.014.exe
HIRE INV. NO.014.exe
User:
admin
Company:
Clipped6
Integrity Level:
MEDIUM
Description:
fafaronade10
Exit code:
0
Version:
1.03.0008
2828"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "HIRE INV. NO.014.exe"C:\Windows\system32\cmd.exeHIRE INV. NO.014.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2652C:\Windows\system32\timeout.exe 3 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
101
Read events
67
Write events
0
Delete events
0

Modification events

No data
Executable files
48
Suspicious files
0
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
1360HIRE INV. NO.014.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dllexecutable
MD5:FDBA0DB0A1652D86CD471EAA509E56EA
SHA256:2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
1360HIRE INV. NO.014.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dllexecutable
MD5:6F6796D1278670CCE6E2D85199623E27
SHA256:C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
1360HIRE INV. NO.014.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dllexecutable
MD5:D97A1CB141C6806F0101A5ED2673A63D
SHA256:DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
1360HIRE INV. NO.014.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dllexecutable
MD5:D0289835D97D103BAD0DD7B9637538A1
SHA256:91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
1360HIRE INV. NO.014.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:6D778E83F74A4C7FE4C077DC279F6867
SHA256:A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325
1360HIRE INV. NO.014.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:502263C56F931DF8440D7FD2FA7B7C00
SHA256:94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231
1360HIRE INV. NO.014.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dllexecutable
MD5:E479444BDD4AE4577FD32314A68F5D28
SHA256:C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
1360HIRE INV. NO.014.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dllexecutable
MD5:12CC7D8017023EF04EBDD28EF9558305
SHA256:7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
1360HIRE INV. NO.014.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dllexecutable
MD5:D0873E21721D04E20B6FFB038ACCF2F1
SHA256:BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
1360HIRE INV. NO.014.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dllexecutable
MD5:5F73A814936C8E7E4A2DFD68876143C8
SHA256:96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1360
HIRE INV. NO.014.exe
164.132.161.180:443
www.tcc-corso.dz
OVH SAS
FR
malicious

DNS requests

Domain
IP
Reputation
www.tcc-corso.dz
  • 164.132.161.180
malicious

Threats

PID
Process
Class
Message
1360
HIRE INV. NO.014.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
HIRE INV. NO.014.exe