File name: a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca

Full analysis: https://app.any.run/tasks/99bea1b6-8467-46f3-9fce-039a81593b4f
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: December 06, 2022, 05:31:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7407CF90F8CE97CCB971CD406DD4DB89
SHA1: 309168954CD23C0D2C38C2D5157A89C5568ADC95
SHA256: A1B6339824AF14363A2B54B013C3B9D4C40AF0F072FCC092116F4F2FB36518CA
SSDEEP: 3072:+JOvVMmh2Fs+mSzQZktciZfYvz7g2Xe7H6OgU3ABq+:+9j4KQZkQ83gU3A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was injected by another process

      • taskeng.exe (PID: 300)
      • Dwm.exe (PID: 612)
    • Runs injected code in another process

      • a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe (PID: 2436)
    • Changes the autorun value in the registry

      • taskeng.exe (PID: 300)
      • Dwm.exe (PID: 612)
    • Connects to the CnC server

      • a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe (PID: 2436)
  • SUSPICIOUS

    • Reads the Internet Settings

      • a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe (PID: 2436)
  • INFO

    • Checks proxy server information

      • a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe (PID: 2436)
    • Checks supported languages

      • a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe (PID: 2436)
    • Reads the computer name

      • a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe (PID: 2436)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2011-Mar-16 12:00:03
CompanyName: It Systems
FileDescription: Covering Software
FileVersion: 6.6.3300.0 (xpscanner010817-1148)
InternalName: memcopy
LegalCopyright: © It Systems Corp. All rights reserved.
OriginalFilename: w7rqwr.exe
ProductName: AV SoftWare ©
ProductVersion: 6.6.3300.0

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: -
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: 26
e_oemid: -
e_oeminfo: -
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 6
TimeDateStamp: 2011-Mar-16 12:00:03
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE | 4096 | 47804 | 48128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.98299
DATA | 53248 | 90020 | 90112 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99791
.bss | 143360 | 15612 | 0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.rdata | 159744 | 132 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.403873
.idata | 163840 | 800 | 1024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.18673
.rsrc | 167936 | 6548 | 6656 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 7.18827

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.45338 | 800 | UNKNOWN | UNKNOWN | RT_VERSION
52 | 5.73734 | 1384 | UNKNOWN | UNKNOWN | RT_ICON
BINARY1 | 7.95447 | 4096 | UNKNOWN | UNKNOWN | 1

Imports

kernel32.dll
user32.dll

Exports

Title | Ordinal | Address
Oblbjnounh | 1 | 5289
Tajfyddyuo | 2 | 4779
Qccftrju | 3 | 5814
CloseBetfkiybs | 4 | 6635
SetFyfilmeff | 5 | 7271
AddGvgdtwl | 6 | 7081
EndYaaxven | 7 | 7790
Total processes: 35
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Graph: a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe (start) injects into taskeng.exe and dwm.exe]

Process information

PID: 2436
CMD: "C:\Users\admin\AppData\Local\Temp\a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe"
Path: C:\Users\admin\AppData\Local\Temp\a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules:
  • c:\windows\system32\ntdll.dll
  • c:\users\admin\appdata\local\temp\a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\imm32.dll

PID: 300
CMD: taskeng.exe {14329CA9-5E27-4C13-B68C-D578B7014C76}
Path: C:\Windows\system32\taskeng.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Engine
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules:
  • c:\windows\system32\taskeng.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\ole32.dll

PID: 612
CMD: "C:\Windows\system32\Dwm.exe"
Path: C:\Windows\system32\Dwm.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Desktop Window Manager
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules:
  • c:\windows\system32\dwm.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\uxtheme.dll
Total events: 389
Read events: 345
Write events: 44
Delete events: 0

Modification events

Process: (2436) a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (2436) a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (2436) a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (2436) a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process: (2436) a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (2436) a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (2436) a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (2436) a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (2436) a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (2436) a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecisionReason
Value: 1
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2436 | a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe | POST | - | 172.105.157.192:80 | http://boltoflexaria.in/check.php?ver=2&query=2C66508BDF14314321E0B83076443FEB | US | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2436 | a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe | 172.105.157.192:80 | - | Linode, LLC | US | malicious

DNS requests

No data

Threats

PID | Process | Class | Message
2436 | a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 4.

Debug output

Process: a1b6339824af14363a2b54b013c3b9d4c40af0f072fcc092116f4f2fb36518ca.exe
Message: --- There are totally 0 threads running