analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a

Full analysis: https://app.any.run/tasks/c7974e10-62f2-4d43-b16c-7ad506e17dfd
Verdict: Malicious activity
Analysis date: December 06, 2022, 02:27:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

664DEC7D0454DA27F8D82E842BFE5CB4

SHA1:

68090F09C9AA463E27762843BE1AD219313016CE

SHA256:

A1B848E0B593BDE3FB62535E51F52F715FFFA2131A8EF9FF6A35DE458928581A

SSDEEP:

12288:BdRTyVbBcbxWfS6m68EgyQGlRvnkLD+Ka:BdRTqF8QuVGbvpKa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe (PID: 1592)
    • Application was injected by another process

      • Explorer.EXE (PID: 1084)
    • Runs injected code in another process

      • sLWPlgXgqBTeq.exe (PID: 3144)
    • Unusual connection from system programs

      • Explorer.EXE (PID: 1084)
    • Drops the executable file immediately after the start

      • sLWPlgXgqBTeq.exe (PID: 3144)
      • a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe (PID: 1592)
    • Loads dropped or rewritten executable

      • Explorer.EXE (PID: 1084)
  • SUSPICIOUS

    • Reads the Internet Settings

      • a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe (PID: 1592)
    • Starts itself from another location

      • a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe (PID: 1592)
    • Drops a file with too old compile date

      • sLWPlgXgqBTeq.exe (PID: 3144)
    • Executable content was dropped or overwritten

      • sLWPlgXgqBTeq.exe (PID: 3144)
      • a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe (PID: 1592)
  • INFO

    • Checks proxy server information

      • a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe (PID: 1592)
      • Explorer.EXE (PID: 1084)
    • Checks supported languages

      • a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe (PID: 1592)
      • sLWPlgXgqBTeq.exe (PID: 3144)
    • Reads the computer name

      • a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe (PID: 1592)
    • Creates files in the program directory

      • a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe (PID: 1592)
      • sLWPlgXgqBTeq.exe (PID: 3144)
    • Drops the executable file immediately after the start

      • Explorer.EXE (PID: 1084)
    • Executable content was dropped or overwritten

      • Explorer.EXE (PID: 1084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2010-Oct-24 12:33:33
Detected languages:
  • English - United States
  • Russian - Russia
LegalCopyright: © imgs software
CompanyName: imgs
FileDescription: imgs
FileVersion: 10.414.468.475
ProductVersion: 01.06.001.100
InternalName: imgs
OriginalFilename: imgs
ProductName: imgs

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 240

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2010-Oct-24 12:33:33
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
112060
112128
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.802
.rsrc
118784
108785
109056
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.78834
.rdata
229376
234314
234496
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.83676
.data
466944
950272
4608
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.49601
.reloc
1417216
36
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.540436

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.04836
4264
UNKNOWN
English - United States
RT_ICON
1 (#2)
1.7815
20
UNKNOWN
English - United States
RT_GROUP_ICON
1 (#3)
3.3163
652
UNKNOWN
Russian - Russia
RT_VERSION

Imports

ADVAPI32.dll
KERNEL32.dll
NTDLL.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
msvcrt.dll
ole32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start inject a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe slwplgxgqbteq.exe explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
1592"C:\Users\admin\AppData\Local\Temp\a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe" C:\Users\admin\AppData\Local\Temp\a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe
Explorer.EXE
User:
admin
Company:
imgs
Integrity Level:
MEDIUM
Description:
imgs
Exit code:
0
Version:
10.414.468.475
Modules
Images
c:\users\admin\appdata\local\temp\a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
3144"C:\ProgramData\sLWPlgXgqBTeq.exe" C:\ProgramData\sLWPlgXgqBTeq.exe
a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe
User:
admin
Company:
imgs
Integrity Level:
MEDIUM
Description:
imgs
Version:
10.414.468.475
Modules
Images
c:\programdata\slwplgxgqbteq.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1084C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
759
Read events
623
Write events
132
Delete events
4

Modification events

(PID) Process:(1592) a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1592) a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1592) a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1592) a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1592) a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:sLWPlgXgqBTeq.exe
Value:
C:\ProgramData\sLWPlgXgqBTeq.exe
(PID) Process:(1592) a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1592) a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1592) a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1592) a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1592) a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
4
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1084Explorer.EXEC:\ProgramData\boRBM4kAiwlQB.exeexecutable
MD5:FC82F4D72938CB9DE4C2366CB32F11DE
SHA256:4498B450045A3E37BAF1FB943274B6EF6AC4AC712147895B571AC87A0E443F70
1592a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exeC:\Users\admin\AppData\Local\Temp\tmp51F9.tmpexecutable
MD5:664DEC7D0454DA27F8D82E842BFE5CB4
SHA256:A1B848E0B593BDE3FB62535E51F52F715FFFA2131A8EF9FF6A35DE458928581A
3144sLWPlgXgqBTeq.exeC:\ProgramData\bUpHdsLTEHdNU.dllexecutable
MD5:D7D08C3C9CC331C2156313DAC60F610D
SHA256:9AE4998F168B2336EF392AE2ADE161CC0BBD11C4703245A18B2ECE9DD6EE21D4
1592a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exeC:\ProgramData\sLWPlgXgqBTeq.exeexecutable
MD5:664DEC7D0454DA27F8D82E842BFE5CB4
SHA256:A1B848E0B593BDE3FB62535E51F52F715FFFA2131A8EF9FF6A35DE458928581A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
6
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1084
Explorer.EXE
216.245.213.78:80
findcopper.org
LIMESTONENETWORKS
US
malicious
1592
a1b848e0b593bde3fb62535e51f52f715fffa2131a8ef9ff6a35de458928581a.exe
216.245.213.78:80
findcopper.org
LIMESTONENETWORKS
US
malicious

DNS requests

Domain
IP
Reputation
findclumsy.org
unknown
findcopper.org
  • 216.245.213.78
malicious
findvoiceless.org
unknown
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info