File name:

Dosia.exe

Full analysis: https://app.any.run/tasks/df4119ce-5cd3-41f3-b883-24cc518d63a7
Verdict: Malicious activity
Analysis date: December 06, 2022, 06:20:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

21BE396619D3AB2EFA6A70387180E58F

SHA1:

09A3B689A5077BD89331ACD157EBE621C8714A89

SHA256:

77CC16BE9E6F910BE9B154981DF07EE9E426863E1543E0D84FBDFB7DC6C9D09F

SSDEEP:

98304:I68cgXwWux4ffGqIVkwAZgEkoA/M9wMVuA7r5jF/vKqdD5g+:ZYe2fGNhAJkb/YwM82rhJf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • Dosia.exe (PID: 2732)
      • Dosia.exe (PID: 2436)

    • Drops the executable file immediately after the start

      • Dosia.exe (PID: 2436)

  • SUSPICIOUS

    • Application launched itself

      • Dosia.exe (PID: 2436)

    • Executable content was dropped or overwritten

      • Dosia.exe (PID: 2436)

  • INFO

    • Drops a file that was compiled in debug mode

      • Dosia.exe (PID: 2436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 2022-Jul-01 09:53:45

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 248

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2022-Jul-01 09:53:45
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
151122
151552
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.65753
.rdata
155648
55268
55296
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.15306
.data
212992
63700
3072
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.88335
.rsrc
278528
61444
61952
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.35622
.reloc
344064
7560
7680
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.66216

Resources

Title
Entropy
Size
Codepage
Language
Type
0
2.71858
104
Latin 1 / Western European
UNKNOWN
RT_GROUP_ICON
1
5.58652
3752
Latin 1 / Western European
UNKNOWN
RT_ICON
2
6.05629
2216
Latin 1 / Western European
UNKNOWN
RT_ICON
3
5.5741
1384
Latin 1 / Western European
UNKNOWN
RT_ICON
4
7.95079
37019
Latin 1 / Western European
UNKNOWN
RT_ICON
5
5.29119
9640
Latin 1 / Western European
UNKNOWN
RT_ICON
6
5.43869
4264
Latin 1 / Western European
UNKNOWN
RT_ICON
7
5.89356
1128
Latin 1 / Western European
UNKNOWN
RT_ICON
1 (#2)
5.29093
1416
Latin 1 / Western European
UNKNOWN
RT_MANIFEST

Imports

ADVAPI32.dll
KERNEL32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dosia.exe dosia.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2436"C:\Users\admin\AppData\Local\Temp\Dosia.exe" C:\Users\admin\AppData\Local\Temp\Dosia.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\users\admin\appdata\local\temp\dosia.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\apphelp.dll
2732"C:\Users\admin\AppData\Local\Temp\Dosia.exe" C:\Users\admin\AppData\Local\Temp\Dosia.exeDosia.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\users\admin\appdata\local\temp\dosia.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\users\admin\appdata\local\temp\_mei24362\ucrtbase.dll
Total events
151
Read events
151
Write events
0
Delete events
0

Modification events

No data
Executable files
50
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2436Dosia.exeC:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-heap-l1-1-0.dllexecutable
MD5:483FF5DFE47A187010B9247799EEB174
SHA256:2AD76AE13FA4BD279F1779312BC2E62D048C9CBB6A528E65B968DFE7431DFEAE
2436Dosia.exeC:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-libraryloader-l1-1-0.dllexecutable
MD5:F84DD01E37844165EF8CD0DF2D0B45A4
SHA256:2C3F5F8E9861B05F734DE06A6AC27696DA2DB6193EE003FB62561B6859AFDE11
2436Dosia.exeC:\Users\admin\AppData\Local\Temp\_MEI24362\_bz2.pydexecutable
MD5:967E6B298D140BAEE111CB117FAD6A23
SHA256:466BFE57B5F2E9E28B0CFD118EF10341E9B72E60DFD0EC35B24B3458799CBB91
2436Dosia.exeC:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-file-l1-2-0.dllexecutable
MD5:5576FDD1F244BE3F29072F3D0EF710E1
SHA256:26C712D65BD2D3621DBD75EC9CD9C25B5A43035137171C64C101C66F6943DAA0
2436Dosia.exeC:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:CE61A5D4134DE9112F87D67CA0869CF5
SHA256:EE461EDA292F793D049F67153FA784B56EF2386E49A3B2BCF5EC1B3253E3ED72
2436Dosia.exeC:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-handle-l1-1-0.dllexecutable
MD5:FB3739342A14BD2AB472A1DA52A0E40E
SHA256:5FF872DFBE8908682C0B5CD2471C6675B917C0E368C592693AAD7275CA5B91E3
2436Dosia.exeC:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:D89D0FD140E470DBBB4E4BB4337F6DF7
SHA256:4AEF6678D7B17314E064B97C54B25AEC7AB8F5CDFB426661CA8FD9BF1DB98203
2436Dosia.exeC:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:9383F2D137B9A23B858AF26979973F90
SHA256:316CDC6B0993217DE0FBDF2D481E907955A7F7D552171D4ECE7469C7281F6781
2436Dosia.exeC:\Users\admin\AppData\Local\Temp\_MEI24362\VCRUNTIME140.dllexecutable
MD5:5F9D90D666620944943B0D6D1CCA1945
SHA256:9EC4AFAD505E0A3DAD760FA5B59C66606AE54DD043C16914CF56D7006E46D375
2436Dosia.exeC:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:1A779B2C8632ACDA0076638AD4C253CA
SHA256:8BA21801189191F319BCB0848FCBE88012EB6D0F26CC78D85563BC36EB7050FB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2023 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Dosia.exe