File name:

Spirit.exe

Full analysis: https://app.any.run/tasks/cbef2158-a633-4cae-9caf-4f97d84d6080
Verdict: Malicious activity
Analysis date: February 10, 2024, 16:00:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

F2A055B5634373F384692C2DAAEDF299

SHA1:

41D6F65378F2360C48BCC6684BADDF9C62585086

SHA256:

926D3B91619E6A5D327F09B6D95D46486777910C9CA4965C6E0917C30B9561D8

SSDEEP:

49152:IwR9JS5tZe/HpROWvI5JU5AunBGk33M1/Tkksx/BliWPQZCZbCIB1Pe2RTIvlP37:IiJS5N5JxuBnHMSkKBl7PQobCS1Pe2lk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Spirit.exe (PID: 3216)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Spirit.exe (PID: 3216)
    • Executing commands from a ".bat" file

      • Spirit.exe (PID: 3216)
    • Starts CMD.EXE for commands execution

      • Spirit.exe (PID: 3216)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2840)
    • Reads the Internet Settings

      • cmd.exe (PID: 2840)
  • INFO

    • Checks supported languages

      • Spirit.exe (PID: 3216)
    • Reads the computer name

      • Spirit.exe (PID: 3216)
    • Creates files in the program directory

      • Spirit.exe (PID: 3216)
    • Creates files in a temporary directory

      • Spirit.exe (PID: 3216)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:07:30 08:52:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 70656
InitializedDataSize: 1567744
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Private build
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: Spirit Browser
OriginalFileName: spiritbrow.exe
FileDescription: Spirit Browser
LegalCopyright: Copyright © 2021
No data.
All screenshots are available in the full report
Total processes
51
Monitored processes
13
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes shown in the graph, in order: start, spirit.exe, cmd.exe (no specs), timeout.exe (no specs) ×9, logonui.exe (no specs), timeout.exe (no specs), spirit.exe (no specs)

Process information

PID | CMD | Path | Parent process (the Indicators column is empty for every listed process)

2420 | timeout /t 3 /nobreak | C:\Windows\System32\timeout.exe | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
2636 | timeout /t 2 /nobreak | C:\Windows\System32\timeout.exe | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
2840 | "C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\5C7.tmp\5C8.tmp\5C9.bat C:\Users\admin\AppData\Local\Temp\Spirit.exe" | C:\Windows\System32\cmd.exe | Spirit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2856 | timeout /t 1 /nobreak | C:\Windows\System32\timeout.exe | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
2892 | LogonUI.exe | C:\Windows\System32\LogonUI.exe | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Logon User Interface Host
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\logonui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3216 | "C:\Users\admin\AppData\Local\Temp\Spirit.exe" | C:\Users\admin\AppData\Local\Temp\Spirit.exe | explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\spirit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
3500 | timeout /t 1 /nobreak | C:\Windows\System32\timeout.exe | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
3672 | "C:\Users\admin\AppData\Local\Temp\Spirit.exe" | C:\Users\admin\AppData\Local\Temp\Spirit.exe | explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, NTSTATUS STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch of the same image failed; the HIGH-integrity instance PID 3216 is the one that ran and dropped files under C:\Program Files)
Modules
Images
c:\users\admin\appdata\local\temp\spirit.exe
c:\windows\system32\ntdll.dll
3944 | timeout /t 3 /nobreak | C:\Windows\System32\timeout.exe | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
3948 | timeout /t 5 /nobreak | C:\Windows\System32\timeout.exe | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
Total events
1 347
Read events
1 347
Write events
0
Delete events
0

Modification events

No data
Executable files
11
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID | Process | Filename | Type

3216 | Spirit.exe | C:\Program Files\RandomLines.exe | executable
MD5: 50CAEEE44DC92A147CF95FD82EB6E299
SHA256: 81B9A2E3E9EE39F05B585AD871696A946837FCF784D3D4ECD4B9CAEA16560A1E

3216 | Spirit.exe | C:\Program Files\mbr.exe | executable
MD5: 03DC6A471476A26055FC25B81DF800EF
SHA256: BA125E407DC4BAC03A8E7AE352CE4D17F6DCED729F69689058D020CE00F95643

3216 | Spirit.exe | C:\Program Files\InvertColor.exe | executable
MD5: EBB811D0396C06A70FE74D9B23679446
SHA256: 28E979002CB4DB546BF9D9D58F5A55FD8319BE638A0974C634CAE6E7E9DBCD89

3216 | Spirit.exe | C:\Program Files\error.exe | executable
MD5: BCDC1A6F1805A6130DFD1913B1659BC2
SHA256: 78E706C684DA0134ACE5FDD5CC5E7263C5F17B905D783F928EB68D558116AAC6

3216 | Spirit.exe | C:\Program Files\start.exe | executable
MD5: 67088968F1B274502A887933E634CEB4
SHA256: 81C9AD8512B2C5248A6A107B7F6FA529C959FA23329E599C9AFA2AFEB84D2163

3216 | Spirit.exe | C:\Program Files\bomb.exe | executable
MD5: 05AD3F85B73E5FF86504F8DCC55B5D42
SHA256: 124CF5CA90E7AAEDE685FE0CDA72B6A63B80583D2D5EC04D5BAEB4A1851C48AF

3216 | Spirit.exe | C:\Program Files\logon.exe | executable
MD5: 2D88DDA976244BC9A14591ABF1432F46
SHA256: B738E6861277724C5F2F1037FD529B77ED75749B00DF76860E949E1EF7316EAC

3216 | Spirit.exe | C:\Program Files\tunnel.exe | executable
MD5: 0909DCA5D016F70B982B3A39B92AA0FF
SHA256: 4F74CF50ABB877593CA5FE53281B206ADCF6BDA2FFC9A600ECA0EB1206C5DD6B

3216 | Spirit.exe | C:\Users\admin\AppData\Local\Temp\5C7.tmp\5C8.tmp\5C9.bat | text
MD5: DF6F6C2EAE66CFF8C13A3FAA2BF1699D
SHA256: 2A3E63F855DFB9A48D89337959D521650B04B038463D8DD96D7E344B4ED47C34

3216 | Spirit.exe | C:\Program Files\ScreenMelter.exe | executable
MD5: 615D04A80C94F9E36EFB9C567A8AFC34
SHA256: 9F2C6D14A476D10615FE8E099EF8F87681B80382665B81C041EB5128AE7C7CB8
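The process table and the dropped-files table above together carry the whole story of this run: the first Spirit.exe launch at MEDIUM integrity exits with an NTSTATUS error, the second runs at HIGH, writes a .bat into %TEMP% and executes it through cmd.exe /c, the batch script paces itself with TIMEOUT /nobreak, and the same process plants nine executables under C:\Program Files. The script below is an added example (not ANY.RUN's code and not part of the report) that encodes those checks as reusable triage functions and runs them over the records transcribed from this page. Assumptions: the report gives no parent PIDs, so parentage is matched by the parent image name the table lists; the NTSTATUS name table contains only the one value this report needs (0xC000042C is STATUS_ELEVATION_REQUIRED in ntstatus.h).

```python
"""Triage checks over the flattened sandbox process tree and drop list on this page (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    cmd: str
    path: str
    parent: str       # parent image name as the report lists it (no PPID is given)
    integrity: str
    exit_code: int


TEMP = "C:\\Users\\admin\\AppData\\Local\\Temp"
SPIRIT = TEMP + "\\Spirit.exe"
BAT = TEMP + "\\5C7.tmp\\5C8.tmp\\5C9.bat"
TIMEOUT = "C:\\Windows\\System32\\timeout.exe"

# Constructed input: transcribed from the Process information table above.
PROCS = [
    Proc(3672, f'"{SPIRIT}"', SPIRIT, "explorer.exe", "MEDIUM", 3221226540),
    Proc(3216, f'"{SPIRIT}"', SPIRIT, "explorer.exe", "HIGH", 0),
    Proc(2840, f'"C:\\Windows\\system32\\cmd" /c "{BAT} {SPIRIT}"',
         "C:\\Windows\\System32\\cmd.exe", "Spirit.exe", "HIGH", 0),
    Proc(2892, "LogonUI.exe", "C:\\Windows\\System32\\LogonUI.exe", "cmd.exe", "HIGH", 0),
] + [
    Proc(pid, f"timeout /t {secs} /nobreak", TIMEOUT, "cmd.exe", "HIGH", 0)
    for pid, secs in [(2420, 3), (2636, 2), (2856, 1), (3500, 1), (3944, 3), (3948, 5)]
]

# Constructed input: (pid, path) pairs from the Dropped files table above.
DROPS = [(3216, f"C:\\Program Files\\{name}.exe") for name in
         ["RandomLines", "mbr", "InvertColor", "error", "start",
          "bomb", "logon", "tunnel", "ScreenMelter"]]
DROPS.append((3216, BAT))

# Only the NTSTATUS value this report needs; extend from ntstatus.h as required.
NTSTATUS_NAMES = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}


def decode_exit_code(code: int) -> tuple:
    """Render an exit code as hex plus its NTSTATUS name when it is an error-severity status."""
    if code == 0:
        return ("0x00000000", "success")
    if (code & 0xC0000000) == 0xC0000000:           # severity bits 11 = error
        return (f"0x{code:08X}", NTSTATUS_NAMES.get(code, "unknown NTSTATUS error"))
    return (f"0x{code:08X}", "not an NTSTATUS error")


_BAT_RE = re.compile(r'/c\s+"?(?P<bat>[^"\s]+\.bat)', re.I)
_TIMEOUT_RE = re.compile(r"^timeout\s+/t\s+(\d+)", re.I)


def temp_batch_via_cmd(procs) -> list:
    """PIDs of cmd.exe instances whose /c argument is a .bat inside a user's Temp directory."""
    hits = []
    for p in procs:
        m = _BAT_RE.search(p.cmd)
        if (p.path.lower().endswith("\\cmd.exe") and m
                and "\\appdata\\local\\temp\\" in m.group("bat").lower()):
            hits.append(p.pid)
    return hits


def timeout_delay(procs, parent: str = "cmd.exe") -> tuple:
    """(total seconds, count) of TIMEOUT.EXE delays spawned by `parent`, i.e. the script's pacing."""
    secs = [int(m.group(1)) for p in procs if p.parent.lower() == parent
            for m in [_TIMEOUT_RE.match(p.cmd)] if m]
    return (sum(secs), len(secs))


def elevation_retry(procs) -> list:
    """Images that failed with STATUS_ELEVATION_REQUIRED at MEDIUM and then ran at HIGH integrity."""
    failed = {p.path.lower() for p in procs
              if p.integrity == "MEDIUM" and p.exit_code == 0xC000042C}
    return sorted({p.path for p in procs
                   if p.integrity == "HIGH" and p.path.lower() in failed})


def program_files_drops_from_temp(procs, drops) -> list:
    """Executables written under Program Files by a process whose own image lives in Temp."""
    temp_pids = {p.pid for p in procs if "\\appdata\\local\\temp\\" in p.path.lower()}
    return [f for pid, f in drops if pid in temp_pids
            and f.lower().startswith("c:\\program files\\") and f.lower().endswith(".exe")]


def triage(procs, drops) -> dict:
    """Run every check and collect the findings in one dictionary."""
    return {
        "temp_bat_via_cmd": temp_batch_via_cmd(procs),
        "timeout_delay": timeout_delay(procs),
        "elevation_retry": elevation_retry(procs),
        "program_files_drops": program_files_drops_from_temp(procs, drops),
        "error_exits": {p.pid: decode_exit_code(p.exit_code) for p in procs if p.exit_code},
    }


if __name__ == "__main__":
    for key, value in triage(PROCS, DROPS).items():
        print(f"{key}: {value}")
```

The checks deliberately key on the parent image name rather than on PIDs, because that is all this report exposes; on a telemetry source that carries parent PIDs (Sysmon event 1, for instance) you would replace the string match with a real PPID lookup. The six TIMEOUT instances detailed on the page add up to 15 seconds of pacing, which is why a sandbox run that stops early can miss the later drops.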
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

Both connections are NetBIOS name-service and datagram broadcasts (UDP 137/138 to the subnet broadcast address) from the System process, i.e. background Windows networking; neither originates from Spirit.exe or its children, and the sample made no DNS or HTTP requests during the run.

DNS requests

No data

Threats

No threats detected
No debug info