| File name: | trow.exe |
| Full analysis: | https://app.any.run/tasks/e7f71c0e-148a-494f-9808-3c2f454d9ef3 |
| Verdict: | Malicious activity |
| Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
| Analysis date: | December 09, 2023, 20:34:46 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | FB75D4F81BE51074BB4147E781E5B402 |
| SHA1: | 55E512EBFE4F3A08A66C35500506837AD2C473C8 |
| SHA256: | 94A0A09EE6A21526AC34D41EABF4BA603E9A30C26E6A1DC072FF45749DFB1FE1 |
| SSDEEP: | 6144:gUOj2bJ/7HZg6Z8TYKxc99NY6ZAYL2WYCXUha5v5mswpl85JlmnADb:gUOjK75RZ8TY8cnNZAfjCX2aTO85tb |
MALICIOUS
Drops the executable file immediately after the start
- trow.exe (PID: 3048)
Changes the autorun value in the registry
- trow.exe (PID: 3048)
- svchost.exe (PID: 2932)
- svchost.exe (PID: 1360)
- svchost.exe (PID: 3272)
- svchost.exe (PID: 3384)
- svchost.exe (PID: 2072)
PUSHDO has been detected (SURICATA)
- svchost.exe (PID: 3940)
- trow.exe (PID: 3048)
- svchost.exe (PID: 3092)
- svchost.exe (PID: 3272)
- svchost.exe (PID: 2764)
- svchost.exe (PID: 2072)
- svchost.exe (PID: 2316)
- svchost.exe (PID: 1936)
- svchost.exe (PID: 1360)
- svchost.exe (PID: 3564)
- svchost.exe (PID: 2932)
- svchost.exe (PID: 3384)
- svchost.exe (PID: 3584)
Connects to the CnC server
- trow.exe (PID: 3048)
- svchost.exe (PID: 3940)
- svchost.exe (PID: 2764)
- svchost.exe (PID: 3272)
- svchost.exe (PID: 1360)
- svchost.exe (PID: 1936)
- svchost.exe (PID: 2316)
- svchost.exe (PID: 3092)
- svchost.exe (PID: 3564)
- svchost.exe (PID: 3384)
- svchost.exe (PID: 2932)
- svchost.exe (PID: 3584)
- svchost.exe (PID: 2072)
SUSPICIOUS
Reads the Internet Settings
- trow.exe (PID: 3048)
Application launched itself
- svchost.exe (PID: 3892)
- svchost.exe (PID: 3832)
- svchost.exe (PID: 2444)
Connects to SMTP port
- svchost.exe (PID: 1936)
- svchost.exe (PID: 3940)
- svchost.exe (PID: 1360)
- svchost.exe (PID: 2764)
- svchost.exe (PID: 3384)
- svchost.exe (PID: 2072)
- svchost.exe (PID: 3092)
- svchost.exe (PID: 3564)
- svchost.exe (PID: 2932)
- svchost.exe (PID: 3584)
- svchost.exe (PID: 3272)
- svchost.exe (PID: 2316)
INFO
Checks supported languages
- trow.exe (PID: 3048)
- wmpnscfg.exe (PID: 2976)
Checks proxy server information
- trow.exe (PID: 3048)
- svchost.exe (PID: 1360)
- svchost.exe (PID: 3940)
- svchost.exe (PID: 2316)
- svchost.exe (PID: 2764)
- svchost.exe (PID: 3384)
- svchost.exe (PID: 3564)
- svchost.exe (PID: 3092)
- svchost.exe (PID: 3584)
- svchost.exe (PID: 3272)
- svchost.exe (PID: 2932)
- svchost.exe (PID: 1936)
- svchost.exe (PID: 2072)
Reads the computer name
- trow.exe (PID: 3048)
- wmpnscfg.exe (PID: 2976)
Reads the machine GUID from the registry
- trow.exe (PID: 3048)
Manual execution by a user
- wmpnscfg.exe (PID: 2976)
Creates files or folders in the user directory
- trow.exe (PID: 3048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2017:06:27 10:21:16+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 9 |
| CodeSize: | 134144 |
| InitializedDataSize: | 195584 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xcf09 |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 7.8.52.7 |
| ProductVersionNumber: | 7.8.52.7 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| PrivateBuild: | 7.8.52.7 |
| InternalName: | Pedals |
| AssemblyVersion: | 7.8.52.7 |
| CompanyName: | UBTECH Robotics |
| Comments: | Powershell Fuse 694 Interplay |
| FileDescription: | Powershell Fuse 694 Interplay |
| LegalTrademarks: | Copyright © 2013. All rights reserved. UBTECH Robotics |
| LegalCopyright: | Copyright © 2013. All rights reserved. UBTECH Robotics |
| OriginalFileName: | Pedals.exe |
| Languages: | English |
| ProductName: | Pedals |
| FileVersion: | 7.8.52.7 |
| ProductVersion: | 7.8.52.7 |
Total processes
55
Monitored processes
17
Malicious processes
16
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1360 | C:\Windows\system32\svchost.exe | C:\Windows\System32\svchost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1936 | C:\Windows\system32\svchost.exe | C:\Windows\System32\svchost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2072 | C:\Windows\system32\svchost.exe | C:\Windows\System32\svchost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2316 | C:\Windows\system32\svchost.exe | C:\Windows\System32\svchost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2444 | C:\Windows\system32\svchost.exe | C:\Windows\System32\svchost.exe | — | trow.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2764 | C:\Windows\system32\svchost.exe | C:\Windows\System32\svchost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2932 | C:\Windows\system32\svchost.exe | C:\Windows\System32\svchost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2976 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3048 | "C:\Users\admin\AppData\Local\Temp\trow.exe" | C:\Users\admin\AppData\Local\Temp\trow.exe | explorer.exe | ||||||||||||
User: admin Company: UBTECH Robotics Integrity Level: MEDIUM Description: Powershell Fuse 694 Interplay Exit code: 0 Version: 7.8.52.7 Modules
| |||||||||||||||
| 3092 | C:\Windows\system32\svchost.exe | C:\Windows\System32\svchost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
24 799
Read events
17 549
Write events
7 250
Delete events
0
Modification events
| (PID) Process: | (3048) trow.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (3048) trow.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (3048) trow.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (3048) trow.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005A010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3048) trow.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3048) trow.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3048) trow.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3048) trow.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3048) trow.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} |
| Operation: | write | Name: | WpadDecisionReason |
Value: 1 | |||
| (PID) Process: | (3048) trow.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} |
| Operation: | write | Name: | WpadDecisionTime |
Value: ECAC8A2DDF2ADA01 | |||
Executable files
1
Suspicious files
1
Text files
32
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3048 | trow.exe | C:\Users\admin\taswexuahoft.exe | executable | |
MD5:FB75D4F81BE51074BB4147E781E5B402 | SHA256:94A0A09EE6A21526AC34D41EABF4BA603E9A30C26E6A1DC072FF45749DFB1FE1 | |||
| 3048 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\LSS7PJKZ.txt | text | |
MD5:A1FEE6DF87F58E434B73B40020C06386 | SHA256:2B1509A45D0416BBEF77BE5585F55E7E5DECCBA785E3D1EF31CC0F44B14A012F | |||
| 3048 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\ZPR4IBVP.txt | text | |
MD5:F158D4FB1B5A727DC55F27032154A17A | SHA256:C13FC53F4FCA5B7ECF88CCDC36AD343F5B2EE16703A12AB658282E3C0D01A2BE | |||
| 3048 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\UNDZSKTU.txt | text | |
MD5:8B278894E89B4206140F3B152AAA91ED | SHA256:E29FC01BB0A7C081BEC9251CF7ED84DF34CE9D8039DD2A997E8F866694B6EE34 | |||
| 3048 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\KXV2XJ2B.txt | text | |
MD5:7FEB3055B93DCB6CAC89AD3E8C31C070 | SHA256:898E7EA5EF89775EAD3A405DE47CE983FC83F276EF3A11ABF2A73D0C53997471 | |||
| 3048 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\860WWBKB.txt | text | |
MD5:E1A079E42FBFF996C9EC083483FA69A7 | SHA256:E00732F16F2FA4858E9DF810AE2A39190F620CC1CBFD2A668AA8FD5DE0587277 | |||
| 3048 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\HTM1N056.txt | text | |
MD5:A8329BFD4C3F2E01130A2BD064E62C6C | SHA256:13EB89DE67E64D924C961EB8E83A619CAD2DE90E06251155515612D7D8BD30B6 | |||
| 3048 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\8NWR9BZV.txt | text | |
MD5:AD5CB82E16B75798EA48BE90CF675DF4 | SHA256:4463AA4368DC1656D16CCEF2DED6BC88C2426B07F64641FC47637DDF01282804 | |||
| 1936 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\U8ITZVUY.txt | text | |
MD5:166370ED191D96F5B81BE513B54312E7 | SHA256:FB64C87056A825B97021D2D654DDE770A54BDF96C3D6CC36204116B6CC3C4494 | |||
| 3048 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\c5d8393293ce2ba62f117b2c2d55bc3e_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:60806F4F110A6F85831390DAFBB98385 | SHA256:219D1A0D4109122414A4EF1B17D392652E94E7492B490EC6FF33EF553D125A4D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
549
TCP/UDP connections
1 771
DNS requests
1 848
Threats
551
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3048 | trow.exe | POST | 200 | 104.26.15.53:80 | http://www.elpro.si/ | unknown | html | 150 Kb | unknown |
3048 | trow.exe | POST | 200 | 91.210.235.23:80 | http://www.nelipak.nl/ | unknown | html | 60.1 Kb | unknown |
3048 | trow.exe | POST | 301 | 80.74.154.6:80 | http://www.transsib.com/ | unknown | html | 162 b | unknown |
3048 | trow.exe | POST | 301 | 80.74.154.6:80 | http://www.transsib.com/ | unknown | html | 162 b | unknown |
3048 | trow.exe | POST | 301 | 165.227.252.190:80 | http://www.crcsi.org/ | unknown | html | 309 b | unknown |
3048 | trow.exe | POST | 200 | 104.218.10.254:80 | http://www.pohlfood.com/ | unknown | html | 104 Kb | unknown |
3048 | trow.exe | POST | 302 | 104.26.10.81:80 | http://www.com-sit.com/ | unknown | — | — | unknown |
3048 | trow.exe | POST | 301 | 69.163.239.62:80 | http://www.sjbs.org/ | unknown | html | 225 b | unknown |
3048 | trow.exe | POST | 403 | 34.120.97.14:80 | http://www.udesign.biz/ | unknown | html | 134 b | unknown |
3048 | trow.exe | POST | 403 | 147.154.0.23:80 | http://www.nqks.com/ | unknown | html | 681 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3048 | trow.exe | 64.125.133.18:80 | www.reglera.com | DLSS-CA-EMERYVILLE-AS | US | unknown |
3048 | trow.exe | 104.218.10.254:80 | www.pohlfood.com | A2HOSTING | US | unknown |
3048 | trow.exe | 165.227.252.190:80 | www.crcsi.org | DIGITALOCEAN-ASN | US | unknown |
3048 | trow.exe | 91.210.235.23:80 | www.nelipak.nl | Blacknight Internet Solutions Limited | IE | unknown |
3048 | trow.exe | 104.26.15.53:80 | www.elpro.si | CLOUDFLARENET | US | unknown |
3048 | trow.exe | 69.163.239.62:80 | www.sjbs.org | DREAMHOST-AS | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.mobilnic.net |
| unknown |
www.ex-olive.com |
| malicious |
www.sjbs.org |
| malicious |
www.sclover3.com |
| malicious |
www.crcsi.org |
| malicious |
www.nelipak.nl |
| malicious |
www.transsib.com |
| unknown |
www.reglera.com |
| malicious |
www.elpro.si |
| malicious |
www.pohlfood.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3048 | trow.exe | Malware Command and Control Activity Detected | ET MALWARE Backdoor.Win32.Pushdo.s Checkin |
3048 | trow.exe | Malware Command and Control Activity Detected | ET MALWARE Backdoor.Win32.Pushdo.s Checkin |
3048 | trow.exe | Malware Command and Control Activity Detected | ET MALWARE Backdoor.Win32.Pushdo.s Checkin |
1080 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
3048 | trow.exe | Malware Command and Control Activity Detected | ET MALWARE Backdoor.Win32.Pushdo.s Checkin |
3048 | trow.exe | Malware Command and Control Activity Detected | ET MALWARE Backdoor.Win32.Pushdo.s Checkin |
3048 | trow.exe | Malware Command and Control Activity Detected | ET MALWARE Backdoor.Win32.Pushdo.s Checkin |
3048 | trow.exe | Malware Command and Control Activity Detected | ET MALWARE Backdoor.Win32.Pushdo.s Checkin |
3048 | trow.exe | Malware Command and Control Activity Detected | ET MALWARE Backdoor.Win32.Pushdo.s Checkin |
3048 | trow.exe | Malware Command and Control Activity Detected | ET MALWARE Backdoor.Win32.Pushdo.s Checkin |