analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2018-09-29_20-26-55.exe

Full analysis: https://app.any.run/tasks/ed088f23-46f9-44f9-af9c-28703bab5e39
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: June 16, 2019, 14:42:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ramnit
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

C51A0BFC921D6721E99A6D0FCAE02D73

SHA1:

FD6B54E251483BB88D1CEDD4CCB065D16E990195

SHA256:

AD45CFB13369D393156E9571F239AB9C58C43239067BBC74152D747D32BF3B0D

SSDEEP:

6144:WWympplTPwW1jcBOHDQHg0aLBLwpWfA3Danv4:J7pzjcYIsLOpWCD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses SVCHOST.EXE for hidden code execution

      • sfseunjd.exe (PID: 3684)

    • Writes to a start menu file

      • svchost.exe (PID: 2620)

    • Changes the autorun value in the registry

      • svchost.exe (PID: 2620)
      • sfseunjd.exe (PID: 3304)

    • UAC/LUA settings modification

      • sfseunjd.exe (PID: 3304)

    • Modifies Windows security services settings

      • sfseunjd.exe (PID: 3304)

    • Changes Security Center notification settings

      • sfseunjd.exe (PID: 3304)

    • Modifies Windows Defender service settings

      • sfseunjd.exe (PID: 3304)

    • Changes firewall settings

      • sfseunjd.exe (PID: 3304)

    • RAMNIT was detected

      • svchost.exe (PID: 2620)

    • Changes the login/logoff helper path in the registry

      • sfseunjd.exe (PID: 3304)

    • Connects to CnC server

      • svchost.exe (PID: 2620)

    • Application was injected by another process

      • dwm.exe (PID: 1980)
      • explorer.exe (PID: 2044)
      • windanr.exe (PID: 556)
      • taskeng.exe (PID: 3756)
      • ctfmon.exe (PID: 3780)
      • conhost.exe (PID: 392)

    • Ramnit was detected

      • explorer.exe (PID: 2044)
      • dwm.exe (PID: 1980)
      • taskeng.exe (PID: 3756)
      • windanr.exe (PID: 556)
      • ctfmon.exe (PID: 3780)
      • conhost.exe (PID: 392)
      • tracert.exe (PID: 1212)

    • Runs injected code in another process

      • svchost.exe (PID: 3900)

  • SUSPICIOUS

    • Starts itself from another location

      • 2018-09-29_20-26-55.exe (PID: 2836)

    • Executable content was dropped or overwritten

      • sfseunjd.exe (PID: 3684)
      • 2018-09-29_20-26-55.exe (PID: 2836)

    • Creates files in the user directory

      • svchost.exe (PID: 2620)

    • Creates files in the program directory

      • svchost.exe (PID: 2620)

    • Creates files in the Windows directory

      • sdbinst.exe (PID: 3988)

    • Creates a software uninstall entry

      • sdbinst.exe (PID: 3988)

    • Starts CMD.EXE for commands execution

      • iscsicli.exe (PID: 2768)

    • Reads the cookies of Google Chrome

      • svchost.exe (PID: 3900)

    • Reads the cookies of Mozilla Firefox

      • svchost.exe (PID: 3900)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1f33
UninitializedDataSize: -
InitializedDataSize: 37888
CodeSize: 175616
LinkerVersion: 10
PEType: PE32
TimeStamp: 2018:04:02 12:37:07+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 02-Apr-2018 10:37:07

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 02-Apr-2018 10:37:07
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0002ADBC
0x0002AE00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.72863
.rdata
0x0002C000
0x00004ABA
0x00004C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.13125
.data
0x00031000
0x00003AA8
0x00002000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.52774
.rsrc
0x00035000
0x00005010
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0
.reloc
0x0003B000
0x000016BA
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
3.88139

Imports

ADVAPI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
19
Malicious processes
14
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start inject inject inject inject inject 2018-09-29_20-26-55.exe sfseunjd.exe #RAMNIT svchost.exe svchost.exe sdbinst.exe no specs sdbinst.exe iscsicli.exe no specs iscsicli.exe cmd.exe no specs sfseunjd.exe sdbinst.exe no specs sdbinst.exe dwm.exe explorer.exe taskeng.exe ctfmon.exe windanr.exe #RAMNIT tracert.exe no specs conhost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2836"C:\Users\admin\AppData\Local\Temp\2018-09-29_20-26-55.exe" C:\Users\admin\AppData\Local\Temp\2018-09-29_20-26-55.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3684C:\Users\admin\AppData\Local\Temp\sfseunjd.exeC:\Users\admin\AppData\Local\Temp\sfseunjd.exe
2018-09-29_20-26-55.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2620C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe
sfseunjd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3900C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe
sfseunjd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2768"C:\Windows\system32\sdbinst.exe" /q "C:\Users\admin\AppData\Local\Temp\\..\..\LocalLow\com.admin.sdb"C:\Windows\system32\sdbinst.exesfseunjd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Application Compatibility Database Installer
Exit code:
3221226540
Version:
6.0.7600.16385 (win7_rtm.090713-1255)
3988"C:\Windows\system32\sdbinst.exe" /q "C:\Users\admin\AppData\Local\Temp\\..\..\LocalLow\com.admin.sdb"C:\Windows\system32\sdbinst.exe
sfseunjd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Application Compatibility Database Installer
Exit code:
0
Version:
6.0.7600.16385 (win7_rtm.090713-1255)
3552"C:\Windows\system32\iscsicli.exe" C:\Windows\system32\iscsicli.exesfseunjd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
iSCSI Discovery tool
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2768"C:\Windows\system32\iscsicli.exe" C:\Windows\system32\iscsicli.exe
sfseunjd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
iSCSI Discovery tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2676cmd /c C:\Users\admin\AppData\Local\Temp\..\..\LocalLow\cmd.admin.bat C:\Windows\system32\cmd.exeiscsicli.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3304"C:\Users\admin\AppData\Local\Temp\sfseunjd.exe" C:\Users\admin\AppData\Local\Temp\sfseunjd.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Total events
1 897
Read events
1 766
Write events
129
Delete events
2

Modification events

(PID) Process:(556) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:APPSTARTING
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(556) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:ARROW
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(556) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:CROSS
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(556) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:HAND
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(556) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:HELP
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(556) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:IBEAM
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(556) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:NO
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(556) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:SIZEALL
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(556) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:SIZENESW
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(556) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:SIZENS
Value:
%SystemRoot%\cursors\clearcur.cur
Executable files
2
Suspicious files
8
Text files
4
Unknown types
2

Dropped files

PID
Process
Filename
Type
2620svchost.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jjbcnbda.exe
MD5:
SHA256:
2620svchost.exeC:\Users\admin\AppData\Local\bdjmdbtj\jjbcnbda.exe
MD5:
SHA256:
3900svchost.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\cookies.txt
MD5:
SHA256:
3900svchost.exeC:\Users\admin\AppData\Local\Temp\~TMAD1C.tmp
MD5:
SHA256:
3900svchost.exeC:\Users\admin\AppData\Local\mfpmqwom.logini
MD5:27D91E89937BA20ECF00126BB584EC55
SHA256:057754F7E02CEE326D8531F2C79261F75FDC510372F477A2FDB8779528078414
3900svchost.exeC:\Users\admin\AppData\Local\fwdicmqp.logcompressed
MD5:27E82C2A40ADEAB0D869624957315244
SHA256:49E43A75638DB1451C3E67D6EE1EEEB5A70D20F46E47433A05CE506053A22130
2620svchost.exeC:\Users\admin\AppData\Local\dgjcifgy.logbinary
MD5:32FAF24CE588D59B11B7D3DB32146C9B
SHA256:5B01A0AD61A67B125C30BA2462ED4F1D7A8663136CBD8CDE02721C83405EEB68
28362018-09-29_20-26-55.exeC:\Users\admin\AppData\Local\Temp\sfseunjd.exeexecutable
MD5:C51A0BFC921D6721E99A6D0FCAE02D73
SHA256:AD45CFB13369D393156E9571F239AB9C58C43239067BBC74152D747D32BF3B0D
2620svchost.exeC:\ProgramData\qkoagtka.logtext
MD5:0CFBF1F563D8566D1E80E041303374BE
SHA256:3F54059BA10CF9171491AEE9104FEA54D95889E6E534758DA29A8D226CED3617
3900svchost.exeC:\Users\admin\AppData\Local\kmypexkj.logini
MD5:4ECACEC5787C77DEACE45E111D29FFE7
SHA256:4617ED574B0445BCE05F49BA81B0075B57EE51E22666C683787ECAEAA936D59C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
29
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2620
svchost.exe
92.63.97.30:443
jmwrboefbrhresaekn.com
JSC ISPsystem
RU
malicious
172.217.21.238:80
google.com
Google Inc.
US
whitelisted
2620
svchost.exe
35.224.11.86:443
gadqgqkdexwspxdc.com
US
malicious

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.21.238
whitelisted
goldenfreeanhfirst.com
malicious
lrjhjpmogfmrctmyqy.com
unknown
gadqgqkdexwspxdc.com
  • 35.224.11.86
malicious
wpmlwkual.com
unknown
uacujgnkrqpmjiwfb.com
unknown
saolyfuyhuymmhd.com
unknown
qhkyxycreoheacbh.com
malicious
eoqtvdvtqtlsurfcot.com
unknown
bjymkakljso.com
unknown

Threats

PID
Process
Class
Message
2620
svchost.exe
A Network Trojan was detected
ET TROJAN Win32/Ramnit Checkin
2620
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Ramnit Checkin
2620
svchost.exe
A Network Trojan was detected
ET TROJAN Win32/Ramnit Checkin
2620
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Ramnit Checkin
2620
svchost.exe
A Network Trojan was detected
ET TROJAN Win32/Ramnit Checkin
2620
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Banker Ramnit CnC Connection
2620
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Banker Ramnit CnC Connection
2620
svchost.exe
A Network Trojan was detected
ET TROJAN Win32/Ramnit Checkin
2620
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Ramnit Checkin
2620
svchost.exe
A Network Trojan was detected
ET TROJAN Win32/Ramnit Checkin
Process
Message
sfseunjd.exe
CheckBypassed ok
svchost.exe
Started
svchost.exe
[VNCDLL][:3900][ImgMapSection:30] A section of 0 bytes mapped to the target process at 0x01E80000
svchost.exe
[VNCDLL][:3900][ImgMapSection:30] A section of 0 bytes mapped to the target process at 0x003B0000
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2018-09-29_20-26-55.exe