| File name: | 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe |
| Full analysis: | https://app.any.run/tasks/0d84e54e-ed48-4a07-86f8-208b886e6081 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | January 19, 2025, 19:08:34 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | 2D96E4C716EB0CF915026ED8A7D01AF0 |
| SHA1: | 8D793F2EC2B319B9AB4D7D6F12275D15C4C73F88 |
| SHA256: | 9217F79FECA332AEEADABED6B7B0C10BB0CDF9B1D1DB5AA83A4E8AC704BF80C0 |
| SSDEEP: | 6144:KcGHcbt3OZx9qnGkMQQtbFMO1rWa3NnoyQ77sUGQtygfo:1ocb8qYFZ1P9noJ0Udy+o |
MALICIOUS
Deletes shadow copies
- EVPFEE~1:bin (PID: 2052)
Actions looks like stealing of personal data
- ehsched.exe (PID: 3108)
SUSPICIOUS
Executable content was dropped or overwritten
- 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe (PID: 1580)
- C6J6RX~1.EXE (PID: 2824)
- ehsched.exe (PID: 3108)
- EVPFEE~1:bin (PID: 2052)
Detected use of alternative data streams (AltDS)
- 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe (PID: 1580)
- C6J6RX~1.EXE (PID: 2824)
- EVPFEE~1:bin (PID: 2052)
- KYMSL0~1:bin (PID: 1920)
- ehsched.exe (PID: 3108)
- 8AJ8RS~1:bin (PID: 1204)
Starts itself from another location
- 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe (PID: 1580)
- C6J6RX~1.EXE (PID: 2824)
- ehsched.exe (PID: 3108)
Starts application with an unusual extension
- 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe (PID: 1580)
- C6J6RX~1.EXE (PID: 2824)
- ehsched.exe (PID: 3108)
Reads security settings of Internet Explorer
- KYMSL0~1:bin (PID: 1920)
Starts CMD.EXE for commands execution
- eventvwr.exe (PID: 920)
Executing commands from ".cmd" file
- eventvwr.exe (PID: 920)
The executable file from the user directory is run by the CMD process
- C6J6RX~1.EXE (PID: 2824)
Reads the Internet Settings
- eventvwr.exe (PID: 920)
- KYMSL0~1:bin (PID: 1920)
Creates or modifies Windows services
- EVPFEE~1:bin (PID: 2052)
Executes as Windows Service
- VSSVC.exe (PID: 1924)
- ehsched.exe (PID: 3108)
Takes ownership (TAKEOWN.EXE)
- EVPFEE~1:bin (PID: 2052)
Uses ICACLS.EXE to modify access control lists
- EVPFEE~1:bin (PID: 2052)
Process drops legitimate windows executable
- EVPFEE~1:bin (PID: 2052)
Process uses ARP to discover network configuration
- 8AJ8RS~1:bin (PID: 1204)
Uses NSLOOKUP.EXE to check DNS info
- 8AJ8RS~1:bin (PID: 1204)
Starts NET.EXE for network exploration
- 8AJ8RS~1:bin (PID: 1204)
Uses pipe srvsvc via SMB (transferring data)
- net.exe (PID: 532)
Creates file in the systems drive root
- ehsched.exe (PID: 3108)
INFO
Checks supported languages
- 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe (PID: 1580)
- KYMSL0~1:bin (PID: 1920)
- C6J6RX~1.EXE (PID: 2824)
- EVPFEE~1:bin (PID: 2052)
- ehsched.exe (PID: 3108)
- ehtray.exe (PID: 1600)
- 8AJ8RS~1:bin (PID: 1204)
Process checks whether UAC notifications are on
- 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe (PID: 1580)
- KYMSL0~1:bin (PID: 1920)
- EVPFEE~1:bin (PID: 2052)
- ehsched.exe (PID: 3108)
- 8AJ8RS~1:bin (PID: 1204)
- C6J6RX~1.EXE (PID: 2824)
Reads the machine GUID from the registry
- 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe (PID: 1580)
- C6J6RX~1.EXE (PID: 2824)
- EVPFEE~1:bin (PID: 2052)
- ehsched.exe (PID: 3108)
- KYMSL0~1:bin (PID: 1920)
- 8AJ8RS~1:bin (PID: 1204)
- ehtray.exe (PID: 1600)
Reads the computer name
- 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe (PID: 1580)
- EVPFEE~1:bin (PID: 2052)
- KYMSL0~1:bin (PID: 1920)
- ehsched.exe (PID: 3108)
- 8AJ8RS~1:bin (PID: 1204)
- ehtray.exe (PID: 1600)
- C6J6RX~1.EXE (PID: 2824)
Creates files or folders in the user directory
- 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe (PID: 1580)
- KYMSL0~1:bin (PID: 1920)
- C6J6RX~1.EXE (PID: 2824)
- ehsched.exe (PID: 3108)
Create files in a temporary directory
- KYMSL0~1:bin (PID: 1920)
Reads security settings of Internet Explorer
- eventvwr.exe (PID: 920)
The process uses the downloaded file
- KYMSL0~1:bin (PID: 1920)
- eventvwr.exe (PID: 920)
The sample compiled with english language support
- EVPFEE~1:bin (PID: 2052)
Python executable
- ehsched.exe (PID: 3108)
Manual execution by a user
- ehtray.exe (PID: 1600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2019:05:01 08:50:32+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 12.1 |
| CodeSize: | 102400 |
| InitializedDataSize: | 208896 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x5907 |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.7.2150.1013 |
| ProductVersionNumber: | 3.7.2150.1013 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | Python Software Foundation |
| FileDescription: | Python |
| FileVersion: | 3.7.2 |
| InternalName: | Python Console |
| LegalCopyright: | Copyright © 2001-2016 Python Software Foundation. Copyright © 2000 BeOpen.com. Copyright © 1995-2001 CNRI. Copyright © 1991-1995 SMC. |
| OriginalFileName: | python.exe |
| ProductName: | Python |
| ProductVersion: | 3.7.2 |
Total processes
66
Monitored processes
20
Malicious processes
8
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 532 | C:\Windows\system32\\net.exe view igmp.mcast.net | C:\Windows\System32\net.exe | — | 8AJ8RS~1:bin | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 920 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | KYMSL0~1:bin | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1204 | C:\Users\admin\AppData\Roaming\8AJ8RS~1:bin | C:\Users\admin\AppData\Roaming\8AJ8RS~1:bin | — | ehsched.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1580 | "C:\Users\admin\AppData\Local\Temp\9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe" | C:\Users\admin\AppData\Local\Temp\9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1600 | "C:\Windows\eHome\EhTray.exe" /nav:-2 | C:\Windows\ehome\ehtray.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Center Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1772 | C:\Windows\system32\\arp.exe -a | C:\Windows\System32\ARP.EXE | — | 8AJ8RS~1:bin | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Arp Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1804 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | KYMSL0~1:bin | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1920 | C:\Users\admin\AppData\Roaming\KYMSL0~1:bin C:\Users\admin\AppData\Local\Temp\9217F7~1.EXE | C:\Users\admin\AppData\Roaming\KYMSL0~1:bin | — | 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1924 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2000 | C:\Windows\system32\\nslookup.exe 224.0.0.22 | C:\Windows\System32\nslookup.exe | 8AJ8RS~1:bin | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
6 266
Read events
6 238
Write events
24
Delete events
4
Modification events
| (PID) Process: | (1920) KYMSL0~1:bin | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1920) KYMSL0~1:bin | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1920) KYMSL0~1:bin | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1920) KYMSL0~1:bin | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (920) eventvwr.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (920) eventvwr.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (920) eventvwr.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (920) eventvwr.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2052) EVPFEE~1:bin | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ehSched |
| Operation: | write | Name: | RequiredPrivileges |
Value: SeTcbPrivilege | |||
| (PID) Process: | (2052) EVPFEE~1:bin | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ehSched |
| Operation: | write | Name: | RequiredPrivileges |
Value: SeChangeNotifyPrivilege | |||
Executable files
5
Suspicious files
943
Text files
619
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1580 | 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe | C:\Users\admin\AppData\Roaming\KYMSL0~1 | — | |
MD5:— | SHA256:— | |||
| 2824 | C6J6RX~1.EXE | C:\Users\admin\AppData\Roaming\EVPFEE~1 | — | |
MD5:— | SHA256:— | |||
| 3108 | ehsched.exe | C:\Users\admin\AppData\Roaming\8AJ8RS~1 | — | |
MD5:— | SHA256:— | |||
| 1920 | KYMSL0~1:bin | C:\Users\admin\AppData\Local\Temp\eLphQuQ.cmd | text | |
MD5:C153DD32C3ED1406C69FE51BB7674CCB | SHA256:4297523139958BB1ABC8430979A635B61E9547166AE046A2FFFFF24A977ED00C | |||
| 2052 | EVPFEE~1:bin | C:\Windows\ehome\ehsched.exe | executable | |
MD5:2D96E4C716EB0CF915026ED8A7D01AF0 | SHA256:9217F79FECA332AEEADABED6B7B0C10BB0CDF9B1D1DB5AA83A4E8AC704BF80C0 | |||
| 3108 | ehsched.exe | C:\Users\admin\AppData\Roaming\8AJ8RS~1:bin | executable | |
MD5:2D96E4C716EB0CF915026ED8A7D01AF0 | SHA256:9217F79FECA332AEEADABED6B7B0C10BB0CDF9B1D1DB5AA83A4E8AC704BF80C0 | |||
| 1580 | 9217f79feca332aeeadabed6b7b0c10bb0cdf9b1d1db5aa83a4e8ac704bf80c0.exe | C:\Users\admin\AppData\Roaming\KYMSL0~1:bin | executable | |
MD5:2D96E4C716EB0CF915026ED8A7D01AF0 | SHA256:9217F79FECA332AEEADABED6B7B0C10BB0CDF9B1D1DB5AA83A4E8AC704BF80C0 | |||
| 2052 | EVPFEE~1:bin | C:\Windows\ehome\ehsched.exe:0 | executable | |
MD5:D389BFF34F80CAEDE417BF9D1507996A | SHA256:12859B9925D7A4631DE61A820922F43F56ED23C2AF014CBF36322685E5CF641E | |||
| 2824 | C6J6RX~1.EXE | C:\Users\admin\AppData\Roaming\EVPFEE~1:bin | executable | |
MD5:2D96E4C716EB0CF915026ED8A7D01AF0 | SHA256:9217F79FECA332AEEADABED6B7B0C10BB0CDF9B1D1DB5AA83A4E8AC704BF80C0 | |||
| 1204 | 8AJ8RS~1:bin | C:\Windows\Temp\GsbA28B.tmp | text | |
MD5:4A98D34E53BF3DBE2D2B3E7FBE98B092 | SHA256:116945EA15B82B9C115EF65FD4CB23683B49F1F8422CEBF83B778191A2D04CBA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
10
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
2.100.168.192.in-addr.arpa |
| whitelisted |
255.100.168.192.in-addr.arpa |
| unknown |
22.0.0.224.in-addr.arpa |
| unknown |
252.0.0.224.in-addr.arpa |
| unknown |
igmp.mcast.net |
| whitelisted |