analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

tgytutrc.exe

Full analysis: https://app.any.run/tasks/e423f3bb-fc5d-4014-9695-54438376ae3b
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 02:41:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

0651914270A02FA44D612268815A6D6F

SHA1:

F223DE7EC64C11EDA7A56DDCC517E993AF83EE17

SHA256:

A79B71D9FFCF664C53DD0FCE97C480D59A5E43A73D18B088C332EF55E59FD987

SSDEEP:

98304:60L4X3GuVO75yit6JKq+Yk7pDFfngtzLuh0Sx580DDLq0ye+qOkxa:FL4vO75yitYQvnGzLuKSxa0nLqSx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE to view/add/change user profiles

      • tgytutrc6686.exe (PID: 2344)

  • SUSPICIOUS

    • Starts itself from another location

      • tgytutrc.exe (PID: 3544)

    • Starts CMD.EXE for commands execution

      • tgytutrc.exe (PID: 3544)

    • Creates files like Ransomware instruction

      • tgytutrc.exe (PID: 3544)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3944)

    • Application launched itself

      • tgytutrc6686.exe (PID: 2344)

  • INFO

    • Manual execution by user

      • NOTEPAD.EXE (PID: 1340)
      • verclsid.exe (PID: 3568)
      • taskmgr.exe (PID: 1768)
      • rundll32.exe (PID: 2860)
      • WINWORD.EXE (PID: 1328)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1328)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

ProductVersion: 1.5.1.0
ProductName: Service tgytutrc
OriginalFileName: tgytutrc
LegalCopyright: Copyright (C) ALISA LTD 2019
InternalName: tgytutrc
FileVersion: 1.5.1.0
FileDescription: Background Tasks Host
CompanyName: ALISA LTD
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.5.1.0
FileVersionNumber: 1.5.1.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x8a9058
UninitializedDataSize: -
InitializedDataSize: 322048
CodeSize: 950784
LinkerVersion: 14.16
PEType: PE32
TimeStamp: 2019:03:18 10:07:54+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Mar-2019 09:07:54
Detected languages:
  • English - United States
CompanyName: ALISA LTD
FileDescription: Background Tasks Host
FileVersion: 1.5.1.0
InternalName: tgytutrc
LegalCopyright: Copyright (C) ALISA LTD 2019
OriginalFilename: tgytutrc
ProductName: Service tgytutrc
ProductVersion: 1.5.1.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 9
Time date stamp: 18-Mar-2019 09:07:54
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_NET_RUN_FROM_SWAP
  • IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
2\x80\x0e
0x00001000
0x000E8032
0x00067800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.97986
\xceF\x03
0x000EA000
0x000346CE
0x00012E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.95114
\xfc\xb6
0x0011F000
0x0000B6FC
0x00001A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.9368
\x08\x05
0x0012B000
0x00000508
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.48712
(\xe2
0x0012C000
0x0000E228
0x00008C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
7.97873
.idata
0x0013B000
0x00001000
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.56441
.rsrc
0x0013C000
0x00001000
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.72048
.themida
0x0013D000
0x0076C000
0x00000000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.boot
0x008A9000
0x004BEC00
0x004BEC00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.95287

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.89623
392
UNKNOWN
English - United States
RT_MANIFEST

Imports

ADVAPI32.dll
IPHLPAPI.DLL
NETAPI32.dll
SHELL32.dll
SHLWAPI.dll
Secur32.dll
WS2_32.dll
kernel32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
88
Monitored processes
33
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start tgytutrc.exe no specs tgytutrc.exe cmd.exe tgytutrc6686.exe no specs logoff.exe no specs logoff.exe no specs logoff.exe no specs logoff.exe no specs logoff.exe no specs logoff.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs tgytutrc6686.exe no specs tgytutrc6686.exe no specs tgytutrc6686.exe no specs tgytutrc6686.exe tgytutrc6686.exe notepad.exe no specs tgytutrc6686.exe no specs winword.exe no specs taskmgr.exe no specs tgytutrc6686.exe no specs tgytutrc6686.exe tgytutrc6686.exe no specs tgytutrc6686.exe no specs tgytutrc6686.exe tgytutrc6686.exe no specs tgytutrc6686.exe tgytutrc6686.exe no specs rundll32.exe no specs verclsid.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3164"C:\Users\admin\Desktop\tgytutrc.exe" C:\Users\admin\Desktop\tgytutrc.exeexplorer.exe
User:
admin
Company:
ALISA LTD
Integrity Level:
MEDIUM
Description:
Background Tasks Host
Exit code:
3221226540
Version:
1.5.1.0
3544"C:\Users\admin\Desktop\tgytutrc.exe" C:\Users\admin\Desktop\tgytutrc.exe
explorer.exe
User:
admin
Company:
ALISA LTD
Integrity Level:
HIGH
Description:
Background Tasks Host
Exit code:
0
Version:
1.5.1.0
3944C:\Windows\system32\cmd.exe /c move /y C:\Users\admin\Desktop\tgytutrc.exe C:\Users\admin\AppData\Local\Temp\tgytutrc6686.exeC:\Windows\system32\cmd.exe
tgytutrc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2344C:\Users\admin\AppData\Local\Temp\tgytutrc6686.exe -mC:\Users\admin\AppData\Local\Temp\tgytutrc6686.exetgytutrc.exe
User:
admin
Company:
ALISA LTD
Integrity Level:
HIGH
Description:
Background Tasks Host
Version:
1.5.1.0
1512C:\Windows\system32\logoff.exe 0C:\Windows\system32\logoff.exetgytutrc6686.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Session Logoff Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
628C:\Windows\system32\logoff.exe 0C:\Windows\system32\logoff.exetgytutrc6686.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Session Logoff Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2508C:\Windows\system32\logoff.exe 0C:\Windows\system32\logoff.exetgytutrc6686.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Session Logoff Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2468C:\Windows\system32\logoff.exe 0C:\Windows\system32\logoff.exetgytutrc6686.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Session Logoff Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3596C:\Windows\system32\logoff.exe 0C:\Windows\system32\logoff.exetgytutrc6686.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Session Logoff Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1548C:\Windows\system32\logoff.exe 0C:\Windows\system32\logoff.exetgytutrc6686.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Session Logoff Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 090
Read events
879
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
108
Text files
8
Unknown types
9

Dropped files

PID
Process
Filename
Type
3544tgytutrc.exeC:\Users\admin\AppData\Local\Temp\~DFC86E4970A28136AE.TMP
MD5:
SHA256:
2712tgytutrc6686.exeC:\Users\admin\AppData\Local\Temp\~DF1C50453A43613786.TMP
MD5:
SHA256:
1328WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR22C.tmp.cvr
MD5:
SHA256:
2712tgytutrc6686.exeC:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.xml.lockedbinary
MD5:4E67DB2125DA59B25A54BD49BB97940F
SHA256:7D00CC2BA535DDCC81C803A4E4E620B623EAD426AA3AFA87FDC0FC919C1044BC
1328WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\programmehim.rtf.LNK
MD5:
SHA256:
2712tgytutrc6686.exeC:\MSOCache\All Users\{90140000-001B-0410-0000-0000000FF1CE}-C\Setup.xml.lockedbinary
MD5:888AE1059C6845DE04DCFC9250C471BB
SHA256:DE6C0832FF78AB7CF4F3419D1B3A360DD5C04A7486D9450C3FA79D57F2F10716
2712tgytutrc6686.exeC:\MSOCache\All Users\{90140000-0018-0407-0000-0000000FF1CE}-C\Setup.xml.lockedbinary
MD5:100E9ABD58C5097320A6F84C77332DFC
SHA256:4B58673BD3572C3C19270A307386473198ABD352E81BD60E8768E72DBA7A6281
3944cmd.exeC:\Users\admin\AppData\Local\Temp\tgytutrc6686.exeexecutable
MD5:0651914270A02FA44D612268815A6D6F
SHA256:A79B71D9FFCF664C53DD0FCE97C480D59A5E43A73D18B088C332EF55E59FD987
2712tgytutrc6686.exeC:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\branding.xml.lockedbinary
MD5:3B4B9DBE6367C191E2EFA178AA89416F
SHA256:04C64701BF24C668A9241D988F2FE661FDB3435CA5379DEB53970DA54CD5816D
2712tgytutrc6686.exeC:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\branding.xml.lockedbinary
MD5:F4324D3F2E4E61BC57F93A4186699D6A
SHA256:0C22A6E3EDA7203D1486DFFDB880EF3F50268EE7B3AD269A3AE2120A16E6E9E3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
tgytutrc6686.exe
C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.xml
tgytutrc6686.exe
C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccessMUI.xml
tgytutrc6686.exe
C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\branding.xml
tgytutrc6686.exe
C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\Setup.xml
tgytutrc6686.exe
C:\MSOCache\All Users\{90140000-0018-0407-0000-0000000FF1CE}-C\Setup.xml
tgytutrc6686.exe
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
tgytutrc6686.exe
C:\MSOCache\All Users\{90140000-001B-0410-0000-0000000FF1CE}-C\Setup.xml
tgytutrc6686.exe
C:\MSOCache\All Users\{90140000-001B-040C-0000-0000000FF1CE}-C\WordMUI.xml
tgytutrc6686.exe
C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\branding.xml
tgytutrc6686.exe
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
tgytutrc.exe