File name: MBR.exe

Full analysis: https://app.any.run/tasks/0822b257-5a2b-414c-a753-2a92820e0f1f
Verdict: Malicious activity
Analysis date: June 23, 2024, 01:47:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: python, mbr
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: DC99AA4D5F053CC08ADFEB9A1BE5522A
SHA1: 355CAB71F8D530493CFCC1908D841A59CD17AACC
SHA256: 7C3E492B6AD430B58FE7674E37A30B5E717EEDAD831FB0F2FC0477EEC2217CB1
SSDEEP: 98304:wPH6njxErFcN+CrrUyMzSvRRyOC2HpaxF3fycPfDmlH4ubCOMGRHgtEdmpVpFJlu:Tzh4QHV7i698AEEt9RW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
    • Process drops legitimate windows executable

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
    • Executable content was dropped or overwritten

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
    • Process drops python dynamic module

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
    • Application launched itself

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
    • Loads Python modules

      • MBR.exe (PID: 3568)
      • MBR.exe (PID: 660)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 3424)
      • MBR.exe (PID: 3368)
      • wmpnscfg.exe (PID: 3852)
      • MBR.exe (PID: 3328)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3424)
      • explorer.exe (PID: 3272)
      • wmpnscfg.exe (PID: 3852)
      • MBR.exe (PID: 3328)
    • Create files in a temporary directory

      • MBR.exe (PID: 3368)
      • MBR.exe (PID: 3328)
    • Checks supported languages

      • MBR.exe (PID: 3568)
      • MBR.exe (PID: 3368)
      • wmpnscfg.exe (PID: 3424)
      • wmpnscfg.exe (PID: 3852)
      • MBR.exe (PID: 3328)
      • MBR.exe (PID: 660)
    • Reads the machine GUID from the registry

      • MBR.exe (PID: 3568)
      • MBR.exe (PID: 660)
No Malware configuration.

TRiD

.exe | InstallShield setup (50.1)
.exe | Win64 Executable (generic) (32.2)
.dll | Win32 Dynamic Link Library (generic) (7.6)
.exe | Win32 Executable (generic) (5.2)
.exe | Generic Win/DOS Executable (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:23 01:45:38+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 153088
InitializedDataSize: 128512
UninitializedDataSize: -
EntryPoint: 0xafe0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 53
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes: start -> mbr.exe, wmpnscfg.exe (no specs), mbr.exe (no specs), explorer.exe (no specs), wmpnscfg.exe (no specs), mbr.exe, mbr.exe (no specs)

Process information

PID: 660
CMD: "C:\Users\admin\AppData\Local\Temp\MBR.exe"
Path: C:\Users\admin\AppData\Local\Temp\MBR.exe
Parent process: MBR.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\mbr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll

PID: 3272
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3328
CMD: "C:\Users\admin\AppData\Local\Temp\MBR.exe"
Path: C:\Users\admin\AppData\Local\Temp\MBR.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\mbr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll

PID: 3368
CMD: "C:\Users\admin\AppData\Local\Temp\MBR.exe"
Path: C:\Users\admin\AppData\Local\Temp\MBR.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\appdata\local\temp\mbr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll

PID: 3424
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 3568
CMD: "C:\Users\admin\AppData\Local\Temp\MBR.exe"
Path: C:\Users\admin\AppData\Local\Temp\MBR.exe
Parent process: MBR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\appdata\local\temp\mbr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll

PID: 3852
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 385
Read events: 385
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 108
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID 3368, MBR.exe: C:\Users\admin\AppData\Local\Temp\_MEI33682\Pythonwin\mfc140u.dll (executable)
MD5: E76B52D11DB435D36453D26C8B446A8F
SHA256: E422C9366A53536A35E307EF301F08661C28C29B7FCDA1B454333C6A41C6BB21

PID 3368, MBR.exe: C:\Users\admin\AppData\Local\Temp\_MEI33682\VCRUNTIME140.dll (executable)
MD5: AE96651CFBD18991D186A029CBECB30C
SHA256: 1B372F064EACB455A0351863706E6326CA31B08E779A70DE5DE986B5BE8069A1

PID 3368, MBR.exe: C:\Users\admin\AppData\Local\Temp\_MEI33682\_socket.pyd (executable)
MD5: F7D2FE8CDDEDED1210B06AF09B0FAD3C
SHA256: C56088832A09820ABFD45135AC3874117D0CFE669E982314FDC3FE73CA195DEE

PID 3368, MBR.exe: C:\Users\admin\AppData\Local\Temp\_MEI33682\_lzma.pyd (executable)
MD5: 52E990DA9F33D0EF2B83A0B52D42DCD6
SHA256: 17FD3A2750E61FB164F3A9E8E021A0A3B5DE107A3CC4C798E127618034E09D6F

PID 3368, MBR.exe: C:\Users\admin\AppData\Local\Temp\_MEI33682\Pythonwin\win32ui.pyd (executable)
MD5: 9A206178DC7E2A6CE185553245A3325D
SHA256: 00EA5C2866A682627651B7883F80854748D7B7EE4F6C6B6D7B4ADF4D01DC4652

PID 3368, MBR.exe: C:\Users\admin\AppData\Local\Temp\_MEI33682\api-ms-win-core-file-l1-2-0.dll (executable)
MD5: 5576FDD1F244BE3F29072F3D0EF710E1
SHA256: 26C712D65BD2D3621DBD75EC9CD9C25B5A43035137171C64C101C66F6943DAA0

PID 3368, MBR.exe: C:\Users\admin\AppData\Local\Temp\_MEI33682\api-ms-win-core-datetime-l1-1-0.dll (executable)
MD5: 0C2A83BF1C146D35B3F5732A88317100
SHA256: 4E9E805E521B85E1F022FFA5714131C37A338F0801F7E7478FAD4DB798ADD138

PID 3368, MBR.exe: C:\Users\admin\AppData\Local\Temp\_MEI33682\_hashlib.pyd (executable)
MD5: 9AA769EFAC1446DB1D2E4E1C39500A20
SHA256: DE7C71C90C7F58DCDC3DA159D08DDA7DC297E39C5F309849290238BAED7E230F

PID 3368, MBR.exe: C:\Users\admin\AppData\Local\Temp\_MEI33682\_bz2.pyd (executable)
MD5: 852CAC1AC7232C5788CBA284C3122347
SHA256: 94D02CBCFAC3141CA0107253050D7B9D809FEA04B42964142BED3F090783A26A

PID 3368, MBR.exe: C:\Users\admin\AppData\Local\Temp\_MEI33682\api-ms-win-core-interlocked-l1-1-0.dll (executable)
MD5: 256B7101F1F0F2384D93D0A67E7CA773
SHA256: F832DA3F72B4FBE67DE30ED93E4B41470DC17CF0DF3CD6F4004F4F6D0EE1DD1F
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info