| File name: | 0503.exe |
| Full analysis: | https://app.any.run/tasks/70b901ac-87ef-4089-a43c-bbc8ad3ff14c |
| Verdict: | Malicious activity |
| Analysis date: | May 03, 2024, 01:51:18 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | FE54E986A6F7E89D07ECB70D4B023760 |
| SHA1: | 269A71838057F0C1AD5F961ECCD7FCB111A2709D |
| SHA256: | 871A4927FF68D1F1C7466CFB8D37A55705207E6A2AB9EFC7DD895EECAC73D3B0 |
| SSDEEP: | 98304:EtC08sKQJWuXO91YosnKHOWIquzKd4Ia0NSTnvCKGalMeYVjSCREDnyySZx0mimV:aTES5pjp8LdCg049 |
MALICIOUS
Drops the executable file immediately after the start
- 0503.exe (PID: 4080)
- markany_ImageSafer.exe (PID: 928)
- Inst_MaEPSBroker.exe (PID: 1764)
Creates a writable file in the system directory
- markany_ImageSafer.exe (PID: 928)
- 0503.exe (PID: 4080)
Actions looks like stealing of personal data
- cmd.exe (PID: 660)
- certutil.exe (PID: 1488)
Changes the autorun value in the registry
- Inst_MaEPSBroker.exe (PID: 1764)
Registers / Runs the DLL via REGSVR32.EXE
- 0503.exe (PID: 4080)
SUSPICIOUS
Executable content was dropped or overwritten
- 0503.exe (PID: 4080)
- markany_ImageSafer.exe (PID: 928)
- Inst_MaEPSBroker.exe (PID: 1764)
Malware-specific behavior (creating "System.dll" in Temp)
- markany_ImageSafer.exe (PID: 928)
- Inst_MaEPSBroker.exe (PID: 1764)
- 0503.exe (PID: 4080)
The process creates files with name similar to system file names
- markany_ImageSafer.exe (PID: 928)
- Inst_MaEPSBroker.exe (PID: 1764)
- 0503.exe (PID: 4080)
Drops a system driver (possible attempt to evade defenses)
- markany_ImageSafer.exe (PID: 928)
Executes as Windows Service
- IMGSF50Svc.exe (PID: 1876)
Process drops legitimate windows executable
- Inst_MaEPSBroker.exe (PID: 1764)
Executing commands from a ".bat" file
- Inst_MaEPSBroker.exe (PID: 1764)
Creates/Modifies COM task schedule object
- Inst_MaEPSBroker.exe (PID: 1764)
- regsvr32.exe (PID: 2556)
Starts CMD.EXE for commands execution
- Inst_MaEPSBroker.exe (PID: 1764)
Uses NETSH.EXE to delete a firewall rule or allowed programs
- Inst_MaEPSBroker.exe (PID: 1764)
Uses NETSH.EXE to add a firewall rule or allowed programs
- Inst_MaEPSBroker.exe (PID: 1764)
Uses TASKKILL.EXE to kill Browsers
- Inst_MaEPSBroker.exe (PID: 1764)
Creates a software uninstall entry
- Inst_MaEPSBroker.exe (PID: 1764)
- 0503.exe (PID: 4080)
Adds/modifies Windows certificates
- BrokerCRIMGR.exe (PID: 1664)
INFO
Reads the computer name
- 0503.exe (PID: 4080)
- markany_ImageSafer.exe (PID: 928)
- IMGSF50Svc.exe (PID: 820)
- IMGSF50Svc.exe (PID: 112)
- IMGSF50Svc.exe (PID: 1876)
- IMGSF50Start_x86.exe (PID: 2180)
- Inst_MaEPSBroker.exe (PID: 1764)
- certutil.exe (PID: 1488)
- MaEPSBroker.exe (PID: 1548)
Checks supported languages
- 0503.exe (PID: 4080)
- markany_ImageSafer.exe (PID: 928)
- IMGSF50Svc.exe (PID: 820)
- IMGSF50Svc.exe (PID: 112)
- IMGSF50Svc.exe (PID: 1876)
- IMGSF50Start_x86.exe (PID: 2180)
- Inst_MaEPSBroker.exe (PID: 1764)
- certutil.exe (PID: 1488)
- MaEPSBroker.exe (PID: 1548)
- BrokerCRIMGR.exe (PID: 1664)
Create files in a temporary directory
- 0503.exe (PID: 4080)
- markany_ImageSafer.exe (PID: 928)
- Inst_MaEPSBroker.exe (PID: 1764)
Creates files in the program directory
- Inst_MaEPSBroker.exe (PID: 1764)
Creates files or folders in the user directory
- certutil.exe (PID: 1488)
Reads the machine GUID from the registry
- MaEPSBroker.exe (PID: 1548)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:12:15 22:24:41+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 25600 |
| InitializedDataSize: | 162816 |
| UninitializedDataSize: | 1024 |
| EntryPoint: | 0x320c |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.5.0.5 |
| ProductVersionNumber: | 2.5.0.5 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | MarkAny Inc. e-PageSafer v2.5 NoaXOZ |
| CompanyName: | MarkAny Inc. |
| FileDescription: | MarkAny Inc. e-PageSafer v2.5 NoaXOZ |
| FileVersion: | 2.5.0.5 |
| LegalCopyright: | MarkAny Inc. |
| ProductName: | MarkAny Inc. e-PageSafer v2.5 NoaXOZ |
| ProductVersion: | 2.5.0.5 |
Total processes
59
Monitored processes
17
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 112 | C:\Windows\IMGSF50Svc.exe -start | C:\Windows\IMGSF50Svc.exe | — | markany_ImageSafer.exe | |||||||||||
User: admin Company: MarkAny Integrity Level: HIGH Description: Image SAFER 5.0 Session Managing Service for x86 Exit code: 0 Version: 5.0.21.1101 Modules
| |||||||||||||||
| 660 | C:\Windows\system32\cmd.exe /c ""C:\Program Files\MarkAny\EPSBroker\cert\MaImpCff.bat"" | C:\Windows\System32\cmd.exe | Inst_MaEPSBroker.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 768 | C:\Windows\system32\netsh advfirewall firewall delete rule name= "MaEPSBroker" program="C:\Program Files\MarkAny\EPSBroker\MaEPSBroker.exe" | C:\Windows\System32\netsh.exe | — | Inst_MaEPSBroker.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 820 | C:\Windows\IMGSF50Svc.exe -install | C:\Windows\IMGSF50Svc.exe | — | markany_ImageSafer.exe | |||||||||||
User: admin Company: MarkAny Integrity Level: HIGH Description: Image SAFER 5.0 Session Managing Service for x86 Exit code: 0 Version: 5.0.21.1101 Modules
| |||||||||||||||
| 928 | "C:\Users\admin\AppData\Local\Temp\markany_ImageSafer.exe" /q | C:\Users\admin\AppData\Local\Temp\markany_ImageSafer.exe | 0503.exe | ||||||||||||
User: admin Company: MarkAny Inc. Integrity Level: HIGH Description: MarkAny ImageSAFER 5.0 Installer Exit code: 0 Version: 5.0.21.1101 Modules
| |||||||||||||||
| 1488 | "C:\Program Files\MarkAny\EPSBroker\cert\certutil.exe" -A -n "C:\Program Files\MarkAny\EPSBroker\cert\maca.crt" -i "C:\Program Files\MarkAny\EPSBroker\cert\maca.crt" -t "TCu,TCu,TCu" -d "sql:." | C:\Program Files\MarkAny\EPSBroker\cert\certutil.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1548 | "C:\Program Files\MarkAny\EPSBroker\MaEPSBroker.exe" | C:\Program Files\MarkAny\EPSBroker\MaEPSBroker.exe | — | Inst_MaEPSBroker.exe | |||||||||||
User: admin Company: MarkAny Inc. Integrity Level: HIGH Description: MaEPSBroker Version: 2, 5, 0, 43 Modules
| |||||||||||||||
| 1664 | "C:\Program Files\MarkAny\EPSBroker\BrokerCRIMGR.exe" | C:\Program Files\MarkAny\EPSBroker\BrokerCRIMGR.exe | — | Inst_MaEPSBroker.exe | |||||||||||
User: admin Company: Markany Inc Integrity Level: HIGH Description: Broker CRI MGR Module Exit code: 0 Version: 1.0.0.4 Modules
| |||||||||||||||
| 1764 | "C:\Users\admin\AppData\Local\Temp\Inst_MaEPSBroker.exe" /q | C:\Users\admin\AppData\Local\Temp\Inst_MaEPSBroker.exe | 0503.exe | ||||||||||||
User: admin Company: MarkAny Inc. Integrity Level: HIGH Description: MarkAny Broker Moudle Exit code: 0 Version: 2.5.0.43 Modules
| |||||||||||||||
| 1876 | C:\Windows\IMGSF50Svc.exe | C:\Windows\IMGSF50Svc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: MarkAny Integrity Level: SYSTEM Description: Image SAFER 5.0 Session Managing Service for x86 Version: 5.0.21.1101 Modules
| |||||||||||||||
Total events
9 249
Read events
9 056
Write events
192
Delete events
1
Modification events
| (PID) Process: | (928) markany_ImageSafer.exe | Key: | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg |
| Operation: | write | Name: | Msg |
Value: 본 화면은 보안정책에 의해 보호되었습니다. | |||
| (PID) Process: | (928) markany_ImageSafer.exe | Key: | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg |
| Operation: | write | Name: | MsgPosition |
Value: 1 | |||
| (PID) Process: | (928) markany_ImageSafer.exe | Key: | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg |
| Operation: | write | Name: | MsgSize |
Value: 32 | |||
| (PID) Process: | (928) markany_ImageSafer.exe | Key: | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg |
| Operation: | write | Name: | OnFlag |
Value: 0 | |||
| (PID) Process: | (928) markany_ImageSafer.exe | Key: | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg |
| Operation: | write | Name: | Msg_KR |
Value: 정보 유출 방지를 위해 화면 캡처 기능을 사용할 수 없습니다. | |||
| (PID) Process: | (928) markany_ImageSafer.exe | Key: | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg |
| Operation: | write | Name: | Msg_US |
Value: Screencapture is prohibited to prevent information leak. | |||
| (PID) Process: | (928) markany_ImageSafer.exe | Key: | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg |
| Operation: | write | Name: | Msg_GB |
Value: Screencapture is prohibited to prevent information leaks. | |||
| (PID) Process: | (928) markany_ImageSafer.exe | Key: | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg |
| Operation: | write | Name: | Msg_CN |
Value: 禁止抓屏以防止信息泄露。 | |||
| (PID) Process: | (928) markany_ImageSafer.exe | Key: | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg |
| Operation: | write | Name: | Msg_HK |
Value: 禁止螢幕擷取是為預防資料外洩。 | |||
| (PID) Process: | (928) markany_ImageSafer.exe | Key: | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg |
| Operation: | write | Name: | Msg_PT |
Value: A captura de ecra e proibida para evitar fuga de informacao. | |||
Executable files
57
Suspicious files
7
Text files
11
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4080 | 0503.exe | C:\Users\admin\AppData\Local\Temp\nsf4394.tmp\MaImgsfCheck.dll | executable | |
MD5:CB6B37ED77A1010EA087EDBAAA9355F6 | SHA256:88FAD6FBB302770211FD4427864D9158B89825504BC77A396529C80E9FAB5156 | |||
| 4080 | 0503.exe | C:\Users\admin\AppData\Local\Temp\markany_ImageSafer.exe | executable | |
MD5:B67266AFBFE12EB465F014C09B562798 | SHA256:5D594159E5D235C5C84076E4D5FD0EBCB5C8D13FC613B840ADD27301A75C96DB | |||
| 928 | markany_ImageSafer.exe | C:\Users\admin\AppData\Local\Temp\nsv452A.tmp\nsProcess.dll | executable | |
MD5:05450FACE243B3A7472407B999B03A72 | SHA256:95FE9D92512FF2318CC2520311EF9145B2CEE01209AB0E1B6E45C7CE1D4D0E89 | |||
| 928 | markany_ImageSafer.exe | C:\Windows\system32\ImageSAFERRecovery.exe | executable | |
MD5:1F9B2F80B4EE174AE6D1B9F9CB78B7DE | SHA256:EE6C5FE451DCF57A2FEB3E49F8AD607F0132F2E7B06F351C4D3BF102CC0ED8E8 | |||
| 928 | markany_ImageSafer.exe | C:\Windows\ImageSAFERSvc.exe | executable | |
MD5:3B2955AAC1D9FA353E2FE678EF0E1BE4 | SHA256:4574FBDB2CD737EEA7299DC98653ED4ACB07D710100FFD573C1B6E570A1AABB4 | |||
| 928 | markany_ImageSafer.exe | C:\Users\admin\AppData\Local\Temp\nsv452A.tmp\System.dll | executable | |
MD5:564BB0373067E1785CBA7E4C24AAB4BF | SHA256:7A9DDEE34562CD3703F1502B5C70E99CD5BBA15DE2B6845A3555033D7F6CB2A5 | |||
| 928 | markany_ImageSafer.exe | C:\Windows\system32\ImageSAFERFilter.dll | executable | |
MD5:6386A662E6DA888E93B7E14ED117BAEC | SHA256:4C6655DB6E301C14715EFC42693F6CF26E5F1E8166DD3680CD5A517D76ED14F3 | |||
| 928 | markany_ImageSafer.exe | C:\Windows\system32\ImageSAFERMessage.exe | executable | |
MD5:1C16B1EF674CEDD715D3A65D9581FA8C | SHA256:88DD644CD20BFA195E75F691FA95453CA6367A1977844CC019125AD6BC8F20AB | |||
| 928 | markany_ImageSafer.exe | C:\Windows\system32\ImageSAFERDrv.sys | executable | |
MD5:EE382BD478EEC57D3F3CFE0968CA70A3 | SHA256:44A0318ADA722350325BAD7B1E05921C177804CB771C1F71ED76F99DF13AFC1C | |||
| 928 | markany_ImageSafer.exe | C:\Windows\system32\ImageSAFERStart_X86.exe | executable | |
MD5:5F76943EA54A6970E32F56659382DEFF | SHA256:3AAAE78043C07A763020EFE6B5D5B5EAA20822F2D6815202EA60D6602F1320DA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
DNS requests
Threats
Process | Message |
|---|---|
0503.exe | bRet1 == [0]
|
0503.exe | bRet3 == [0]
|
0503.exe | !bRet5 == [1]
|
0503.exe | bRet4 == [0]
|
0503.exe | bRet2 == [0]
|
0503.exe | pStr == []
|
0503.exe | pStr == []
|
0503.exe | pStr == []
|
Inst_MaEPSBroker.exe | C:\Windows\system32\netsh advfirewall firewall delete rule name= "MaEPSBroker" program="C:\Program Files\MarkAny\EPSBroker\MaEPSBroker.exe" |
Inst_MaEPSBroker.exe | C:\Windows\system32\netsh advfirewall firewall add rule name="MaEPSBroker" dir=in action=allow program="C:\Program Files\MarkAny\EPSBroker\MaEPSBroker.exe" protocol=TCP enable=yes |