File name:

aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849

Full analysis: https://app.any.run/tasks/d6fad88d-4ebe-4410-8a32-9a17c115b694
Verdict: Malicious activity
Analysis date: December 06, 2022, 04:47:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

C25A3C97B272F681149194AA7D34C646

SHA1:

DCBE06AABEDB22438A7E6F696219DA570226C6E6

SHA256:

AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849

SSDEEP:

3072:MYOqQr9HIwt8Sgd3+AaWmk7m8sPN8i7g1QUojsDoemee:MrFrZYpa/N8iMiUojsDm1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe (PID: 1872)

    • Changes the autorun value in the registry

      • aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe (PID: 1872)

  • SUSPICIOUS

    • Reads the Internet Settings

      • aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe (PID: 1872)

    • Detected use of alternative data streams (AltDS)

      • playerpepflashplayer.exe (PID: 3388)
      • aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe (PID: 1872)
      • sitesfeedsuggested20313.exe (PID: 3672)
      • decryptioncontent.exe (PID: 3932)
      • microsofthomefeed15639.exe (PID: 2560)

    • Starts itself from another location

      • aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe (PID: 1872)

    • Executable content was dropped or overwritten

      • aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe (PID: 1872)

    • Reads browser cookies

      • aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe (PID: 1872)

  • INFO

    • Checks supported languages

      • playerpepflashplayer.exe (PID: 3388)
      • aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe (PID: 1872)
      • decryptioncontent.exe (PID: 3932)
      • microsofthomefeed15639.exe (PID: 2560)
      • sitesfeedsuggested20313.exe (PID: 3672)

    • Checks proxy server information

      • aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe (PID: 1872)

    • Reads the computer name

      • playerpepflashplayer.exe (PID: 3388)
      • decryptioncontent.exe (PID: 3932)
      • aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe (PID: 1872)
      • sitesfeedsuggested20313.exe (PID: 3672)
      • microsofthomefeed15639.exe (PID: 2560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2011-Apr-26 13:24:37

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 232

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 2011-Apr-26 13:24:37
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
75780
76288
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.98776
.idata
81920
154244
2560
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.8497
.rsrc
237568
58908
59392
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.84611

Resources

Title
Entropy
Size
Codepage
Language
Type
1
7.99469
31279
UNKNOWN
UNKNOWN
PNG
2
7.99231
21909
UNKNOWN
UNKNOWN
PNG
95
3.75988
296
UNKNOWN
UNKNOWN
RT_ICON
1 (#2)
3.54888
2216
UNKNOWN
UNKNOWN
RT_ICON
2 (#2)
3.57696
1384
UNKNOWN
UNKNOWN
RT_ICON
1 (#3)
2.32824
34
UNKNOWN
UNKNOWN
RT_GROUP_ICON
1 (#4)
3.50124
800
UNKNOWN
UNKNOWN
RT_VERSION

Imports

kernel32.dll
user32.dll

Exports

Title
Ordinal
Address
Kvnljlkqvre
1
5135
Wmfsdccmd
2
7754
Ydkhgpq
3
7869
IsLtdyyqt
4
6885
CreateAfludarpqks
5
4434
Aihcwvbw
6
7073
Ngejluw
7
5946
GetMhltrcerlxb
8
5177
BeginWbulfhv
9
5536
IsRxagbwuuuo
10
7077
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start drop and start start aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe playerpepflashplayer.exe no specs sitesfeedsuggested20313.exe no specs decryptioncontent.exe no specs microsofthomefeed15639.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1872"C:\Users\admin\AppData\Local\Temp\aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe" C:\Users\admin\AppData\Local\Temp\aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
3388"c:\users\admin\appdata\local\google\chrome\user data\pepperflash\32.0.0.433\playerpepflashplayer.exe"c:\users\admin\appdata\local\google\chrome\user data\pepperflash\32.0.0.433\playerpepflashplayer.exeaa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\google\chrome\user data\pepperflash\32.0.0.433\playerpepflashplayer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
3672"c:\users\admin\appdata\local\microsoft\feeds\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\webslices~\sitesfeedsuggested20313.exe"c:\users\admin\appdata\local\microsoft\feeds\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\webslices~\sitesfeedsuggested20313.exeaa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\microsoft\feeds\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\webslices~\sitesfeedsuggested20313.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
3932"c:\users\admin\appdata\roaming\mozilla\firefox\profiles\qldyz51w.default\gmp-widevinecdm\4.10.1440.18\decryptioncontent.exe"c:\users\admin\appdata\roaming\mozilla\firefox\profiles\qldyz51w.default\gmp-widevinecdm\4.10.1440.18\decryptioncontent.exeaa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\mozilla\firefox\profiles\qldyz51w.default\gmp-widevinecdm\4.10.1440.18\decryptioncontent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
2560"c:\users\admin\appdata\local\microsoft\feeds\microsoft feeds~\microsofthomefeed15639.exe"c:\users\admin\appdata\local\microsoft\feeds\microsoft feeds~\microsofthomefeed15639.exeaa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\microsoft\feeds\microsoft feeds~\microsofthomefeed15639.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
Total events
6 731
Read events
1 105
Write events
5 626
Delete events
0

Modification events

(PID) Process:(1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation:writeName:WpadDecisionReason
Value:
1
Executable files
6
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1872aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeC:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\gccheckGoogle.exeexecutable
MD5:C25A3C97B272F681149194AA7D34C646
SHA256:AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849
1872aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeC:\Users\admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MicrosoftHomefeed15639.exeexecutable
MD5:C25A3C97B272F681149194AA7D34C646
SHA256:AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849
1872aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeC:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\SitesfeedSuggested20313.exeexecutable
MD5:C25A3C97B272F681149194AA7D34C646
SHA256:AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849
1872aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\PepperFlash\32.0.0.433\Playerpepflashplayer.exeexecutable
MD5:C25A3C97B272F681149194AA7D34C646
SHA256:AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849
1872aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeC:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\BuiltInBuilding.exeexecutable
MD5:C25A3C97B272F681149194AA7D34C646
SHA256:AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849
1872aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\4.10.1440.18\DecryptionContent.exeexecutable
MD5:C25A3C97B272F681149194AA7D34C646
SHA256:AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
8
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
1670302059.website-usb.us
unknown
1670302065.website-usb.us
unknown
1670302069.website-usb.us
unknown
1670302073.website-usb.us
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2023 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849