File name: Stub.exe

Full analysis: https://app.any.run/tasks/04141405-15e4-4a2f-9bf1-25649c524b8f
Verdict: Malicious activity
Analysis date: June 26, 2024, 03:47:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: netreactor
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4EED490208FBD04D9D7C6775727ED245
SHA1: A6CCB4D162ED30C1C6C86881F4351FB4B90115BF
SHA256: 773361EA394307A3DC74E1E28F5B7E6A230AFEDBB6415E34C2D3EFAA1FD802DA
SSDEEP: 98304:SQpA0cf91rXL9AQW9iNyk+AUMjRACxeLHFelew7CqwQFm1NfU84hg9FUgiJJOg2P:wgqk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start: Stub.exe (PID: 3204)
  • SUSPICIOUS
    • Executable content was dropped or overwritten: Stub.exe (PID: 3204)
    • Process drops legitimate windows executable: Stub.exe (PID: 3204)
  • INFO
    No info indicators.
No Malware configuration.

TRiD

Extension | Type | Match (%)
.exe | Win64 Executable (generic) | 76.4
.exe | Win32 Executable (generic) | 12.4
.exe | Generic Win/DOS Executable | 5.5
.exe | DOS Executable Generic | 5.5

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:06:20 08:00:00+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 492032
UninitializedDataSize: -
EntryPoint: 0x19b6c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.0.1.0
ProductVersionNumber: 6.0.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: ReasonLabs
FileDescription: ReasonLabs-setup-wizard.exe
FileVersion: 6.0.1
InternalName: 7zS.sfx
LegalCopyright: Copyright (C) 2024 Reason Software Company Inc.
OriginalFileName: 7zS.sfx.exe
ProductName: ReasonLabs Setup Wizard
ProductVersion: 6.0.1
No data.
Total processes: 45
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (image not reproduced): start → stub.exe → stub.exe (no specs)

Process information

PID 3204
  CMD: "C:\Users\admin\Desktop\Stub.exe"
  Path: C:\Users\admin\Desktop\Stub.exe
  Indicators: MALICIOUS, SUSPICIOUS (see the indicator list above)
  Parent process: explorer.exe
  User: admin
  Company: ReasonLabs
  Integrity level: HIGH
  Description: ReasonLabs-setup-wizard.exe
  Exit code: 0
  Version: 6.0.1

PID 3380
  CMD: "C:\Users\admin\Desktop\Stub.exe"
  Path: C:\Users\admin\Desktop\Stub.exe
  Indicators: none
  Parent process: explorer.exe
  User: admin
  Company: ReasonLabs
  Integrity level: MEDIUM
  Description: ReasonLabs-setup-wizard.exe
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 6.0.1
Modules (images loaded):
  c:\users\admin\desktop\stub.exe
  c:\windows\system32\ntdll.dll
Total events: 1
Read events: 1
Write events: 0
Delete events: 0
Modification events: no data
Executable files: 55
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All of the files below were dropped by Stub.exe (PID 3204) under C:\Users\admin\AppData\Local\Temp\7zS48C5E1D4\ and are of type "executable".

rsTime.dll
  MD5: 167B304C9C615BE2852AC0BEF86E6F15
  SHA256: 6D5EA04F978E429C5CF0065A213BF28D8AF36540493C6564218EA51B0D5B961D
Translations\cs-CZ\UnifiedStub.resources.dll
  MD5: 999C5174344E3AF9CCD1E17299448E76
  SHA256: 0748A7D73F44ACDC027ABF5177DA04DD69D773299138EA0B25D3DBE4C00AD4A0
Translations\da-DK\UnifiedStub.resources.dll
  MD5: C2819AE6DB238F0D9FDD865347819A40
  SHA256: DA090057B5388EF09CA5F6E72C729F0330FC3CC0352E2EE704982E979DC4E1F1
System.Data.SQLite.dll
  MD5: FFBB71041C9A01DA9EA90BDD4C0096A2
  SHA256: 178570575291B95C767BA304D71C5310A94E93B6C1F673B9179D41A75A48D0E8
Translations\el-GR\UnifiedStub.resources.dll
  MD5: 765162C01B6A1D4B1EF68832658F4EDA
  SHA256: 0EF2B0E94D98919186598312218A6BDF5E5C58D7BBA15E85C08CC64454081970
Translations\de\Microsoft.Win32.TaskScheduler.resources.dll
  MD5: F83D720B236576C7D1F9F55D3BB988F9
  SHA256: 6909A1C134D0285FBA2422A40EA0E65C1F0CA3C3EF2B94A1166015AF2A87780F
Microsoft.Win32.TaskScheduler.dll
  MD5: 87D7FB0770406BC9B4DC292FA9E1E116
  SHA256: AAEB1EACBDAEB5425FD4B5C28CE2FD3714F065756664FA9F812AFDC367FBBB46
Translations\es\Microsoft.Win32.TaskScheduler.resources.dll
  MD5: 15DB634B70D6D9D6CD41BAAE3F02EB14
  SHA256: E893C6907DA8D68C03B1A10E68B554AD5A8C0533F15912106F32E925F2BEABF0
Translations\es-ES\UnifiedStub.resources.dll
  MD5: 648AD011C505A34A9A756209FF749753
  SHA256: 0CA79AE16990C66CE642475AE2C48EDD9C7D93D1CA361A84FF67B046E3DB1272
Translations\fil-PH\UnifiedStub.resources.dll
  MD5: 119609E491507BF1AC03571959DFB46F
  SHA256: 68B32C96F048BE6FDF16050A5D5C073E2F9C5B76A4305CFD0E0A7AC9A45E6726
HTTP(S) requests: 4
TCP/UDP connections: 23
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
(the export records only two trailing values per row, both "unknown")
1060 | svchost.exe | GET | 304 | 88.221.110.91:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?67a3611ec3c0260d | unknown | unknown
1372 | svchost.exe | GET | 304 | 88.221.110.91:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
1372 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1372 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3128 | UnifiedStub-installer.exe | 52.201.189.129:443 | track.analytics-data.io | AMAZON-AES | US | unknown
1372 | svchost.exe | 88.221.110.91:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
3128 | UnifiedStub-installer.exe | 13.224.189.105:443 | update.reasonsecurity.com | AMAZON-02 | US | unknown

DNS requests

Domain | IP(s) | Reputation
track.analytics-data.io | 52.201.189.129, 44.206.171.65, 3.214.152.143 | malicious
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
ctldl.windowsupdate.com | 88.221.110.91, 2.16.100.168 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
update.reasonsecurity.com | 13.224.189.105, 13.224.189.61, 13.224.189.78, 13.224.189.107 | unknown
electron-shell.reasonsecurity.com | 18.66.102.87, 18.66.102.77, 18.66.102.5, 18.66.102.10 | unknown

Threats: no threats detected
Debug info: none