analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9

Full analysis: https://app.any.run/tasks/e271abc3-f3de-4440-b87d-c0c5c8f0e4f7
Verdict: Malicious activity
Analysis date: July 18, 2019, 08:40:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

A3C22E2F449F09814C0E24C499D1C9A2

SHA1:

454BEF599195E5C6C82C2A6EE381AACA8899D9F8

SHA256:

9A429B84F416346DE08EBE452FCA6705A00FA5F3D345857BF5CB4ED0546549F9

SSDEEP:

3072:hJaWDaGRTtZumcr6yfTjGcqUE9ZRGwUVOYHfZEXhHLtmDYjRhmek:z7btZuZfTjpqFcwKOYHfiXhrCQR7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe (PID: 3608)
    • Actions looks like stealing of personal data

      • 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe (PID: 2804)
  • SUSPICIOUS

    • Changes tracing settings of the file or console

      • 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe (PID: 2804)
    • Checks for external IP

      • 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe (PID: 2804)
    • Executable content was dropped or overwritten

      • 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe (PID: 3608)
    • Creates files in the user directory

      • 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe (PID: 3608)
    • Application launched itself

      • 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe (PID: 3608)
  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 3996)
    • Reads settings of System Certificates

      • 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe (PID: 2804)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3996)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (62)
.exe | Win64 Executable (generic) (23.3)
.dll | Win32 Dynamic Link Library (generic) (5.5)
.exe | Win32 Executable (generic) (3.8)
.exe | Win16/32 Executable Delphi generic (1.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2eb5e
UninitializedDataSize: -
InitializedDataSize: 512
CodeSize: 183296
LinkerVersion: 8
PEType: PE32
TimeStamp: 2019:06:17 11:55:54+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 17-Jun-2019 09:55:54

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 2
Time date stamp: 17-Jun-2019 09:55:54
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x0002CB64
0x0002CC00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.39984
.reloc
0x00030000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.10191

Imports

mscoree.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe winword.exe no specs 9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe

Process information

PID
CMD
Path
Indicators
Parent process
3608"C:\Users\admin\AppData\Local\Temp\9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe" C:\Users\admin\AppData\Local\Temp\9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3996"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\campusweight.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2804"C:\Users\admin\AppData\Local\Temp\9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe"C:\Users\admin\AppData\Local\Temp\9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 025
Read events
665
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
5
Unknown types
4

Dropped files

PID
Process
Filename
Type
3996WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR1337.tmp.cvr
MD5:
SHA256:
3996WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:D40ED17F838C08142D2050F63A3156BE
SHA256:B534221B95F851D7A71BF0842EB138803536EA050CF9D9E5BDD61CBF85129AF9
3996WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\campusweight.rtf.LNKlnk
MD5:6BA0AB5B0DAB68CD15246409E01C95EC
SHA256:08204E91D4BA4358C744545A8906C243445670F4EBB9656AA04052E8BC63779E
36089a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lWHEMsIY.urltext
MD5:D6A97210A96CCBC0D3A3CA84C0F056F4
SHA256:A375F595CDF206354F08B642F72267C7BE76F342515DF3B05A5569422041F001
3996WINWORD.EXEC:\Users\admin\Desktop\~$mpusweight.rtfpgc
MD5:5241E4C0C647C002D7549A9EDA4EF263
SHA256:52004BB7D3412F98C6676F29A48EE8DCEB543701D4F131A695CCE8F0EA4DB6D9
36089a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exeC:\Users\admin\AppData\Roaming\PLA\rundll32.exeexecutable
MD5:A3C22E2F449F09814C0E24C499D1C9A2
SHA256:9A429B84F416346DE08EBE452FCA6705A00FA5F3D345857BF5CB4ED0546549F9
3996WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:DCC7CED926D600030726485442F94E64
SHA256:31335C5BE8D137AB762B2EB64029BFAB32A6BD350E1AAD901F5298EAFB6C74AB
36089a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exeC:\Users\admin\AppData\Roaming\PLA\GGUMTFyS.vbstext
MD5:BB45B214AC0AC64FCD1A2A2B6B8D7431
SHA256:C37A662978C00318CA20C2135ED5278C9D7AC84F96B68ADDD39C6F810A32BE4C
3996WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lextext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
21
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2804
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
GET
200
216.239.38.21:80
http://ifconfig.me/ip
US
text
15 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2804
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
216.239.38.21:80
ifconfig.me
Google Inc.
US
whitelisted
2804
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger LLP
GB
malicious
2804
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
77.88.21.38:25
smtp.yandex.com
YANDEX LLC
RU
whitelisted
2804
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
93.158.134.38:25
smtp.yandex.com
YANDEX LLC
RU
whitelisted
2804
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
213.180.193.38:25
smtp.yandex.com
YANDEX LLC
RU
whitelisted
2804
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
213.180.204.38:25
smtp.yandex.com
YANDEX LLC
RU
whitelisted
2804
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
87.250.250.38:25
smtp.yandex.com
YANDEX LLC
RU
whitelisted

DNS requests

Domain
IP
Reputation
ifconfig.me
  • 216.239.38.21
  • 216.239.36.21
  • 216.239.34.21
  • 216.239.32.21
shared
smtp.yandex.com
  • 87.250.250.38
  • 213.180.204.38
  • 213.180.193.38
  • 77.88.21.38
  • 93.158.134.38
shared
dns.msftncsi.com
  • 131.107.255.255
shared
api.telegram.org
  • 149.154.167.220
shared

Threats

PID
Process
Class
Message
2804
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (ifconfig .me)
2804
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ifconfig. me)
Process
Message
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
9a429b84f416346de08ebe452fca6705a00fa5f3d345857bf5cb4ed0546549f9.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278