File name: 8A6EA674E75372008949C4F1E04303D4265638FE.exe

Full analysis: https://app.any.run/tasks/28fbd62d-f299-41cc-b039-1d2b9f6dae70
Verdict: Malicious activity
Analysis date: December 06, 2019, 15:31:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: D3344DA029B2296761359F8E1DBB1C49
SHA1: 8A6EA674E75372008949C4F1E04303D4265638FE
SHA256: A0919D2A455417657A4CAD342725A536A7B780651DF720F2D2AC77FD91BE8DB2
SSDEEP: 3072:MJ7mYROZdkz9fjqOvi5la+Jt5swoT+CRjWCBk6/0Dg4HLBNC4l3Xo6kldN:MQlkdqQAat6CRjWI1dELyso68

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses SVCHOST.EXE for hidden code execution

      • 8A6EA674E75372008949C4F1E04303D4265638FE.exe (PID: 2660)
    • Changes the autorun value in the registry

      • 8A6EA674E75372008949C4F1E04303D4265638FE.exe (PID: 2660)
      • csrss.exe (PID: 3892)
      • svchost.exe (PID: 2748)
  • SUSPICIOUS

    • Creates files in the user directory

      • csrss.exe (PID: 3892)
      • 8A6EA674E75372008949C4F1E04303D4265638FE.exe (PID: 2660)
    • Executable content was dropped or overwritten

      • 8A6EA674E75372008949C4F1E04303D4265638FE.exe (PID: 2660)
    • Starts Internet Explorer

      • csrss.exe (PID: 3892)
      • 8A6EA674E75372008949C4F1E04303D4265638FE.exe (PID: 2660)
    • Application launched itself

      • 8A6EA674E75372008949C4F1E04303D4265638FE.exe (PID: 1752)
      • csrss.exe (PID: 1732)
  • INFO

    • Manual execution by user

      • taskmgr.exe (PID: 892)
      • explorer.exe (PID: 3752)
    • Creates files in the user directory

      • iexplore.exe (PID: 3096)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

ProductVersion: 11
ProductName: TeamViewer
PrivateBuild: TeamViewer Remote Control Application
OriginalFileName: TeamViewer.exe
LegalTrademarks: TeamViewer
LegalCopyright: TeamViewer GmbH
InternalName: TeamViewer
FileVersion: 11.0.55321.0
FileDescription: TeamViewer 11
CompanyName: TeamViewer GmbH
CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: Private build
FileFlagsMask: 0x003f
ProductVersionNumber: 11.0.0.0
FileVersionNumber: 11.0.55321.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x5827e90
UninitializedDataSize: 92274688
InitializedDataSize: 32768
CodeSize: 163840
LinkerVersion: 6
PEType: PE32
TimeStamp: 2007:05:30 04:30:05+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-May-2007 02:30:05
Detected languages:
  • Chinese - PRC
  • English - United Kingdom
  • English - United States
CompanyName: TeamViewer GmbH
FileDescription: TeamViewer 11
FileVersion: 11.0.55321.0
InternalName: TeamViewer
LegalCopyright: TeamViewer GmbH
LegalTrademarks: TeamViewer
OriginalFilename: TeamViewer.exe
PrivateBuild: TeamViewer Remote Control Application
ProductName: TeamViewer
ProductVersion: 11.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 30-May-2007 02:30:05
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
UPX0 | 0x00001000 | 0x05800000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
UPX1 | 0x05801000 | 0x00028000 | 0x00027200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.71396
.rsrc | 0x05829000 | 0x00008000 | 0x00007E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.81263

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.35697 | 884 | Latin 1 / Western European | English - United States | RT_VERSION
2 | 6.88627 | 296 | Latin 1 / Western European | Chinese - PRC | RT_ICON
3 | 5.79022 | 296 | Latin 1 / Western European | Chinese - PRC | RT_ICON
7 | 5.97605 | 116 | Latin 1 / Western European | Chinese - PRC | RT_STRING
103 | 6.48301 | 254 | Latin 1 / Western European | Chinese - PRC | RT_DIALOG
107 | 4.82997 | 34 | Latin 1 / Western European | Chinese - PRC | RT_GROUP_ICON
108 | 4.32193 | 20 | Latin 1 / Western European | Chinese - PRC | RT_GROUP_ICON
109 | 3.875 | 16 | Latin 1 / Western European | Chinese - PRC | RT_ACCELERATOR

Imports

GDI32.dll
KERNEL32.DLL
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 9
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive view available in the full report): start -> 8a6ea674e75372008949c4f1e04303d4265638fe.exe (no specs) -> 8a6ea674e75372008949c4f1e04303d4265638fe.exe, taskmgr.exe (no specs), svchost.exe, iexplore.exe (no specs), csrss.exe (no specs), csrss.exe, iexplore.exe (no specs), explorer.exe (no specs)

Process information

PID: 1752
CMD: "C:\Users\admin\AppData\Local\Temp\8A6EA674E75372008949C4F1E04303D4265638FE.exe"
Path: C:\Users\admin\AppData\Local\Temp\8A6EA674E75372008949C4F1E04303D4265638FE.exe
Parent process: explorer.exe
User: admin
Company: TeamViewer GmbH
Integrity Level: MEDIUM
Description: TeamViewer 11
Exit code: 0
Version: 11.0.55321.0

PID: 2660
CMD: "C:\Users\admin\AppData\Local\Temp\8A6EA674E75372008949C4F1E04303D4265638FE.exe"
Path: C:\Users\admin\AppData\Local\Temp\8A6EA674E75372008949C4F1E04303D4265638FE.exe
Parent process: 8A6EA674E75372008949C4F1E04303D4265638FE.exe
User: admin
Company: TeamViewer GmbH
Integrity Level: MEDIUM
Description: TeamViewer 11
Exit code: 0
Version: 11.0.55321.0

PID: 892
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\system32\taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2748
CMD: svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: 8A6EA674E75372008949C4F1E04303D4265638FE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3096
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: 8A6EA674E75372008949C4F1E04303D4265638FE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 1732
CMD: "C:\Users\admin\AppData\Roaming\System32\csrss.exe"
Path: C:\Users\admin\AppData\Roaming\System32\csrss.exe
Parent process: svchost.exe
User: admin
Company: TeamViewer GmbH
Integrity Level: MEDIUM
Description: TeamViewer 11
Exit code: 0
Version: 11.0.55321.0

PID: 3892
CMD: "C:\Users\admin\AppData\Roaming\System32\csrss.exe"
Path: C:\Users\admin\AppData\Roaming\System32\csrss.exe
Parent process: csrss.exe
User: admin
Company: TeamViewer GmbH
Integrity Level: MEDIUM
Description: TeamViewer 11
Exit code: 0
Version: 11.0.55321.0

PID: 2184
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: csrss.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3752
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 653
Read events: 543
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2660 | 8A6EA674E75372008949C4F1E04303D4265638FE.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\We7qCrQnw.cfg | binary
  MD5: 63683C85990D00979FF69F901D62C650
  SHA256: 1CA25758AE9653535A8D70F8D65BEFB1A7E2BFD3A0D442347E83BA54F7C65A32
2660 | 8A6EA674E75372008949C4F1E04303D4265638FE.exe | C:\Users\admin\AppData\Roaming\System32\csrss.exe | executable
  MD5: D3344DA029B2296761359F8E1DBB1C49
  SHA256: A0919D2A455417657A4CAD342725A536A7B780651DF720F2D2AC77FD91BE8DB2
3892 | csrss.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\We7qCrQnw.cfg | binary
  MD5: 63683C85990D00979FF69F901D62C650
  SHA256: 1CA25758AE9653535A8D70F8D65BEFB1A7E2BFD3A0D442347E83BA54F7C65A32
3096 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\We7qCrQnw.dat | text
  MD5: 84CAD01FDB44AE58DBE6C3973DCD87F5
  SHA256: 8B1F194BE530240C18BF0B1EE0D038E750FAB8B24C6BD25C864297E5EBB41FA6
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain | IP | Reputation
clarityz.no-ip.biz | 0.0.0.0 | unknown

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
- | - | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
No debug info