| File name: | Dosia.exe |
| Full analysis: | https://app.any.run/tasks/df4119ce-5cd3-41f3-b883-24cc518d63a7 |
| Verdict: | Malicious activity |
| Analysis date: | December 06, 2022, 06:20:40 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386, for MS Windows |
| MD5: | 21BE396619D3AB2EFA6A70387180E58F |
| SHA1: | 09A3B689A5077BD89331ACD157EBE621C8714A89 |
| SHA256: | 77CC16BE9E6F910BE9B154981DF07EE9E426863E1543E0D84FBDFB7DC6C9D09F |
| SSDEEP: | 98304:I68cgXwWux4ffGqIVkwAZgEkoA/M9wMVuA7r5jF/vKqdD5g+:ZYe2fGNhAJkb/YwM82rhJf |
MALICIOUS
Loads dropped or rewritten executable
- Dosia.exe (PID: 2732)
- Dosia.exe (PID: 2436)
Drops the executable file immediately after the start
- Dosia.exe (PID: 2436)
SUSPICIOUS
Executable content was dropped or overwritten
- Dosia.exe (PID: 2436)
Application launched itself
- Dosia.exe (PID: 2436)
INFO
Drops a file that was compiled in debug mode
- Dosia.exe (PID: 2436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Compilation Date: | 2022-Jul-01 09:53:45 |
DOS Header
| e_magic: | MZ |
|---|---|
| e_cblp: | 144 |
| e_cp: | 3 |
| e_crlc: | - |
| e_cparhdr: | 4 |
| e_minalloc: | - |
| e_maxalloc: | 65535 |
| e_ss: | - |
| e_sp: | 184 |
| e_csum: | - |
| e_ip: | - |
| e_cs: | - |
| e_ovno: | - |
| e_oemid: | - |
| e_oeminfo: | - |
| e_lfanew: | 248 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| NumberofSections: | 5 |
| TimeDateStamp: | 2022-Jul-01 09:53:45 |
| PointerToSymbolTable: | - |
| NumberOfSymbols: | - |
| SizeOfOptionalHeader: | 224 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 4096 | 151122 | 151552 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.65753 |
.rdata | 155648 | 55268 | 55296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.15306 |
.data | 212992 | 63700 | 3072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.88335 |
.rsrc | 278528 | 61444 | 61952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.35622 |
.reloc | 344064 | 7560 | 7680 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.66216 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
0 | 2.71858 | 104 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON |
1 | 5.58652 | 3752 | Latin 1 / Western European | UNKNOWN | RT_ICON |
2 | 6.05629 | 2216 | Latin 1 / Western European | UNKNOWN | RT_ICON |
3 | 5.5741 | 1384 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 7.95079 | 37019 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 5.29119 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 5.43869 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON |
7 | 5.89356 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON |
1 (#2) | 5.29093 | 1416 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
Imports
ADVAPI32.dll |
KERNEL32.dll |
Total processes
35
Monitored processes
2
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2436 | "C:\Users\admin\AppData\Local\Temp\Dosia.exe" | C:\Users\admin\AppData\Local\Temp\Dosia.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 2 Modules
| |||||||||||||||
| 2732 | "C:\Users\admin\AppData\Local\Temp\Dosia.exe" | C:\Users\admin\AppData\Local\Temp\Dosia.exe | — | Dosia.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 2 Modules
| |||||||||||||||
Total events
151
Read events
151
Write events
0
Delete events
0
Modification events
Executable files
50
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-datetime-l1-1-0.dll | executable | |
MD5:— | SHA256:— | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\_lzma.pyd | executable | |
MD5:— | SHA256:— | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\_ssl.pyd | executable | |
MD5:— | SHA256:— | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-console-l1-1-0.dll | executable | |
MD5:— | SHA256:— | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\_hashlib.pyd | executable | |
MD5:— | SHA256:— | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\_socket.pyd | executable | |
MD5:— | SHA256:— | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\_bz2.pyd | executable | |
MD5:— | SHA256:— | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-debug-l1-1-0.dll | executable | |
MD5:— | SHA256:— | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-errorhandling-l1-1-0.dll | executable | |
MD5:— | SHA256:— | |||
| 2436 | Dosia.exe | C:\Users\admin\AppData\Local\Temp\_MEI24362\api-ms-win-core-file-l1-1-0.dll | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report