analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PhotoViewer_1567336589_chenbin_004.exe

Full analysis: https://app.any.run/tasks/d67ae70b-b757-43c1-a90c-4d769e4bfeff
Verdict: Malicious activity
Analysis date: November 08, 2018, 06:56:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3F56D321FE1C641C8332330048DA9585

SHA1:

269C4C5B8F362EE10D1B07634091E54AE2DFBDE3

SHA256:

94F8DA554BADDE07262DAA78BF2103866EC42202B56B98C2930444177C40BB8E

SSDEEP:

196608:ySf1WDFtd844trHSijias2g1FKmVCaQnCVhvHYv/9+:ySf1ktdj4tuJaveKGbQnCVJHYv/M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • PhotoViewer_1567336589_chenbin_004.exe (PID: 2852)

    • Application was dropped or rewritten from another process

      • PhotoViewer.exe (PID: 2392)
      • Report.exe (PID: 3240)
      • PdfReader.exe (PID: 3276)
      • PhotoViewer.exe (PID: 3260)

    • Loads the Task Scheduler COM API

      • PhotoViewer_1567336589_chenbin_004.exe (PID: 2852)

    • Loads dropped or rewritten executable

      • PhotoViewer.exe (PID: 2392)
      • PdfReader.exe (PID: 3276)
      • svchost.exe (PID: 2404)
      • regsvr32.exe (PID: 3048)
      • svchost.exe (PID: 836)
      • PhotoViewer.exe (PID: 3260)
      • regsvr32.exe (PID: 2348)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PhotoViewer_1567336589_chenbin_004.exe (PID: 2852)

    • Creates files in the user directory

      • PhotoViewer_1567336589_chenbin_004.exe (PID: 2852)

    • Creates COM task schedule object

      • regsvr32.exe (PID: 2348)

    • Uses TASKKILL.EXE to kill process

      • PhotoViewer_1567336589_chenbin_004.exe (PID: 2852)

    • Creates files in the Windows directory

      • svchost.exe (PID: 836)

    • Creates a software uninstall entry

      • PhotoViewer_1567336589_chenbin_004.exe (PID: 2852)

    • Creates or modifies windows services

      • regsvr32.exe (PID: 3048)

    • Modifies the open verb of a shell class

      • PhotoViewer.exe (PID: 2392)
      • PdfReader.exe (PID: 3276)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

ProductVersion: 1.4.0.6
ProductName: ABC看图
OriginalFileName: install.exe
LegalCopyright: Copyright © 2016 上海展盟网络科技有限公司 All Rights Reserved
InternalName: install.exe
FileVersion: 1.4.0.6
FileDescription: ABC看图安装包
CompanyName: 上海展盟网络科技有限公司
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.4.0.6
FileVersionNumber: 1.4.0.6
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0xa52ee
UninitializedDataSize: -
InitializedDataSize: 8582144
CodeSize: 1135616
LinkerVersion: 14
PEType: PE32
TimeStamp: 2018:07:12 11:11:16+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 12-Jul-2018 09:11:16
Detected languages:
  • Chinese - PRC
Debug artifacts:
  • E:\svn\photoviewer\bin\Release\Install.pdb
CompanyName: 上海展盟网络科技有限公司
FileDescription: ABC看图安装包
FileVersion: 1.4.0.6
InternalName: install.exe
LegalCopyright: Copyright © 2016 上海展盟网络科技有限公司 All Rights Reserved
OriginalFilename: install.exe
ProductName: ABC看图
ProductVersion: 1.4.0.6

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000130

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 12-Jul-2018 09:11:16
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00115269
0x00115400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.51654
.rdata
0x00117000
0x0003A3A0
0x0003A400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.25712
.data
0x00152000
0x00006764
0x00002C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.36545
.gfids
0x00159000
0x000001D4
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.60591
.tls
0x0015A000
0x00000009
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.rsrc
0x0015B000
0x007DFA60
0x007DFC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.99632
.reloc
0x0093B000
0x0000E794
0x0000E800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.58008

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.01722
2318
UNKNOWN
Chinese - PRC
RT_MANIFEST
2
3.18698
67624
UNKNOWN
Chinese - PRC
RT_ICON
3
3.40373
16936
UNKNOWN
Chinese - PRC
RT_ICON
4
4.10391
9640
UNKNOWN
Chinese - PRC
RT_ICON
5
3.80108
4264
UNKNOWN
Chinese - PRC
RT_ICON
6
4.21505
1128
UNKNOWN
Chinese - PRC
RT_ICON
7
1.76997
60
UNKNOWN
Chinese - PRC
RT_STRING
103
3.24033
284
UNKNOWN
Chinese - PRC
RT_DIALOG
109
1.79879
16
UNKNOWN
Chinese - PRC
RT_ACCELERATOR
128
2.79908
90
UNKNOWN
Chinese - PRC
RT_GROUP_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
IMM32.dll
IPHLPAPI.DLL
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
57
Monitored processes
17
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start start photoviewer_1567336589_chenbin_004.exe no specs photoviewer_1567336589_chenbin_004.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs photoviewer.exe no specs svchost.exe no specs pdfreader.exe no specs report.exe photoviewer.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2312"C:\Users\admin\AppData\Local\Temp\PhotoViewer_1567336589_chenbin_004.exe" C:\Users\admin\AppData\Local\Temp\PhotoViewer_1567336589_chenbin_004.exeexplorer.exe
User:
admin
Company:
上海展盟网络科技有限公司
Integrity Level:
MEDIUM
Description:
ABC看图安装包
Exit code:
3221226540
Version:
1.4.0.6
2852"C:\Users\admin\AppData\Local\Temp\PhotoViewer_1567336589_chenbin_004.exe" C:\Users\admin\AppData\Local\Temp\PhotoViewer_1567336589_chenbin_004.exe
explorer.exe
User:
admin
Company:
上海展盟网络科技有限公司
Integrity Level:
HIGH
Description:
ABC看图安装包
Exit code:
0
Version:
1.4.0.6
2092"C:\Windows\System32\taskkill.exe" /f /im PhotoViewer.exeC:\Windows\System32\taskkill.exePhotoViewer_1567336589_chenbin_004.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2644"C:\Windows\System32\taskkill.exe" /f /im Photomanager.exeC:\Windows\System32\taskkill.exePhotoViewer_1567336589_chenbin_004.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
548"C:\Windows\System32\taskkill.exe" /f /im PdfReader.exeC:\Windows\System32\taskkill.exePhotoViewer_1567336589_chenbin_004.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2744"C:\Windows\System32\taskkill.exe" /f /im Update.exeC:\Windows\System32\taskkill.exePhotoViewer_1567336589_chenbin_004.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2820"C:\Windows\System32\taskkill.exe" /f /im Report.exeC:\Windows\System32\taskkill.exePhotoViewer_1567336589_chenbin_004.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3000"C:\Windows\system32\regsvr32.exe" /s /u C:\Users\admin\AppData\Roaming\PhotoViewer\ShellExt.dllC:\Windows\system32\regsvr32.exePhotoViewer_1567336589_chenbin_004.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
128"C:\Windows\system32\regsvr32.exe" /s /u C:\Users\admin\AppData\Roaming\PhotoViewer\Checker.dllC:\Windows\system32\regsvr32.exePhotoViewer_1567336589_chenbin_004.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2348"C:\Windows\system32\regsvr32.exe" /s C:\Users\admin\AppData\Roaming\PhotoViewer\ShellExt.dllC:\Windows\system32\regsvr32.exePhotoViewer_1567336589_chenbin_004.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 962
Read events
1 154
Write events
0
Delete events
0

Modification events

No data
Executable files
21
Suspicious files
0
Text files
1
Unknown types
10

Dropped files

PID
Process
Filename
Type
2852PhotoViewer_1567336589_chenbin_004.exeC:\Users\admin\AppData\Local\Temp\ABCPhotoView.7z
MD5:
SHA256:
2852PhotoViewer_1567336589_chenbin_004.exeC:\Users\admin\AppData\Roaming\PhotoViewer\Update.exeexecutable
MD5:2DEE0EE5C0A7FF338D9E2F086FF2BFE9
SHA256:824A2A84BC4755C3DB90F718FDB1D2DB90B2CB64DFC1FE35F4466DD5315D6568
2852PhotoViewer_1567336589_chenbin_004.exeC:\Users\admin\AppData\Local\Temp\CheckABCPhotoView.7z.md5text
MD5:0D1044734AB2ECE1EF358078F22BCB4F
SHA256:F5C6BCD4DD597BAE2A7FCA045B733A89587D5D3B8376EA9904B1CD75D873A993
2852PhotoViewer_1567336589_chenbin_004.exeC:\Users\admin\AppData\Roaming\PhotoViewer\ShellExt.dllexecutable
MD5:A5FA380C2EDC87D16144162556E78F11
SHA256:117C89423657FE95C13DCB110FE3D4C09355AC9E7E1D6F39E1FA136492074E21
2852PhotoViewer_1567336589_chenbin_004.exeC:\Users\admin\AppData\Roaming\PhotoViewer\Report.exeexecutable
MD5:0A90936A39CD85D0C1802FBAB21AC636
SHA256:4D078E3B3E17D6C775274862C92D29DCCDF5757593F2877DD9E9018E5EDCA0D5
836svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:9A24B65FCBC1386B75BEF6D800F00467
SHA256:CA84D551051C7FEEEB2E618C1ED21EF3A5511C3F4937EB969629F58AEADF58E6
2852PhotoViewer_1567336589_chenbin_004.exeC:\Users\admin\AppData\Roaming\PhotoViewer\pdfium.dllexecutable
MD5:34DD4F28F701CB4DADDDAA695D55DF34
SHA256:5AE8EBBFFFCF975CAA73F3BE633D78F8D6880C64E3B5C3DDB10C5677CFA402EE
2852PhotoViewer_1567336589_chenbin_004.exeC:\Users\admin\AppData\Roaming\PhotoViewer\PdfReader.exeexecutable
MD5:C14884CEA81CC1B9982E70D1258C2F81
SHA256:616EE40B0FA843442AFB44D9EE62C9CD186003C3FC504A2AEB940C21DD82B715
2852PhotoViewer_1567336589_chenbin_004.exeC:\Users\admin\AppData\Roaming\PhotoViewer\imgdecoder-gdip.dllexecutable
MD5:E7792D2B17939D6D80A5794EBA388412
SHA256:7566429F97D19E0710F9E4FD273B22C39867A9D812C9DC3E8E193AA314090F55
2852PhotoViewer_1567336589_chenbin_004.exeC:\Users\admin\AppData\Roaming\PhotoViewer\Uninst.exeexecutable
MD5:1D71B3B59C88CCF19FCEA9214D4866D3
SHA256:653A7B08CD449407F970BDD8255F0B5AF49128D9AB95E664F9A616006CEE1871
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3240
Report.exe
GET
117.50.8.146:80
http://kantu.shzhanmeng.com/2.gif?proj=kantu&food=D5CmfUa6EOoz/uWnaEtDZXgwy658l4b/w/zm2qlL2w9iFbjGTa205QLCT+2L5NHuQcW2ISZX5QI/fCSxuKnH8YkfLJhyb7/8KWBXghSrdscUaoND97CcdjOpxuJrRnCaWP3lZz6bi7NeqMhJtbZUipLbozzBQcILbZtlJwsL/3zQBeUk3TDS/P2SMYaghrImTFrj9DyOh1Pu3Uh7eAm6IJVQxk1k
CN
malicious
3260
PhotoViewer.exe
GET
113.215.232.5:80
http://down2.abckantu.com/n/kantu/parameter.xml
CN
suspicious
3260
PhotoViewer.exe
GET
119.167.216.173:80
http://ktnews.7654.com/
CN
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3260
PhotoViewer.exe
119.167.216.173:80
ktnews.7654.com
CHINA UNICOM China169 Backbone
CN
suspicious
113.215.232.5:80
down2.abckantu.com
Huashu media&Network Limited
CN
suspicious
3240
Report.exe
117.50.8.146:80
kantu.shzhanmeng.com
China Unicom Beijing Province Network
CN
malicious

DNS requests

Domain
IP
Reputation
kantu.shzhanmeng.com
  • 117.50.8.146
malicious
ktnews.7654.com
  • 119.167.216.173
  • 221.204.60.123
  • 113.200.16.31
  • 27.221.54.19
  • 221.204.58.110
  • 121.29.54.65
  • 113.200.16.30
  • 221.204.60.63
  • 113.200.16.27
  • 211.91.160.204
  • 139.215.203.208
  • 113.200.16.32
  • 112.132.32.105
  • 218.11.8.104
  • 139.215.203.199
malicious
down2.abckantu.com
  • 113.215.232.5
  • 113.215.232.8
  • 113.215.232.9
  • 113.215.232.10
  • 113.215.232.11
  • 113.215.232.7
  • 113.215.232.6
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
PhotoViewer_1567336589_chenbin_004.exe