File name: Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe

Full analysis: https://app.any.run/tasks/a5ba7bc1-bd9d-4862-b740-c1c2ee94f0a4
Verdict: Malicious activity
Analysis date: December 06, 2022, 01:40:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

DFDE7866B2DE880F117836AA8D5B8ADC

SHA1:

66006BB4A7D2A35841BFEA14ABF1536B20F7A974

SHA256:

862C17B77ECE5EB013BBE5CED057F1A635A80D4A21C43356AED77E19FADCC0E3

SSDEEP:

12288:OGlaKpWkdJ9pQ15Hzj4WlhjWPPvCLyZ+RvugSrmhktjxGty20qTszOFk:XlppWw9pC4pPPpkR0ymtjxUBYz0k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • rsphjnyos.exe (PID: 2328)
    • Drops the executable file immediately after the start

      • rsphjnyos.exe (PID: 2328)
    • Application was dropped or rewritten from another process

      • rsphjnyos.exe (PID: 2328)
      • rsphjnyos.exe (PID: 1040)
  • SUSPICIOUS

    • Application launched itself

      • rsphjnyos.exe (PID: 2328)
    • Drops the AutoIt3 executable file

      • rsphjnyos.exe (PID: 2328)
    • Executable content was dropped or overwritten

      • rsphjnyos.exe (PID: 2328)
  • INFO

    • Checks supported languages

      • rsphjnyos.exe (PID: 2328)
      • f257efa8-32ea-4e65-9941-663dc5424b4c.exe (PID: 2436)
    • Reads the computer name

      • f257efa8-32ea-4e65-9941-663dc5424b4c.exe (PID: 2436)
    • Reads mouse settings

      • rsphjnyos.exe (PID: 2328)
    • Manual execution by a user

      • chrome.exe (PID: 3776)
      • rundll32.exe (PID: 2876)
      • explorer.exe (PID: 3548)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3216)
    • Drops the executable file immediately after the start

      • chrome.exe (PID: 3216)
    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 1652)
    • Drops a file that was compiled in debug mode

      • chrome.exe (PID: 3216)
    • Application launched itself

      • chrome.exe (PID: 3776)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2015-Dec-27 05:38:52
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 216

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2015-Dec-27 05:38:52
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 23626 | 24064 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.41076
.rdata | 28672 | 4446 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.14255
.data | 36864 | 110712 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.22522
.ndata | 151552 | 32768 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | (no raw data)
.rsrc | 184320 | 202592 | 202752 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.93641

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.90959 | 67624 | UNKNOWN | English - United States | RT_ICON
2 | 7.96373 | 38581 | UNKNOWN | English - United States | RT_ICON
3 | 5.17077 | 38056 | UNKNOWN | English - United States | RT_ICON
4 | 5.22062 | 21640 | UNKNOWN | English - United States | RT_ICON
5 | 5.1977 | 16936 | UNKNOWN | English - United States | RT_ICON
6 | 5.26928 | 9640 | UNKNOWN | English - United States | RT_ICON
7 | 5.3399 | 4264 | UNKNOWN | English - United States | RT_ICON
8 | 5.49489 | 2440 | UNKNOWN | English - United States | RT_ICON
9 | 5.20658 | 1128 | UNKNOWN | English - United States | RT_ICON
103 | 3.03466 | 132 | UNKNOWN | English - United States | RT_GROUP_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
All screenshots are available in the full report
Total processes: 99
Monitored processes: 58
Malicious processes: 2
Suspicious processes: 1

Behavior graph

[Behavior graph rendered in the full report. Nodes: f257efa8-32ea-4e65-9941-663dc5424b4c.exe (no specs), rsphjnyos.exe (two instances), explorer.exe (no specs), rundll32.exe (no specs) and many chrome.exe instances (most marked "no specs"). Edge labels: "drop and start" and "start".]

Process information

PID: 2436
CMD: "C:\Users\admin\Desktop\f257efa8-32ea-4e65-9941-663dc5424b4c.exe"
Path: C:\Users\admin\Desktop\f257efa8-32ea-4e65-9941-663dc5424b4c.exe
Indicators: (none listed)
Parent process: Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\users\admin\desktop\f257efa8-32ea-4e65-9941-663dc5424b4c.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2328
CMD: "C:\Users\admin\AppData\Local\Temp\rsphjnyos.exe" "C:\Users\admin\AppData\Local\Temp\ruegnseq.au3"
Path: C:\Users\admin\AppData\Local\Temp\rsphjnyos.exe
Indicators: (none listed)
Parent process: f257efa8-32ea-4e65-9941-663dc5424b4c.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
Modules
Images
c:\users\admin\appdata\local\temp\rsphjnyos.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll