File name: 8A6EA674E75372008949C4F1E04303D4265638FE.exe
Full analysis: https://app.any.run/tasks/727b187f-e162-4111-a5f9-4ca4c5693a71
Verdict: Malicious activity
Analysis date: December 06, 2019, 14:35:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: D3344DA029B2296761359F8E1DBB1C49
SHA1: 8A6EA674E75372008949C4F1E04303D4265638FE
SHA256: A0919D2A455417657A4CAD342725A536A7B780651DF720F2D2AC77FD91BE8DB2
SSDEEP: 3072:MJ7mYROZdkz9fjqOvi5la+Jt5swoT+CRjWCBk6/0Dg4HLBNC4l3Xo6kldN:MQlkdqQAat6CRjWI1dELyso68

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Uses SVCHOST.EXE for hidden code execution
      • 8A6EA674E75372008949C4F1E04303D4265638FE.exe (PID: 3732)
    • Changes the autorun value in the registry
      • 8A6EA674E75372008949C4F1E04303D4265638FE.exe (PID: 3732)
      • svchost.exe (PID: 584)
  • SUSPICIOUS
    • Creates files in the user directory
      • 8A6EA674E75372008949C4F1E04303D4265638FE.exe (PID: 3732)
    • Application launched itself
      • 8A6EA674E75372008949C4F1E04303D4265638FE.exe (PID: 2524)
    • Executable content was dropped or overwritten
      • 8A6EA674E75372008949C4F1E04303D4265638FE.exe (PID: 3732)
    • Starts Internet Explorer
      • 8A6EA674E75372008949C4F1E04303D4265638FE.exe (PID: 3732)
  • INFO
    • Manual execution by user
      • msinfo32.exe (PID: 2720)
      • explorer.exe (PID: 3836)
      • WINWORD.EXE (PID: 960)
    • Creates files in the user directory
      • iexplore.exe (PID: 2668)
      • WINWORD.EXE (PID: 960)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 2668)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 960)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:05:30 04:30:05+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 163840
InitializedDataSize: 32768
UninitializedDataSize: 92274688
EntryPoint: 0x5827e90
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 11.0.55321.0
ProductVersionNumber: 11.0.0.0
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
CompanyName: TeamViewer GmbH
FileDescription: TeamViewer 11
FileVersion: 11.0.55321.0
InternalName: TeamViewer
LegalCopyright: TeamViewer GmbH
LegalTrademarks: TeamViewer
OriginalFileName: TeamViewer.exe
PrivateBuild: TeamViewer Remote Control Application
ProductName: TeamViewer
ProductVersion: 11

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-May-2007 02:30:05
Detected languages:
  • Chinese - PRC
  • English - United Kingdom
  • English - United States
CompanyName: TeamViewer GmbH
FileDescription: TeamViewer 11
FileVersion: 11.0.55321.0
InternalName: TeamViewer
LegalCopyright: TeamViewer GmbH
LegalTrademarks: TeamViewer
OriginalFilename: TeamViewer.exe
PrivateBuild: TeamViewer Remote Control Application
ProductName: TeamViewer
ProductVersion: 11.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 30-May-2007 02:30:05
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
UPX0 | 0x00001000 | 0x05800000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
UPX1 | 0x05801000 | 0x00028000 | 0x00027200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.71396
.rsrc | 0x05829000 | 0x00008000 | 0x00007E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.81263

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.35697 | 884 | Latin 1 / Western European | English - United States | RT_VERSION
2 | 6.88627 | 296 | Latin 1 / Western European | Chinese - PRC | RT_ICON
3 | 5.79022 | 296 | Latin 1 / Western European | Chinese - PRC | RT_ICON
7 | 5.97605 | 116 | Latin 1 / Western European | Chinese - PRC | RT_STRING
103 | 6.48301 | 254 | Latin 1 / Western European | Chinese - PRC | RT_DIALOG
107 | 4.82997 | 34 | Latin 1 / Western European | Chinese - PRC | RT_GROUP_ICON
108 | 4.32193 | 20 | Latin 1 / Western European | Chinese - PRC | RT_GROUP_ICON
109 | 3.875 | 16 | Latin 1 / Western European | Chinese - PRC | RT_ACCELERATOR

Imports

GDI32.dll
KERNEL32.DLL
USER32.dll
No data.
Total processes: 51
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes:
  • start
  • 8a6ea674e75372008949c4f1e04303d4265638fe.exe (no specs)
  • 8a6ea674e75372008949c4f1e04303d4265638fe.exe
  • svchost.exe
  • iexplore.exe (no specs)
  • msinfo32.exe (no specs)
  • explorer.exe (no specs)
  • winword.exe (no specs)

Process information

PID: 2524
CMD: "C:\Users\admin\AppData\Local\Temp\8A6EA674E75372008949C4F1E04303D4265638FE.exe"
Path: C:\Users\admin\AppData\Local\Temp\8A6EA674E75372008949C4F1E04303D4265638FE.exe
Parent process: explorer.exe
User: admin
Company: TeamViewer GmbH
Integrity Level: MEDIUM
Description: TeamViewer 11
Exit code: 0
Version: 11.0.55321.0

PID: 3732
CMD: "C:\Users\admin\AppData\Local\Temp\8A6EA674E75372008949C4F1E04303D4265638FE.exe"
Path: C:\Users\admin\AppData\Local\Temp\8A6EA674E75372008949C4F1E04303D4265638FE.exe
Parent process: 8A6EA674E75372008949C4F1E04303D4265638FE.exe
User: admin
Company: TeamViewer GmbH
Integrity Level: MEDIUM
Description: TeamViewer 11
Exit code: 0
Version: 11.0.55321.0

PID: 584
CMD: svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: 8A6EA674E75372008949C4F1E04303D4265638FE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2668
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: 8A6EA674E75372008949C4F1E04303D4265638FE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2720
CMD: "C:\Windows\system32\msinfo32.exe"
Path: C:\Windows\system32\msinfo32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: System Information
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3836
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 960
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\bsoftware.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Total events: 1 424
Read events: 1 048
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 1
Text files: 2
Unknown types: 4

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE527.tmp.cvr | - | - | -
960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{172B7881-D969-450D-A461-CFD28AF0FA81}.tmp | - | - | -
960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A3CD98EC-F5C2-4957-9591-5B17846EFE09}.tmp | - | - | -
960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B33A1157-B2FE-4E58-BC6D-C75CFBEED4E8}.tmp | - | - | -
960 | WINWORD.EXE | C:\Users\admin\Documents\~$oftware.rtf | pgc | 989C98501269832DE1990426B61CE4F4 | 9998B867D563E877E2364FCAF178579F3F77C6563EB7AF448B93B6F81D614BF7
960 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | D5BAEB3BF0E8CDC52D7795D5151C8A89 | 793C2B6D0C47CFA84EFB2E2326C14CD400103555409ECBF565E23F4B407E0448
960 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\bsoftware.rtf.LNK | lnk | 1723CE35206FE741FC98A6F78D70C5D3 | 3CB754C7376DA1A48536A0BAD8A250AD2C12ACFE02F1EDB1FE6D2B17BC6092A9
3732 | 8A6EA674E75372008949C4F1E04303D4265638FE.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\We7qCrQnw.cfg | binary | 63683C85990D00979FF69F901D62C650 | 1CA25758AE9653535A8D70F8D65BEFB1A7E2BFD3A0D442347E83BA54F7C65A32
960 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | A6C5D36F7220A4DDEB44C114168A9298 | C2BB5A3D2E402DE4954960233821E0562BF65505E887A62397F0594B55AE6356
3732 | 8A6EA674E75372008949C4F1E04303D4265638FE.exe | C:\Users\admin\AppData\Roaming\System32\csrss.exe | executable | D3344DA029B2296761359F8E1DBB1C49 | A0919D2A455417657A4CAD342725A536A7B780651DF720F2D2AC77FD91BE8DB2
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain | IP | Reputation
clarityz.no-ip.biz | 0.0.0.0 | unknown

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
- | - | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
No debug info