File name: a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb

Full analysis: https://app.any.run/tasks/179e31ff-d09c-4866-ba20-9f1be2aa496c
Verdict: Malicious activity
Analysis date: December 06, 2022, 01:38:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 57C8491C5085A93A62FADFB4B88AA027
SHA1: 45E0B7C8A5A35136ADB3E4A6D756E73F6A863510
SHA256: A1B73BC0982F70BDCB7C2699A41B951A5ECBC5F46EDC40DCAC564017D5E85BCB
SSDEEP: 12288:6+MMnMMMMMq8U649pTI1g/xtjOmPKHJuZ2LxdXi8P:6+MMnMMMMMq8ypC4dUJuZGTX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe (PID: 1328)
  • SUSPICIOUS

    • Reads the Internet Settings

      • a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe (PID: 1328)
    • Starts itself from another location

      • a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe (PID: 1328)
  • INFO

    • Reads the computer name

      • a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe (PID: 1328)
    • Checks supported languages

      • a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe (PID: 1328)
      • QNsursDHHhnjS.exe (PID: 2416)
    • Checks proxy server information

      • a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe (PID: 1328)
    • Creates files in the program directory

      • a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe (PID: 1328)
No Malware configuration.

TRiD

.exe | Win16/32 Executable Delphi generic (34.1)
.exe | Generic Win/DOS Executable (32.9)
.exe | DOS Executable Generic (32.9)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2009-Mar-05 21:48:39
Detected languages:
  • English - United States
CompanyName: QNP
FileDescription: Cluster analysis
FileVersion: 1.3.1.1
InternalName: QCLA
LegalCopyright: 37 CFR 1.53(c)
OriginalFilename: QCLA.EXE
ProductName: CLAnalysis
ProductVersion: 1.3.1.1

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 6
TimeDateStamp: 2009-Mar-05 21:48:39
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

| Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
| --- | --- | --- | --- | --- | --- |
| .text | 4096 | 1168 | 1536 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.19114 |
| .idata | 8192 | 5160 | 5632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.25119 |
| .reloc | 16384 | 64 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.455376 |
| .rsrc | 20480 | 133652 | 134144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.56855 |
| .data | 155648 | 1064960 | 157696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.80376 |
| .rdata | 1220608 | 209940 | 210432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.80008 |

Resources

| Title | Entropy | Size | Codepage | Language | Type |
| --- | --- | --- | --- | --- | --- |
| 1 | 5.82653 | 3752 | UNKNOWN | English - United States | RT_ICON |
| 2 | 6.23219 | 2216 | UNKNOWN | English - United States | RT_ICON |
| 3 | 5.60454 | 3752 | UNKNOWN | English - United States | RT_ICON |
| 4 | 5.8986 | 2216 | UNKNOWN | English - United States | RT_ICON |
| 5 | 5.59354 | 3752 | UNKNOWN | English - United States | RT_ICON |
| 6 | 3.63414 | 1640 | UNKNOWN | English - United States | RT_ICON |
| 7 | 3.63414 | 1640 | UNKNOWN | English - United States | RT_ICON |
| 8 | 2.63595 | 296 | UNKNOWN | English - United States | RT_ICON |
| 9 | 2.93951 | 296 | UNKNOWN | English - United States | RT_ICON |
| 10 | 3.01071 | 296 | UNKNOWN | English - United States | RT_ICON |

Imports

ADVAPI32.dll
DDRAW.dll
KERNEL32.dll
MSWSOCK.dll
SAMLIB.dll
No data.
Total processes: 35
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

[Behavior graph: a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe -> qnsursdhhhnjs.exe (no specs); edge labels: start, drop and start]

Process information

PID: 1328
CMD: "C:\Users\admin\AppData\Local\Temp\a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe"
Path: C:\Users\admin\AppData\Local\Temp\a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Parent process: Explorer.EXE
User: admin
Company: QNP
Integrity Level: MEDIUM
Description: Cluster analysis
Version: 1.3.1.1
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\gdi32.dll

PID: 2416
CMD: "C:\ProgramData\QNsursDHHhnjS.exe"
Path: C:\ProgramData\QNsursDHHhnjS.exe
Parent process: a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
User: admin
Company: QNP
Integrity Level: MEDIUM
Description: Cluster analysis
Version: 1.3.1.1
Modules
Images
c:\programdata\qnsursdhhhnjs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\user32.dll

Total events: 533
Read events: 462
Write events: 69
Delete events: 2

Modification events

(PID) Process: (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: QNsursDHHhnjS
Value: C:\ProgramData\QNsursDHHhnjS.exe

(PID) Process: (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 1328
Process: a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmp28F5.tmp
Type: executable
MD5: 57C8491C5085A93A62FADFB4B88AA027
SHA256: A1B73BC0982F70BDCB7C2699A41B951A5ECBC5F46EDC40DCAC564017D5E85BCB

PID: 1328
Process: a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe
Filename: C:\ProgramData\QNsursDHHhnjS.exe
Type: executable
MD5: 57C8491C5085A93A62FADFB4B88AA027
SHA256: A1B73BC0982F70BDCB7C2699A41B951A5ECBC5F46EDC40DCAC564017D5E85BCB

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 7
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

| Domain | IP | Reputation |
| --- | --- | --- |
| searchadventure.org | | unknown |
| clickarrogant.org | | unknown |
| searchas.org | | unknown |
| searchairplane.org | | unknown |
| searchnuse.org | | unknown |
| searchbetsy.org | | unknown |
| searchboth.org | | unknown |

Threats

No threats detected
No debug info