| File name: | 505040.exe |
| Full analysis: | https://app.any.run/tasks/9f3f1bd1-3d56-4787-afab-c06e46948d08 |
| Verdict: | Malicious activity |
| Analysis date: | March 25, 2024, 01:44:04 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 6913DAA5C23E0FCDFD15AF4B3B485AB8 |
| SHA1: | 202A7EA735E9A9DE7325C40F5ABF63A518DEAA61 |
| SHA256: | 7F9F83B315441037E41EE4B9CFBEBBC1B623BCC15CB099FBC033F050C989A29C |
| SSDEEP: | 1536:4PT4ftyCvUCn6fAnnJrSzIxpq7lpYTq1Rzjo7v6QivnCvv0qFL14pHWTgLxN2oGb:ZtyCZ1nnJYsGnEv0Oe8TMxIoM9 |
MALICIOUS
Changes the autorun value in the registry
- 505040.exe (PID: 1692)
Drops the executable file immediately after the start
- 505040.exe (PID: 4008)
- 505040.exe (PID: 1692)
- winmgr.exe (PID: 2232)
SUSPICIOUS
Application launched itself
- 505040.exe (PID: 4008)
- winmgr.exe (PID: 2232)
Starts itself from another location
- 505040.exe (PID: 1692)
Executable content was dropped or overwritten
- 505040.exe (PID: 1692)
- 505040.exe (PID: 4008)
- winmgr.exe (PID: 2232)
Creates file in the systems drive root
- winmgr.exe (PID: 4000)
Connects to unusual port
- winmgr.exe (PID: 4000)
INFO
Checks supported languages
- 505040.exe (PID: 4008)
- 505040.exe (PID: 1692)
- winmgr.exe (PID: 2232)
- winmgr.exe (PID: 4000)
Reads the computer name
- 505040.exe (PID: 4008)
- winmgr.exe (PID: 2232)
- winmgr.exe (PID: 4000)
Create files in a temporary directory
- 505040.exe (PID: 4008)
- winmgr.exe (PID: 2232)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | NSIS - Nullsoft Scriptable Install System (91.9) |
|---|---|---|
| .exe | | | Win32 Executable MS Visual C++ (generic) (3.3) |
| .exe | | | Win64 Executable (generic) (3) |
| .dll | | | Win32 Dynamic Link Library (generic) (0.7) |
| .exe | | | Win32 Executable (generic) (0.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2014:10:07 04:40:17+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 23552 |
| InitializedDataSize: | 117760 |
| UninitializedDataSize: | 1024 |
| EntryPoint: | 0x3217 |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.7.1.8 |
| ProductVersionNumber: | 1.7.1.8 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | - |
| FileDescription: | VirtualDub |
| FileVersion: | 1.7.1.8 |
| LegalCopyright: | Copyright © 1998-2013 by Avery Lee, All Rights Reserved. |
| ProductName: | VirtualDub |
| ProductVersion: | 1.7.1.8 |
Total processes
39
Monitored processes
4
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1692 | "C:\Users\admin\AppData\Local\Temp\505040.exe" | C:\Users\admin\AppData\Local\Temp\505040.exe | 505040.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: VirtualDub Exit code: 0 Version: 1.7.1.8 Modules
| |||||||||||||||
| 2232 | C:\Users\admin\M-5050452834348584929485695758050\winmgr.exe | C:\Users\admin\M-5050452834348584929485695758050\winmgr.exe | 505040.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: VirtualDub Exit code: 2 Version: 1.7.1.8 Modules
| |||||||||||||||
| 4000 | "C:\Users\admin\M-5050452834348584929485695758050\winmgr.exe" | C:\Users\admin\M-5050452834348584929485695758050\winmgr.exe | winmgr.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: VirtualDub Version: 1.7.1.8 Modules
| |||||||||||||||
| 4008 | "C:\Users\admin\AppData\Local\Temp\505040.exe" | C:\Users\admin\AppData\Local\Temp\505040.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: VirtualDub Exit code: 2 Version: 1.7.1.8 Modules
| |||||||||||||||
Total events
5 581
Read events
5 580
Write events
1
Delete events
0
Modification events
| (PID) Process: | (1692) 505040.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Microsoft Windows Manager |
Value: C:\Users\admin\M-5050452834348584929485695758050\winmgr.exe | |||
Executable files
3
Suspicious files
2
Text files
2
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4008 | 505040.exe | C:\Users\admin\AppData\Local\Temp\nbkajklzajajaweajgka.aac | binary | |
MD5:AF955D372D2486DA62BB86EDE55894E0 | SHA256:BE1B5B16F43725A2AF0AFB0EC7A456E4ABF36B1249C592F2D3FC84D3E4F23131 | |||
| 2232 | winmgr.exe | C:\Users\admin\AppData\Local\Temp\nsb753D.tmp\hoggeries.dll | executable | |
MD5:27CC35D2BCC5788F73CB450D218B0C51 | SHA256:7206EE405AB119E80F32F2CA10006E58F19B0D804E5163E6F618139E03AF5FC5 | |||
| 4008 | 505040.exe | C:\Users\admin\AppData\Local\Temp\nsm37D6.tmp\hoggeries.dll | executable | |
MD5:27CC35D2BCC5788F73CB450D218B0C51 | SHA256:7206EE405AB119E80F32F2CA10006E58F19B0D804E5163E6F618139E03AF5FC5 | |||
| 4008 | 505040.exe | C:\Users\admin\AppData\Local\Temp\05 - Exchange.mp3 | binary | |
MD5:36BB8C984C8030E3713191F2F97DF3D2 | SHA256:5C859CF036AA372982B76221A8460C1EACB8F79308978206E4BC8C6524E8E84A | |||
| 4008 | 505040.exe | C:\Users\admin\AppData\Local\Temp\g3OdSbf__bigger.jpeg | image | |
MD5:538BEAB4DA03162CE3159A9333E94B13 | SHA256:CDB023DBB15AD033CCF7223C00C7EDF298CD87B6B8BC83F914E8BF1361F27CD4 | |||
| 4008 | 505040.exe | C:\Users\admin\AppData\Local\Temp\wh_home_engage_hub.jpg | image | |
MD5:935039F3A7DFF570091D3263C3AC8E18 | SHA256:BBB16249CE406E276E027ADD60760552EBF8851423A2D9FE60831C9378C8C08E | |||
| 4008 | 505040.exe | C:\Users\admin\AppData\Local\Temp\nsi20C3.tmp | binary | |
MD5:4195755CD6249BDFFDB60C5C7925A9C5 | SHA256:97222968AE0EB1EE6A6D9A745051404664FD755FE951EF34C30AA9E103C15CEA | |||
| 2232 | winmgr.exe | C:\Users\admin\AppData\Local\Temp\nsy626F.tmp | binary | |
MD5:4195755CD6249BDFFDB60C5C7925A9C5 | SHA256:97222968AE0EB1EE6A6D9A745051404664FD755FE951EF34C30AA9E103C15CEA | |||
| 1692 | 505040.exe | C:\Users\admin\M-5050452834348584929485695758050\winmgr.exe | executable | |
MD5:6913DAA5C23E0FCDFD15AF4B3B485AB8 | SHA256:7F9F83B315441037E41EE4B9CFBEBBC1B623BCC15CB099FBC033F050C989A29C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
3
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4000 | winmgr.exe | 49.13.77.253:5050 | trkhaus.ru | Hetzner Online GmbH | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
trkhaus.ru |
| unknown |
dns.msftncsi.com |
| shared |
srv1000.ru |
| unknown |