File name: signagent.exe

Full analysis: https://app.any.run/tasks/feca357e-cfe0-49ce-836a-e8897fd791db
Verdict: Malicious activity
Analysis date: February 14, 2024, 14:21:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FB920425D42164707719ACC24F1AC6ED
SHA1: 3027EC56905770DD6C66213DC646A84EE8FAA0EA
SHA256: 9D721EDFD8BB0E1A74D911172F75FE5BE961021177A99A4811F05E5515C3CC83
SSDEEP: 98304:UQtECxNfEUhluP9rxQqUZRb3CfHTJvVmXPMWlp/LfUPxVO9HzTn9ZX7/J/HYBLFU:5QK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • signagent.exe (PID: 3700)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • signagent.exe (PID: 3700)
  • INFO

    • Create files in a temporary directory

      • signagent.exe (PID: 3700)
      • signagent.exe (PID: 2096)
    • Reads product name

      • signagent.exe (PID: 3700)
      • SignAgent.NET.exe (PID: 2160)
      • SignAgent.NET.exe (PID: 3984)
      • signagent.exe (PID: 2096)
    • Checks supported languages

      • signagent.exe (PID: 3700)
      • SignAgent.NET.exe (PID: 2160)
      • signagent.exe (PID: 2096)
      • SignAgent.NET.exe (PID: 3984)
    • Reads the computer name

      • SignAgent.NET.exe (PID: 2160)
      • SignAgent.NET.exe (PID: 3984)
    • Reads Environment values

      • SignAgent.NET.exe (PID: 2160)
      • signagent.exe (PID: 3700)
      • SignAgent.NET.exe (PID: 3984)
      • signagent.exe (PID: 2096)
    • Reads the machine GUID from the registry

      • SignAgent.NET.exe (PID: 2160)
      • SignAgent.NET.exe (PID: 3984)
    • Creates files or folders in the user directory

      • SignAgent.NET.exe (PID: 2160)
    • Manual execution by a user

      • explorer.exe (PID: 3848)
      • signagent.exe (PID: 2096)
      • notepad.exe (PID: 2660)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:04:25 09:39:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.35
CodeSize: 105984
InitializedDataSize: 3644928
UninitializedDataSize: -
EntryPoint: 0x620d
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.3.1.318
ProductVersionNumber: 4.3.1.318
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Symprex Limited
FileDescription: Symprex Email Signature Manager Agent
FileVersion: 4.3.1.318
InternalName: SignAgent.exe
LegalCopyright: Copyright © 2023 Symprex Limited
OriginalFileName: SignAgent.exe
ProductName: Symprex Email Signature Manager
ProductVersion: 4.3.1.318
No data.
Total processes: 45
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start signagent.exe signagent.net.exe no specs explorer.exe no specs signagent.exe no specs signagent.net.exe no specs notepad.exe no specs

Process information

PID: 2096
CMD: "C:\Users\admin\AppData\Local\Temp\signagent.exe"
Path: C:\Users\admin\AppData\Local\Temp\signagent.exe
Parent process: explorer.exe
User: admin
Company: Symprex Limited
Integrity Level: MEDIUM
Description: Symprex Email Signature Manager Agent
Exit code: 0
Version: 4.3.1.318
Modules (images):
c:\users\admin\appdata\local\temp\signagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 2160
CMD: C:\Users\admin\AppData\Local\Temp\Symprex\SignAgent.NET.exe /loader="C:\Users\admin\AppData\Local\Temp\signagent.exe" /loadertype="selfextractor" /apppath="C:\Users\admin\AppData\Local\Temp"
Path: C:\Users\admin\AppData\Local\Temp\Symprex\SignAgent.NET.exe
Parent process: signagent.exe
User: admin
Company: Symprex Limited
Integrity Level: MEDIUM
Description: Symprex Email Signature Manager Agent
Exit code: 0
Version: 4.3.1.318
Modules (images):
c:\users\admin\appdata\local\temp\symprex\signagent.net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2660
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\SignAgentLoader.log
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3700
CMD: "C:\Users\admin\AppData\Local\Temp\signagent.exe"
Path: C:\Users\admin\AppData\Local\Temp\signagent.exe
Parent process: explorer.exe
User: admin
Company: Symprex Limited
Integrity Level: MEDIUM
Description: Symprex Email Signature Manager Agent
Exit code: 0
Version: 4.3.1.318
Modules (images):
c:\users\admin\appdata\local\temp\signagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 3848
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3984
CMD: C:\Users\admin\AppData\Local\Temp\Symprex\SignAgent.NET.exe /loader="C:\Users\admin\AppData\Local\Temp\signagent.exe" /loadertype="selfextractor" /apppath="C:\Users\admin\AppData\Local\Temp"
Path: C:\Users\admin\AppData\Local\Temp\Symprex\SignAgent.NET.exe
Parent process: signagent.exe
User: admin
Company: Symprex Limited
Integrity Level: MEDIUM
Description: Symprex Email Signature Manager Agent
Exit code: 0
Version: 4.3.1.318
Modules (images):
c:\users\admin\appdata\local\temp\symprex\signagent.net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Total events: 3 977
Read events: 3 970
Write events: 4
Delete events: 3

Modification events

(PID) Process: (2160) SignAgent.NET.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Symprex Email Signature Manager Agent Run Once
Value:

(PID) Process: (2160) SignAgent.NET.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Setup
Operation: write
Name: DisableRoamingSignaturesTemporaryToggle
Value: 1

(PID) Process: (2160) SignAgent.NET.exe
Key: HKEY_CURRENT_USER\Software\Symprex\Email Signature Manager Agent
Operation: write
Name: Port
Value: 9570

(PID) Process: (2160) SignAgent.NET.exe
Key: HKEY_CURRENT_USER\Software\Symprex\Email Signature Manager Agent
Operation: delete value
Name: Port
Value:

(PID) Process: (3984) SignAgent.NET.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Symprex Email Signature Manager Agent Run Once
Value:

(PID) Process: (3984) SignAgent.NET.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Setup
Operation: write
Name: DisableRoamingSignaturesTemporaryToggle
Value: 1

(PID) Process: (3984) SignAgent.NET.exe
Key: HKEY_CURRENT_USER\Software\Symprex\Email Signature Manager Agent
Operation: write
Name: Port
Value: 9570

Executable files: 1
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID: 3700
Process: signagent.exe
Filename: C:\Users\admin\AppData\Local\Temp\SignAgentLoader.log
Type: text
MD5: 564A716F5CE0249DA026F37D2E644A59
SHA256: 61CDB9BD9430E2DD83C986A7D625FFBB9AD43515001710F09A7ECC57CD270D99

PID: 3700
Process: signagent.exe
Filename: C:\Users\admin\AppData\Local\Temp\Symprex\SignAgent.NET.exe.config
Type: xml
MD5: E528F953BFCB998EFF9B8EB9F2588D8D
SHA256: 513E9CF4A590F97C51F6BEBABD302A1E3941E3C10485DB797C694D4669D1671C

PID: 2160
Process: SignAgent.NET.exe
Filename: C:\Users\admin\AppData\Local\IsolatedStorage\hjpr2cks.sd0\z0ko1gyu.zeg\Url.iljw2qix4hyqyi2zkegmjk0aq2xtftxi\identity.dat
Type: binary
MD5: 69D661AD8A36437AB5E942FDE6ADA521
SHA256: 4BC1C704976FDB6C547DB2DD7F05C703A9985B3F8E694C7DAE0B9BCF77A84AFD

PID: 3700
Process: signagent.exe
Filename: C:\Users\admin\AppData\Local\Temp\Symprex\SignAgent.NET.exe
Type: executable
MD5: 34AA0892C09FBB0828FA51AC9681A7D8
SHA256: 36A3FADA149B7F08A975A55D5C683708A1F10A561D0C1F737E9146B6CE320F58

HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

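PID: 4
Process: System
IP: 192.168.100.255:138
Domain: -
ASN: -
CN: -
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Domain: -
ASN: -
CN: -
Reputation: whitelisted

PID: 1080
Process: svchost.exe
IP: 224.0.0.252:5355
Domain: -
ASN: -
CN: -
Reputation: unknown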

DNS requests

No data

Threats

No threats detected
No debug info