File name: aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed

Full analysis: https://app.any.run/tasks/680979ca-afe2-4a9a-b698-5bab235bbc1a
Verdict: Malicious activity
Analysis date: December 06, 2022, 03:54:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: B9981E80CA464B9F06E410A46188FF57
SHA1: BA1E393FA269AF84CD24D18A359181752614BAFD
SHA256: AA5E0845CB5B10EC129F89D4024970E91DB250B220E184B4F3296F49B70CA9ED
SSDEEP: 6144:ZTz4g5mrLSfzkIiROcfR11nXRQhBPZR2obO2OdI85RsQXg2TYyuZ7mS0YMa:Z0nSriROcfR/XRo7xbtOdI85Rs0tYyuH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Change Internet Settings

      • IXn03qTukr.exe (PID: 2964)
  • SUSPICIOUS

    • Reads the Internet Settings

      • IXn03qTukr.exe (PID: 2964)
    • Detected use of alternative data streams (AltDS)

      • IXn03qTukr.exe (PID: 2964)
    • Starts itself from another location

      • aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed.exe (PID: 2056)
    • Changes internet zones settings

      • IXn03qTukr.exe (PID: 2964)
  • INFO

    • Checks supported languages

      • IXn03qTukr.exe (PID: 2964)
      • aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed.exe (PID: 2056)
    • Checks proxy server information

      • IXn03qTukr.exe (PID: 2964)
    • Reads the computer name

      • IXn03qTukr.exe (PID: 2964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2011-Oct-18 19:02:55
Detected languages:
  • Process Default Language
CompanyName: Sun Microsystems, Inc.
FileDescription:
FileVersion: 6.0.60.2
Full Version: 1.6.0_06-b02
InternalName:
LegalCopyright: Copyright © 2004
OriginalFilename:
ProductName:
ProductVersion: 6.0.60.2

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 192

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 26
TimeDateStamp: 2011-Oct-18 19:02:55
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 9532 | 9728 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.13616
.rdata | 16384 | 4817 | 5120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.82838
.data | 24576 | 3008 | 2560 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.20483
.fhj5 | 28672 | 196 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.48671
.fhj50 | 32768 | 222 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.43236
.fhj51 | 36864 | 228 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.69088
.fhj52 | 40960 | 151423 | 151552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.71305
.fhj53 | 192512 | 151423 | 151552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.75318
.fhj54 | 344064 | 212 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.54667
.fhj55 | 348160 | 214 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.56642

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.34193 | 9640 | Latin 1 / Western European | Process Default Language | RT_ICON
2 | 5.43858 | 4264 | Latin 1 / Western European | Process Default Language | RT_ICON
3 | 5.85464 | 1128 | Latin 1 / Western European | Process Default Language | RT_ICON
2 (#2) | 2.45849 | 48 | Latin 1 / Western European | Process Default Language | RT_GROUP_ICON
1 (#2) | 3.25415 | 700 | Latin 1 / Western European | Process Default Language | RT_VERSION
1 (#3) | 5.04894 | 360 | Latin 1 / Western European | Process Default Language | RT_MANIFEST

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.dll
MFC42u.DLL
SHELL32.dll
USER32.dll
WINMM.dll
msvcrt.dll
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed.exe (no specs) -> drop and start -> ixn03qtukr.exe

Process information

PID: 2056
CMD: "C:\Users\admin\AppData\Local\Temp\aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed.exe"
Path: C:\Users\admin\AppData\Local\Temp\aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed.exe
Parent process: Explorer.EXE
User: admin
Company: Sun Microsystems, Inc.
Integrity Level: MEDIUM
Exit code: 0
Version: 6.0.60.2
Modules (Images):
  • c:\users\admin\appdata\local\temp\aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\mfc42u.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 2964
CMD: C:\PROGRA~2\IXn03qTukr.exe
Path: C:\PROGRA~2\IXn03qTukr.exe
Parent process: aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed.exe
User: admin
Company: Sun Microsystems, Inc.
Integrity Level: MEDIUM
Version: 6.0.60.2
Modules (Images):
  • c:\programdata\ixn03qtukr.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\mfc42u.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
Total events: 701
Read events: 655
Write events: 46
Delete events: 0

Modification events

(PID) Process: (2964) IXn03qTukr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2964) IXn03qTukr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2964) IXn03qTukr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2964) IXn03qTukr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2964) IXn03qTukr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2964) IXn03qTukr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2964) IXn03qTukr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2964) IXn03qTukr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2964) IXn03qTukr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2964) IXn03qTukr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: Use FormSuggest
Value: Yes
Executable files: 1
Suspicious files: 1
Text files: 0
Unknown types: 4

Dropped files

PID | Process | Filename | Type
2964 | IXn03qTukr.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\Uninstall System Restore.lnk | lnk
MD5: E5DE74D1E7485693A782D4ACF7D0547E
SHA256: 57E0CC394342262C2B4E513B8E31E22D86CBD0CD192D05F1165218EA2DFE3296

2964 | IXn03qTukr.exe | C:\PROGRA~2\IXn03qTukr | binary
MD5: 89D37084DDC9D1467A189FAE8AB5411A
SHA256: 76FE9B9C3C1C504126C7CB003A4BDD8E94C42C65CFC0F2EA864D8DB0884242A9

2056 | aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed.exe | C:\ProgramData\IXn03qTukr.exe | executable
MD5: B9981E80CA464B9F06E410A46188FF57
SHA256: AA5E0845CB5B10EC129F89D4024970E91DB250B220E184B4F3296F49B70CA9ED

2964 | IXn03qTukr.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\System Restore.lnk | lnk
MD5: D6196F7A01469DC85588514555D95A29
SHA256: 7F89F37F0808386AAB50CFCA83F83597B4459B2EAA9066A66B77DBA092288F50

2964 | IXn03qTukr.exe | C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk | lnk
MD5: 982C00877AA0F9F3AE97056A9465BB23
SHA256: 673C0CD545CAEF4623BF59F19448CD40BB7C35141A3806E08E86B494A3A7C711

2964 | IXn03qTukr.exe | C:\Users\admin\Desktop\System Restore.lnk | lnk
MD5: 51FE1E5F483CB01D1FE20981BB0D051F
SHA256: 88B74B1F482887E4AE33437FA4E2705C732A085C30382BA6F06C9E6DB313983E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 1
DNS requests: 6
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2964 | IXn03qTukr.exe | GET | 403 | 198.71.233.197:80 | http://bitgale.com/404.php?type=stats&affid=540&subid=01&version=8.0&installok | US | html | 199 b | malicious
2964 | IXn03qTukr.exe | GET | - | 198.71.233.197:80 | http://bitgale.com/a-houston-ppc-agency-how-to-show-tangible-ppc-value-to-clients/ | US | - | - | malicious
2964 | IXn03qTukr.exe | GET | 301 | 198.71.233.197:80 | http://bitgale.com/britix/a | US | html | 199 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2964 | IXn03qTukr.exe | 198.71.233.197:80 | bitgale.com | AS-26496-GO-DADDY-COM-LLC | US | malicious

DNS requests

Domain | IP | Reputation
start-520186.com | - | unknown
open-994233.com | - | unknown
bitgale.com | 198.71.233.197 | malicious
wiki-722866.com | - | unknown
dearafford.com | - | unknown
catalogs-503872.com | - | unknown

Threats

PID | Process | Class | Message
2964 | IXn03qTukr.exe | A Network Trojan was detected | ET TROJAN Fake AV GET
2964 | IXn03qTukr.exe | A Network Trojan was detected | ET TROJAN Trojan.Win32.A.FakeAV Reporting
2964 | IXn03qTukr.exe | Potentially Bad Traffic | ET USER_AGENTS User-Agent (Internet Explorer)
2964 | IXn03qTukr.exe | A Network Trojan was detected | ET TROJAN Jorik FakeAV GET
2964 | IXn03qTukr.exe | Potentially Bad Traffic | ET USER_AGENTS User-Agent (Internet Explorer)
2964 | IXn03qTukr.exe | Potentially Bad Traffic | ET USER_AGENTS User-Agent (Internet Explorer)
No debug info