File name:

windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe

Full analysis: https://app.any.run/tasks/656653c2-b10f-46c8-98e7-624a0d30a112
Verdict: Malicious activity
Analysis date: January 31, 2024, 16:33:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1369D4B73CCE022F3EFAECE385A02062
SHA1: F617CAF6E7EE6F43ABE4B386CB1D26B3318693CF
SHA256: 7AC6EA82D8C91E7239FE64A2C7CDA81EB55A380E48919B7E76ED7A2D1C83199A
SSDEEP: 24576:+IuTafI6umlJRHqjoC/P39Kzvdg6F2ng65iD0+gQdhqlCB23nHGuTM+ZhBzToMBh:juTafI6umlJRHqjoCntKzvdg64g68D0Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe (PID: 2204)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe (PID: 2204)
    • Starts a Microsoft application from unusual location
      • windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe (PID: 2204)
      • windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe (PID: 572)
    • Drops a system driver (possible attempt to evade defenses)
      • windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe (PID: 2204)
    • Executable content was dropped or overwritten
      • windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe (PID: 2204)
  • INFO
    • Checks supported languages
      • windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe (PID: 2204)
      • update.exe (PID: 3472)
    • Reads the computer name
      • windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe (PID: 2204)
      • update.exe (PID: 3472)
    • Reads the machine GUID from the registry
      • windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe (PID: 2204)
      • update.exe (PID: 3472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | MS generic-sfx Cabinet File Unpacker (32/64bit MSCFU) (82.5)
.exe | Win32 Executable MS Visual C++ (generic) (7.3)
.exe | Win64 Executable (generic) (6.5)
.dll | Win32 Dynamic Link Library (generic) (1.5)
.exe | Win32 Executable (generic) (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:03:13 07:51:25+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 7.1
CodeSize: 35840
InitializedDataSize: 4096
UninitializedDataSize: -
EntryPoint: 0x6b23
OSVersion: 5.2
ImageVersion: 5.2
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 6.3.18.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Security Update
FileVersion: 1
InternalName: SFXCAB.EXE
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: SFXCAB.EXE
ProductName: Windows Server 2003 Family
ProductVersion: 6.3.0018.0
BuildDate: 2017/02/11
Appliesto: Windows Server 2003 Service Pack 2
InstallationType: Full
InstallerVersion: 6.3.4.1
InstallerEngine: update.exe
KBArticleNumber: 4012598
SupportLink: http://support.microsoft.com?kbid=4012598
PackageType: Security Update
ProcArchitecture: x86
Self-ExtractorVersion: SFXCAB v6.3.18.0
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph (details in the full report): start -> windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe; update.exe (no specs); windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe (no specs)

Process information

PID: 572
CMD: "C:\Users\admin\AppData\Local\Temp\windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe"
Path: C:\Users\admin\AppData\Local\Temp\windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Security Update
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1
Modules (Images):
c:\users\admin\appdata\local\temp\windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe
c:\windows\system32\ntdll.dll

PID: 2204
CMD: "C:\Users\admin\AppData\Local\Temp\windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe"
Path: C:\Users\admin\AppData\Local\Temp\windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Security Update
Exit code: 0
Version: 1
Modules (Images):
c:\users\admin\appdata\local\temp\windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3472
CMD: c:\9bf9a5382a0e817492bc5b27\update\update.exe
Path: C:\9bf9a5382a0e817492bc5b27\update\update.exe
Parent process: windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Service Pack Setup
Exit code: 0
Version: 6.3.0004.1 built by: dnsrv
Modules (Images):
c:\9bf9a5382a0e817492bc5b27\update\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
Total events: 92
Read events: 90
Write events: 2
Delete events: 0

Modification events

PID: 3472 (update.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
Operation: write
Name: LogLevel
Value: 536936192

PID: 3472 (update.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
Operation: write
Name: LogLevel
Value: 536870912
Executable files: 9
Suspicious files: 15
Text files: 2
Unknown types: 0

Dropped files

All entries below were dropped by PID 2204, windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe.

Filename: C:\9bf9a5382a0e817492bc5b27\_sfx_0003._p
Type: binary
MD5: 520BB7FF769444801F08615653D73186
SHA256: ACCB27781D295DACC993DEFFD490F1C77CEE99FEF81AA64F1D476DE976AD78FA

Filename: C:\9bf9a5382a0e817492bc5b27\_sfx_0008._p
Type: binary
MD5: 379ED291BF837A0739757FC831B7C5C2
SHA256: 52813230854A7F42F242E4A4439C914740D2A7A04668E84101A9681C22E4B738

Filename: C:\9bf9a5382a0e817492bc5b27\_sfx_0010._p
Type: binary
MD5: 7DC3F042218A7D0E91ED0ABE1FD939F0
SHA256: 30F76FC8AACF413584D6A4842FC3E97CC1B9AF40E1973C4D443D9E20ABFB11D4

Filename: C:\9bf9a5382a0e817492bc5b27\_sfx_0001._p
Type: binary
MD5: F39B5BE6ABA794D24160C43BA2A95231
SHA256: 57BA5F875A79E8A16D4CBB643B4D886B0597864F37AEDF4A0D5FD4DFC2F76223

Filename: C:\9bf9a5382a0e817492bc5b27\_sfx_0000._p
Type: binary
MD5: 56B3105A6952CCEBCD1A1DA82445A87E
SHA256: 0D6E75AC3A1ADCE5FDFC5967B2CF82A13E5BE8A019DD7CE003B418C48B24ADE2

Filename: C:\9bf9a5382a0e817492bc5b27\_sfx_0004._p
Type: binary
MD5: 0F4C24357D50118B473BFA03D6529500
SHA256: 840F9DC6DE801AA70D0865EF62D30E1E473071AEECE75E2D7F05AE5E05C7A903

Filename: C:\9bf9a5382a0e817492bc5b27\_sfx_0009._p
Type: binary
MD5: DCE275830A51A3C7A50859B59C9B3696
SHA256: 1F410F0A0CE68598EE69ACDFEFE714A23A1886984ED3F8100DCDE6016F5865BC

Filename: C:\9bf9a5382a0e817492bc5b27\update\eula.txt
Type: text
MD5: 6EC23E0E7A7747B50E3FC7C908E9EBBA
SHA256: 36E97F9F15F540B207D7A529EB7E7EC2864E7AC5CFF9BDEADEEE165EB98CCB3D

Filename: C:\9bf9a5382a0e817492bc5b27\_sfx_0007._p
Type: binary
MD5: 2EEE620231F72626CC1F34A20BD12489
SHA256: 604CE738D5816BECC77A70BDF349B31A0D0CB952BB4C1F8D9DBF691215A505ED

Filename: C:\9bf9a5382a0e817492bc5b27\_sfx_0006._p
Type: binary
MD5: 2343EC36CFBE3EC1666A03949E924CA7
SHA256: C6B140D4AA4BFA00BAE342D72459EC2CFE3144789E961F26798485831395DD18
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID | Process | IP | Reputation (the Domain, ASN and CN columns are empty for every row)

4 | System | 192.168.100.255:137 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | unknown

DNS requests

No data

Threats

No threats detected
No debug info