File name: ntp-time-server-monitor-104.exe

Full analysis: https://app.any.run/tasks/8b21725b-1af9-4027-909d-b62f38a316cd
Verdict: Malicious activity
Analysis date: November 02, 2023, 14:09:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 73028DB2B223FE7A0218ABB3540B16CE
SHA1: 33BEDD6AB84A9489C88CF89DC78F838014D68175
SHA256: 8DB53E6A988AB72F6E97C2ABF844B471665E3B71986F33A0056F8B7DBB1868CD
SSDEEP: 49152:tC1B20Tt5RZz5gjFvtwDAXLvNuXT5HyGubnUY1zo5dwYcgA+wLyRUu9U8KHvkQf7:tCB20TtTZz5gdtwDAXLVujcXb91zo5BU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • ntp-time-server-monitor-104.exe (PID: 3512)
    • Drops the executable file immediately after the start

      • ntp-time-server-monitor-104.exe (PID: 3512)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Checks supported languages

      • ntp-time-server-monitor-104.exe (PID: 3512)
      • mbgtsmon.exe (PID: 3652)
    • Reads the computer name

      • ntp-time-server-monitor-104.exe (PID: 3512)
      • mbgtsmon.exe (PID: 3652)
    • Creates files in a temporary directory

      • ntp-time-server-monitor-104.exe (PID: 3512)
    • Creates files in the program directory

      • ntp-time-server-monitor-104.exe (PID: 3512)
    • Manual execution by a user

      • mbgtsmon.exe (PID: 3652)
No Malware configuration.

TRiD

.exe | Wise Installer executable (91.7)
.exe | Win64 Executable (generic) (5.3)
.dll | Win32 Dynamic Link Library (generic) (1.2)
.exe | Win32 Executable (generic) (0.8)
.exe | Generic Win/DOS Executable (0.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:08:13 19:13:38+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, Removable run from swap
PEType: PE32
LinkerVersion: 6
CodeSize: 8704
InitializedDataSize: 5632
UninitializedDataSize: -
EntryPoint: 0x21af
OSVersion: 4
ImageVersion: 4
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.4.0.0
ProductVersionNumber: 1.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Meinberg Radio Clocks
FileDescription: NTP Time Server Monitor
FileVersion: 1.04
LegalCopyright: ©Meinberg Radio Clocks 2005-2008
No data.
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start, ntp-time-server-monitor-104.exe, mbgtsmon.exe (no specs), ntp-time-server-monitor-104.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
3484 | "C:\Users\admin\AppData\Local\Temp\ntp-time-server-monitor-104.exe" | C:\Users\admin\AppData\Local\Temp\ntp-time-server-monitor-104.exe | | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\appdata\local\temp\ntp-time-server-monitor-104.exe
c:\windows\system32\ntdll.dll
3512 | "C:\Users\admin\AppData\Local\Temp\ntp-time-server-monitor-104.exe" | C:\Users\admin\AppData\Local\Temp\ntp-time-server-monitor-104.exe | | explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\ntp-time-server-monitor-104.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3652 | "C:\Program Files\meinberg\ntp_time_server_monitor\mbgtsmon.exe" | C:\Program Files\meinberg\ntp_time_server_monitor\mbgtsmon.exe | | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\program files\meinberg\ntp_time_server_monitor\mbgtsmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\wsock32.dll
Total events: 1 024
Read events: 1 024
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 18
Suspicious files: 2
Text files: 22
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3512 | ntp-time-server-monitor-104.exe | C:\Users\admin\AppData\Local\Temp\GLC72F2.tmp | executable
MD5:09E59D00DF5D2EFFD8DD9B30385CB9D2
SHA256:1C574EAB5E83CCFE5A0BB7B59E028CC5FA2F4E77868051E305D83C709711FF77
3512 | ntp-time-server-monitor-104.exe | C:\Users\admin\AppData\Local\Temp\GLF7EBE.tmp | executable
MD5:9DA8F742593D4BBCA708B90725282AE2
SHA256:E362A9815527869E0F71FDF766A1C3648E307145DEFDA7A5279914E522BCB57C
3512 | ntp-time-server-monitor-104.exe | C:\Users\admin\AppData\Local\Temp\~GLH0000.TMP | executable
MD5:9DA8F742593D4BBCA708B90725282AE2
SHA256:E362A9815527869E0F71FDF766A1C3648E307145DEFDA7A5279914E522BCB57C
3512 | ntp-time-server-monitor-104.exe | C:\Windows\system32\temp.000 | executable
MD5:AAC4E9AAC898F9ABBF36CEC4DBC37B90
SHA256:B4ADDE180EA1C9A180FE5B17A241A2890A88EC7B256DB6250B520E66FFFF0BC3
3512 | ntp-time-server-monitor-104.exe | C:\Windows\system32\~GLH0002.TMP | executable
MD5:AAC4E9AAC898F9ABBF36CEC4DBC37B90
SHA256:B4ADDE180EA1C9A180FE5B17A241A2890A88EC7B256DB6250B520E66FFFF0BC3
3512 | ntp-time-server-monitor-104.exe | C:\Program Files\meinberg\ntp_time_server_monitor\UNWISE.EXE | executable
MD5:2B85FE26CA828485BFF6A454B881A295
SHA256:7128574752F0A7DA1284D589C195AAFE25C29F825D7028CEBDB21A7ECC44DC00
3512 | ntp-time-server-monitor-104.exe | C:\Windows\System32\mbgutil.dll | executable
MD5:AAC4E9AAC898F9ABBF36CEC4DBC37B90
SHA256:B4ADDE180EA1C9A180FE5B17A241A2890A88EC7B256DB6250B520E66FFFF0BC3
3512 | ntp-time-server-monitor-104.exe | C:\Windows\System32\~GLH0003.TMP | executable
MD5:AAC4E9AAC898F9ABBF36CEC4DBC37B90
SHA256:B4ADDE180EA1C9A180FE5B17A241A2890A88EC7B256DB6250B520E66FFFF0BC3
3512 | ntp-time-server-monitor-104.exe | C:\Users\admin\AppData\Local\Temp\GLK7303.tmp | executable
MD5:517419CAE37F6C78C80F9B7D0FBB8661
SHA256:BFE7E013CFB85E78B994D3AD34ECA08286494A835CB85F1D7BCED3DF6FE93A11
3512 | ntp-time-server-monitor-104.exe | C:\Program Files\meinberg\ntp_time_server_monitor\~GLH0001.TMP | executable
MD5:2B85FE26CA828485BFF6A454B881A295
SHA256:7128574752F0A7DA1284D589C195AAFE25C29F825D7028CEBDB21A7ECC44DC00
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info