URL: http://rammichael.com/downloads/7tt_setup.exe?
Full analysis: https://app.any.run/tasks/a3737568-0ca2-45bb-aa1f-115e40f24104
Verdict: Malicious activity
Analysis date: May 24, 2019, 08:36:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators (hashes of the submitted object, see note):
MD5: 57EA5F8D50BF9550EDDBCC73E1379375
SHA1: B356A9DEF399FBAF5E02C68F9F7C985DDBF88AE0
SHA256: 879B74028CF1BE387B53701D5733788C419DE4855B9B54A5513966E21E8177FE
SSDEEP: 3:N1KMIKXKS3644/n:CM3aS3644/n
Note: an SSDEEP block size of 3 with a 15-character first chunk means the hashed input was only a few dozen bytes (roughly 45), which fits the 46-character submitted URL and cannot be the downloaded installer. None of the three digests above appear in the Dropped files table; the installer's own hashes are the two 7tt_setup[1].exe entries there (MD5 5FBA708D57B6E71FF935EA7FA0CA3DDF, SHA256 DA549E48470145582FF4C5C38F4CC4AD2E62B2365942BCFA62643F00EA4951EB). Pivot on those, not on this block, when hunting for the binary.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 7tt_setup[1].exe (PID: 3860)
      • 7+ Taskbar Tweaker.exe (PID: 3908)
    • Runs injected code in another process

      • 7+ Taskbar Tweaker.exe (PID: 3908)
    • Changes the autorun value in the registry

      • 7tt_setup[1].exe (PID: 3860)
    • Loads dropped or rewritten executable

      • explorer.exe (PID: 252)
      • 7tt_setup[1].exe (PID: 3860)
    • Application was injected by another process

      • explorer.exe (PID: 252)
    • Connects to CnC server

      • 7+ Taskbar Tweaker.exe (PID: 3908)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 3228)
      • 7tt_setup[1].exe (PID: 3860)
    • Starts Internet Explorer

      • explorer.exe (PID: 252)
    • Creates a software uninstall entry

      • 7tt_setup[1].exe (PID: 3860)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 252)
    • Creates files in the user directory

      • 7+ Taskbar Tweaker.exe (PID: 3908)
      • 7tt_setup[1].exe (PID: 3860)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2944)
    • Application launched itself

      • iexplore.exe (PID: 2944)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 3228)
    • Creates files in the user directory

      • iexplore.exe (PID: 3228)
    • Manual execution by user

      • 7+ Taskbar Tweaker.exe (PID: 3908)
Read the signature hits against the process table and HTTP log below before acting on the verdict. The "injected code" pair is 7+ Taskbar Tweaker.exe (PID 3908) writing into explorer.exe (PID 252), the process that hosts the taskbar this tool is named for; the "Connects to CnC server" hit is a single POST from PID 3908 to the same rammichael.com host the installer was downloaded from, with the query string version&changelog=5.6.2 and a 6-byte text reply, which reads as a version check; and the autorun value is written by the installer, 7tt_setup[1].exe (PID 3860). Signature artifacts and their MITRE ATT&CK mapping are in the full report.
No Malware configuration.
No data.
Total processes: 37
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph (rendered only in the full report; what survives here are the labels): nodes iexplore.exe, iexplore.exe, 7tt_setup[1].exe, 7+ taskbar tweaker.exe, explorer.exe; edge labels "drop and start", "start", "inject".

Process information

PID 2944: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3228: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2944 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3860: 7tt_setup[1].exe
  CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\7tt_setup[1].exe"
  Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\7tt_setup[1].exe
  Parent process: iexplore.exe
  User: admin
  Company: RaMMicHaeL
  Integrity Level: MEDIUM
  Description: 7+ Taskbar Tweaker
  Exit code: 0
  Version: 5.6.2

PID 3908: 7+ Taskbar Tweaker.exe
  CMD: "C:\Users\admin\AppData\Roaming\7+ Taskbar Tweaker\7+ Taskbar Tweaker.exe"
  Path: C:\Users\admin\AppData\Roaming\7+ Taskbar Tweaker\7+ Taskbar Tweaker.exe
  Parent process: explorer.exe
  User: admin
  Company: RaMMicHaeL
  Integrity Level: MEDIUM
  Description: 7+ Taskbar Tweaker
  Version: 5.6.2

PID 252: explorer.exe
  CMD: C:\Windows\Explorer.EXE
  Path: C:\Windows\explorer.exe
  Parent process: ctfmon.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
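The process table above is the kind of data a detection engineer feeds to process-creation rules, and the interesting chain here is iexplore.exe starting an executable out of its own cache directory, which then writes an autorun value, while a second binary runs from a user-writable Roaming folder. The Python below is an added example, not code from ANY.RUN or from the 7+ Taskbar Tweaker project: it rebuilds the five monitored processes as Sysmon-style events and runs four rules over them. Parent PIDs are not printed in the report; 3228's is taken from its own SCODEF:2944 argument, 3860's parent (2944) is an assumption based on which process wrote the installer into Content.IE5, and 252's parent PID is unknown and set to 0.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, shaped like the report's Process information table."""
    pid: int
    image: str          # full path of the new process's executable
    cmdline: str
    parent_image: str   # executable of the parent process
    parent_pid: int     # 0 = not available in the report
    integrity: str      # LOW / MEDIUM / HIGH / SYSTEM


# The five monitored processes, copied from the report. Parent PIDs are not printed
# there: 3228's comes from its own SCODEF:2944 argument, 3860's parent 2944 is an
# assumption (2944 is the process that wrote the installer into Content.IE5), and
# 252's parent PID is unknown.
REPORT_PROCESSES = [
    ProcEvent(252, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE",
              "ctfmon.exe", 0, "MEDIUM"),
    ProcEvent(2944, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome',
              r"C:\Windows\explorer.exe", 252, "MEDIUM"),
    ProcEvent(3228, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2944 CREDAT:71937',
              r"C:\Program Files\Internet Explorer\iexplore.exe", 2944, "LOW"),
    ProcEvent(3860,
              r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\7tt_setup[1].exe",
              r'"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\7tt_setup[1].exe"',
              r"C:\Program Files\Internet Explorer\iexplore.exe", 2944, "MEDIUM"),
    ProcEvent(3908, r"C:\Users\admin\AppData\Roaming\7+ Taskbar Tweaker\7+ Taskbar Tweaker.exe",
              r'"C:\Users\admin\AppData\Roaming\7+ Taskbar Tweaker\7+ Taskbar Tweaker.exe"',
              r"C:\Windows\explorer.exe", 252, "MEDIUM"),
]

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Where IE stores downloaded objects before the user chooses to run them.
BROWSER_CACHE = re.compile(r"\\temporary internet files\\(low\\)?content\.ie5\\", re.I)
# Per-user, user-writable directories: no admin rights are needed to plant a binary there.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def exec_from_browser_cache(ev, by_pid):
    return bool(BROWSER_CACHE.search(ev.image))


def browser_spawned_foreign_exe(ev, by_pid):
    # IE's own tab processes (the report's "Application launched itself" hit) are not foreign.
    return image_name(ev.parent_image) in BROWSERS and image_name(ev.image) not in BROWSERS


def exec_from_user_writable_dir(ev, by_pid):
    return bool(USER_WRITABLE.search(ev.image))


def child_outranks_parent_integrity(ev, by_pid):
    # A LOW-integrity IE tab starting a MEDIUM process would mean the IE sandbox was escaped.
    parent = by_pid.get(ev.parent_pid)
    return parent is not None and INTEGRITY_RANK[parent.integrity] < INTEGRITY_RANK[ev.integrity]


RULES = [
    ("exec_from_browser_cache", exec_from_browser_cache),
    ("browser_spawned_foreign_exe", browser_spawned_foreign_exe),
    ("exec_from_user_writable_dir", exec_from_user_writable_dir),
    ("child_outranks_parent_integrity", child_outranks_parent_integrity),
]


def triage(events):
    """Map each PID that fired at least one rule to the rule names it fired, in RULES order."""
    by_pid = {ev.pid: ev for ev in events}
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES if rule(ev, by_pid)]
        if fired:
            hits[ev.pid] = fired
    return hits


if __name__ == "__main__":
    for pid, fired in triage(REPORT_PROCESSES).items():
        print(pid, image_name(next(e.image for e in REPORT_PROCESSES if e.pid == pid)), fired)
```

Run against the report's five processes, only 3860 (three rules: launched from the IE cache, by a browser, from a user-writable path) and 3908 (one rule: runs from AppData\Roaming) fire; the integrity rule stays silent because the LOW-integrity tab process 3228 never spawned anything of higher integrity, which is the expected picture for a user clicking Run on a download rather than for a browser exploit.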
Total events: 1 964
Read events: 1 830
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 9
Suspicious files: 1
Text files: 112
Unknown types: 18

Dropped files

PID 2944 (iexplore.exe), type not recorded
  C:\Users\admin\AppData\Local\Temp\~DF191DB5694792EA1C.TMP
  MD5:
  SHA256:
PID 3228 (iexplore.exe), type: dat
  C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
  MD5: FEC82CC87FC5E4B78014AFFCB54868EE
  SHA256: 3282DCD77590F79AF202A0C51B73C90ACC1FF7BC677320F209F73E1203B79844
PID 3228 (iexplore.exe), type: text
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@rammichael[1].txt
  MD5: 6F091881271BB69999D1C5188F83D827
  SHA256: 8E4EFDA09ABA77F90672346C08C44307CDC636B7A9BD8F8B3DA5E23564EB87B9
PID 3228 (iexplore.exe), type: dat
  C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019052420190525\index.dat
  MD5: 23190EDBB0DACA69096233353D1F7B18
  SHA256: 813F2C9AFF405EB9C7E0BAE98F08FC392DB37E7C72CAEF4E9E4226A5811F0590
PID 3228 (iexplore.exe), type: dat
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
  MD5: 660186E7AD90FC19816122470011DA11
  SHA256: F7E4F7423C42976DA5529D791E86B2F3D3C781F29F0614A79624488689CEBA38
PID 3228 (iexplore.exe), type: ini
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RLM2MF6O\desktop.ini
  MD5: 4A3DEB274BB5F0212C2419D3D8D08612
  SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
PID 2944 (iexplore.exe), type: executable
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\7tt_setup[1].exe
  MD5: 5FBA708D57B6E71FF935EA7FA0CA3DDF
  SHA256: DA549E48470145582FF4C5C38F4CC4AD2E62B2365942BCFA62643F00EA4951EB
PID 2944 (iexplore.exe), type: binary
  C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{137C24CE-7DFF-11E9-B3B3-5254004A04AF}.dat
  MD5: 69701F316E0688FB1C2F79D66D2EFE85
  SHA256: B11737DF15661A97E61BAB95DBF76353F34DF15AB1BABF13E1773039A4992AD3
PID 3228 (iexplore.exe), type: dat
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
  MD5: F947426B044F6BBDB49D636CB16A1558
  SHA256: 0FC8FF55B464B363DB1DF256015054241D2D4F42FAC8DEB0B143E6EF71AB47C1
PID 3228 (iexplore.exe), type: executable
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z8BUQGSY\7tt_setup[1].exe
  MD5: 5FBA708D57B6E71FF935EA7FA0CA3DDF
  SHA256: DA549E48470145582FF4C5C38F4CC4AD2E62B2365942BCFA62643F00EA4951EB
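To pivot from this report you need the digest of the binary, not of the submission, and the Indicators block at the top and the Dropped files table above disagree on what that is. The Python below is an added example (not ANY.RUN code, and not part of the report): it embeds the Indicators block, the SSDEEP value and the dropped-file rows, tests whether the indicator digests are simply the hashes of the submitted URL text (an assumption the code checks rather than asserts), estimates from the SSDEEP block size and chunk length how much data was hashed, confirms that no dropped file carries the indicator SHA256, and groups dropped executables by SHA256 so the two cached copies of 7tt_setup[1].exe collapse into one payload.

```python
import hashlib
from collections import defaultdict

# Values copied from the report. DROPPED rows are (pid, process, path, type, md5, sha256);
# the first row has no type or hashes in the report, so those fields stay empty.
SUBMITTED_URL = "http://rammichael.com/downloads/7tt_setup.exe?"
SSDEEP = "3:N1KMIKXKS3644/n:CM3aS3644/n"
INDICATORS = {
    "md5": "57EA5F8D50BF9550EDDBCC73E1379375",
    "sha1": "B356A9DEF399FBAF5E02C68F9F7C985DDBF88AE0",
    "sha256": "879B74028CF1BE387B53701D5733788C419DE4855B9B54A5513966E21E8177FE",
}
DROPPED = [
    (2944, "iexplore.exe", r"C:\Users\admin\AppData\Local\Temp\~DF191DB5694792EA1C.TMP", "", "", ""),
    (3228, "iexplore.exe", r"C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat",
     "dat", "FEC82CC87FC5E4B78014AFFCB54868EE",
     "3282DCD77590F79AF202A0C51B73C90ACC1FF7BC677320F209F73E1203B79844"),
    (3228, "iexplore.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@rammichael[1].txt",
     "text", "6F091881271BB69999D1C5188F83D827",
     "8E4EFDA09ABA77F90672346C08C44307CDC636B7A9BD8F8B3DA5E23564EB87B9"),
    (3228, "iexplore.exe", r"C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019052420190525\index.dat",
     "dat", "23190EDBB0DACA69096233353D1F7B18",
     "813F2C9AFF405EB9C7E0BAE98F08FC392DB37E7C72CAEF4E9E4226A5811F0590"),
    (3228, "iexplore.exe", r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat",
     "dat", "660186E7AD90FC19816122470011DA11",
     "F7E4F7423C42976DA5529D791E86B2F3D3C781F29F0614A79624488689CEBA38"),
    (3228, "iexplore.exe", r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RLM2MF6O\desktop.ini",
     "ini", "4A3DEB274BB5F0212C2419D3D8D08612",
     "2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38"),
    (2944, "iexplore.exe", r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\7tt_setup[1].exe",
     "executable", "5FBA708D57B6E71FF935EA7FA0CA3DDF",
     "DA549E48470145582FF4C5C38F4CC4AD2E62B2365942BCFA62643F00EA4951EB"),
    (2944, "iexplore.exe", r"C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{137C24CE-7DFF-11E9-B3B3-5254004A04AF}.dat",
     "binary", "69701F316E0688FB1C2F79D66D2EFE85",
     "B11737DF15661A97E61BAB95DBF76353F34DF15AB1BABF13E1773039A4992AD3"),
    (3228, "iexplore.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat",
     "dat", "F947426B044F6BBDB49D636CB16A1558",
     "0FC8FF55B464B363DB1DF256015054241D2D4F42FAC8DEB0B143E6EF71AB47C1"),
    (3228, "iexplore.exe", r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z8BUQGSY\7tt_setup[1].exe",
     "executable", "5FBA708D57B6E71FF935EA7FA0CA3DDF",
     "DA549E48470145582FF4C5C38F4CC4AD2E62B2365942BCFA62643F00EA4951EB"),
]


def hashes_of(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, upper-cased to match the report's formatting."""
    return {alg: getattr(hashlib, alg)(data).hexdigest().upper() for alg in ("md5", "sha1", "sha256")}


def indicator_hashes_are_url_hashes() -> bool:
    """True if the Indicators block is just the digest of the submitted URL text
    (checked with and without the trailing '?'); this is the assumption under test."""
    return any(hashes_of(t.encode()) == INDICATORS for t in (SUBMITTED_URL, SUBMITTED_URL.rstrip("?")))


def ssdeep_block_size(sig: str) -> int:
    return int(sig.split(":", 1)[0])


def ssdeep_estimated_input_len(sig: str) -> int:
    """Rough size of the hashed input: spamsum emits about one character per block_size
    bytes of input, so block_size * len(first chunk) approximates the input length."""
    block, first, _ = sig.split(":", 2)
    return int(block) * len(first)


def dropped_matching_indicator(dropped=DROPPED) -> list:
    """Paths of dropped files whose SHA256 equals the Indicators SHA256."""
    return [path for _, _, path, _, _, sha in dropped if sha and sha.upper() == INDICATORS["sha256"]]


def executables_by_sha256(dropped=DROPPED) -> dict:
    """Group dropped executables by SHA256; identical cache copies collapse to one payload."""
    groups = defaultdict(list)
    for pid, _, path, ftype, _, sha in dropped:
        if ftype == "executable":
            groups[sha].append((pid, path))
    return dict(groups)


if __name__ == "__main__":
    print("indicator hashes == hash(submitted URL):", indicator_hashes_are_url_hashes())
    print("ssdeep block size:", ssdeep_block_size(SSDEEP),
          "~ input bytes:", ssdeep_estimated_input_len(SSDEEP))
    print("dropped files matching indicator SHA256:", dropped_matching_indicator())
    for sha, copies in executables_by_sha256().items():
        print(sha, "->", [pid for pid, _ in copies])
```

The SSDEEP estimate comes out at 45 bytes against a 46-character URL, and no dropped file carries the indicator SHA256, so whatever the top block hashed, it was not the installer; the one executable payload, written once by PID 2944 and once by the LOW-integrity tab process 3228, is DA549E48470145582FF4C5C38F4CC4AD2E62B2365942BCFA62643F00EA4951EB.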
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

PID 3228 (iexplore.exe): GET http://rammichael.com/downloads/7tt_setup.exe? , HTTP 301
  IP: 104.31.92.187:80  CN: US  Type: html  Size: 323 b  Reputation: malicious
PID 3908 (7+ Taskbar Tweaker.exe): POST http://rammichael.com/downloads/7tt_setup.exe?version&changelog=5.6.2 , HTTP 200
  IP: 104.31.92.187:80  CN: US  Type: text  Size: 6 b  Reputation: malicious
Note: the plaintext GET was answered with a 301 and the same process then opened 104.31.92.187:443 (see Connections), so the installer body is not in this list and was fetched over TLS; the PCAP in the full report is the only place to confirm that. The POST is the only traffic from the installed tool, and its 6-byte reply is the "CnC" hit in the signature list.

Connections

PID 2944 (iexplore.exe): 204.79.197.200:80  www.bing.com  ASN: Microsoft Corporation  CN: US  Reputation: whitelisted
PID 3228 (iexplore.exe): 104.31.92.187:80  rammichael.com  ASN: Cloudflare Inc  CN: US  Reputation: shared
PID 3228 (iexplore.exe): 104.31.92.187:443  rammichael.com  ASN: Cloudflare Inc  CN: US  Reputation: shared
PID not recorded: 104.31.92.187:80  rammichael.com  ASN: Cloudflare Inc  CN: US  Reputation: shared
Note: 104.31.92.187 and 104.31.93.187 are Cloudflare-fronted addresses (reputation "shared"), so they identify the CDN, not this site; block or hunt on the domain and URL, not on the IP.

DNS requests

www.bing.com: 204.79.197.200, 13.107.21.200 (whitelisted)
rammichael.com: 104.31.92.187, 104.31.93.187 (malicious)

Threats

Threat details require a paid subscription; 1 ETPRO signature is available in the full report.
No debug info.