File name:

aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9

Full analysis: https://app.any.run/tasks/915183f6-ebee-47ff-995f-95069a01a18d
Verdict: Malicious activity
Analysis date: December 06, 2022, 04:00:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
hiloti
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

99181A961ECB7B6DDC753AA7B29A7343

SHA1:

6CCB2A85F2D8BACD6B112D441CA573DA1472598D

SHA256:

AA5947B30431ACB3797485284197CE85DBB55EE977200A04B953C5DBDBAFE0B9

SSDEEP:

6144:XgCgln0sQDXpCfQYZxCN0RtDidc1MsKW/q0FLxgKTPhXdJW:QCO0sQDXpIBfCNUvhKkRPht

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe (PID: 1580)
    • Changes the autorun value in the registry

      • iHgEpGc08513.exe (PID: 2596)
    • HILOTI was detected

      • aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe (PID: 1580)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe (PID: 1580)
    • Drops a file with too old compile date

      • aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe (PID: 1580)
    • Reads the Internet Settings

      • aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe (PID: 1580)
      • iHgEpGc08513.exe (PID: 2596)
    • Reads Microsoft Outlook installation path

      • iHgEpGc08513.exe (PID: 2596)
    • Reads security settings of Internet Explorer

      • iHgEpGc08513.exe (PID: 2596)
    • Reads Internet Explorer settings

      • iHgEpGc08513.exe (PID: 2596)
  • INFO

    • Checks supported languages

      • aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe (PID: 1580)
      • iHgEpGc08513.exe (PID: 2596)
    • Reads the computer name

      • aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe (PID: 1580)
      • iHgEpGc08513.exe (PID: 2596)
    • Creates files in the program directory

      • aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe (PID: 1580)
      • iHgEpGc08513.exe (PID: 2596)
    • Checks proxy server information

      • aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe (PID: 1580)
      • iHgEpGc08513.exe (PID: 2596)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1970-Jul-04 12:04:23
Detected languages:
  • English - United States
  • Russian - Russia
FileDescription: DOM Manager
FileVersion: 2.10.0.1
LegalCopyright: Copyright (C) 2009
OriginalFilename: dommgr.exe
ProductName: DOM Manager
ProductVersion: 2.10.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 240

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 1970-Jul-04 12:04:23
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
8898
9216
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.78851
.rsrc
16384
11977
12288
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.68447
.data
28672
1482752
3584
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.45929
.rdata
1511424
305500
305664
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.91263
.tls
1818624
4096
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.213101

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.10006
4264
UNKNOWN
Russian - Russia
RT_ICON
2
4.71128
2440
UNKNOWN
Russian - Russia
RT_ICON
3
4.08271
1128
UNKNOWN
Russian - Russia
RT_ICON
1 (#2)
2.50016
48
UNKNOWN
Russian - Russia
RT_GROUP_ICON
1 (#3)
3.41581
588
UNKNOWN
Russian - Russia
RT_VERSION

Imports

ADVAPI32.dll
KERNEL32.dll
NTDLL.dll
OLEAUT32.dll
RPCRT4.dll
USER32.dll
msvcrt.dll
ole32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #HILOTI aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe ihgepgc08513.exe

Process information

PID
CMD
Path
Indicators
Parent process
1580"C:\Users\admin\AppData\Local\Temp\aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe" C:\Users\admin\AppData\Local\Temp\aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
DOM Manager
Version:
2.10.0.1
Modules
Images
c:\users\admin\appdata\local\temp\aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
2596"C:\ProgramData\iHgEpGc08513\iHgEpGc08513.exe" "C:\Users\admin\AppData\Local\Temp\aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe"C:\ProgramData\iHgEpGc08513\iHgEpGc08513.exe
aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe
User:
admin
Integrity Level:
MEDIUM
Description:
DOM Manager
Version:
2.10.0.1
Modules
Images
c:\programdata\ihgepgc08513\ihgepgc08513.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events
822
Read events
773
Write events
48
Delete events
1

Modification events

(PID) Process:(1580) aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1580) aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1580) aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1580) aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1580) aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1580) aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1580) aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1580) aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1580) aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1580) aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation:writeName:WpadDecisionReason
Value:
1
Executable files
1
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1580aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exeC:\Users\admin\AppData\Local\Temp\aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9binary
MD5:125012E7A302F9478787143EBD311749
SHA256:25D0CE99DC3E5DC0B4D3D0E3F3C1C7769EBF50DEA3AF4853B4A31EB1AB808731
1580aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exeC:\ProgramData\iHgEpGc08513\iHgEpGc08513.exeexecutable
MD5:99181A961ECB7B6DDC753AA7B29A7343
SHA256:AA5947B30431ACB3797485284197CE85DBB55EE977200A04B953C5DBDBAFE0B9
2596iHgEpGc08513.exeC:\ProgramData\iHgEpGc08513\iHgEpGc08513binary
MD5:AC872424F0218878EA06269066A06183
SHA256:ECC58313CEC572D870147A036003E01EF9F67BD8150D82144DF026998C2ACBA5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
1
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1580
aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe
GET
89.187.53.223:80
http://89.187.53.223/lurl.php?affid=08513
MD
malicious
1580
aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe
GET
89.187.53.223:80
http://89.187.53.223/lurl.php?affid=08513
MD
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2596
iHgEpGc08513.exe
89.187.53.223:80
Scientific-Production Center Monitoring, Ltd
MD
malicious
89.187.53.223:80
Scientific-Production Center Monitoring, Ltd
MD
malicious
1580
aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe
89.187.53.223:80
Scientific-Production Center Monitoring, Ltd
MD
malicious

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
1580
aa5947b30431acb3797485284197ce85dbb55ee977200a04b953c5dbdbafe0b9.exe
A Network Trojan was detected
ET TROJAN Hiloti loader requesting payload URL
No debug info