File name: malicious.exe

Full analysis: https://app.any.run/tasks/eb0e8abc-14b7-4982-aa2d-cabecce6eace
Verdict: Malicious activity
Analysis date: January 21, 2025, 02:06:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: FCCABF4AD72E9DD65D4205FC26773BE5
SHA1: C21932368C43FAFFCCF8A24B3C910E05D3953D66
SHA256: 89ABFC5D2F6CA26B606674D936F03697670DF8F1B8D69C86D063C4D39C20C4EF
SSDEEP: 6144:sziL6Tj1u6C7SdQNrJda/aulZLyVuYL9Y6K71p1gzojZDViEtnwwm:svqSyJda/aulZAuYL901/gWxiEGwm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Accesses environment variables (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Changes the autorun value in the registry

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Gets startup folder path (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Create files in the Startup directory

      • malicious.exe (PID: 1836)
    • Gets path to any of the special folders (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Gets a file object corresponding to the file in a specified path (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Accesses name of a computer manufacturer via WMI (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Accesses physical disk drive(Win32_DiskDrive) via WMI (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Accesses Processor(Win32_Processor, may evade sandboxes) via WMI (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Accesses BIOS(Win32_BIOS, may evade sandboxes) via WMI (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Reads the value of a key from the registry (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Copies file to a new location (SCRIPT)

      • xelag.exe (PID: 1804)
      • malicious.exe (PID: 1836)
    • Gets TEMP folder path (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Creates a new registry key or changes the value of an existing one (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Modifies registry startup key (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Creates a new folder (SCRIPT)

      • xelag.exe (PID: 1804)
      • malicious.exe (PID: 1836)
  • SUSPICIOUS

    • Gets full path of the running script (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Executable content was dropped or overwritten

      • malicious.exe (PID: 1836)
    • Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Accesses WMI object caption (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Executes WMI query (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Access Product Name via WMI (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Accesses operating system name via WMI (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Accesses name of a user that is currently logged on via WMI (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Accesses computer name via WMI (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Accesses current user name via WMI (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Reads the Internet Settings

      • malicious.exe (PID: 1836)
    • Checks whether a specific file exists (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Runs shell command (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Reads security settings of Internet Explorer

      • malicious.exe (PID: 1836)
    • Starts itself from another location

      • malicious.exe (PID: 1836)
    • Checks whether the drive is ready (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Gets a collection of all available drive names (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Gets the drive type (SCRIPT)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • There is functionality for taking screenshot (YARA)

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
  • INFO

    • Reads Environment values

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Reads the computer name

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • Checks supported languages

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • The sample compiled with english language support

      • malicious.exe (PID: 1836)
    • Creates files or folders in the user directory

      • malicious.exe (PID: 1836)
    • Reads the machine GUID from the registry

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
    • The process uses the downloaded file

      • malicious.exe (PID: 1836)
    • Create files in a temporary directory

      • malicious.exe (PID: 1836)
      • xelag.exe (PID: 1804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:07:22 10:43:26+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 174592
InitializedDataSize: 165376
UninitializedDataSize: -
EntryPoint: 0x19158
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0017
FileFlags: Debug
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 1, 0, 0, 0
ProductVersion: 1, 0, 0, 0
LegalCopyright: Copyright (C) 2014
FileDescription: Windows Defender Service
ProductName: Defend Center
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> malicious.exe -> xelag.exe

Process information

PID: 1804
CMD: "C:\Users\admin\AppData\Local\Temp\xelag.exe"
Path: C:\Users\admin\AppData\Local\Temp\xelag.exe
Parent process: malicious.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\xelag.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 1836
CMD: "C:\Users\admin\AppData\Local\Temp\malicious.exe"
Path: C:\Users\admin\AppData\Local\Temp\malicious.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\malicious.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 19 535
Read events: 19 523
Write events: 12
Delete events: 0

Modification events

(PID) Process: (1836) malicious.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Msiexec
Value: C:\Users\admin\AppData\Local\Temp\{09a405f0-0a5f-4cfe-a424-a56e9a3186f}\WinDefender.exe

(PID) Process: (1836) malicious.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MSKERNEL
Value: C:\Users\admin\AppData\Local\Temp\xelag.exe

(PID) Process: (1836) malicious.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1836) malicious.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1836) malicious.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1836) malicious.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1804) xelag.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Msiexec
Value: C:\Users\admin\AppData\Local\Temp\{09a405f0-0a5f-4cfe-a424-a56e9a3186f}\WinDefender.exe

(PID) Process: (1804) xelag.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MSKERNEL
Value: C:\Users\admin\AppData\Local\Temp\xelag.exe
Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 1836
Process: malicious.exe
Filename: C:\Users\admin\AppData\Local\Temp\xelag.exe
Type: executable
MD5: FCCABF4AD72E9DD65D4205FC26773BE5
SHA256: 89ABFC5D2F6CA26B606674D936F03697670DF8F1B8D69C86D063C4D39C20C4EF

PID: 1836
Process: malicious.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Download_Manager.exe
Type: executable
MD5: FCCABF4AD72E9DD65D4205FC26773BE5
SHA256: 89ABFC5D2F6CA26B606674D936F03697670DF8F1B8D69C86D063C4D39C20C4EF

PID: 1836
Process: malicious.exe
Filename: C:\Users\admin\AppData\Local\Temp\{09a405f0-0a5f-4cfe-a424-a56e9a3186f}\WinDefender.exe
Type: executable
MD5: FCCABF4AD72E9DD65D4205FC26773BE5
SHA256: 89ABFC5D2F6CA26B606674D936F03697670DF8F1B8D69C86D063C4D39C20C4EF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Domain: -
ASN: -
CN: -
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Domain: -
ASN: -
CN: -
Reputation: whitelisted

PID: 1108
Process: svchost.exe
IP: 224.0.0.252:5355
Domain: -
ASN: -
CN: -
Reputation: whitelisted

DNS requests

No data

Threats

No threats detected