File name: MBR.exe

Full analysis: https://app.any.run/tasks/0822b257-5a2b-414c-a753-2a92820e0f1f
Verdict: Malicious activity
Analysis date: June 23, 2024, 01:47:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: python, mbr
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: DC99AA4D5F053CC08ADFEB9A1BE5522A
SHA1: 355CAB71F8D530493CFCC1908D841A59CD17AACC
SHA256: 7C3E492B6AD430B58FE7674E37A30B5E717EEDAD831FB0F2FC0477EEC2217CB1
SSDEEP: 98304:wPH6njxErFcN+CrrUyMzSvRRyOC2HpaxF3fycPfDmlH4ubCOMGRHgtEdmpVpFJlu:Tzh4QHV7i698AEEt9RW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
    • Process drops python dynamic module

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
    • Loads Python modules

      • MBR.exe (PID: 3568)
      • MBR.exe (PID: 660)
    • Executable content was dropped or overwritten

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
    • Process drops legitimate windows executable

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
    • Application launched itself

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
  • INFO

    • Reads the computer name

      • MBR.exe (PID: 3368)
      • wmpnscfg.exe (PID: 3424)
      • wmpnscfg.exe (PID: 3852)
      • MBR.exe (PID: 3328)
    • Checks supported languages

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3568)
      • wmpnscfg.exe (PID: 3424)
      • wmpnscfg.exe (PID: 3852)
      • MBR.exe (PID: 3328)
      • MBR.exe (PID: 660)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3424)
      • explorer.exe (PID: 3272)
      • wmpnscfg.exe (PID: 3852)
      • MBR.exe (PID: 3328)
    • Create files in a temporary directory

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
    • Reads the machine GUID from the registry

      • MBR.exe (PID: 3568)
      • MBR.exe (PID: 660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (50.1)
.exe | Win64 Executable (generic) (32.2)
.dll | Win32 Dynamic Link Library (generic) (7.6)
.exe | Win32 Executable (generic) (5.2)
.exe | Generic Win/DOS Executable (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:23 01:45:38+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 153088
InitializedDataSize: 128512
UninitializedDataSize: -
EntryPoint: 0xafe0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 53
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph (rendered in the full report): start → mbr.exe, wmpnscfg.exe, mbr.exe, explorer.exe, wmpnscfg.exe, mbr.exe, mbr.exe

Process information

PID: 660
CMD: "C:\Users\admin\AppData\Local\Temp\MBR.exe"
Path: C:\Users\admin\AppData\Local\Temp\MBR.exe
Parent process: MBR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\mbr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
PID: 3272
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3328
CMD: "C:\Users\admin\AppData\Local\Temp\MBR.exe"
Path: C:\Users\admin\AppData\Local\Temp\MBR.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\mbr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
PID: 3368
CMD: "C:\Users\admin\AppData\Local\Temp\MBR.exe"
Path: C:\Users\admin\AppData\Local\Temp\MBR.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\mbr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
PID: 3424
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3568
CMD: "C:\Users\admin\AppData\Local\Temp\MBR.exe"
Path: C:\Users\admin\AppData\Local\Temp\MBR.exe
Parent process: MBR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\mbr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
PID: 3852
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 385
Read events: 385
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 108
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3368 | MBR.exe | C:\Users\admin\AppData\Local\Temp\_MEI33682\VCRUNTIME140.dll | executable
MD5:AE96651CFBD18991D186A029CBECB30C
SHA256:1B372F064EACB455A0351863706E6326CA31B08E779A70DE5DE986B5BE8069A1
3368 | MBR.exe | C:\Users\admin\AppData\Local\Temp\_MEI33682\api-ms-win-core-console-l1-1-0.dll | executable
MD5:D9BC0DDEDE244CEB8DBE6C70C4AB7FE7
SHA256:A25D06F847B2B1EC19A8A1CE38F63FC65D8EED8E1A2F6882C57A69D3C4C4B0A2
3368 | MBR.exe | C:\Users\admin\AppData\Local\Temp\_MEI33682\api-ms-win-core-file-l1-1-0.dll | executable
MD5:753756E3B77ACDC08832F90E62C12617
SHA256:8D6748E1023E437575F5ADD3EB53C8A7E525096205E6BD4C9A0FC47CFD3E34C2
3368 | MBR.exe | C:\Users\admin\AppData\Local\Temp\_MEI33682\api-ms-win-core-file-l2-1-0.dll | executable
MD5:718B88FC6F158A62309419CDC7C511ED
SHA256:8CD67DBC62070C1288E83D5789F41664951FB0C120070AB5334AC7719A5C8AC9
3368 | MBR.exe | C:\Users\admin\AppData\Local\Temp\_MEI33682\_hashlib.pyd | executable
MD5:9AA769EFAC1446DB1D2E4E1C39500A20
SHA256:DE7C71C90C7F58DCDC3DA159D08DDA7DC297E39C5F309849290238BAED7E230F
3368 | MBR.exe | C:\Users\admin\AppData\Local\Temp\_MEI33682\api-ms-win-core-errorhandling-l1-1-0.dll | executable
MD5:206F6A17FA7F1A3859FA71AF090B9E25
SHA256:9C8F26D0CAD0128BD2AD7614501F2F9C9BD8DD5A0E43BD64E717AFDF5511F794
3368 | MBR.exe | C:\Users\admin\AppData\Local\Temp\_MEI33682\_socket.pyd | executable
MD5:F7D2FE8CDDEDED1210B06AF09B0FAD3C
SHA256:C56088832A09820ABFD45135AC3874117D0CFE669E982314FDC3FE73CA195DEE
3368 | MBR.exe | C:\Users\admin\AppData\Local\Temp\_MEI33682\api-ms-win-core-interlocked-l1-1-0.dll | executable
MD5:256B7101F1F0F2384D93D0A67E7CA773
SHA256:F832DA3F72B4FBE67DE30ED93E4B41470DC17CF0DF3CD6F4004F4F6D0EE1DD1F
3368 | MBR.exe | C:\Users\admin\AppData\Local\Temp\_MEI33682\api-ms-win-core-memory-l1-1-0.dll | executable
MD5:E6DE28C4D1DAA3646BA533F495CAE1AB
SHA256:3D411347C29A6768630ADFE1833642134FD4E65355C92D1DA545F8976F532E28
3368 | MBR.exe | C:\Users\admin\AppData\Local\Temp\_MEI33682\api-ms-win-core-file-l1-2-0.dll | executable
MD5:5576FDD1F244BE3F29072F3D0EF710E1
SHA256:26C712D65BD2D3621DBD75EC9CD9C25B5A43035137171C64C101C66F6943DAA0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info