| File name: | MRPQTGv98.1.exe |
| Full analysis: | https://app.any.run/tasks/8eab11ef-6e11-49af-902a-bdf6c2235118 |
| Verdict: | Malicious activity |
| Analysis date: | August 24, 2019, 20:52:28 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386, for MS Windows |
| MD5: | 43412619617A74B67EA734FA4C92CBC3 |
| SHA1: | FA52B9D52F36BD032DA207B2C8B7EB28198A1532 |
| SHA256: | 9BF9CC8BB6106C9A8F1D104702BFF8089990EB344792941187D6281AE51CFF90 |
| SSDEEP: | 98304:TfxANV3yMPwRADRBXBBqjWwE7nmU0fzfJ4LXDbzfJ4LXD1szfJ4LXDj:TfxEBPWoxBwE7h0fzR4TXzR4T5szR4TX |
MALICIOUS
Application was dropped or rewritten from another process
- ChkValid.exe (PID: 3340)
- IsSSD.exe (PID: 3608)
- BDTBT.exe (PID: 2656)
- ChkValid.exe (PID: 3888)
- ChkValid.exe (PID: 2404)
- ChkValid.exe (PID: 2340)
- ChkValid.exe (PID: 3428)
- ChkValid.exe (PID: 3568)
- ChkValid.exe (PID: 3020)
- Generic.exe (PID: 3560)
- Generic.exe (PID: 3740)
- Generic.exe (PID: 3448)
- Generic.exe (PID: 2640)
- Generic.exe (PID: 4008)
- ChkValid.exe (PID: 2720)
- ChkValid.exe (PID: 2956)
- ChkValid.exe (PID: 2244)
- ChkValid.exe (PID: 2396)
- ChkValid.exe (PID: 2060)
- Generic.exe (PID: 3924)
- Generic.exe (PID: 3204)
- ChkValid.exe (PID: 3296)
- Generic.exe (PID: 3680)
Executes PowerShell scripts
- cmd.exe (PID: 2516)
SUSPICIOUS
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 2128)
- cmd.exe (PID: 3940)
- cmd.exe (PID: 2668)
- cmd.exe (PID: 3336)
- cmd.exe (PID: 4068)
- cmd.exe (PID: 2776)
- cmd.exe (PID: 3808)
- cmd.exe (PID: 2772)
- cmd.exe (PID: 3392)
- cmd.exe (PID: 2764)
- cmd.exe (PID: 2776)
- cmd.exe (PID: 2444)
- cmd.exe (PID: 3140)
- cmd.exe (PID: 2384)
- cmd.exe (PID: 3488)
- cmd.exe (PID: 3408)
- cmd.exe (PID: 4060)
- cmd.exe (PID: 3988)
- cmd.exe (PID: 2852)
- cmd.exe (PID: 2596)
- cmd.exe (PID: 3536)
- cmd.exe (PID: 3844)
- cmd.exe (PID: 3312)
- cmd.exe (PID: 3468)
- cmd.exe (PID: 3056)
- cmd.exe (PID: 3752)
- cmd.exe (PID: 3624)
- cmd.exe (PID: 2440)
- cmd.exe (PID: 3600)
- cmd.exe (PID: 2836)
- cmd.exe (PID: 3668)
- cmd.exe (PID: 2704)
- cmd.exe (PID: 4080)
- cmd.exe (PID: 2428)
- cmd.exe (PID: 3432)
- cmd.exe (PID: 504)
- cmd.exe (PID: 2840)
- cmd.exe (PID: 3064)
- cmd.exe (PID: 2436)
- cmd.exe (PID: 2820)
- cmd.exe (PID: 4064)
- cmd.exe (PID: 2264)
- cmd.exe (PID: 3776)
- cmd.exe (PID: 2980)
- cmd.exe (PID: 2260)
- cmd.exe (PID: 3076)
- cmd.exe (PID: 2300)
- cmd.exe (PID: 3216)
- cmd.exe (PID: 3372)
- cmd.exe (PID: 3500)
- cmd.exe (PID: 2304)
- cmd.exe (PID: 2952)
- cmd.exe (PID: 3616)
- cmd.exe (PID: 3896)
- cmd.exe (PID: 3636)
- cmd.exe (PID: 3480)
- cmd.exe (PID: 4024)
- cmd.exe (PID: 3028)
- cmd.exe (PID: 2796)
- cmd.exe (PID: 3548)
- cmd.exe (PID: 3320)
- cmd.exe (PID: 2444)
- cmd.exe (PID: 2724)
- cmd.exe (PID: 3728)
- cmd.exe (PID: 2992)
- cmd.exe (PID: 4024)
- cmd.exe (PID: 1260)
- cmd.exe (PID: 3324)
- cmd.exe (PID: 2216)
- cmd.exe (PID: 2780)
- cmd.exe (PID: 3384)
- cmd.exe (PID: 3076)
- cmd.exe (PID: 3008)
- cmd.exe (PID: 3196)
- cmd.exe (PID: 2808)
- cmd.exe (PID: 3440)
- cmd.exe (PID: 1428)
- cmd.exe (PID: 2428)
- cmd.exe (PID: 3224)
- cmd.exe (PID: 3692)
- cmd.exe (PID: 2616)
- cmd.exe (PID: 2856)
- cmd.exe (PID: 3716)
- cmd.exe (PID: 2520)
- cmd.exe (PID: 3144)
- cmd.exe (PID: 2708)
- cmd.exe (PID: 2368)
- cmd.exe (PID: 2496)
- cmd.exe (PID: 2328)
- cmd.exe (PID: 2220)
- cmd.exe (PID: 3864)
- cmd.exe (PID: 2400)
- cmd.exe (PID: 4008)
- cmd.exe (PID: 2948)
Starts CMD.EXE for commands execution
- MRPQTGv98.1.exe (PID: 2336)
- cmd.exe (PID: 3392)
- cmd.exe (PID: 2372)
- cmd.exe (PID: 3932)
- cmd.exe (PID: 2340)
- cmd.exe (PID: 1260)
- cmd.exe (PID: 3332)
- cmd.exe (PID: 3088)
- cmd.exe (PID: 3368)
Executable content was dropped or overwritten
- MRPQTGv98.1.exe (PID: 2336)
- cmd.exe (PID: 3392)
Uses WMIC.EXE to obtain a system information
- cmd.exe (PID: 3392)
- cmd.exe (PID: 2396)
- cmd.exe (PID: 2300)
- cmd.exe (PID: 2388)
- cmd.exe (PID: 2420)
- cmd.exe (PID: 2604)
- cmd.exe (PID: 3676)
- cmd.exe (PID: 2704)
- cmd.exe (PID: 2204)
- cmd.exe (PID: 3960)
- cmd.exe (PID: 2252)
- cmd.exe (PID: 2288)
- cmd.exe (PID: 2788)
- cmd.exe (PID: 3236)
- cmd.exe (PID: 3068)
- cmd.exe (PID: 3956)
- cmd.exe (PID: 1216)
- cmd.exe (PID: 2908)
- cmd.exe (PID: 2124)
- cmd.exe (PID: 3280)
- cmd.exe (PID: 3652)
- cmd.exe (PID: 3408)
- cmd.exe (PID: 3472)
- cmd.exe (PID: 3492)
- cmd.exe (PID: 2552)
- cmd.exe (PID: 3564)
- cmd.exe (PID: 2840)
- cmd.exe (PID: 2928)
- cmd.exe (PID: 3364)
- cmd.exe (PID: 3000)
- cmd.exe (PID: 3356)
- cmd.exe (PID: 3552)
- cmd.exe (PID: 3884)
- cmd.exe (PID: 3780)
- cmd.exe (PID: 1640)
- cmd.exe (PID: 2720)
- cmd.exe (PID: 3936)
- cmd.exe (PID: 3656)
- cmd.exe (PID: 3992)
- cmd.exe (PID: 2904)
- cmd.exe (PID: 3500)
- cmd.exe (PID: 2164)
- cmd.exe (PID: 4044)
- cmd.exe (PID: 3584)
- cmd.exe (PID: 1440)
- cmd.exe (PID: 3496)
- cmd.exe (PID: 3172)
- cmd.exe (PID: 3624)
- cmd.exe (PID: 3304)
- cmd.exe (PID: 3568)
- cmd.exe (PID: 3648)
- cmd.exe (PID: 3520)
- cmd.exe (PID: 704)
- cmd.exe (PID: 3292)
- cmd.exe (PID: 1876)
- cmd.exe (PID: 2388)
- cmd.exe (PID: 2588)
- cmd.exe (PID: 2632)
- cmd.exe (PID: 3828)
- cmd.exe (PID: 2224)
- cmd.exe (PID: 2892)
- cmd.exe (PID: 3016)
- cmd.exe (PID: 2580)
- cmd.exe (PID: 2828)
- cmd.exe (PID: 3072)
- cmd.exe (PID: 3720)
- cmd.exe (PID: 2484)
- cmd.exe (PID: 4032)
- cmd.exe (PID: 3040)
- cmd.exe (PID: 3688)
- cmd.exe (PID: 2604)
- cmd.exe (PID: 2944)
- cmd.exe (PID: 4076)
Uses ATTRIB.EXE to modify file attributes
- cmd.exe (PID: 3392)
Reads Environment values
- reg.exe (PID: 3464)
- reg.exe (PID: 2052)
- reg.exe (PID: 2524)
- reg.exe (PID: 3584)
- reg.exe (PID: 3724)
- reg.exe (PID: 3972)
- reg.exe (PID: 2316)
- reg.exe (PID: 2992)
Starts SC.EXE for service management
- cmd.exe (PID: 3392)
Uses WMIC.EXE to obtain a list of AntiViruses
- cmd.exe (PID: 3392)
Application launched itself
- cmd.exe (PID: 3392)
Executes scripts
- cmd.exe (PID: 3392)
- cmd.exe (PID: 3020)
- cmd.exe (PID: 3456)
- cmd.exe (PID: 2976)
- cmd.exe (PID: 3744)
- cmd.exe (PID: 2792)
- cmd.exe (PID: 2736)
- cmd.exe (PID: 3700)
Uses WMIC.EXE to obtain a list of video controllers
- cmd.exe (PID: 3392)
- cmd.exe (PID: 3364)
Reads the BIOS version
- reg.exe (PID: 3928)
- reg.exe (PID: 3412)
- reg.exe (PID: 3096)
- reg.exe (PID: 3920)
Creates files in the user directory
- powershell.exe (PID: 3432)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2011:12:22 14:26:47+01:00 |
| PEType: | PE32 |
| LinkerVersion: | 9 |
| CodeSize: | 64512 |
| InitializedDataSize: | 6590464 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xcb10 |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 2.0.1.9 |
| ProductVersionNumber: | 2.0.1.9 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Windows, Latin1 |
| Comments: | Computer Query Tool For MRP |
| CompanyName: | MRP |
| FileDescription: | Query Tool |
| FileVersion: | 2. 0. 1. 9 |
| LegalCopyright: | MRP |
| ProductName: | OEM Query Tool For MRP |
| ProductVersion: | 2. 0. 1. 9 |
Total processes
646
Monitored processes
610
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 408 | FINDSTR /i "86" | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 408 | C:\Windows\System32\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BaseBuildRevisionNumber" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 460 | WMIC path Win32_VideoController get Name /value | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 460 | C:\Windows\System32\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BuildBranch" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 504 | C:\Windows\system32\cmd.exe /c C:\Windows\System32\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion" 2>nul | findstr /I "XEN" 2>nul | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 504 | C:\Windows\System32\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 560 | WMIC PATH WIN32_OperatingSystem get DataExecutionPrevention_Drivers /format:list | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 620 | findstr /I "QEMU" | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (QGREP) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 704 | findstr /I "QEMU" | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (QGREP) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 704 | C:\Windows\system32\cmd.exe /c wmic memorychip get tag /value 2>nul | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
3 750
Read events
3 695
Write events
55
Delete events
0
Modification events
| (PID) Process: | (3432) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
12
Suspicious files
2
Text files
365
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\GetInstDate.vbs | text | |
MD5:— | SHA256:— | |||
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\QTOEMTest.ini | text | |
MD5:— | SHA256:— | |||
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\NewSKU.ini | text | |
MD5:— | SHA256:— | |||
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\OldSKU.ini | text | |
MD5:— | SHA256:— | |||
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\pkconfig.ini | text | |
MD5:— | SHA256:— | |||
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\QueryDisks.vbs | text | |
MD5:— | SHA256:— | |||
| 3392 | cmd.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\$tempfile | — | |
MD5:— | SHA256:— | |||
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\Generic_2.exe | executable | |
MD5:99022B783EF7C73C93C1DFA1AC630CAC | SHA256:FBFFBB076A94A11683FFDC3850CA178A3FA56CA1B9235BD112625E8F052D6B7A | |||
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\DiskModelNameW7.vbs | text | |
MD5:— | SHA256:— | |||
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\InSpectre.exe | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report