File name: SecurityCheck.exe
Full analysis: https://app.any.run/tasks/9bef739c-5f63-45c6-b40d-aaf9f0a4bbe3
Verdict: Malicious activity
Analysis date: February 29, 2024, 15:49:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: autoit
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: F01CF96273B137C356BF8DE65CF73EB6
SHA1: 741AF8681A61E08647B00AAFBE0130BDC988637C
SHA256: 83712E7EA4EDC8080A94552C8AB8C8799DEEF7123394FFADBE7A03A01092C3F7
SSDEEP: 24576:q/TJ0AAp7bSUYDj8OZ7Kg71I9pRKMUvvlskCau5pYiNlU1I1+Fj:q/TJEp7bSUYDj8OZ7Kg71InRrUvvlskx

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been influenced by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • SecurityCheck.exe (PID: 3672)
  • SUSPICIOUS

    • Reads the Internet Settings

      • SecurityCheck.exe (PID: 3672)
      • SecurityCheck.exe (PID: 3944)
    • Executable content was dropped or overwritten

      • SecurityCheck.exe (PID: 3672)
    • Reads security settings of Internet Explorer

      • SecurityCheck.exe (PID: 3672)
      • SecurityCheck.exe (PID: 3944)
    • Reads the date of Windows installation

      • SecurityCheck.exe (PID: 3944)
    • Searches for installed software

      • SecurityCheck.exe (PID: 3944)
  • INFO

    • The dropped object may contain a URL to Tor Browser

      • SecurityCheck.exe (PID: 3672)
      • SecurityCheck.exe (PID: 3944)
    • Checks supported languages

      • SecurityCheck.exe (PID: 3672)
      • SecurityCheck.exe (PID: 3944)
    • Reads the computer name

      • SecurityCheck.exe (PID: 3672)
      • SecurityCheck.exe (PID: 3944)
    • Create files in a temporary directory

      • SecurityCheck.exe (PID: 3672)
      • SecurityCheck.exe (PID: 3944)
    • Reads mouse settings

      • SecurityCheck.exe (PID: 3944)
    • Checks Windows language

      • SecurityCheck.exe (PID: 3944)
    • Reads the machine GUID from the registry

      • SecurityCheck.exe (PID: 3944)
    • Checks proxy server information

      • SecurityCheck.exe (PID: 3944)
    • Creates files or folders in the user directory

      • SecurityCheck.exe (PID: 3944)
    • Reads Environment values

      • SecurityCheck.exe (PID: 3944)
    • Process checks whether UAC notifications are on

      • SecurityCheck.exe (PID: 3944)
    • Reads Microsoft Office registry keys

      • SecurityCheck.exe (PID: 3944)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK matrix in the full report.
No malware configuration was extracted.
Note that the only MALICIOUS-class signature is the executable dropped immediately after start: the outer SecurityCheck.exe (file version 1.4, PrivateBuild 24.01.2024) unpacks the inner SecurityCheck.exe (1.4.0.57) into %TEMP%\SecurityCheck and runs it with /autodelscript. The SUSPICIOUS and INFO signatures are registry and environment reads, and the network alerts further down are ET POLICY and ET DNS rules (AutoIt User-Agent, .cc TLD) rather than exploit or C2 detections. As the disclaimer above says, the verdict is a heuristic and does not by itself establish that the file is malicious; weigh it against the tool's documented behaviour and the vendor metadata in the version resource.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:02 22:14:00+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 101888
InitializedDataSize: 35840
UninitializedDataSize: -
EntryPoint: 0x193af
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.4.0.0
ProductVersionNumber: 1.4.0.0
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: glax24 (safezone.cc)
FileDescription: SecurityCheck by glax24
FileVersion: Version of a file 1.4
InternalName: SecurityCheck
LegalCopyright: © glax24
OriginalFileName: SecurityCheck.exe
PrivateBuild: 24.01.2024
ProductName: SecurityCheck v1.4
ProductVersion: Version of product 1.4
Comments: SecurityCheck
LegalTrademarks: -
SpecialBuild: For all users ;)
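The EXIF block above is ExifTool's rendering of the COFF and optional headers of the PE file. As an added example (not part of the report or of the SecurityCheck tool), the Python below builds a header-only PE32 image carrying the values listed above (constructed bytes, not the sample itself), parses it with struct, and computes the gap between the compile timestamp and the PrivateBuild date from the version resource. Here that gap is almost eight years (2016-04-02 versus 24.01.2024); for an AutoIt-compiled executable this is expected, because Aut2Exe appends the compiled script to a prebuilt interpreter stub instead of linking, so the timestamp and linker version describe the stub rather than the script. build_pe32_header and build_date_gap_days are helpers written for this example; the dict keys mirror the ExifTool labels.

```python
import struct
from datetime import date, datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h) behind "ImageFileCharacteristics"
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
CHARACTERISTIC_NAMES = [
    (IMAGE_FILE_RELOCS_STRIPPED, "No relocs"),
    (IMAGE_FILE_EXECUTABLE_IMAGE, "Executable"),
    (IMAGE_FILE_32BIT_MACHINE, "32-bit"),
]
MACHINE_NAMES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEM_NAMES = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}

COFF_FMT = "<HHIIIHH"                      # IMAGE_FILE_HEADER, 20 bytes
OPT32_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHH"    # first 72 bytes of IMAGE_OPTIONAL_HEADER32
PE32_MAGIC = 0x10B


def build_pe32_header(timestamp, entry_point, linker=(8, 0), code_size=0, init_data=0,
                      uninit_data=0, subsystem=2, os_version=(4, 0), image_version=(0, 0),
                      subsys_version=(4, 0), characteristics=0):
    """Constructed MZ + PE32 header with no sections, enough to exercise the parser offline."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE signature right after the DOS header
    coff = struct.pack(COFF_FMT, 0x014C, 0, timestamp, 0, 0,
                       struct.calcsize(OPT32_FMT), characteristics)
    opt = struct.pack(OPT32_FMT, PE32_MAGIC, linker[0], linker[1], code_size, init_data,
                      uninit_data, entry_point, 0x1000, 0x1000, 0x400000, 0x1000, 0x200,
                      os_version[0], os_version[1], image_version[0], image_version[1],
                      subsys_version[0], subsys_version[1], 0, 0, 0, 0, subsystem, 0)
    return bytes(dos) + b"PE\0\0" + coff + opt


def parse_pe32_header(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, _nsec, ts, _symtab, _nsyms, _optsize, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    f = struct.unpack_from(OPT32_FMT, data, coff_off + struct.calcsize(COFF_FMT))
    if f[0] != PE32_MAGIC:
        raise ValueError("not a PE32 optional header (PE32+ needs a different layout)")
    return {
        "MachineType": MACHINE_NAMES.get(machine, f"0x{machine:x}"),
        "TimeStamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "ImageFileCharacteristics": ", ".join(n for bit, n in CHARACTERISTIC_NAMES if chars & bit),
        "PEType": "PE32",
        "LinkerVersion": f"{f[1]}.{f[2]}",
        "CodeSize": f[3],
        "InitializedDataSize": f[4],
        "UninitializedDataSize": f[5],
        "EntryPoint": f"0x{f[6]:x}",
        "OSVersion": f"{f[12]}.{f[13]}",
        "ImageVersion": f"{f[14]}.{f[15]}",
        "SubsystemVersion": f"{f[16]}.{f[17]}",
        "Subsystem": SUBSYSTEM_NAMES.get(f[22], str(f[22])),
    }


def build_date_gap_days(header, private_build):
    """Days from the compile timestamp to a 'DD.MM.YYYY' PrivateBuild string from the
    version resource. Years of gap need an explanation; for AutoIt output the explanation
    is the interpreter stub, for other files it may mean a forged timestamp."""
    d, m, y = (int(x) for x in private_build.split("."))
    compiled = datetime.fromisoformat(header["TimeStamp"]).date()
    return (date(y, m, d) - compiled).days


# Header constructed from the ExifTool values reported for this sample (not the sample's bytes)
SAMPLE_TS = int(datetime(2016, 4, 2, 22, 14, tzinfo=timezone.utc).timestamp())
SAMPLE_HEADER = build_pe32_header(
    timestamp=SAMPLE_TS, entry_point=0x193AF, linker=(8, 0), code_size=101888,
    init_data=35840, subsystem=2,
    characteristics=IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)

if __name__ == "__main__":
    hdr = parse_pe32_header(SAMPLE_HEADER)
    for key, value in hdr.items():
        print(f"{key}: {value}")
    print("days from compile timestamp to PrivateBuild 24.01.2024:",
          build_date_gap_days(hdr, "24.01.2024"))
```

To run it against a real file, replace SAMPLE_HEADER with `open(path, "rb").read(4096)`; the parser only reads the headers and refuses PE32+ images, whose optional header has a different layout.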
All screenshots are available in the full report
Total processes: 47
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive in the full report): start → SecurityCheck.exe (PID 3672) → SecurityCheck.exe (PID 3916, no signatures), SecurityCheck.exe (PID 3944)

Process information

PID: 3672
CMD: "C:\Users\admin\AppData\Local\Temp\SecurityCheck.exe"
Path: C:\Users\admin\AppData\Local\Temp\SecurityCheck.exe
Parent process: explorer.exe
User: admin
Company: glax24 (safezone.cc)
Integrity Level: MEDIUM
Description: SecurityCheck by glax24
Exit code: 0
Version: Version of a file 1.4
Modules (images):
c:\users\admin\appdata\local\temp\securitycheck.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3916
CMD: "C:\Users\admin\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe" /autodelscript
Path: C:\Users\admin\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Parent process: SecurityCheck.exe
User: admin
Integrity Level: MEDIUM
Description: SecurityCheck by glax24 & Severnyj
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image asks for administrator rights and was started from a medium-integrity process, so Windows terminated it before anything beyond ntdll.dll was mapped; the elevated re-launch is PID 3944 below, which runs at HIGH integrity)
Version: 1.4.0.57
Modules (images):
c:\users\admin\appdata\local\temp\securitycheck\securitycheck.exe
c:\windows\system32\ntdll.dll
PID: 3944
CMD: "C:\Users\admin\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe" /autodelscript
Path: C:\Users\admin\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Parent process: SecurityCheck.exe
User: admin
Integrity Level: HIGH
Description: SecurityCheck by glax24 & Severnyj
Exit code: 0
Version: 1.4.0.57
Modules (images):
c:\users\admin\appdata\local\temp\securitycheck\securitycheck.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events: 5 574
Read events: 5 540
Write events: 28
Delete events: 6

Modification events

(PID 3672) SecurityCheck.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
ProxyBypass = 1
IntranetName = 1
UNCAsIntranet = 1
AutoDetect = 0
These four ZoneMap values are the defaults WinINet writes the first time a process initialises the Internet zone map; they are seen for many programs that use WinINet and are not specific to this tool.

(PID 3944) SecurityCheck.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
ProxyEnable = 0
Operation: delete value
ProxyServer
ProxyOverride
AutoConfigURL
AutoDetect

(PID 3944) SecurityCheck.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
SavedLegacySettings = 460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Taken together, the PID 3944 events reset the user's WinINet proxy configuration: ProxyEnable is cleared, any static proxy, bypass list, PAC URL and AutoDetect value are deleted, and the connection-settings blob is rewritten with version 0x46, flags 0x09 (PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT) and three empty strings (the zero DWORDs following the flags). On a host where a proxy or PAC is enforced per user this replaces those settings, so it is worth checking against what the tool is documented to do.
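The SavedLegacySettings value is the binary form of the WinINet per-connection proxy configuration. As an added example (not part of the report or of the tool), the Python below parses the documented head of that structure: a version DWORD (0x46), a change counter, the INTERNET_PER_CONN_FLAGS bits from wininet.h, and three length-prefixed ANSI strings (proxy server, bypass list, PAC URL). The bytes after the strings carry auto-detect cache state whose layout Microsoft does not document, so the parser returns them as raw hex instead of guessing. REPORT_BLOB is the value from the event above re-typed as DWORDs; build_connection_settings is a helper written for this example to produce the general case (a static proxy plus bypass list), and its 32-byte zero tail is the padding a freshly written value normally carries.

```python
import struct

# Bits of the flags DWORD at offset 8; values are the INTERNET_PER_CONN_FLAGS constants of wininet.h
PROXY_TYPE_DIRECT = 0x01
PROXY_TYPE_PROXY = 0x02
PROXY_TYPE_AUTO_PROXY_URL = 0x04
PROXY_TYPE_AUTO_DETECT = 0x08
FLAG_NAMES = [
    (PROXY_TYPE_DIRECT, "PROXY_TYPE_DIRECT"),
    (PROXY_TYPE_PROXY, "PROXY_TYPE_PROXY"),
    (PROXY_TYPE_AUTO_PROXY_URL, "PROXY_TYPE_AUTO_PROXY_URL"),
    (PROXY_TYPE_AUTO_DETECT, "PROXY_TYPE_AUTO_DETECT"),
]
STRUCT_VERSION = 0x46

# SavedLegacySettings written by PID 3944 in the report above, split into DWORDs for readability
REPORT_BLOB = bytes.fromhex(
    "46000000 5C010000 09000000 00000000 00000000 00000000 00000000 04000000 "
    "00000000 C0E333BB EAB1D301 00000000 00000000 00000000 01000000 02000000 "
    "C0A8016B" + " 00000000" * 45
)


def _read_lpstr(buf, off):
    """DWORD byte count followed by that many ANSI bytes, no terminator."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string length runs past the end of the blob")
    return buf[off:off + n].decode("latin-1"), off + n


def parse_connection_settings(blob):
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    if version != STRUCT_VERSION:
        raise ValueError(f"unexpected structure version {version:#x}")
    off = 12
    proxy, off = _read_lpstr(blob, off)
    bypass, off = _read_lpstr(blob, off)
    pac_url, off = _read_lpstr(blob, off)
    return {
        "version": version,
        "change_counter": counter,       # incremented by Windows on each settings change
        "flags": flags,
        "flag_names": [name for bit, name in FLAG_NAMES if flags & bit],
        "proxy_server": proxy,
        "proxy_bypass": bypass,
        "auto_config_url": pac_url,
        "trailing_hex": blob[off:].hex(),  # auto-detect cache state, layout undocumented
    }


def describe(settings):
    """One-line reading of the flags, for a timeline or triage note."""
    flags = settings["flags"]
    parts = []
    if flags & PROXY_TYPE_DIRECT:
        parts.append("direct connections allowed")
    if flags & PROXY_TYPE_PROXY:
        text = f"static proxy {settings['proxy_server']}"
        if settings["proxy_bypass"]:
            text += f" (bypass: {settings['proxy_bypass']})"
        parts.append(text)
    if flags & PROXY_TYPE_AUTO_PROXY_URL:
        parts.append(f"PAC script {settings['auto_config_url']}")
    if flags & PROXY_TYPE_AUTO_DETECT:
        parts.append("WPAD auto-detect on")
    return "; ".join(parts) if parts else "no connection flags set"


def build_connection_settings(counter, proxy="", bypass="", pac_url="", auto_detect=False):
    """Helper for this example: emit a value the way the fields above are laid out."""
    flags = PROXY_TYPE_DIRECT
    if proxy:
        flags |= PROXY_TYPE_PROXY
    if pac_url:
        flags |= PROXY_TYPE_AUTO_PROXY_URL
    if auto_detect:
        flags |= PROXY_TYPE_AUTO_DETECT
    out = struct.pack("<III", STRUCT_VERSION, counter, flags)
    for s in (proxy, bypass, pac_url):
        raw = s.encode("latin-1")
        out += struct.pack("<I", len(raw)) + raw
    return out + bytes(32)   # zero tail as seen on freshly written values (assumption)


if __name__ == "__main__":
    parsed = parse_connection_settings(REPORT_BLOB)
    print(parsed["flag_names"], "->", describe(parsed))
    general = build_connection_settings(349, proxy="127.0.0.1:8080", bypass="<local>")
    print(describe(parse_connection_settings(general)))
```

The same parser applies to DefaultConnectionSettings under the same Connections key, which uses the identical layout; reading both and comparing their change counters shows which one a process touched.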
Executable files: 1
Suspicious files: 0
Text files: 4
Unknown types: 0

Dropped files

PID 3944, SecurityCheck.exe
C:\SecurityCheck\SecurityCheck.txt (text)
MD5: 98BDC2B1205C0793153B7E2801CB73E4
SHA256: 8BC847A4F166FF5282E4076BE8568BBA2C6447262236D5D0F2DD570FDCAE3374

PID 3672, SecurityCheck.exe
C:\Users\admin\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe (executable)
MD5: 4F60BB524A2C478FD72A9B5129BD0361
SHA256: A08AF68EBFE62509BF933E22F363B669CE1AF5E491D0F8396C510DD46388A486

PID 3944, SecurityCheck.exe
C:\Users\admin\AppData\Local\Temp\SecurityCheck\SCUpdateInet.xml (xml)
MD5: 6462A5F3FBA84BDFCAE1C67D367C93EB
SHA256: A972C6ACC2872665779413204056FF94590CD7966E37A4A0295A426359C0393A

PID 3672, SecurityCheck.exe
C:\Users\admin\AppData\Local\Temp\SecurityCheck\SCUpdate.xml (xml)
MD5: 9BF7824DEAB46B78F0825FD2931DAABA
SHA256: 9780A7AAF2457E28656586903CF3023DDDE65F6B4F468608D9BFE92C4387896B

PID 3944, SecurityCheck.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\SCUpdateInet[1].xml (xml)
MD5: 6462A5F3FBA84BDFCAE1C67D367C93EB
SHA256: A972C6ACC2872665779413204056FF94590CD7966E37A4A0295A426359C0393A

SCUpdateInet.xml in Temp\SecurityCheck and the SCUpdateInet[1].xml in Content.IE5 have identical hashes: the file is the body of the plain-HTTP GET listed below, fetched through WinINet (hence the browser cache entry) and then written to the tool's working directory. The manifest arrives over port 80 without TLS, so whether the tool verifies its integrity before acting on it is the question to answer from the tool's documentation or code; this report does not show that.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 5
DNS requests: 2
Threats: 4

HTTP requests

PID 3944, SecurityCheck.exe
GET http://tools.safezone.cc/glax24/SecurityCheck/SCUpdateInet.xml
HTTP code: 200
IP: 104.21.28.45:80
CN: unknown
Type: xml
Size: 350 Kb
Reputation: unknown

Connections

PID 4, System: 192.168.100.255:137 (reputation: whitelisted)
PID 4, System: 192.168.100.255:138 (reputation: whitelisted)
PID 1080, svchost.exe: 224.0.0.252:5355 (reputation: unknown)
PID 3944, SecurityCheck.exe: 104.21.28.45:80, domain tools.safezone.cc, ASN CLOUDFLARENET (reputation: unknown)

DNS requests

tools.safezone.cc: 104.21.28.45, 172.67.144.59 (reputation: unknown)

Threats

PID 1080, svchost.exe: Potentially Bad Traffic, ET DNS Query for .cc TLD
PID 1080, svchost.exe: Potentially Bad Traffic, ET DNS Query for .cc TLD
PID 3944, SecurityCheck.exe: Potential Corporate Privacy Violation, ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
1 ETPRO signature is available in the full report.
No debug info