File name:

starter.exe

Full analysis: https://app.any.run/tasks/d0fa9dee-7298-40da-bd4b-1ac00e60395e
Verdict: Malicious activity
Analysis date: December 05, 2022, 20:06:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

D5416A1089DBADC6054227BB58EBD291

SHA1:

DAE118B43D0256F33E5D35C1D06B6D33F88F6010

SHA256:

841572DA329176A7F23DA214406A8C5D19C4107206DF3D83BFCD8DD6DC906ECF

SSDEEP:

393216:RJU5oNri0Bjaj1cCDu4LAG6vtlCM7NF0JQ+ZEZlB93:5Ou4Zu4LT6rBB6JQ4EJ9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Phfocdkc4ugs5.exe (PID: 952)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • starter.exe (PID: 1708)
      • Phfocdkc4ugs5.exe (PID: 952)

    • Reads the Internet Settings

      • starter.exe (PID: 1708)
      • Phfocdkc4ugs5.exe (PID: 952)

    • Reads the BIOS version

      • Phfocdkc4ugs5.exe (PID: 952)

    • Starts CHOICE.EXE to create a delay

      • cmd.exe (PID: 2116)

    • Starts CMD.EXE for commands execution

      • starter.exe (PID: 1708)

  • INFO

    • Reads Environment values

      • starter.exe (PID: 1708)
      • Phfocdkc4ugs5.exe (PID: 952)

    • Checks supported languages

      • starter.exe (PID: 1708)
      • Phfocdkc4ugs5.exe (PID: 952)

    • Reads the computer name

      • starter.exe (PID: 1708)
      • Phfocdkc4ugs5.exe (PID: 952)

    • Creates a file in a temporary directory

      • starter.exe (PID: 1708)

    • Process checks are UAC notifies on

      • Phfocdkc4ugs5.exe (PID: 952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2021-Sep-29 23:06:57
Comments:
CompanyName:
FileDescription: Updater
FileVersion: 1.9.0.0
InternalName: starter.exe
LegalCopyright: Copyright © 2019
LegalTrademarks:
OriginalFilename: starter.exe
ProductName: Updater
ProductVersion: 1.9.0.0
Assembly Version: 1.9.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 2021-Sep-29 23:06:57
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
8192
19535160
19535360
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.95973
.reloc
19546112
12
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.122276
.rsrc
19554304
263388
263680
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.70959

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.62546
259112
UNKNOWN
UNKNOWN
RT_ICON
32512
2.01924
20
UNKNOWN
UNKNOWN
RT_GROUP_ICON
1 (#2)
3.27244
780
UNKNOWN
UNKNOWN
RT_VERSION
1 (#3)
5.00692
3169
UNKNOWN
UNKNOWN
RT_MANIFEST

Imports

mscoree.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start starter.exe no specs starter.exe phfocdkc4ugs5.exe cmd.exe no specs choice.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1240"C:\Users\admin\AppData\Local\Temp\starter.exe" C:\Users\admin\AppData\Local\Temp\starter.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Updater
Exit code:
3221226540
Version:
1.9.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\starter.exe
1708"C:\Users\admin\AppData\Local\Temp\starter.exe" C:\Users\admin\AppData\Local\Temp\starter.exe
Explorer.EXE
User:
admin
Integrity Level:
HIGH
Description:
Updater
Exit code:
0
Version:
1.9.0.0
Modules
Images
c:\users\admin\appdata\local\temp\starter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
952"C:\Users\admin\AppData\Local\Temp\Phfocdkc4ugs5.exe" C:\Users\admin\AppData\Local\Temp\Phfocdkc4ugs5.exe
starter.exe
User:
admin
Integrity Level:
HIGH
Description:
Updater
Version:
3.8.0.9
Modules
Images
c:\users\admin\appdata\local\temp\phfocdkc4ugs5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2116"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\admin\AppData\Local\Temp\starter.exe"C:\Windows\System32\cmd.exestarter.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1116choice /C Y /N /D Y /T 5 C:\Windows\system32\choice.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Offers the user a choice
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\choice.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
Total events
6 942
Read events
6 882
Write events
60
Delete events
0

Modification events

(PID) Process:(1708) starter.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\starter_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1708) starter.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\starter_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(1708) starter.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\starter_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(1708) starter.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\starter_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(1708) starter.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\starter_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(1708) starter.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\starter_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(1708) starter.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\starter_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1708) starter.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\starter_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(1708) starter.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\starter_RASMANCS
Operation:writeName:FileTracingMask
Value:
(PID) Process:(1708) starter.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\starter_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1708starter.exeC:\Users\admin\AppData\Local\Temp\Phfocdkc4ugs5.exeexecutable
MD5:865F8043A4686705E2C198B513590D82
SHA256:881F65D32B60825D6CFB5D97DF1DB1055E725CDA2DCE38A20A8FADAA8B5758B6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
3
Threats
2

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
952
Phfocdkc4ugs5.exe
185.199.110.133:443
raw.githubusercontent.com
FASTLY
US
malicious
1708
starter.exe
185.199.110.133:443
raw.githubusercontent.com
FASTLY
US
malicious
1708
starter.exe
162.159.134.233:443
cdn.discordapp.com
CLOUDFLARENET
shared
1708
starter.exe
104.26.12.201:443
t.ly
CLOUDFLARENET
US
suspicious

DNS requests

Domain
IP
Reputation
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.111.133
shared
t.ly
  • 104.26.12.201
  • 172.67.75.122
  • 104.26.13.201
malicious
cdn.discordapp.com
  • 162.159.134.233
  • 162.159.133.233
  • 162.159.129.233
  • 162.159.130.233
  • 162.159.135.233
shared

Threats

PID
Process
Class
Message
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
1708
starter.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2023 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
starter.exe