File name: st.exe
Full analysis: https://app.any.run/tasks/db34464c-2272-4fff-9032-330e36e16440
Verdict: Malicious activity
Analysis date: April 15, 2019, 08:51:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: MS-DOS executable, MZ for MS-DOS
MD5: ECF5CABC81047B46977A4DF9D8D68797
SHA1: 9E0C79A494C450D684E17B0CB4BADEC73171B8DA
SHA256: 750BAA808221DD28920451DF0BDEBF7C1456C5B4B71E32917668E2E19677B666
SSDEEP: 49152:EHfXZ/v+zgAWDaCkJFDgGOiBIHf8WK0GvsbDCcMszvlt:EHB/G8mH4H0QG8DCcpzz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • mmkt.exe (PID: 300)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • st.exe (PID: 2672)
    • Creates files in the program directory
      • st.exe (PID: 2672)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x7491c5
UninitializedDataSize: -
InitializedDataSize: 6202880
CodeSize: 1418240
LinkerVersion: 14
PEType: PE32
TimeStamp: 2018:06:24 09:07:00+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Jun-2018 07:07:00
Detected languages:
  • Chinese - PRC
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0040
Pages in file: 0x0001
Relocations: 0x0000
Size of header: 0x0002
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0xB400
OEM information: 0xCD09
Address of NE header: 0x00000040

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 24-Jun-2018 07:07:00
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.MPRESS1 | 0x00001000 | 0x00748000 | 0x00282400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99993
.MPRESS2P\x0d | 0x00749000 | 0x00000D50 | 0x00000E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.83198
.rsrc | 0x0074A000 | 0x00000A64 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.06563

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST
101 | 7.99878 | 129024 | UNKNOWN | Chinese - PRC | ECC
102 | 7.57265 | 503 | UNKNOWN | Chinese - PRC | ECC1
103 | 7.97503 | 7782 | UNKNOWN | Chinese - PRC | ECC2
104 | 7.99822 | 100864 | UNKNOWN | Chinese - PRC | ECC3
105 | 7.98532 | 15360 | UNKNOWN | Chinese - PRC | ECC4
106 | 7.99016 | 17408 | UNKNOWN | Chinese - PRC | ECC5
107 | 7.9906 | 479744 | UNKNOWN | Chinese - PRC | ECC6
108 | 0 | 5120 | UNKNOWN | Chinese - PRC | ECC7
109 | 0 | 10240 | UNKNOWN | Chinese - PRC | ECC8

Imports

ADVAPI32.dll
KERNEL32.DLL
OLEAUT32.dll
SHELL32.dll
USER32.dll
WLDAP32.dll
WS2_32.dll
ole32.dll
No data.
Total processes: 33
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

st.exe (drop and start) -> mmkt.exe

Process information

PID: 2672
CMD: "C:\Users\admin\AppData\Local\Temp\st.exe"
Path: C:\Users\admin\AppData\Local\Temp\st.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
  c:\users\admin\appdata\local\temp\st.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 300
CMD: "C:\Users\All Users\mmkt.exe"
Path: C:\Users\All Users\mmkt.exe
Parent process: st.exe
User: admin
Company: gentilkiwi (Benjamin DELPY)
Integrity Level: MEDIUM
Description: mimikatz for Windows
Exit code: 0
Version: 2.1.1.0
Modules (Images):
  c:\programdata\mmkt.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\cabinet.dll
  c:\windows\system32\crypt32.dll
Total events: 48
Read events: 44
Write events: 4
Delete events: 0

Modification events

(PID) Process: (2672) st.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2672) st.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Executable files: 20
Suspicious files: 0
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2672 | st.exe | C:\ProgramData\blue.xml | xml
  MD5: F56025565DE4F53F5771D4966C2B5555
  SHA256: EA7CAA08E115DBB438E29DA46B47F54C62C29697617BAE44464A9B63D9BDDF18
2672 | st.exe | C:\ProgramData\down64.dll | executable
  MD5: 562DF8E4EABE900AEF8A6F6642316CDE
  SHA256: 8D579D65B4C0E208AABEB79683E7F9F00CBEAC3A3965CE85D4CB08D06897A6C0
2672 | st.exe | C:\ProgramData\crli-0.dll | executable
  MD5: F82FA69BFE0522163EB0CF8365497DA2
  SHA256: B556B5C077E38DCB65D21A707C19618D02E0A65FF3F9887323728EC078660CC3
2672 | st.exe | C:\ProgramData\trfo-2.dll | executable
  MD5: 3E89C56056E5525BF4D9E52B28FBBCA7
  SHA256: B2A3172A1D676F00A62DF376D8DA805714553BB3221A8426F9823A8A5887DAAA
2672 | st.exe | C:\ProgramData\exma-1.dll | executable
  MD5: BA629216DB6CF7C0C720054B0C9A13F3
  SHA256: 15292172A83F2E7F07114693AB92753ED32311DFBA7D54FE36CC7229136874D9
2672 | st.exe | C:\ProgramData\posh-0.dll | executable
  MD5: 2F0A52CE4F445C6E656ECEBBCACEADE5
  SHA256: CDE45F7FF05F52B7215E4B0EA1F2F42AD9B42031E16A3BE9772AA09E014BACDB
2672 | st.exe | C:\ProgramData\dmgd-4.dll | executable
  MD5: A05C7011AB464E6C353A057973F5A06E
  SHA256: 50F329E034DB96BA254328CD1E0F588AF6126C341ED92DDF4AEB96BC76835937
2672 | st.exe | C:\ProgramData\cnli-1.dll | executable
  MD5: A539D27F33EF16E52430D3D2E92E9D5C
  SHA256: DB0831E19A4E3A736EA7498DADC2D6702342F75FD8F7FBAE1894EE2E9738C2B4
2672 | st.exe | C:\ProgramData\libeay32.dll | executable
  MD5: F01F09FE90D0F810C44DCE4E94785227
  SHA256: 5F30AA2FE338191B972705412B8043B0A134CDB287D754771FC225F2309E82EE
2672 | st.exe | C:\ProgramData\coli-0.dll | executable
  MD5: 3C2FE2DBDF09CFA869344FDB53307CB2
  SHA256: 0439628816CABE113315751E7113A9E9F720D7E499FFDD78ACBAC1ED8BA35887
HTTP(S) requests: 10
TCP/UDP connections: 1 142
DNS requests: 0
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2672 | st.exe | GET | - | 103.17.104.4:80 | http://103.17.104.4/ | IN | - | - | unknown
2672 | st.exe | GET | - | 103.17.104.3:80 | http://103.17.104.3/ | IN | - | - | unknown
2672 | st.exe | GET | - | 103.17.104.1:80 | http://103.17.104.1/ | IN | - | - | unknown
2672 | st.exe | GET | - | 103.17.104.0:80 | http://103.17.104.0/ | IN | - | - | unknown
2672 | st.exe | GET | - | 103.17.104.2:80 | http://103.17.104.2/ | IN | - | - | unknown
2672 | st.exe | GET | - | 103.17.104.2:8080 | http://103.17.104.2:8080/ | IN | - | - | unknown
2672 | st.exe | GET | - | 103.17.104.3:8080 | http://103.17.104.3:8080/ | IN | - | - | unknown
2672 | st.exe | GET | - | 103.17.104.1:8080 | http://103.17.104.1:8080/ | IN | - | - | unknown
2672 | st.exe | GET | - | 103.17.104.4:8080 | http://103.17.104.4:8080/ | IN | - | - | unknown
2672 | st.exe | GET | - | 103.17.104.0:8080 | http://103.17.104.0:8080/ | IN | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2672 | st.exe | 103.17.104.0:88 | - | Vasai Cable Pvt. Ltd. | IN | unknown
2672 | st.exe | 103.17.104.0:83 | - | Vasai Cable Pvt. Ltd. | IN | unknown
2672 | st.exe | 103.17.104.0:81 | - | Vasai Cable Pvt. Ltd. | IN | unknown
2672 | st.exe | 103.17.104.0:82 | - | Vasai Cable Pvt. Ltd. | IN | unknown
2672 | st.exe | 103.17.104.0:80 | - | Vasai Cable Pvt. Ltd. | IN | unknown
2672 | st.exe | 103.17.104.0:84 | - | Vasai Cable Pvt. Ltd. | IN | unknown
2672 | st.exe | 103.17.104.0:89 | - | Vasai Cable Pvt. Ltd. | IN | unknown
2672 | st.exe | 103.17.104.0:99 | - | Vasai Cable Pvt. Ltd. | IN | unknown
2672 | st.exe | 103.17.104.0:113 | - | Vasai Cable Pvt. Ltd. | IN | unknown
2672 | st.exe | 103.17.104.0:102 | - | Vasai Cable Pvt. Ltd. | IN | unknown

DNS requests

No data

Threats

PID | Process | Class | Message
2672 | st.exe | Misc activity | ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
No debug info