analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | fjnkrs.exe |
| Full analysis: | https://app.any.run/tasks/dd199c29-9e71-4838-8cc2-710b7539a0c3 |
| Verdict: | Malicious activity |
| Analysis date: | January 18, 2020, 13:39:44 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | FBF576B4DC30432D630C2642DBB3F62D |
| SHA1: | 37F300A7923E5E618C1D08BD80876442B09065E7 |
| SHA256: | A4376D94EBA2F8D20BD148BAB79566F7114B64240875C9972710F62BDD4185E7 |
| SSDEEP: | 1536:uvNQnnY/Sh3cotkiuF/kHstS75/ozk8B:uFH/0/trOftQ5/oh |
MALICIOUS
Application was injected by another process
- explorer.exe (PID: 352)
- taskeng.exe (PID: 2032)
- ctfmon.exe (PID: 708)
- dwm.exe (PID: 280)
- windanr.exe (PID: 3788)
- DllHost.exe (PID: 3824)
Runs injected code in another process
- fjnkrs.exe (PID: 1324)
Changes Security Center notification settings
- fjnkrs.exe (PID: 1324)
UAC/LUA settings modification
- fjnkrs.exe (PID: 1324)
SUSPICIOUS
No suspicious indicators.INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | DOS Executable Generic (100) |
|---|
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2002:02:10 14:15:37+01:00 |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 512 |
| InitializedDataSize: | - |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1040 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 10-Feb-2002 13:15:37 |
| Debug artifacts: |
|
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0x4550 |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x014C |
| Checksum: | 0x0001 |
| Initial IP value: | 0x7279 |
| Initial CS value: | 0x3C66 |
| Overlay number: | 0x726F |
| OEM identifier: | 0x010B |
| OEM information: | 0x0006 |
| Address of NE header: | 0x0000000C |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 1 |
| Time date stamp: | 10-Feb-2002 13:15:37 |
| Pointer to Symbol Table: | 0x726F4C5B |
| Number of symbols: | 1564823652 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x00012000 | 0x00011200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.98914 |
Imports
KERNEL32.dll |
USER32.dll |
Total processes
37
Monitored processes
8
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1324 | "C:\Users\admin\AppData\Local\Temp\fjnkrs.exe" | C:\Users\admin\AppData\Local\Temp\fjnkrs.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM | ||||
| 2032 | taskeng.exe {532150F8-214C-4D30-9483-0A3BC3E44D0E} | C:\Windows\System32\taskeng.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Engine Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 280 | "C:\Windows\system32\Dwm.exe" | C:\Windows\System32\dwm.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Desktop Window Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 352 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 708 | C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | taskeng.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CTF Loader Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3788 | "windanr.exe" | C:\Windows\system32\windanr.exe | qemu-ga.exe | |
User: admin Integrity Level: MEDIUM | ||||
| 2132 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3824 | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
984
Read events
774
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1324 | fjnkrs.exe | C:\Users\admin\AppData\Local\Temp\vfji.exe | — | |
MD5:— | SHA256:— | |||
| 1324 | fjnkrs.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\system.ini | binary | |
MD5:FBB2723C86BBC0EF384B8DCAA011A2D0 | SHA256:650A8218B657CA58FCDE00E94E6B8D0F84166A89488DF9FF3AFEFAB95AD0CF24 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report