analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Dosia.exe |
| Full analysis: | https://app.any.run/tasks/df4119ce-5cd3-41f3-b883-24cc518d63a7 |
| Verdict: | Malicious activity |
| Analysis date: | December 06, 2022, 06:20:40 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386, for MS Windows |
| MD5: | 21BE396619D3AB2EFA6A70387180E58F |
| SHA1: | 09A3B689A5077BD89331ACD157EBE621C8714A89 |
| SHA256: | 77CC16BE9E6F910BE9B154981DF07EE9E426863E1543E0D84FBDFB7DC6C9D09F |
| SSDEEP: | 98304:I68cgXwWux4ffGqIVkwAZgEkoA/M9wMVuA7r5jF/vKqdD5g+:ZYe2fGNhAJkb/YwM82rhJf |
MALICIOUS
Loads dropped or rewritten executable
- Dosia.exe (PID: 2732)
- Dosia.exe (PID: 2436)
Drops the executable file immediately after the start
- Dosia.exe (PID: 2436)
SUSPICIOUS
Application launched itself
- Dosia.exe (PID: 2436)
Executable content was dropped or overwritten
- Dosia.exe (PID: 2436)
INFO
Drops a file that was compiled in debug mode
- Dosia.exe (PID: 2436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Compilation Date: | 2022-Jul-01 09:53:45 |
DOS Header
| e_magic: | MZ |
|---|---|
| e_cblp: | 144 |
| e_cp: | 3 |
| e_crlc: | - |
| e_cparhdr: | 4 |
| e_minalloc: | - |
| e_maxalloc: | 65535 |
| e_ss: | - |
| e_sp: | 184 |
| e_csum: | - |
| e_ip: | - |
| e_cs: | - |
| e_ovno: | - |
| e_oemid: | - |
| e_oeminfo: | - |
| e_lfanew: | 248 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| NumberofSections: | 5 |
| TimeDateStamp: | 2022-Jul-01 09:53:45 |
| PointerToSymbolTable: | - |
| NumberOfSymbols: | - |
| SizeOfOptionalHeader: | 224 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 4096 | 151122 | 151552 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.65753 |
.rdata | 155648 | 55268 | 55296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.15306 |
.data | 212992 | 63700 | 3072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.88335 |
.rsrc | 278528 | 61444 | 61952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.35622 |
.reloc | 344064 | 7560 | 7680 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.66216 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
0 | 2.71858 | 104 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON |
1 | 5.58652 | 3752 | Latin 1 / Western European | UNKNOWN | RT_ICON |
2 | 6.05629 | 2216 | Latin 1 / Western European | UNKNOWN | RT_ICON |
3 | 5.5741 | 1384 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 7.95079 | 37019 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 5.29119 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 5.43869 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON |
7 | 5.89356 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON |
1 (#2) | 5.29093 | 1416 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
Imports
ADVAPI32.dll |
KERNEL32.dll |
Total processes
35
Monitored processes
2
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2436 | "C:\Users\admin\AppData\Local\Temp\Dosia.exe" | C:\Users\admin\AppData\Local\Temp\Dosia.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 2 Modules
| |||||||||||||||
| 2732 | "C:\Users\admin\AppData\Local\Temp\Dosia.exe" | C:\Users\admin\AppData\Local\Temp\Dosia.exe | — | Dosia.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 2 Modules
| |||||||||||||||
Total events
151
Read events
151
Write events
0
Delete events
0
Modification events
Executable files
50
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-debug-l1-1-0.dll | executable | |
MD5:CE61A5D4134DE9112F87D67CA0869CF5 | SHA256:EE461EDA292F793D049F67153FA784B56EF2386E49A3B2BCF5EC1B3253E3ED72 | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\_socket.pyd | executable | |
MD5:A7A2A5A17BFD12376E6AEDB5F531C21B | SHA256:F869311C8D4EB3B0CDEF30486EB37C679A35CF11AFA803CD5D9FD61265344810 | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\_lzma.pyd | executable | |
MD5:C573346309D8E967A7ADEBF047F5A693 | SHA256:8F8B3CF6CE8A798398139B91B55A5F2CFCA6D997622C7E04DC99455C3AD6997F | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-console-l1-1-0.dll | executable | |
MD5:DED0A05ECD081921F854C718401839A9 | SHA256:CD49E371C79A0D242293E764CB9CBA1C6B071BBEDA18E7D2AF28804E7721BA3E | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\_hashlib.pyd | executable | |
MD5:4F3BF6E8EFAA31A5812F10963182EC96 | SHA256:F3A4E21F451667415F88C17D2F58AFCF110A922487228CEFA6D4F8D4261A067C | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-file-l1-1-0.dll | executable | |
MD5:9383F2D137B9A23B858AF26979973F90 | SHA256:316CDC6B0993217DE0FBDF2D481E907955A7F7D552171D4ECE7469C7281F6781 | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-memory-l1-1-0.dll | executable | |
MD5:DBFC2D434F864455F4F1C2257D050940 | SHA256:2A76304FBFA3869F152CA955CA76864897409289C0B60EA8FD3C314F4C56ABA6 | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-libraryloader-l1-1-0.dll | executable | |
MD5:F84DD01E37844165EF8CD0DF2D0B45A4 | SHA256:2C3F5F8E9861B05F734DE06A6AC27696DA2DB6193EE003FB62561B6859AFDE11 | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-heap-l1-1-0.dll | executable | |
MD5:483FF5DFE47A187010B9247799EEB174 | SHA256:2AD76AE13FA4BD279F1779312BC2E62D048C9CBB6A528E65B968DFE7431DFEAE | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\_ssl.pyd | executable | |
MD5:411AE4B3C3ACDD207570576ABE296E01 | SHA256:4766EC375DAD3E2106EEEECC6E2069B7D99E1D7691241735B0EBB39564FE339F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report