analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://s3.us-east-2.amazonaws.com/aiite/EKENTAJOY.exe

Full analysis: https://app.any.run/tasks/dad061d6-f8f6-42f6-9948-9495f56bd5ec
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 21, 2019, 07:44:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
autoit
Indicators:
MD5:

7690B3AF87EC6EA6628BC75691AF4E35

SHA1:

5EE7008A6867E5EA0C3EFFA272DD74ED99588DAE

SHA256:

7F3095E872A310C4A6E2577BA79E51B1A6F87B8C02E4FE4005BAF794EE6B1077

SSDEEP:

3:N1KN9hPN2Q7WtEDA1A:CjhPLvDAK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • wdq.exe (PID: 1744)
      • wdq.exe (PID: 2348)
      • EKENTAJOY[1].exe (PID: 1048)

    • Changes the autorun value in the registry

      • wdq.exe (PID: 1744)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 2700)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 1844)
      • iexplore.exe (PID: 2700)
      • EKENTAJOY[1].exe (PID: 1048)

    • Drop AutoIt3 executable file

      • EKENTAJOY[1].exe (PID: 1048)

    • Application launched itself

      • wdq.exe (PID: 2348)
      • taskmgr.exe (PID: 1900)

    • Connects to unusual port

      • RegSvcs.exe (PID: 2044)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2700)
      • iexplore.exe (PID: 1844)

    • Changes internet zones settings

      • iexplore.exe (PID: 1844)

    • Creates files in the user directory

      • iexplore.exe (PID: 2700)

    • Dropped object may contain Bitcoin addresses

      • EKENTAJOY[1].exe (PID: 1048)
      • wdq.exe (PID: 2348)

    • Application launched itself

      • iexplore.exe (PID: 1844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start iexplore.exe iexplore.exe ekentajoy[1].exe wdq.exe no specs wdq.exe regsvcs.exe taskmgr.exe no specs taskmgr.exe

Process information

PID
CMD
Path
Indicators
Parent process
1844"C:\Program Files\Internet Explorer\iexplore.exe" http://s3.us-east-2.amazonaws.com/aiite/EKENTAJOY.exeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2700"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1844 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1048"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\EKENTAJOY[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\EKENTAJOY[1].exe
iexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2348"C:\Users\admin\AppData\Local\Temp\14371771\wdq.exe" lra=jdi C:\Users\admin\AppData\Local\Temp\14371771\wdq.exeEKENTAJOY[1].exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
1744C:\Users\admin\AppData\Local\Temp\14371771\wdq.exe C:\Users\admin\AppData\Local\Temp\14371771\ZNBJMC:\Users\admin\AppData\Local\Temp\14371771\wdq.exe
wdq.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
2044"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
wdq.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.6.1055.0 built by: NETFXREL2
1900"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2664"C:\Windows\system32\taskmgr.exe" /1C:\Windows\system32\taskmgr.exe
taskmgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 080
Read events
1 013
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
56
Unknown types
5

Dropped files

PID
Process
Filename
Type
1844iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
1844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1844iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF30A97200BA6AE645.TMP
MD5:
SHA256:
2700iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G1EU3I38\EKENTAJOY[1].exeexecutable
MD5:5E2F643A2486E693CF92496D16EBC0F3
SHA256:88A358CC1987D0D1680537B2FC4E83AA04DFECAABA6455F02431C1F53EA0998D
1844iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019032120190322\index.datdat
MD5:B4C08CBE0C394B071E49DA459D647F64
SHA256:0A54CF7091636AD89B11D0D3B63BFF530F9FB180776B3E256F3DD434E880EB10
2700iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:CE841525E9B1C4F9818D399AF32B22DF
SHA256:A382172E33B839DAEB479FE9ACFE7546EDF2F943BC0086A0A053ED466D6EFCCF
1844iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\EKENTAJOY[1].exeexecutable
MD5:5E2F643A2486E693CF92496D16EBC0F3
SHA256:88A358CC1987D0D1680537B2FC4E83AA04DFECAABA6455F02431C1F53EA0998D
2700iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019032120190322\index.datdat
MD5:058DF52D7DA3220ACC67816CC033EEE5
SHA256:D30A38020406E04877196835BAA327E691B26469AE7D51495C64B2AD19A55F2C
1844iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{4021A82A-4BAD-11E9-A302-5254004A04AF}.datbinary
MD5:3AE7D06EE29FE03C26CF69A9C6C88336
SHA256:91D5BCD247E778DA0562B5A28774AA8EBDCADF09BD5D1F8D85E0F864EFF444D7
1048EKENTAJOY[1].exeC:\Users\admin\AppData\Local\Temp\14371771\qdj.mp3text
MD5:BC99588CCD62D0000EFD064FD1A552AB
SHA256:CF9ADD6262DE10754DBF06EBFB1390CD0E377DC191271DCB1056ADB036294C73
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
5
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2700
iexplore.exe
GET
200
52.219.100.218:80
http://s3.us-east-2.amazonaws.com/aiite/EKENTAJOY.exe
US
executable
944 Kb
shared
1844
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1844
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2700
iexplore.exe
52.219.100.218:80
s3.us-east-2.amazonaws.com
US
shared
2044
RegSvcs.exe
197.210.53.61:1807
gjmaszny.duckdns.org
MTN NIGERIA Communication limited
NG
unknown

DNS requests

Domain
IP
Reputation
s3.us-east-2.amazonaws.com
  • 52.219.100.218
shared
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
gjmaszny.duckdns.org
  • 197.210.53.61
malicious

Threats

PID
Process
Class
Message
2700
iexplore.exe
Potentially Bad Traffic
ET POLICY Executable served from Amazon S3
2700
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://s3.us-east-2.amazonaws.com/aiite/EKENTAJOY.exe