| File name: | iexplore.exe |
| Full analysis: | https://app.any.run/tasks/1c3277bb-5822-407f-a2ea-a5d8a6b25f0f |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | June 12, 2020, 06:33:56 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5: | D72A48467315FCF42A9EAF95F23A641E |
| SHA1: | A02BA29C46C5755D77EBC321371940BCE21D4A6E |
| SHA256: | 9A483BC2E0F629CD1696D6A14D667C119192FF61F1901BE12DAB5124ED890ECA |
| SSDEEP: | 49152:YXe1iMLASa/AA5KFB6tlwlHgCbo0TM0Tv1doH1V6+8H7komPR33HjD6RA:8e1iJdAA5KFMtlwlvzTv1doT6+8bmPFX |
MALICIOUS
Starts NET.EXE to view/add/change user profiles
- iexplore.exe (PID: 2416)
- cmd.exe (PID: 2092)
Starts NET.EXE for service management
- iexplore.exe (PID: 2416)
- dllmm.exe (PID: 3136)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 2660)
- schtasks.exe (PID: 784)
- schtasks.exe (PID: 996)
- schtasks.exe (PID: 2632)
- schtasks.exe (PID: 1216)
- schtasks.exe (PID: 2968)
- schtasks.exe (PID: 2204)
Uses Task Scheduler to run other applications
- cmd.exe (PID: 2092)
Application was dropped or rewritten from another process
- dlltpsso.exe (PID: 3352)
- dlltpsso.exe (PID: 2724)
- dlltpsso.exe (PID: 2304)
- xsfxdel~.exe (PID: 2536)
- narratorso.exe (PID: 1136)
- narratorso.exe (PID: 2912)
- narratorso.exe (PID: 3028)
- xsfxdel~.exe (PID: 2164)
- 0oskso.exe (PID: 1180)
- 0oskso.exe (PID: 2808)
- 0oskso.exe (PID: 2712)
- dllmm.exe (PID: 3136)
- xsfxdel~.exe (PID: 1760)
Downloads executable files from the Internet
- cscript.exe (PID: 2968)
- cscript.exe (PID: 2404)
- cscript.exe (PID: 2500)
Changes Image File Execution Options
- regedit.exe (PID: 944)
- regedit.exe (PID: 984)
- regedit.exe (PID: 2596)
SUSPICIOUS
Starts CMD.EXE for commands execution
- iexplore.exe (PID: 2416)
- cmd.exe (PID: 2092)
- dlltpsso.exe (PID: 2304)
- cmd.exe (PID: 3928)
- narratorso.exe (PID: 3028)
- cmd.exe (PID: 2540)
- cmd.exe (PID: 2684)
- 0oskso.exe (PID: 2712)
- dllmm.exe (PID: 3136)
Uses ATTRIB.EXE to modify file attributes
- cmd.exe (PID: 2860)
- cmd.exe (PID: 2092)
- cmd.exe (PID: 3928)
- cmd.exe (PID: 2540)
- cmd.exe (PID: 2684)
Executes scripts
- iexplore.exe (PID: 2416)
- cmd.exe (PID: 2092)
- dllmm.exe (PID: 3136)
Starts SC.EXE for service management
- iexplore.exe (PID: 2416)
- cmd.exe (PID: 2092)
- dllmm.exe (PID: 3136)
Creates files in the Windows directory
- iexplore.exe (PID: 2416)
- cscript.exe (PID: 2968)
- dlltpsso.exe (PID: 2304)
- cmd.exe (PID: 3928)
- SecEdit.exe (PID: 1732)
- cscript.exe (PID: 2672)
- narratorso.exe (PID: 3028)
- SecEdit.exe (PID: 1520)
- SecEdit.exe (PID: 2676)
- SecEdit.exe (PID: 3044)
- cmd.exe (PID: 2540)
- cmd.exe (PID: 2684)
- cscript.exe (PID: 2404)
- 0oskso.exe (PID: 2712)
- SecEdit.exe (PID: 4004)
- SecEdit.exe (PID: 2568)
- cscript.exe (PID: 2500)
- dllmm.exe (PID: 3136)
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 2092)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 2092)
Application launched itself
- cmd.exe (PID: 2092)
Uses NETSH.EXE for network configuration
- cmd.exe (PID: 2092)
Uses IPCONFIG.EXE to discover IP address
- cmd.exe (PID: 2092)
Creates executable files which already exist in Windows
- cmd.exe (PID: 2092)
Reads Internet Cache Settings
- cscript.exe (PID: 2968)
- cscript.exe (PID: 2672)
- cscript.exe (PID: 2404)
- cscript.exe (PID: 2500)
Executable content was dropped or overwritten
- cscript.exe (PID: 2968)
- dlltpsso.exe (PID: 2304)
- cscript.exe (PID: 2672)
- narratorso.exe (PID: 3028)
- cscript.exe (PID: 2404)
- 0oskso.exe (PID: 2712)
- cscript.exe (PID: 2500)
Removes files from Windows directory
- cmd.exe (PID: 3928)
- xsfxdel~.exe (PID: 2536)
- cmd.exe (PID: 2540)
- cmd.exe (PID: 2684)
- cmd.exe (PID: 2092)
- WScript.exe (PID: 4044)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (64.2) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.6) |
| .exe | | | Win32 Executable (generic) (10.6) |
| .exe | | | Generic Win/DOS Executable (4.7) |
| .exe | | | DOS Executable Generic (4.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:05:28 13:25:47+02:00 |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 2236416 |
| InitializedDataSize: | 24576 |
| UninitializedDataSize: | 6217728 |
| EntryPoint: | 0x80f5d0 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Chinese (Simplified) |
| CharacterSet: | Unicode |
| FileVersion: | 1.0.0.0 |
| FileDescription: | 安全防护中心模块 |
| ProductName: | 安全防护中心模块 |
| ProductVersion: | 1.0.0.0 |
| CompanyName: | www.360.cn |
| LegalCopyright: | (C)360.cn ALL Rights Reserved. |
| Comments: | 安全防护中心模块 |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 28-May-2020 11:25:47 |
| Detected languages: |
|
| FileVersion: | 1.0.0.0 |
| FileDescription: | 安全防护中心模块 |
| ProductName: | 安全防护中心模块 |
| ProductVersion: | 1.0.0.0 |
| CompanyName: | www.360.cn |
| LegalCopyright: | (C)360.cn ALL Rights Reserved. |
| Comments: | 安全防护中心模块 |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000108 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 3 |
| Time date stamp: | 28-May-2020 11:25:47 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x005EE000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x005EF000 | 0x00222000 | 0x00221200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99991 |
.rsrc | 0x00811000 | 0x00006000 | 0x00005600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.35133 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 3.63481 | 632 | Latin 1 / Western European | Chinese - PRC | RT_VERSION |
2 | 7.35083 | 296 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
3 | 5.53812 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 5.7219 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 5.72783 | 2440 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 4.70004 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON |
127 | 3.58496 | 12 | Latin 1 / Western European | Chinese - PRC | RT_MENU |
150 | 6.87777 | 152 | Latin 1 / Western European | Chinese - PRC | RT_DIALOG |
286 | 7.4257 | 378 | Latin 1 / Western European | Chinese - PRC | RT_DIALOG |
554 | 7.12441 | 250 | Latin 1 / Western European | Chinese - PRC | RT_DIALOG |
Imports
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.DLL |
OLEAUT32.dll |
SHELL32.dll |
USER32.dll |
WINMM.dll |
WINSPOOL.DRV |
WS2_32.dll |
Total processes
460
Monitored processes
392
Malicious processes
10
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 276 | sc stop csrss | C:\Windows\system32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: A tool to aid in developing services for WindowsNT Exit code: 1060 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 320 | C:\Windows\system32\cmd.exe /S /D /c" echo y" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 332 | takeown /f C:\Windows\SysWOW64\wscript.exe /a | C:\Windows\system32\takeown.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Takes ownership of a file Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 348 | sc delete mssecsvc2.0 | C:\Windows\system32\sc.exe | — | dllmm.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: A tool to aid in developing services for WindowsNT Exit code: 1060 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 352 | C:\Windows\system32\cmd.exe /S /D /c" echo y" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 404 | cacls C:\Windows\system32\narrator.exe /e /d SERVICE | C:\Windows\system32\cacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Control ACLs Program Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 440 | C:\Windows\system32\cmd.exe /S /D /c" echo Y" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 464 | cacls "C:\ProgramData\WmiAppSvr\svchost.exe" /d everyone | C:\Windows\system32\cacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Control ACLs Program Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 464 | takeown /f C:\Windows\system32\sethc.exe /a | C:\Windows\system32\takeown.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Takes ownership of a file Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 480 | cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r | C:\Windows\system32\cacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Control ACLs Program Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
3 089
Read events
2 428
Write events
660
Delete events
1
Modification events
| (PID) Process: | (2416) iexplore.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2416) iexplore.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
| Operation: | write | Name: | @C:\Windows\system32\ntshrui.dll,-103 |
Value: S&hare with | |||
| (PID) Process: | (2416) iexplore.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
| Operation: | write | Name: | @C:\Windows\System32\wshext.dll,-4511 |
Value: Open &with Command Prompt | |||
| (PID) Process: | (2416) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (2416) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (3136) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3136) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\p2pcollab.dll,-8042 |
Value: Peer to Peer Trust | |||
| (PID) Process: | (3136) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\qagentrt.dll,-10 |
Value: System Health Authentication | |||
| (PID) Process: | (3136) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\dnsapi.dll,-103 |
Value: Domain Name System (DNS) Server Trust | |||
| (PID) Process: | (3136) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\System32\fveui.dll,-843 |
Value: BitLocker Drive Encryption | |||
Executable files
10
Suspicious files
0
Text files
41
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2676 | SecEdit.exe | C:\Windows\Fonts\cloud.log | — | |
MD5:— | SHA256:— | |||
| 1732 | SecEdit.exe | C:\Windows\Fonts\cloud.log | — | |
MD5:— | SHA256:— | |||
| 2304 | dlltpsso.exe | C:\Windows\Fonts\AS.bat | text | |
MD5:— | SHA256:— | |||
| 2092 | cmd.exe | C:\Users\admin\AppData\Local\Temp\xxoo.vbs | text | |
MD5:— | SHA256:— | |||
| 2304 | dlltpsso.exe | C:\Windows\Fonts\2.ini | text | |
MD5:— | SHA256:— | |||
| 2968 | cscript.exe | C:\Windows\Temp\dlltpsso.exe | executable | |
MD5:— | SHA256:— | |||
| 2304 | dlltpsso.exe | C:\Windows\Fonts\1.ini | text | |
MD5:— | SHA256:— | |||
| 3044 | SecEdit.exe | C:\Windows\Fonts\cloud.log | — | |
MD5:— | SHA256:— | |||
| 2304 | dlltpsso.exe | C:\Windows\Fonts\smss.reg | text | |
MD5:— | SHA256:— | |||
| 2304 | dlltpsso.exe | C:\Windows\Fonts\smss.exe | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
4
DNS requests
1
Threats
14
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2500 | cscript.exe | GET | 200 | 123.58.182.252:80 | http://note.youdao.com/yws/api/personal/file/WEB5054fc459aa11c43e89b6ae4a9946e8b?method=download&inline=true&shareKey=b92eb5f848edcb42eb6327e5ed2bbb35 | CN | executable | 3.95 Mb | malicious |
2968 | cscript.exe | GET | 200 | 123.58.182.252:80 | http://note.youdao.com/yws/api/personal/file/WEB9582c940624e9219810ac5a73cf78f60?method=download&inline=true&shareKey=cc2ecda7adab81bd366de9fe738ee7a5 | CN | executable | 279 Kb | malicious |
2404 | cscript.exe | GET | 200 | 123.58.182.252:80 | http://note.youdao.com/yws/api/personal/file/WEB413662f5cc07627e58c48fe17d4d29d0?method=download&inline=true&shareKey=eb9998a97429406e7ea9f4bf2bf14549 | CN | executable | 279 Kb | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2968 | cscript.exe | 123.58.182.252:80 | note.youdao.com | Guangzhou NetEase Computer System Co., Ltd. | CN | malicious |
2672 | cscript.exe | 123.58.182.252:80 | note.youdao.com | Guangzhou NetEase Computer System Co., Ltd. | CN | malicious |
2404 | cscript.exe | 123.58.182.252:80 | note.youdao.com | Guangzhou NetEase Computer System Co., Ltd. | CN | malicious |
2500 | cscript.exe | 123.58.182.252:80 | note.youdao.com | Guangzhou NetEase Computer System Co., Ltd. | CN | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
note.youdao.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
— | — | Misc activity | ET INFO EXE - Served Inline HTTP |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
— | — | Misc activity | ET INFO EXE - Served Inline HTTP |
— | — | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
— | — | Misc activity | ET INFO EXE - Served Inline HTTP |